On Thu, Jan 21, 2010 at 11:14 AM, Dennis Golden <[email protected]> wrote:
> I have discovered a serious problem with the subject rules. Here is the result
> running ossec-logtest:
>
> --
> Dennis Golden
>
> 2010/01/21 09:49:16 ossec-testrule: INFO: Started (pid: 20196).
> ossec-testrule: Type one log per line.
>
> **Phase 1: Completed pre-decoding.
> full event: 'Jan 20 21:45:23 dg-linux2 sshd[29397]: reverse mapping checking getaddrinfo for 115.118.6.19.static-ttsl-hyderabad.vsnl.net.in [115.118.6.19] failed - POSSIBLE BREAK-IN ATTEMPT!'
> hostname: 'dg-linux2'
> program_name: 'sshd'
> log: 'reverse mapping checking getaddrinfo for 115.118.6.19.static-ttsl-hyderabad.vsnl.net.in [115.118.6.19] failed - POSSIBLE BREAK-IN ATTEMPT!'
>
> **Phase 2: Completed decoding.
> decoder: 'sshd'
> srcip: '115.118.6.19.static-ttsl-hyderabad.vsnl.net.in'
>
> **Phase 3: Completed filtering (rules).
> Rule id: '5702'
> Level: '5'
> Description: 'Reverse lookup error (bad ISP or attack).'
> **Alert to be generated.
>
> Needless to say that if active response tries to use the address that has
> already failed, it will also fail; therefore, the attack can continue forever.
>
> Dennis
> --
> Golden Consulting Services, Inc.
Strangely, I've found at least 3 variations on this log event (including yours). Out of curiosity, what OS or distribution are you running?
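As an added example (not code from this thread or from OSSEC itself), the Python below decodes the sshd reverse-mapping line quoted above the way active response needs it: it prefers the bracketed address and only ever reports a srcip that actually parses as an IP address, so a hostname like the one in Dennis's output can never be handed to the block script. The pattern REVERSE_MAP_RE, the sample lines and the bracket-less variant are my assumptions, modelled on the event in the thread.

```python
import ipaddress
import re
from typing import Optional

# Constructed sample, modelled on the full event quoted in the thread.
SAMPLE = ("Jan 20 21:45:23 dg-linux2 sshd[29397]: reverse mapping checking "
          "getaddrinfo for 115.118.6.19.static-ttsl-hyderabad.vsnl.net.in "
          "[115.118.6.19] failed - POSSIBLE BREAK-IN ATTEMPT!")

# The hostname after "for" may itself begin with an IP-looking label, which is
# exactly what trips a decoder that grabs the first token. The bracketed
# address is optional here because not every sshd version emits it (assumption).
REVERSE_MAP_RE = re.compile(
    r"reverse mapping checking getaddrinfo for (?P<host>\S+)"
    r"(?: \[(?P<addr>[^\]]+)\])? failed"
)


def decode_reverse_mapping(log: str) -> Optional[dict]:
    """Return {'host': ..., 'srcip': ...} or None if the line does not match.

    srcip is only set from a field that parses as a real IPv4/IPv6 address;
    the looked-up hostname is never used as an address.
    """
    m = REVERSE_MAP_RE.search(log)
    if not m:
        return None
    host = m.group("host")
    srcip = None
    # Prefer the bracketed address; fall back to the host field only if it
    # is itself a bare IP (some resolvers return the address unchanged).
    for candidate in (m.group("addr"), host):
        if candidate is None:
            continue
        try:
            srcip = str(ipaddress.ip_address(candidate))
            break
        except ValueError:
            continue
    return {"host": host, "srcip": srcip}


def active_response_target(log: str) -> Optional[str]:
    """Address a firewall-drop response may act on, or None if unsafe."""
    decoded = decode_reverse_mapping(log)
    return decoded["srcip"] if decoded else None
```

A decoder that returns None for srcip here should still raise the alert; it just should not trigger an address-based response on an unusable value.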
