Hi Eric, You shouldn't be too worried about, since it is just a scanner or something like that. If you do a netcat (or telnet) to your ssh server you will get the same error. I will reduce the severity of this one...
Thanks, -- Daniel B. Cid dcid ( at ) ossec.net On 9/12/07, Eric Yeoh <[EMAIL PROTECTED]> wrote: > > Hi , > > I got the below message from one of our servers: > OSSEC HIDS Notification. > 2007 Sep 12 16:24:25 > > Received From: birdy->/var/log/secure > Rule: 5701 fired (level 12) -> "Possible attack on the ssh server (or > version gathering)." > Portion of the log(s): > > Sep 12 16:24:24 raven sshd[647]: Bad protocol version identification > '\377\364\377\375\006' from UNKNOWN > > > > I see that it is a possible scan....is that something I should be worried > about. I haven't got a Level 12 alert before. > > Please advise. > > Regards, > > Eric >