Yes, a bug on OSSEC. These messages are randomly generated and should not reach analysisd.
Been fixed on the latest snapshot: http://www.ossec.net/files/snapshots/

thanks,

On Thu, Dec 2, 2010 at 6:32 PM, dan (ddp) <[email protected]> wrote:
> On Thu, Dec 2, 2010 at 4:52 PM, loyd.darby <[email protected]> wrote:
>> That leaves only a memory / buffer overflow kind of error. If it only
>> happened once I would not sweat it.
>> It is also "possible" that the log data got corrupted in transit (look at
>> netstat -s for host and client interfaces).
>> If it repeats, then I would relook at the logs, possibly with a different
>> tool.
>> Binary data in a log file can hide from editors, so cat, grep and strings are
>> better tools.
>> I think it is unlikely that an OSSEC bug can cause this, but you could
>> re-install as a last resort.
>>
>
> Or it could be part of the keep alive messages in OSSEC:
> (from src/logcollector/logcollector.c)
>
> char *rand_keepalive_str(char *dst, int size)
> {
>     static const char text[] = "abcdefghijklmnopqrstuvwxyz"
>                                "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
>                                "0123456789"
>                                "!@#$%^&*()_+-=;'[],./?";
>     int i, len = rand() % (size - 10);
>     strncpy(dst, "--MARK--: ", 12);
>     for ( i = 10; i < len; ++i )
>     {
>         dst[i] = text[rand() % (sizeof text - 1)];
>     }
>     dst[i] = '\0';
>     return dst;
> }
>
>> On 12/02/2010 04:06 PM, Andre Pawlowski wrote:
>>>
>>> I don't find this log entry in any of my logs. That means that there was
>>> no syslog message with this text. SMART didn't detect anything strange
>>> either.
>>>
>>> Andre Pawlowski
>>>
>>> -------------------------------------------------------------------
>>>
>>> Poor is the pupil who does not surpass his master.
>>> -Leonardo da Vinci
>>>
>>> On 12/02/2010 07:54 PM, loyd.darby wrote:
>>>>
>>>> It means that a syslog message had one of these words in it:
>>>> core_dumped|failure|error|attack|bad |illegal
>>>> |denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted
>>>>
>>>> MARK and the string of characters is actually part of the message and it
>>>> is likely a disk error.
>>>> It definitely should be looked at.
>>>>
>>>> On 12/02/2010 12:10 PM, dan (ddp) wrote:
>>>>>
>>>>> On Thu, Dec 2, 2010 at 11:27 AM, Andre Pawlowski <[email protected]>
>>>>> wrote:
>>>>>>
>>>>>> Hi list,
>>>>>>
>>>>>> I've got a strange error message from my ossec server that I don't
>>>>>> understand:
>>>>>>
>>>>>> OSSEC HIDS Notification.
>>>>>> 2010 Dec 02 09:48:40
>>>>>>
>>>>>> Received From: kokyt0s->ossec-keepalive
>>>>>> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the
>>>>>> system."
>>>>>> Portion of the log(s):
>>>>>>
>>>>>> --MARK--:
>>>>>>
>>>>>> &pQSW__BPa5S?%tyDTJ3-iCG2lz2dU))r(F%6tjp8wqpf=]IKFT%ND2kP]ua/W)3-6'eHduX$;$Axqq7Vr.dVZ1SUDSaH)4xTXCIieaEKv47LD-bU)SXMnXO/jPGKn3.!NGBR_5]jD2UoSV9)h%z8G%7.xhI;s)267.rv2...@t2#w)Z(k'UQp9]MyDERrOrG[-,e...@b3rg/kGiR[g6mc0K)/]S]0'+?+'/.[r$fqBR^7iAjoPv4j6SWjeRsLGr%$3#p+buf&u_RC3i/mE3vS3*jp&B1qSJM431TmEg,YJ][ge;6-dJI69?-TB?!BI4?Uza63V3vMY3ake6ahj-%A-m_5lgab!OVR,!pR+;L]eLgilU
>>>>>>
>>>>>> --END OF NOTIFICATION
>>>>>>
>>>>>> Has anyone an idea what this means?
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> --
>>>>>>
>>>>>> Andre Pawlowski
>>>>>>
>>>>>> -------------------------------------------------------------------
>>>>>>
>>>>>> If an idea does not at first seem absurd, it is worthless.
>>>>>> -Albert Einstein
>>>>>>
>>>>>
>>>>> I think it's "normal" (although I didn't think these messages were
>>>>> going to be logged). It's definitely nothing to worry about. I think
>>>>> the random text in the message is just padding to make the keep alives
>>>>> indistinguishable from other messages based on packet size.
>>>>>
>>>>
>>
>> --
>> R. Loyd Darby, OSSIM-OCSE
>> Project Manager DOC/NOAA/NMFS
>> Infrastructure coordinator
>> Southeast Fisheries Science Center
>> 305-361-4297
>>
>
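The thread above comes down to two pieces colliding: a keyword rule (1002) that fires on any log line containing words such as "error" or "failure", and an agent keepalive padded with random characters that was never meant to reach analysisd. The C program below is an added example written for this page; it is not code from the thread or from the OSSEC project. It copies the bad-word list Loyd quoted for rule 1002 and a keepalive generator modelled on the `rand_keepalive_str()` that dan quoted, then shows the defensive check that resolves the report: recognise keepalives by their fixed `--MARK--: ` prefix and drop them before any keyword rule runs. The names `bad_word_index`, `is_keepalive`, `should_analyze`, `make_keepalive` and `count_false_alerts` are hypothetical helpers; the substring match is a simplification of how the real rule matches (an assumption, not OSSEC's matcher); and the sample log lines are constructed for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bad-word list quoted from rule 1002 in the thread above; the trailing
 * space on "bad " is deliberate and copied as posted. */
static const char *BAD_WORDS[] = {
    "core_dumped", "failure", "error", "attack", "bad ", "illegal",
    "denied", "refused", "unauthorized", "fatal", "failed",
    "Segmentation Fault", "Corrupted", NULL
};

/* Fixed prefix written by rand_keepalive_str() in logcollector.c. */
#define KEEPALIVE_PREFIX "--MARK--: "

/* Simplified, case-sensitive stand-in for the rule-1002 match
 * (assumption: plain substring search, not OSSEC's own matcher).
 * Returns the index of the first matching word, or -1 if none matches. */
int bad_word_index(const char *msg)
{
    for (int i = 0; BAD_WORDS[i] != NULL; ++i) {
        if (strstr(msg, BAD_WORDS[i]) != NULL) {
            return i;
        }
    }
    return -1;
}

/* A keepalive is recognised by its fixed prefix alone; the rest is noise. */
int is_keepalive(const char *msg)
{
    return strncmp(msg, KEEPALIVE_PREFIX, strlen(KEEPALIVE_PREFIX)) == 0;
}

/* Defensive filter: keepalives are discarded before keyword rules run, so
 * their random padding can never raise an alert. Returns 1 if the message
 * should be handed to analysis, 0 if it should be dropped. */
int should_analyze(const char *msg)
{
    return is_keepalive(msg) ? 0 : 1;
}

/* Hypothetical generator modelled on the rand_keepalive_str() quoted in the
 * thread; it copies exactly the 10 prefix bytes (the original uses strncpy
 * with a count of 12). Requires size > 10; the caller seeds rand(). */
char *make_keepalive(char *dst, int size)
{
    static const char text[] = "abcdefghijklmnopqrstuvwxyz"
                               "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                               "0123456789"
                               "!@#$%^&*()_+-=;'[],./?";
    int prefix_len = (int)strlen(KEEPALIVE_PREFIX);   /* 10 */
    int len = rand() % (size - prefix_len);             /* total length < size */
    int i;

    memcpy(dst, KEEPALIVE_PREFIX, prefix_len);
    for (i = prefix_len; i < len; ++i) {
        dst[i] = text[rand() % (sizeof text - 1)];
    }
    dst[i] = '\0';
    return dst;
}

/* Count how many of n generated keepalives would have tripped the bad-word
 * list had they reached analysis unfiltered. */
int count_false_alerts(int n, int size, unsigned seed)
{
    char buf[1024];
    int hits = 0;
    if (size > (int)sizeof buf) size = (int)sizeof buf;
    srand(seed);
    for (int k = 0; k < n; ++k) {
        make_keepalive(buf, size);
        if (bad_word_index(buf) >= 0) hits++;
    }
    return hits;
}

int main(void)
{
    /* Constructed sample lines: a keepalive whose padding happens to contain
     * "error", a real-looking syslog line that rule 1002 should catch, and a
     * benign line. */
    const char *samples[] = {
        "--MARK--: J3-iCG2lzerrorU))r(F%6tjp8wq",
        "sshd[1234]: error: PAM: Authentication failure",
        "kernel: eth0: link is up",
    };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; ++k) {
        printf("%-50s keepalive=%d bad_word=%d analyze=%d\n", samples[k],
               is_keepalive(samples[k]), bad_word_index(samples[k]),
               should_analyze(samples[k]));
    }
    printf("false alerts in 10000 unfiltered keepalives: %d\n",
           count_false_alerts(10000, 600, 1));
    return 0;
}
```

The point the run makes is that the keyword match is working exactly as designed; the defect is in what is fed to it. Filtering on the keepalive source (here the prefix, in OSSEC the `ossec-keepalive` location shown in the notification) is the correct fix, and it is the one the snapshot applied by keeping these messages away from analysisd.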
