----- "Dennis Golden" <[email protected]> wrote:
> I have discovered a serious problem with the subject rules. Here is
> the result running ossec-logtest:
>
> --
> Dennis Golden
>
> 2010/01/21 09:49:16 ossec-testrule: INFO: Started (pid: 20196).
> ossec-testrule: Type one log per line.
>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Jan 20 21:45:23 dg-linux2 sshd[29397]: reverse mapping checking getaddrinfo for 115.118.6.19.static-ttsl-hyderabad.vsnl.net.in [115.118.6.19] failed - POSSIBLE BREAK-IN ATTEMPT!'
>        hostname: 'dg-linux2'
>        program_name: 'sshd'
>        log: 'reverse mapping checking getaddrinfo for 115.118.6.19.static-ttsl-hyderabad.vsnl.net.in [115.118.6.19] failed - POSSIBLE BREAK-IN ATTEMPT!'
>
> **Phase 2: Completed decoding.
>        decoder: 'sshd'
>        srcip: '115.118.6.19.static-ttsl-hyderabad.vsnl.net.in'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '5702'
>        Level: '5'
>        Description: 'Reverse lookup error (bad ISP or attack).'
> **Alert to be generated.
>
> Needless to say that if active response tries to use the address that has
> already failed it will also fail; therefore, the attack can continue
> forever.
>
> Dennis

I was under the impression that for Active Response you should disable the DNS lookup in sshd_config.

--
Thanks,
Phil
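The decoding problem Dennis shows (the reverse-DNS name landing in `srcip` instead of the bracketed address) can be reproduced and corrected with a small stand-alone decoder. This is an added example written for this thread, not OSSEC's own decoder code; the sample line is constructed to match the message quoted above, and the `naive_srcip` / `fixed_srcip` function names are assumptions.

```python
import ipaddress
import re

# Constructed sample line, modelled on the sshd message quoted in the thread.
SAMPLE_LINE = ("Jan 20 21:45:23 dg-linux2 sshd[29397]: reverse mapping checking "
               "getaddrinfo for 115.118.6.19.static-ttsl-hyderabad.vsnl.net.in "
               "[115.118.6.19] failed - POSSIBLE BREAK-IN ATTEMPT!")

# Phase 1 equivalent: timestamp, hostname, program_name[pid]: log
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[\s:]+)(?:\[\d+\])?: (?P<msg>.*)$")

# Phase 2 equivalent for the reverse-mapping message: name, then [address]
REVERSE_MAP_RE = re.compile(
    r"^reverse mapping checking getaddrinfo for (?P<name>\S+) "
    r"\[(?P<ip>[^\]]+)\] failed")

def predecode(line):
    """Split a syslog line into hostname, program_name and log."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return {"hostname": m.group("host"), "program_name": m.group("prog"),
            "log": m.group("msg")}

def naive_srcip(log):
    """Reproduces the reported behaviour: the first token after 'for' is taken
    as srcip, which for this message is the reverse-DNS name, not the address."""
    m = re.search(r"getaddrinfo for (\S+)", log)
    return m.group(1) if m else None

def fixed_srcip(log):
    """Take the bracketed address instead, and accept it only if it parses as
    an IP literal, so active response always receives an address it can act on."""
    m = REVERSE_MAP_RE.match(log)
    if not m:
        return None
    try:
        return str(ipaddress.ip_address(m.group("ip")))
    except ValueError:
        return None

def decode(line):
    """Phase 1 + phase 2 for sshd lines; returns None for anything else."""
    fields = predecode(line)
    if not fields or fields["program_name"] != "sshd":
        return None
    fields["srcip"] = fixed_srcip(fields["log"])
    return fields
```

Running `decode(SAMPLE_LINE)` yields `srcip` of `115.118.6.19`, whereas `naive_srcip` returns the hostname that the thread shows ossec-logtest producing.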
