Hello,
I have just started testing OSSEC for my work environment and I am
trying to ignore our vulnerability scanner. Unfortunately, I am still
getting alerts regarding this host. Below is the rule I am using in
local_rules.xml and the logs I am monitoring in ossec.conf, then the
entries in alerts.log and the actual log messages from syslog.
It looks like the decoder is not getting the srcip from the message.
Am I missing something?
Thanks in advance.
Mark
conf files --
local_rules.xml
<group name="local">
  <!-- Level 0 silences the event; <srcip> compares against the srcip field the decoder extracted -->
  <rule id="100101" level="0">
    <srcip>10.100.25.188</srcip>
    <description>Ignoring Vulnerability Scanner</description>
  </rule>
</group>
ossec.conf
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/messages</location>
</localfile>
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/maint.log</location>
</localfile>
<localfile>
  <log_format>syslog</log_format>
  <location>/var/log/mail.info</location>
</localfile>
<localfile>
  <log_format>apache</log_format>
  <location>/usr/local/httpd/logs/error_log</location>
</localfile>
<localfile>
  <log_format>apache</log_format>
  <location>/usr/local/httpd/logs/access_log</location>
</localfile>
---
alerts.log
** Alert 1196343759.233092: - syslog,sshd,recon,
2007 Nov 29 08:42:39 server-ws03->/var/log/messages
Rule: 5706 (level 6) -> 'SSH insecure connection attempt (scan).'
Src IP: (none)
User: (none)
Nov 29 08:42:39 server-ws03 sshd[5035]: Did not receive identification string from 10.100.25.188
** Alert 1196343761.233390: mail - syslog,sshd,
2007 Nov 29 08:42:41 server-ws03->/var/log/messages
Rule: 5701 (level 8) -> 'Possible attack on the ssh server (or version gathering).'
Src IP: (none)
User: (none)
Nov 29 08:42:39 server-ws03 sshd[5036]: Bad protocol version identification 'QUIT' from 10.100.25.188
---
syslog message
Nov 29 08:42:39 server-ws03 sshd[5035]: Did not receive identification string from 10.100.25.188
Nov 29 08:42:39 server-ws03 sshd[5036]: Bad protocol version identification 'QUIT' from 10.100.25.188
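The "Src IP: (none)" lines in the alerts are the whole story: a level-0 rule that carries only a `<srcip>` condition can never fire unless some decoder has already filled the srcip field for that event. The script below is an added illustration, not OSSEC code and not from the original post. It re-implements the relevant slice of the decoder/rule pipeline in Python over the two syslog lines quoted above (plus one constructed line from a different address as a negative case) and runs it twice: once with no sshd child decoders, which reproduces the "(none)" result and a rule that never matches, and once with two hypothetical child decoders written in the prematch/regex/order style OSSEC uses, after which the srcip field is populated and the ignore rule matches only the scanner's address. The decoder definitions, the regexes, the `SCANNER_IPS` set and the function names are all assumptions made for this example.

```python
import re

# Constructed sample input: the two lines quoted in the post plus one from a
# different address so the ignore rule has a negative case.
SAMPLE_LOG = [
    "Nov 29 08:42:39 server-ws03 sshd[5035]: Did not receive identification string from 10.100.25.188",
    "Nov 29 08:42:39 server-ws03 sshd[5036]: Bad protocol version identification 'QUIT' from 10.100.25.188",
    "Nov 29 08:43:02 server-ws03 sshd[5040]: Did not receive identification string from 192.0.2.77",
]

# Syslog header: timestamp, hostname, program name, optional pid, then the message body.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Hypothetical child decoders for the sshd program, written as
# (prematch, regex, field order) to mirror the OSSEC decoder scheme.
# These are assumptions for the example; without an entry here srcip stays
# empty and a rule keyed on <srcip> cannot fire.
SSHD_CHILD_DECODERS = [
    ("Did not receive identification string from ",
     r"^Did not receive identification string from (\S+)$", ("srcip",)),
    ("Bad protocol version identification ",
     r"^Bad protocol version identification '[^']*' from (\S+)$", ("srcip",)),
]

SCANNER_IPS = {"10.100.25.188"}  # the address the level-0 rule is meant to ignore


def decode(line, child_decoders):
    """Return the decoded event fields; srcip is set only when a child decoder matches."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    event = {"hostname": m.group("host"), "program_name": m.group("prog"),
             "log": m.group("msg"), "srcip": None}
    if event["program_name"] == "sshd":
        for prematch, regex, order in child_decoders:
            if event["log"].startswith(prematch):      # prematch gates the regex
                mm = re.match(regex, event["log"])
                if mm:
                    event.update(zip(order, mm.groups()))  # <order> names the captures
                break
    return event


def ignore_rule_matches(event):
    """Equivalent of a level-0 rule carrying only <srcip>: no srcip field, no match."""
    return event["srcip"] is not None and event["srcip"] in SCANNER_IPS


def run(lines, child_decoders):
    """Map each line to (srcip, ignored) so the two decoder setups can be compared."""
    out = []
    for line in lines:
        ev = decode(line, child_decoders)
        out.append((ev["srcip"], ignore_rule_matches(ev)))
    return out


if __name__ == "__main__":
    print("no child decoders:  ", run(SAMPLE_LOG, []))
    print("with child decoders:", run(SAMPLE_LOG, SSHD_CHILD_DECODERS))
```

The practical consequence for OSSEC is that either the sshd decoder needs a child decoder that extracts the address from these two message formats (the usual place for that is the decoder configuration, not local_rules.xml), or the ignore rule has to key on something the event already has, such as `<match>` on the log text combined with `<if_sid>` for rules 5701 and 5706. Whichever route is taken, the alert's "Src IP:" line is the quickest check that the srcip field is actually being populated before the rule is evaluated.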