dan (ddp) wrote:

> On Thu, Jan 21, 2010 at 11:14 AM, Dennis Golden <[email protected]> wrote:
>> I have discovered a serious problem with the subject rules. Here is the
>> result of running ossec-logtest:
>>
>> --
>> Dennis Golden
>>
>> 2010/01/21 09:49:16 ossec-testrule: INFO: Started (pid: 20196).
>> ossec-testrule: Type one log per line.
>>
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: 'Jan 20 21:45:23 dg-linux2 sshd[29397]: reverse mapping checking getaddrinfo for 115.118.6.19.static-ttsl-hyderabad.vsnl.net.in [115.118.6.19] failed - POSSIBLE BREAK-IN ATTEMPT!'
>>        hostname: 'dg-linux2'
>>        program_name: 'sshd'
>>        log: 'reverse mapping checking getaddrinfo for 115.118.6.19.static-ttsl-hyderabad.vsnl.net.in [115.118.6.19] failed - POSSIBLE BREAK-IN ATTEMPT!'
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'sshd'
>>        srcip: '115.118.6.19.static-ttsl-hyderabad.vsnl.net.in'
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '5702'
>>        Level: '5'
>>        Description: 'Reverse lookup error (bad ISP or attack).'
>> **Alert to be generated.
>>
>> Needless to say, if active response tries to use the address that has
>> already failed, it will also fail; therefore the attack can continue forever.
>>
>> Dennis
>> --
>> Golden Consulting Services, Inc.
>>
>
> Strangely, I've found at least 3 variations on this log event (including
> yours).
> Out of curiosity, what OS or distribution are you running?
>
This is openSUSE 11.0. I've modified it to work here, but it won't work for
messages that are in the format you have in the example.

Regards,
Dennis
--
Dennis Golden
Golden Consulting Services, Inc.
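The decoding problem in the thread, shown as an added example (my code, not OSSEC's decoder or anything Dennis or dan posted): the ossec-logtest output above has the sshd decoder filling srcip with the first token after "for", which on this message is the reverse-mapped hostname rather than the bracketed address, so any active response keyed on srcip gets a name it cannot block. The script below mimics the three logtest phases in plain Python regexes, contrasts the naive capture with one that only ever captures a literal address, and gates active response on the value actually parsing as an IP. The first sample line is Dennis's event; the other two are constructed here in the wording OpenSSH uses for the same reverse-DNS check, standing in for the variations dan mentions (the thread does not show his exact lines). The function names and the `is_blockable` policy are my own assumptions, not OSSEC behaviour.

```python
import ipaddress
import re

# Constructed sample events. [0] is the line from Dennis's ossec-logtest run;
# [1] and [2] are constructed in OpenSSH's wording for the same check and are
# NOT the variants dan found (those are not shown in the thread).
SAMPLE_LOGS = [
    "Jan 20 21:45:23 dg-linux2 sshd[29397]: reverse mapping checking getaddrinfo for "
    "115.118.6.19.static-ttsl-hyderabad.vsnl.net.in [115.118.6.19] failed - POSSIBLE BREAK-IN ATTEMPT!",
    "Jan 21 03:12:07 dg-linux2 sshd[30102]: reverse mapping checking getaddrinfo for "
    "host.example.net failed - POSSIBLE BREAK-IN ATTEMPT!",
    "Jan 21 04:40:51 dg-linux2 sshd[30311]: Address 192.0.2.77 maps to host.example.net, "
    "but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!",
]

# Phase 1 equivalent: split the syslog header from the program message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Naive srcip extraction: first token after "for ". This reproduces what the
# logtest output in the thread shows: the hostname lands in srcip.
NAIVE_RE = re.compile(r"reverse mapping checking getaddrinfo for (?P<srcip>\S+)")

# Fixed extraction: capture only where sshd prints a literal address. A line
# that carries no literal address yields no srcip rather than a hostname.
FIXED_RES = (
    re.compile(r"reverse mapping checking getaddrinfo for \S+ \[(?P<srcip>[0-9A-Fa-f.:]+)\] failed"),
    re.compile(r"^Address (?P<srcip>[0-9A-Fa-f.:]+) maps to \S+, but this does not map back"),
)


def pre_decode(line):
    """Phase 1: return the syslog fields of a line, or None if it is not syslog."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def decode_naive(line):
    """Phase 2 as the thread observed it: srcip = first token after 'for'."""
    parts = pre_decode(line)
    if parts is None or parts["prog"] != "sshd":
        return None
    m = NAIVE_RE.search(parts["msg"])
    return m.group("srcip") if m else None


def decode_fixed(line):
    """Phase 2 with address-only captures: srcip is a literal address or None."""
    parts = pre_decode(line)
    if parts is None or parts["prog"] != "sshd":
        return None
    for rx in FIXED_RES:
        m = rx.search(parts["msg"])
        if m:
            return m.group("srcip")
    return None


def is_blockable(srcip):
    """Assumed gate before active response (my policy, not OSSEC's): the value
    must parse as a literal IP and not be loopback, unspecified or multicast.
    A hostname or None is rejected so a firewall-drop is never handed a name."""
    if not srcip:
        return False
    try:
        addr = ipaddress.ip_address(srcip)
    except ValueError:
        return False
    return not (addr.is_loopback or addr.is_unspecified or addr.is_multicast)


def triage(line, decoder=decode_fixed):
    """Phase 3 stand-in: what srcip a decoder yields and whether it may be acted on."""
    srcip = decoder(line)
    return {"srcip": srcip, "active_response": is_blockable(srcip)}


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print("naive:", triage(line, decode_naive))
        print("fixed:", triage(line))
```

Run it and the first line shows the two behaviours side by side: the naive decoder returns the vsnl.net.in hostname and the gate refuses to act on it, while the fixed decoder returns 115.118.6.19. The second line has no literal address at all, so the fixed decoder deliberately returns nothing rather than a name; a rule that wants to block on that variant has no address to block and should say so instead of failing silently in the responder.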
