I have discovered a serious problem with the subject rules. Here is the result of
running ossec-logtest:
--
Dennis Golden
2010/01/21 09:49:16 ossec-testrule: INFO: Started (pid: 20196).
ossec-testrule: Type one log per line.
**Phase 1: Completed pre-decoding.
full event: 'Jan 20 21:45:23 dg-linux2 sshd[29397]: reverse mapping checking getaddrinfo for 115.118.6.19.static-ttsl-hyderabad.vsnl.net.in [115.118.6.19] failed - POSSIBLE BREAK-IN ATTEMPT!'
hostname: 'dg-linux2'
program_name: 'sshd'
log: 'reverse mapping checking getaddrinfo for 115.118.6.19.static-ttsl-hyderabad.vsnl.net.in [115.118.6.19] failed - POSSIBLE BREAK-IN ATTEMPT!'
**Phase 2: Completed decoding.
decoder: 'sshd'
srcip: '115.118.6.19.static-ttsl-hyderabad.vsnl.net.in'
**Phase 3: Completed filtering (rules).
Rule id: '5702'
Level: '5'
Description: 'Reverse lookup error (bad ISP or attack).'
**Alert to be generated.
Needless to say, if active response tries to use the address that has
already failed, it will also fail; therefore, the attack can continue forever.
Dennis
--
Golden Consulting Services, Inc.
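The decoding problem shown in the ossec-logtest output above, reproduced as an added Python example. This is not OSSEC's own decoder code and the two regular expressions are assumptions for illustration only: NAIVE_RE mimics the observed behaviour (the unresolvable hostname after "getaddrinfo for" lands in srcip), while ROBUST_RE takes the bracketed address that sshd prints after the hostname, and active_response_target() additionally refuses anything that is not a syntactically valid IP literal before it could be handed to an active response script. The sample log lines are constructed; the first one is the line quoted in the post.

```python
import ipaddress
import re

# Constructed sample syslog lines for this example (not captured traffic);
# the first one reproduces the line quoted in the post.
SAMPLE_LOGS = [
    "Jan 20 21:45:23 dg-linux2 sshd[29397]: reverse mapping checking getaddrinfo for "
    "115.118.6.19.static-ttsl-hyderabad.vsnl.net.in [115.118.6.19] failed - POSSIBLE BREAK-IN ATTEMPT!",
    "Jan 20 21:46:01 dg-linux2 sshd[29401]: reverse mapping checking getaddrinfo for "
    "host.example.net [2001:db8::1] failed - POSSIBLE BREAK-IN ATTEMPT!",
    "Jan 20 21:47:10 dg-linux2 sshd[29405]: Failed password for invalid user admin "
    "from 203.0.113.7 port 4321 ssh2",
]

# Phase 1: split the syslog header off the message body. A simplified
# stand-in for ossec-logtest's pre-decoding, not OSSEC's own code.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<hostname>\S+) "
    r"(?P<program_name>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<log>.*)$"
)

# Phase 2, two ways (both patterns are assumptions for this example).
# NAIVE_RE mimics the behaviour seen in the post: the first token after
# "getaddrinfo for" (the hostname that failed to resolve) becomes srcip.
# ROBUST_RE takes the bracketed address sshd prints after the hostname.
NAIVE_RE = re.compile(r"^reverse mapping checking getaddrinfo for (\S+) ")
ROBUST_RE = re.compile(
    r"^reverse mapping checking getaddrinfo for \S+ \[([^\]]+)\] failed"
)


def pre_decode(line):
    """Return the syslog fields of one line, or None if it is not syslog-shaped."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def decode_srcip(log, pattern):
    """Extract srcip from the sshd message body using the given pattern."""
    m = pattern.match(log)
    return m.group(1) if m else None


def active_response_target(line):
    """Address an active response (e.g. firewall-drop) may act on, or None.

    Only a syntactically valid IPv4/IPv6 literal is returned, so a hostname,
    an empty bracket or a hostile string never reaches the firewall script.
    """
    fields = pre_decode(line)
    if not fields or fields["program_name"] != "sshd":
        return None
    candidate = decode_srcip(fields["log"], ROBUST_RE)
    if candidate is None:
        return None
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        fields = pre_decode(line)
        print("log:", fields["log"])
        print("  naive srcip :", decode_srcip(fields["log"], NAIVE_RE))
        print("  robust srcip:", decode_srcip(fields["log"], ROBUST_RE))
        print("  AR target   :", active_response_target(line))
```

Running the block over the first sample shows the two outcomes side by side: the naive pattern yields the hostname that already failed to resolve (the value the post shows under srcip), while the bracketed-address pattern yields 115.118.6.19, which is what an active response needs in order to block the peer. The ipaddress check is the part worth keeping whatever decoder is in use: an active response that shells out to a firewall command must never receive a field that is merely "whatever followed the keyword".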