On Mon, Jun 28, 2010 at 12:23 PM, Dennis Golden
<[email protected]> wrote:
> dan (ddp) wrote:
>> Could you pass along an event to go with the decoder? There are some
>> newer decoders for sshd in the latest snapshots, but I don't know if
>> they'd cover an event from open suse.
>
> Sorry, I should have included it (but I think someone did earlier). Here
> is the syslog entry (line is wrapped):
>
> Jun 26 10:14:12 dg-linux sshd[16527]: reverse mapping checking
> getaddrinfo for 64.79.111.4.rdns.continuumdatacenters.com [64.79.111.4]
> failed - POSSIBLE BREAK-IN ATTEMPT!
>
>
Someone else had submitted one, but I wanted to make sure there
weren't any changes or anything.
This is the output from the latest snapshot:
# /var/ossec/bin/ossec-logtest -D . -c etc/ossec.conf
2010/06/28 21:15:45 ossec-testrule: INFO: Started (pid: 14227).
ossec-testrule: Type one log per line.
Jun 26 10:14:12 dg-linux sshd[16527]: reverse mapping checking
getaddrinfo for 64.79.111.4.rdns.continuumdatacenters.com
[64.79.111.4] failed - POSSIBLE BREAK-IN ATTEMPT!
**Phase 1: Completed pre-decoding.
full event: 'Jun 26 10:14:12 dg-linux sshd[16527]: reverse
mapping checking getaddrinfo for
64.79.111.4.rdns.continuumdatacenters.com [64.79.111.4] failed -
POSSIBLE BREAK-IN ATTEMPT!'
hostname: 'dg-linux'
program_name: 'sshd'
log: 'reverse mapping checking getaddrinfo for
64.79.111.4.rdns.continuumdatacenters.com [64.79.111.4] failed -
POSSIBLE BREAK-IN ATTEMPT!'
**Phase 2: Completed decoding.
decoder: 'sshd'
srcip: '64.79.111.4'
**Phase 3: Completed filtering (rules).
Rule id: '5702'
Level: '5'
Description: 'Reverse lookup error (bad ISP or attack).'
**Alert to be generated.
So it looks like it's included in newer versions.
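A self-contained model of the three ossec-logtest phases shown above (pre-decode, decode, rule match), as an added Python example rather than OSSEC's own C decoder or its XML decoder and rule definitions; the regexes, the one-entry rule table and the second sample line are assumptions written for this illustration.

```python
import re
# Constructed sample events (not captured from a real host): the line quoted in
# the thread, plus an ordinary sshd login line that rule 5702 must not fire on.
SAMPLE_LOGS = [
    "Jun 26 10:14:12 dg-linux sshd[16527]: reverse mapping checking getaddrinfo "
    "for 64.79.111.4.rdns.continuumdatacenters.com [64.79.111.4] failed "
    "- POSSIBLE BREAK-IN ATTEMPT!",
    "Jun 26 10:15:01 dg-linux sshd[16530]: Accepted publickey for dg "
    "from 192.0.2.10 port 51234 ssh2",
]

# Phase 1: syslog pre-decoding into hostname, program_name and the free-text log.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<hostname>\S+) "
    r"(?P<program_name>[^\[:\s]+)(?:\[\d+\])?: (?P<log>.*)$"
)
# Phase 2: the sshd reverse-mapping case. Only the bracketed address becomes
# srcip; the rDNS name before it is chosen by the remote side and is ignored.
REVERSE_MAP_RE = re.compile(
    r"^reverse mapping checking getaddrinfo for \S+ \[(?P<srcip>[0-9a-fA-F.:]+)\] failed"
)
# Phase 3: a one-entry rule table mirroring the alert shown by ossec-logtest.
RULES = [
    {"id": "5702", "level": 5, "decoder": "sshd", "needs": "reverse_mapping",
     "description": "Reverse lookup error (bad ISP or attack)."},
]

def predecode(line):
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None

def decode(event):
    if event["program_name"] != "sshd":
        return None
    fields = {"decoder": "sshd"}
    m = REVERSE_MAP_RE.match(event["log"])
    if m:
        fields.update(srcip=m.group("srcip"), reverse_mapping=True)
    return fields

def process(line):
    """Run all three phases; return (matching rule or None, decoded fields)."""
    event = predecode(line)
    if event is None:
        return None, {}
    fields = decode(event) or {}
    for rule in RULES:
        if fields.get("decoder") == rule["decoder"] and fields.get(rule["needs"]):
            return rule, fields
    return None, fields
```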