Greetings: How can rule 5703 be adjusted to be more meaningful?
Current rule 5703 output:

Received From: host) [ip]->/var/log/secure
Rule: 5703 fired (level 10) -> "Possible breakin attempt (high number of reverse lookup errors)."
Portion of the log(s):

Jan 24 20:32:18 vps sshd[30002]: reverse mapping checking getaddrinfo for . failed - POSSIBLE BREAK-IN ATTEMPT!
Jan 24 20:32:18 vps sshd[30001]: reverse mapping checking getaddrinfo for . failed - POSSIBLE BREAK-IN ATTEMPT!
Jan 24 20:32:17 vps sshd[29998]: reverse mapping checking getaddrinfo for . failed - POSSIBLE BREAK-IN ATTEMPT!
Jan 24 20:32:17 vps sshd[29997]: reverse mapping checking getaddrinfo for . failed - POSSIBLE BREAK-IN ATTEMPT!
Jan 24 20:32:17 vps sshd[29994]: reverse mapping checking getaddrinfo for . failed - POSSIBLE BREAK-IN ATTEMPT!

--END OF NOTIFICATION

Here is what is actually in the logs:

Jan 24 20:32:18 vps sshd[30010]: Connection from 66.90.103.37 port 33008
Jan 24 20:32:18 vps sshd[30009]: Connection from 66.90.103.37 port 39795
Jan 24 20:32:18 vps sshd[30010]: reverse mapping checking getaddrinfo for . failed - POSSIBLE BREAK-IN ATTEMPT!
Jan 24 20:32:18 vps sshd[30009]: reverse mapping checking getaddrinfo for . failed - POSSIBLE BREAK-IN ATTEMPT!
Jan 24 20:32:19 vps sshd[30012]: Received disconnect from 66.90.103.37: 11: Bye Bye
Jan 24 20:32:19 vps sshd[30011]: Received disconnect from 66.90.103.37: 11: Bye Bye
Jan 24 20:32:19 vps sshd[30013]: Connection from 66.90.103.37 port 39853

Yet, OSSEC is only picking up the lines about the break-in (which is good), but not the IP address trying to do the break-in. What would need to be adjusted to report the actual IP address of the attack? Thank you.
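The reason the alert carries no address is visible in the raw log: the "reverse mapping checking getaddrinfo for . failed" line itself has no IP in it, while the "Connection from ... port ..." line written by the same sshd child process (same PID in the brackets) does. The following is an added example, not part of the original post and not an OSSEC rule: a small Python script that correlates the two line types by PID, attributes each reverse-lookup failure to a source address, and reports addresses that cross a frequency threshold. The sample log is constructed from the lines in the post plus a few extra lines (a second address and a failure with no matching connection line); the threshold of 5 is an assumption, not the actual frequency configured for rule 5703.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the lines quoted in the post. The extra
# 192.0.2.10 lines and the PID 30099 line are added to exercise edge cases.
SAMPLE_LOG = """\
Jan 24 20:32:18 vps sshd[30010]: Connection from 66.90.103.37 port 33008
Jan 24 20:32:18 vps sshd[30009]: Connection from 66.90.103.37 port 39795
Jan 24 20:32:18 vps sshd[30010]: reverse mapping checking getaddrinfo for . failed - POSSIBLE BREAK-IN ATTEMPT!
Jan 24 20:32:18 vps sshd[30009]: reverse mapping checking getaddrinfo for . failed - POSSIBLE BREAK-IN ATTEMPT!
Jan 24 20:32:19 vps sshd[30012]: Received disconnect from 66.90.103.37: 11: Bye Bye
Jan 24 20:32:19 vps sshd[30011]: Received disconnect from 66.90.103.37: 11: Bye Bye
Jan 24 20:32:19 vps sshd[30013]: Connection from 66.90.103.37 port 39853
Jan 24 20:32:19 vps sshd[30013]: reverse mapping checking getaddrinfo for . failed - POSSIBLE BREAK-IN ATTEMPT!
Jan 24 20:32:20 vps sshd[30020]: Connection from 192.0.2.10 port 40001
Jan 24 20:32:20 vps sshd[30020]: reverse mapping checking getaddrinfo for . failed - POSSIBLE BREAK-IN ATTEMPT!
Jan 24 20:32:21 vps sshd[30099]: reverse mapping checking getaddrinfo for . failed - POSSIBLE BREAK-IN ATTEMPT!
"""

# Generic syslog/sshd line: timestamp, host, sshd[pid], message.
SSHD_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# The only line in this log format that carries the peer address.
CONN_FROM = re.compile(r"^Connection from (?P<ip>\S+) port \d+")
# The line rule 5703 counts; note it contains no address.
REV_FAIL = re.compile(r"^reverse mapping checking getaddrinfo for .* failed")


def correlate(lines):
    """Map each reverse-lookup failure to the IP seen on the same sshd PID.

    Returns {ip: [timestamps...]}. Failures whose PID never had a
    'Connection from' line (e.g. the log was rotated in between) are
    collected under the key "unknown" rather than dropped silently.
    """
    pid_to_ip = {}
    failures = defaultdict(list)
    for line in lines:
        m = SSHD_LINE.match(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        cm = CONN_FROM.match(msg)
        if cm:
            pid_to_ip[pid] = cm["ip"]
            continue
        if REV_FAIL.match(msg):
            # pop() so a recycled PID number cannot inherit a stale address
            ip = pid_to_ip.pop(pid, "unknown")
            failures[ip].append(m["ts"])
    return dict(failures)


def alerts(failures, threshold=5):
    """Addresses with at least `threshold` failures (assumed frequency)."""
    return {
        ip: len(stamps)
        for ip, stamps in failures.items()
        if ip != "unknown" and len(stamps) >= threshold
    }


if __name__ == "__main__":
    per_ip = correlate(SAMPLE_LOG.splitlines())
    for ip, stamps in sorted(per_ip.items()):
        print(f"{ip}: {len(stamps)} reverse lookup failure(s), last at {stamps[-1]}")
    for ip, count in alerts(per_ip, threshold=3).items():
        print(f'ALERT: high number of reverse lookup errors from {ip} ({count})')
```

Run it against /var/log/secure instead of the embedded sample by passing the file's lines to correlate(). The "unknown" bucket is worth keeping: a high count there means the correlation window is too short (or the log rotated), not that the failures were harmless.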
