---file start here --
** Alert 1157059138.537:
2006 Sep 01 00:18:58 topgun->/var/log/mail.info
Rule: 3303 (level 5) -> 'Sender domain is not found (450: Requested mail action not taken).'
Src IP: 82.182.108.180
User: (none)
postfix/smtpd[4351]: NOQUEUE: reject: RCPT from 1-1-4-21a.gka.gbg[172.16.108.180]: 450 <[EMAIL PROTECTED]>: Recipient address rejected: Gre helo=<1-1-4-21a.gka.gbg >
** Alert 1157453980.455791: mail
2006 Sep 05 13:59:40 (Web) 195.X.X.X->WinEvtLog
Rule: 18153 (level 10) -> 'Multiple Windows audit failure events.'
Src IP: (none)
User: SYSTEM
WinEvtLog: Security: AUDIT_FAILURE(529): Security: SYSTEM: NT AUTHORITY: X: Logon Failure: Reason: Unknown user name or bad password User Name: X Domain: X Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: X
WinEvtLog: Security: AUDIT_FAILURE(681): Security: SYSTEM: NT AUTHORITY: X: The logon to account: X by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: X failed. The error code was: 3221225572
** Alert 1157450401.442293: mail
2006 Sep 05 13:00:01 (Web) 195.X.X.X->syscheck
Rule: 13 (level 8) -> 'Integrity checksum of file 'C:\Program Files/Microsoft SQL Server/MSSQL/Data/X.mdf' has changed.'
Src IP: (none)
User: (none)
Integrity checksum changed for: 'C:\Program Files/Microsoft SQL Server/MSSQL/Data/X.mdf'
Size changed from '112132096' to '135725056'
** Alert 1157448825.440232: mail
2006 Sep 05 12:33:45 (SERVER2) 195.X.X.X->syscheck
Rule: 13 (level 8) -> 'Integrity checksum of file 'C:\WINNT/Debug/PASSWD.LOG' has changed.'
Src IP: (none)
User: (none)
Integrity checksum changed for: 'C:\WINNT/Debug/PASSWD.LOG'
Size changed from '12460' to '12638'
Old md5sum was: '7815a64d079991d60aeba658be961633'
New md5sum is : 'e58818dd1f1155053a4616e1884dc554'
Old sha1sum was: '9df84637f4d746899cbd80bafcc2e37fc7066bdf'
New sha1sum is : '0d5b6ccabe9ae1d37ed0c4dad72f61e816620e47'
** Alert 1158059536.19220030: nomail
2006 Sep 12 11:12:16 92382-borch1 -> 10.116.16.32
Rule: 5109 (level 4) -> 'Kernel Input/Output error'
Src IP: ( 0.0.0.0)
User: (none)
kernel: end_request: I/O error, dev sdd, sector 805583239
---file ends here --
Copy all the lines between the --- lines.
On 9/14/06, Leonardo Goldim <[EMAIL PROTECTED]> wrote:
Hi, I finished importing my logs to BASE and see that the dstip is
always the server IP or 127.0.0.1 ... shouldn't the other machine's
IP appear too?
And the signatures always appear as numbers (1, 4, 2, 3), not text
like before the upgrade ...
--
________________________________________
Leonardo Goldim - Auditoria Intranetworks
[EMAIL PROTECTED]
Intranetworks
Rua Marquês do Pombal 1710/805
Porto Alegre - RS - 90540-000
+55 51 3325-5700
+55 51 8415-8604
Leonardo Goldim wrote:
>
> Very good ... now the IPs are OK ... perfect ...
> But the signature column shows just a number, not the text ... is it
> a problem with the DB?
>
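
As an added example (not part of the original messages, and not OSSEC's own code), here is a small parser for the alert layout in the sample file above, inferred only from those lines. It shows what each alert text itself carries: a numeric rule id, a level, a text description and a source IP, with no destination IP field. The key names (`host`, `source`, `srcip`, `log`) and function names are assumptions made for this sketch.

```python
import re

HEADER = re.compile(r"^\*\* Alert (\d+\.\d+):\s*(.*)$")
LOCATION = re.compile(r"^(\d{4} \w{3} \d{2} [\d:]{8}) (.+?)\s*->\s*(.+)$")
# Greedy (.*) keeps quotes nested in the description, e.g. a quoted file path.
RULE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$")
FIELD = re.compile(r"^(Src IP|User): (.*)$")
KEYS = {"Src IP": "srcip", "User": "user"}  # key names are this sketch's choice

def _value(raw):
    """'(none)' -> None, '( 0.0.0.0)' -> '0.0.0.0', 'SYSTEM' -> 'SYSTEM'."""
    v = raw.strip().strip("()").strip()
    return None if v in ("", "none") else v

def parse_alerts(text):
    """Split an alert log into dicts; lines that match no field stay in 'log'."""
    alerts, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"id": m.group(1), "groups": m.group(2).split(), "log": []}
            alerts.append(cur)
        elif cur is None:
            continue  # anything before the first "** Alert" header
        elif "time" not in cur and (m := LOCATION.match(line)):
            cur.update(time=m.group(1), host=m.group(2), source=m.group(3))
        elif "rule" not in cur and (m := RULE.match(line)):
            cur.update(rule=int(m.group(1)), level=int(m.group(2)),
                       description=m.group(3))
        elif (m := FIELD.match(line)) and KEYS[m.group(1)] not in cur:
            cur[KEYS[m.group(1)]] = _value(m.group(2))
        else:
            cur["log"].append(line)  # raw event text, kept verbatim
    return alerts

# Constructed sample: two alerts taken from the file quoted in this thread.
SAMPLE = r"""** Alert 1157448825.440232: mail
2006 Sep 05 12:33:45 (SERVER2) 195.X.X.X->syscheck
Rule: 13 (level 8) -> 'Integrity checksum of file 'C:\WINNT/Debug/PASSWD.LOG' has changed.'
Src IP: (none)
User: (none)
Integrity checksum changed for: 'C:\WINNT/Debug/PASSWD.LOG'
** Alert 1158059536.19220030: nomail
2006 Sep 12 11:12:16 92382-borch1 -> 10.116.16.32
Rule: 5109 (level 4) -> 'Kernel Input/Output error'
Src IP: ( 0.0.0.0)
User: (none)
kernel: end_request: I/O error, dev sdd, sector 805583239
"""
```

Calling `parse_alerts(SAMPLE)` returns one dict per alert, with the rule number as an integer next to its description string.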
