--[ UxBoD ]-- wrote:

> ----- "Dennis Golden" <[email protected]> wrote:
>
>> I have discovered a serious problem with the subject rules. Here is the result
>> running ossec-logtest:
>>
>> --
>> Dennis Golden
>>
>> 2010/01/21 09:49:16 ossec-testrule: INFO: Started (pid: 20196).
>> ossec-testrule: Type one log per line.
>>
>>
>> **Phase 1: Completed pre-decoding.
>>        full event: 'Jan 20 21:45:23 dg-linux2 sshd[29397]: reverse mapping checking getaddrinfo for 115.118.6.19.static-ttsl-hyderabad.vsnl.net.in [115.118.6.19] failed - POSSIBLE BREAK-IN ATTEMPT!'
>>        hostname: 'dg-linux2'
>>        program_name: 'sshd'
>>        log: 'reverse mapping checking getaddrinfo for 115.118.6.19.static-ttsl-hyderabad.vsnl.net.in [115.118.6.19] failed - POSSIBLE BREAK-IN ATTEMPT!'
>>
>> **Phase 2: Completed decoding.
>>        decoder: 'sshd'
>>        srcip: '115.118.6.19.static-ttsl-hyderabad.vsnl.net.in'
>>
>> **Phase 3: Completed filtering (rules).
>>        Rule id: '5702'
>>        Level: '5'
>>        Description: 'Reverse lookup error (bad ISP or attack).'
>> **Alert to be generated.
>>
>> Needless to say that if active response tries to use the address that has
>> already failed it will also fail; therefore, the attack can continue forever.
>>
>> Dennis
>
> I was under the impression that for Active Response you should disable the
> DNS lookup in sshd_config.

I'll have to look into that.

Regards,

Dennis

--
Dennis Golden
Golden Consulting Services, Inc.
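As an added illustration of the decoding problem discussed in this thread (example code written for this page, not part of the thread and not OSSEC's own decoder): a small Python decoder that, for the sshd "reverse mapping checking getaddrinfo" event, takes the literal address in square brackets as srcip instead of the hostname, and a check that an active-response target is a usable IP address. The regular expression and field names are assumptions for the example.

```python
import ipaddress
import re
from typing import Optional

# Constructed sample event, modelled on the one shown in the thread above.
SAMPLE_EVENT = (
    "Jan 20 21:45:23 dg-linux2 sshd[29397]: reverse mapping checking "
    "getaddrinfo for 115.118.6.19.static-ttsl-hyderabad.vsnl.net.in "
    "[115.118.6.19] failed - POSSIBLE BREAK-IN ATTEMPT!"
)

# Hypothetical pattern (not OSSEC's): the hostname sshd tried to verify
# and the literal peer address it printed in brackets are captured separately.
REVERSE_MAPPING_RE = re.compile(
    r"reverse mapping checking getaddrinfo for (?P<host>\S+) "
    r"\[(?P<addr>[^\]]+)\] failed"
)


def decode_naive(log: str) -> Optional[dict]:
    """Reproduces the behaviour seen in ossec-logtest above: the first token
    after 'getaddrinfo for' (the hostname) ends up in srcip."""
    m = re.search(r"getaddrinfo for (\S+)", log)
    return {"decoder": "sshd", "srcip": m.group(1)} if m else None


def decode_reverse_mapping(log: str) -> Optional[dict]:
    """Decoder that keeps the hostname for reference but sets srcip to the
    bracketed literal address, which is what a firewall rule needs."""
    m = REVERSE_MAPPING_RE.search(log)
    if not m:
        return None
    return {"decoder": "sshd", "srchost": m.group("host"), "srcip": m.group("addr")}


def usable_for_active_response(srcip: str) -> bool:
    """An active response must block a literal IP; a name whose resolution
    already failed cannot be resolved again at block time."""
    try:
        ipaddress.ip_address(srcip)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for decoder in (decode_naive, decode_reverse_mapping):
        fields = decoder(SAMPLE_EVENT)
        print(decoder.__name__, fields["srcip"], usable_for_active_response(fields["srcip"]))
```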
