HIDS/OSSEC Agent not reconnecting after IP address change


We are testing HIDS deployment in our corporate network and we have run into an issue with the HIDS Agent not reporting back to the USM (all-in-one on prem) after the workstation changes IP addresses.  With our workstations' IPs being managed by DHCP this is something that will happen frequently.  How can I get the HIDS to correctly report back when the endpoint changes IPs?

  • VibralTSec,

    When you add the agent, it asks for the IP address or CIDR address. This address is used to create an ACL for the agent. If you are using DHCP, then the address used for connection must include the entire DHCP range (you can use for "any").

    If you are deploying using agent autodeployment, there is an option during deployment to specify that the agent is using DHCP, which will force the CIDR for the agent.

    You could also use DHCP reservation to create a consistent address, which is my preference. This will aid in consistency of NIDS events, and in correlating them to the HIDS events historically. 
  • I will try that; quick question, though.  We have separate VLANs for our wired and wireless connections,
    i.e. 10.10.0.xxx/24 for wired and 10.20.0.xxx/24 for wireless.  Would I be able to configure it to allow for users to switch back and forth without interruption to the HIDS reporting back?  As for the DHCP reservation, unfortunately, with the size of our network, configuration of the wireless on a separate VLAN, and the turnover of machines, that isn't really an option.
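
The ACL point from the first reply, as an added example that is not part of the thread or of OSSEC itself: a small audit that reads entries in the OSSEC `client.keys` layout (`ID name allowed-address key`) and reports which DHCP pools each agent's allowed address fails to cover. The agent names, keys and the `10.0.0.0/8` entry are constructed for illustration; the two pools are the /24 ranges named in the thread.

```python
import ipaddress

# DHCP pools taken from the thread (wired and wireless VLANs).
DHCP_POOLS = {"wired": "10.10.0.0/24", "wireless": "10.20.0.0/24"}

# Constructed sample in client.keys layout: "<id> <name> <allowed-address> <key>".
SAMPLE_CLIENT_KEYS = """\
001 ws-static-01 10.10.0.57 k1-constructed
002 ws-wired-02 10.10.0.0/24 k2-constructed
003 ws-roaming-03 10.0.0.0/8 k3-constructed
004 ws-roaming-04 any k4-constructed
"""

def uncovered_pools(allowed, pools):
    """Return the names of the pools that the agent's allowed address does not cover."""
    if allowed.lower() == "any":
        return []  # "any" disables the source-address check for this agent
    try:
        acl = ipaddress.ip_network(allowed, strict=False)  # a bare IP becomes a /32
    except ValueError:
        return sorted(pools)  # unparseable entry: treat as covering nothing
    return [name for name, cidr in pools.items()
            if not ipaddress.ip_network(cidr).subnet_of(acl)]

def audit(client_keys_text, pools=DHCP_POOLS):
    """Map agent name -> DHCP pools from which that agent would be rejected."""
    gaps = {}
    for line in client_keys_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip blank or malformed lines
        _agent_id, name, allowed, _key = fields
        gaps[name] = uncovered_pools(allowed, pools)
    return gaps

if __name__ == "__main__":
    for agent, missing in audit(SAMPLE_CLIENT_KEYS).items():
        status = "covers all pools" if not missing else "NOT covered: " + ", ".join(missing)
        print(f"{agent:15} {status}")
```

An agent listed with uncovered pools will stop reporting when DHCP hands it an address from one of them. A wider allowed range also loosens the source-address check that the ACL provides for that agent's key.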
