Hi, I had this rule fire yesterday:

OSSEC HIDS Notification.
2006 Oct 09 19:00:05

Received From: shax->/var/log/auth.log
Rule: 40601 fired (level 10) -> "Network scan from same source ip."
Portion of the log(s):

sshd[21006]: Accepted publickey for sioban from 10.10.12.15 port 58066 ssh2
sshd[20946]: Accepted publickey for sioban from 10.10.12.15 port 58065 ssh2
sshd[20939]: Accepted publickey for sioban from 10.10.12.15 port 58064 ssh2
sshd[20932]: Accepted publickey for sioban from 10.10.12.15 port 58063 ssh2
sshd[20925]: Accepted publickey for sioban from 10.10.12.15 port 58062 ssh2
sshd[20918]: Accepted publickey for sioban from 10.10.12.15 port 58061 ssh2
sshd[20911]: Accepted publickey for sioban from 10.10.12.15 port 58060 ssh2
sshd[20904]: Accepted publickey for sioban from 10.10.12.15 port 58059 ssh2
sshd[20897]: Accepted publickey for sioban from 10.10.12.15 port 58058 ssh2
sshd[20890]: Accepted publickey for sioban from 10.10.12.15 port 58057 ssh2



 --END OF NOTIFICATION

Happily it was on my whitelist, but I think that an exception should be made here :D

Bye,

Sioban
