Hi Martin,

Thanks for the additional information. I was able to reproduce the
behavior and fix the problem inside ossec. You
can try with the following package to see if the problem persists.

http://www.ossec.net/files/snapshots/ossec-hids-071218.tar.gz


The issue is that ossec tries to remove duplicated syslog messages
(same log from different files), but it was not taking the pid into
consideration, so all the following messages were being considered the
same.

sshd[12440]: Invalid user apache from 203.250.179.11
sshd[12448]: Invalid user apache from 203.250.179.11
sshd[12456]: Invalid user apache from 203.250.179.11

It should be fixed now.


Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net
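To illustrate the duplicate-suppression bug described above, here is a small added example (not ossec's own code, and not from either writer of this thread). It parses the `program[pid]: message` part of a syslog line and collapses consecutive repeats, once with the pid left out of the comparison (the behaviour that swallowed the three `sshd` lines) and once with the pid included. The timestamps and hostname in the sample lines are constructed; the comparison against only the previous record is an assumption made for brevity, not a description of how ossec implements it.

```python
import re
from typing import List, Optional, Tuple

# Extract "program[pid]: message" from a syslog line. The timestamp/hostname
# prefix is skipped so that the same event written to two files compares equal.
# The pid is optional because not every daemon logs one.
SYSLOG_RE = re.compile(r'(?P<prog>[A-Za-z][\w.-]*)(?:\[(?P<pid>\d+)\])?:\s(?P<msg>.*)$')


def parse_syslog(line: str) -> Optional[dict]:
    """Return {'prog', 'pid', 'msg'} for a syslog line, or None if it does not match."""
    m = SYSLOG_RE.search(line.strip())
    if not m:
        return None
    return {"prog": m.group("prog"), "pid": m.group("pid"), "msg": m.group("msg")}


def dedup_key(rec: dict, include_pid: bool) -> Tuple:
    """Key used to decide whether two records are 'the same' message.

    include_pid=False reproduces the bug: three different sshd children
    reporting the same failed login collapse into one event.
    include_pid=True is the fixed behaviour: only a verbatim repeat of the
    same process's message is treated as a duplicate.
    """
    if include_pid:
        return (rec["prog"], rec["pid"], rec["msg"])
    return (rec["prog"], rec["msg"])


def suppress_duplicates(lines: List[str], include_pid: bool) -> List[str]:
    """Drop a line when it matches the previous parsed line under dedup_key.

    Lines that do not parse are always kept. Comparing only against the
    previous record is a simplification (assumption) chosen for this example.
    """
    kept: List[str] = []
    last_key = None
    for line in lines:
        rec = parse_syslog(line)
        if rec is None:
            kept.append(line)
            continue
        key = dedup_key(rec, include_pid)
        if key == last_key:
            continue  # duplicate of the immediately preceding message
        last_key = key
        kept.append(line)
    return kept


# Constructed sample: the three sshd messages from the thread, with a made-up
# timestamp/hostname prefix, followed by one genuine verbatim repeat of the
# third line (as would happen when the same log reaches two files).
SAMPLE_LINES = [
    "Dec 17 08:02:01 host1 sshd[12440]: Invalid user apache from 203.250.179.11",
    "Dec 17 08:02:03 host1 sshd[12448]: Invalid user apache from 203.250.179.11",
    "Dec 17 08:02:05 host1 sshd[12456]: Invalid user apache from 203.250.179.11",
    "Dec 17 08:02:05 host1 sshd[12456]: Invalid user apache from 203.250.179.11",
]


def demo() -> Tuple[int, int]:
    """Return (events kept without pid, events kept with pid) for SAMPLE_LINES."""
    buggy = suppress_duplicates(SAMPLE_LINES, include_pid=False)
    fixed = suppress_duplicates(SAMPLE_LINES, include_pid=True)
    return len(buggy), len(fixed)


if __name__ == "__main__":
    without_pid, with_pid = demo()
    print(f"kept without pid: {without_pid}, kept with pid: {with_pid}")
```

With the pid ignored, only one of the four lines survives, so a rule that counts failed logins would see a single attempt where there were three distinct sshd processes; with the pid included, three events are kept and only the verbatim repeat is dropped. The same undercounting is why a threshold-based active response can fire much later than the raw auth.log suggests.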




On Dec 17, 2007 6:23 PM, Martin West <[EMAIL PROTECTED]> wrote:
> I've investigated this further as I saw in logwatch ...
>
>  Login attempted when not in AllowUsers list:
>     mysql : 5 Time(s)
>     nobody : 62 Time(s)
>     root : 215 Time(s)
>
> which seemed a bit excessive with ossec running.
>
> attached are three files
>
> ossec-prob.log - from auth.log shows the attack started at 8:02
>
> ossec-alerts-16.log.gz - the alerts log shows block at 8:24
>
> ossec.log - shows a problem connecting to the ar queue.
>
> Question 1: Is it correct behaviour that it took twenty two minutes to
> block the attack?
>
> Question 2: Any ideas on the ar queue connection problem? Is it
> connected to problem 1? I tried restarting ossec but the same error came
> up.
>
> This is ossec 1.4 running on debian, kernel 2.6.22-3-686.
>
> Thanks.
>
> --
>
> Regards Martin West
>
>
