I'm new at OSSEC and am currently evaluating it for use on my
network. I am continually getting emails (ips and names purposefully
munged):
==========================================================
OSSEC HIDS Notification.
2006 Oct 11 14:40:34
Received From: (client1) 1.1.1.2->/var/log/secure
Rule: 5701 fired (level 12) -> "Possible attack on the ssh server (or
version gathering)"
Portion of the log(s):
sshd[3822]: Bad protocol version identification
'Big-Brother-Monitor-1.9e'
from ::ffff:1.1.1.1
==========================================================
Note that the IP is in IPv6 format. I put in:
==========================================================
<group name="local_rules">
<rule id="100002" level="0">
<if_sid>5701</if_sid>
<srcip>1.1.1.1</srcip>
<description>Ignore BigBrother ssh connections</description>
</rule>
</group>
==========================================================
Into my local rules. I still get the email. If I change the IP
to the IPv6 address, OSSEC won't restart because the IP is in the wrong
format.
Can anyone tell me how to stop OSSEC from telling me that
BigBrother is just doing its job?
Eric Stewart - Network Admin, USF Tampa Library - [EMAIL PROTECTED]
Given a problem to solve or an intriguing thread to follow from moment
to moment, that sort of geek will focus so sharply that they
forget to eat when hungry. - Feen, Benjy: Origins of Sysadmins
http://www.monkeybagel.com/sysadmin.html
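The mismatch described in the post is between the literal address OSSEC is asked to match (1.1.1.1) and the address sshd actually logs (::ffff:1.1.1.1, the IPv4-mapped IPv6 form of the same host). The following is an added example, not code from the post and not part of OSSEC: it extracts the source address from constructed sshd lines modelled on the quoted message, shows that a literal comparison fails, and then normalizes IPv4-mapped addresses to plain IPv4 before checking an allowlist, which is the check a suppression rule for a known monitor needs. The allowlist, the sample lines and the function names are all assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample log lines modelled on the sshd message quoted in the
# post; the addresses are documentation/munged values, not real traffic.
SAMPLE_LOGS = [
    "sshd[3822]: Bad protocol version identification 'Big-Brother-Monitor-1.9e' from ::ffff:1.1.1.1",
    "sshd[3901]: Bad protocol version identification 'SSH-1.99-probe' from ::ffff:203.0.113.9",
    "sshd[4010]: Bad protocol version identification 'Big-Brother-Monitor-1.9e' from 1.1.1.1",
]

# Hosts whose version probes are expected (assumed allowlist for the example).
KNOWN_MONITORS = ["1.1.1.1"]

# The address is the last token after "from"; accept IPv4, IPv6 and mapped forms.
ADDR_RE = re.compile(r"\bfrom\s+(?P<addr>[0-9A-Fa-f:.]+)\s*$")


def extract_source(line):
    """Return the source address string from an sshd line, or None."""
    m = ADDR_RE.search(line)
    return m.group("addr") if m else None


def normalize_address(addr):
    """Collapse an IPv4-mapped IPv6 address (::ffff:a.b.c.d) to a.b.c.d.

    Any other address is returned in its canonical string form, so that
    '::FFFF:1.1.1.1', '::ffff:1.1.1.1' and '1.1.1.1' all compare equal.
    Raises ValueError for strings that are not addresses at all.
    """
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return str(ip.ipv4_mapped)
    return str(ip)


def naive_match(line, allowlist):
    """Literal comparison: what a rule keyed on the string 1.1.1.1 sees."""
    return extract_source(line) in allowlist


def should_suppress(line, allowlist):
    """True when the line's source, after normalization, is an allowed monitor."""
    src = extract_source(line)
    if src is None:
        return False
    try:
        allowed = {normalize_address(a) for a in allowlist}
        return normalize_address(src) in allowed
    except ValueError:
        # A malformed address must never be silently ignored.
        return False


def triage(lines, allowlist):
    """Pair each line with the decision; lines marked False still warrant an alert."""
    return [(line, should_suppress(line, allowlist)) for line in lines]


if __name__ == "__main__":
    for line, suppressed in triage(SAMPLE_LOGS, KNOWN_MONITORS):
        print("suppress" if suppressed else "ALERT   ", "|", line)
```

The unknown 203.0.113.9 probe still alerts, while both spellings of the monitor's address are suppressed; the point is that the comparison has to happen on a normalized address rather than on the raw text sshd wrote.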