Hi, I have an agent/server OSSEC setup and everything is going well. I'm in the middle of tuning the configs to remedy false positives, particularly SSH scans from our Security team.
I've managed to do just that, but I came across a few things that have got me perplexed. It's logging some events from an "UNKNOWN" source, i.e.:

=====================================================================
OSSEC HIDS Notification.
2011 Jul 11 19:49:27

Received From: server001.xxx->/var/log/authpriv
Rule: 5706 fired (level 6) -> "SSH insecure connection attempt (scan)."
Portion of the log(s):

Jul 11 19:49:27 server001.xxx sshd[31851]: Did not receive identification string from UNKNOWN
====================================================================

Then the active-response portion kicks in and does the following with this "UNKNOWN" source:

===============================================
Mon Jul 11 19:49:30 GMT 2011 /var/ossec/active-response/bin/host-deny.sh add - UNKNOWN 1310413770.47879 5701
Mon Jul 11 19:49:30 GMT 2011 Invalid ip/hostname entry: UNKNOWN
Mon Jul 11 19:49:30 GMT 2011 /var/ossec/active-response/bin/firewall-drop.sh add - UNKNOWN 1310413770.47879 5701
Mon Jul 11 19:49:30 GMT 2011 Unable to run (iptables returning != 2): 1 - /var/ossec/active-response/bin/firewall-drop.sh add - UNKNOWN 1310413770.47879 5701
Mon Jul 11 19:49:31 GMT 2011 Unable to run (iptables returning != 2): 2 - /var/ossec/active-response/bin/firewall-drop.sh add - UNKNOWN 1310413770.47879 5701
Mon Jul 11 19:49:33 GMT 2011 Unable to run (iptables returning != 2): 3 - /var/ossec/active-response/bin/firewall-drop.sh add - UNKNOWN 1310413770.47879 5701
Mon Jul 11 19:49:36 GMT 2011 Unable to run (iptables returning != 2): 4 - /var/ossec/active-response/bin/firewall-drop.sh add - UNKNOWN 1310413770.47879 5701
Mon Jul 11 19:49:40 GMT 2011 Unable to run (iptables returning != 2): 5 - /var/ossec/active-response/bin/firewall-drop.sh add - UNKNOWN 1310413770.47879 5701
Mon Jul 11 19:49:45 GMT 2011 Unable to run (iptables returning != 2): 6 - /var/ossec/active-response/bin/firewall-drop.sh add - UNKNOWN 1310413770.47879 5701
Mon Jul 11 20:08:36 GMT 2011 /var/ossec/active-response/bin/host-deny.sh delete - UNKNOWN 1310413770.47879 5701
Mon Jul 11 20:08:36 GMT 2011 Invalid ip/hostname entry: UNKNOWN
Mon Jul 11 20:08:36 GMT 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - UNKNOWN 1310413770.47879 5701
Mon Jul 11 20:08:37 GMT 2011 Unable to run (iptables returning != 2): 1 - /var/ossec/active-response/bin/firewall-drop.sh delete - UNKNOWN 1310413770.47879 5701
Mon Jul 11 20:08:38 GMT 2011 Unable to run (iptables returning != 2): 2 - /var/ossec/active-response/bin/firewall-drop.sh delete - UNKNOWN 1310413770.47879 5701
Mon Jul 11 20:08:40 GMT 2011 Unable to run (iptables returning != 2): 3 - /var/ossec/active-response/bin/firewall-drop.sh delete - UNKNOWN 1310413770.47879 5701
Mon Jul 11 20:08:43 GMT 2011 Unable to run (iptables returning != 2): 4 - /var/ossec/active-response/bin/firewall-drop.sh delete - UNKNOWN 1310413770.47879 5701
Mon Jul 11 20:08:47 GMT 2011 Unable to run (iptables returning != 2): 5 - /var/ossec/active-response/bin/firewall-drop.sh delete - UNKNOWN 1310413770.47879 5701
Mon Jul 11 20:08:52 GMT 2011 Unable to run (iptables returning != 2): 6 - /var/ossec/active-response/bin/firewall-drop.sh delete - UNKNOWN 1310413770.47879 5701
=====================================================

Does anyone have an idea why this is happening? I asked our SEC department if the scanning software is able to mask the IP address and they told me there is no such feature.
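Added example, not part of the original post and not OSSEC's own scripts: a small POSIX sh script that reproduces the failure mode above (rule 5706 extracting the literal word "UNKNOWN" from the sshd line and active-response being invoked with it as the target) and shows the guard a practitioner would put in front of firewall-drop.sh or host-deny.sh. It assumes the stock argument order OSSEC uses for active-response scripts, ACTION USER IP ALERTID RULEID (visible in the log as "add - UNKNOWN 1310413770.47879 5701"), checks IPv4 targets only, and uses constructed sample log lines; the wrapper name guarded_active_response is hypothetical.

```shell
#!/bin/sh
# Added example (not OSSEC's own code). Reproduces the "UNKNOWN" active-response
# failure and guards against it.
# Assumptions: active-response scripts receive ACTION USER IP ALERTID RULEID,
# and only IPv4 targets are validated (IPv6 omitted for brevity).

# Pull the peer name out of the sshd line that fires rule 5706.
extract_sshd_source() {
    printf '%s\n' "$1" |
        sed -n 's/.*Did not receive identification string from \([^ ]*\).*/\1/p'
}

# Return 0 only for a well-formed dotted-quad IPv4 address (each octet 0-255).
is_ipv4() {
    addr=$1
    case "$addr" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Hypothetical wrapper to call instead of firewall-drop.sh / host-deny.sh:
# refuses targets that are not IP addresses (such as "UNKNOWN") and logs why,
# in the same spirit as the "Invalid ip/hostname entry" message in the post.
guarded_active_response() {
    action=$1; user=$2; ip=$3; alertid=$4; ruleid=$5
    if ! is_ipv4 "$ip"; then
        echo "$(date) Refusing $action: invalid ip/hostname entry: $ip (alert $alertid, rule $ruleid)" >&2
        return 1
    fi
    # A real deployment would exec the stock script here, e.g.
    #   exec /var/ossec/active-response/bin/firewall-drop.sh "$action" "$user" "$ip" "$alertid" "$ruleid"
    echo "would run firewall-drop.sh $action $user $ip $alertid $ruleid"
    return 0
}

# Constructed sample lines: the one quoted in the post, and one with a real peer.
SAMPLE_UNKNOWN='Jul 11 19:49:27 server001.xxx sshd[31851]: Did not receive identification string from UNKNOWN'
SAMPLE_IP='Jul 11 19:50:02 server001.xxx sshd[31902]: Did not receive identification string from 192.0.2.10'

# Walk both lines through extraction and the guarded response.
demo() {
    for line in "$SAMPLE_UNKNOWN" "$SAMPLE_IP"; do
        src=$(extract_sshd_source "$line")
        guarded_active_response add - "$src" 1310413770.47879 5701 || true
    done
}

demo
```

Run with sh: the first sample is refused with a logged reason and the second is passed through, which is the behaviour one wants instead of six iptables retries against a target that was never an address.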
