For some reason OpenSSH is giving you that:

canohost.c: /* Get the real hostname if socket; otherwise return UNKNOWN. */
canohost.c: host = "UNKNOWN";
On Mon, Jul 11, 2011 at 5:49 PM, j5-hms <[email protected]> wrote:
> Hi,
>
> I have an agent/server OSSEC setup and everything is going well. I'm
> in the middle of tuning the configs to remedy false positives,
> particularly SSH scans from our Security team.
>
> I've managed to do just that, but I came across a few things that have
> got me perplexed. It's logging some events from an "UNKNOWN" source,
> i.e.:
>
> =====================================================================
> OSSEC HIDS Notification.
> 2011 Jul 11 19:49:27
>
> Received From: server001.xxx ->/var/log/authpriv
> Rule: 5706 fired (level 6) -> "SSH insecure connection attempt (scan)."
> Portion of the log(s):
>
> Jul 11 19:49:27 server001.xxx sshd[31851]: Did not receive identification string from UNKNOWN
> ====================================================================
>
> Then the active-response portion kicks in and does the following with
> this "UNKNOWN" source:
>
> ===============================================
> Mon Jul 11 19:49:30 GMT 2011 /var/ossec/active-response/bin/host-deny.sh add - UNKNOWN 1310413770.47879 5701
> Mon Jul 11 19:49:30 GMT 2011 Invalid ip/hostname entry: UNKNOWN
> Mon Jul 11 19:49:30 GMT 2011 /var/ossec/active-response/bin/firewall-drop.sh add - UNKNOWN 1310413770.47879 5701
> Mon Jul 11 19:49:30 GMT 2011 Unable to run (iptables returning != 2): 1 - /var/ossec/active-response/bin/firewall-drop.sh add - UNKNOWN 1310413770.47879 5701
> Mon Jul 11 19:49:31 GMT 2011 Unable to run (iptables returning != 2): 2 - /var/ossec/active-response/bin/firewall-drop.sh add - UNKNOWN 1310413770.47879 5701
> Mon Jul 11 19:49:33 GMT 2011 Unable to run (iptables returning != 2): 3 - /var/ossec/active-response/bin/firewall-drop.sh add - UNKNOWN 1310413770.47879 5701
> Mon Jul 11 19:49:36 GMT 2011 Unable to run (iptables returning != 2): 4 - /var/ossec/active-response/bin/firewall-drop.sh add - UNKNOWN 1310413770.47879 5701
> Mon Jul 11 19:49:40 GMT 2011 Unable to run (iptables returning != 2): 5 - /var/ossec/active-response/bin/firewall-drop.sh add - UNKNOWN 1310413770.47879 5701
> Mon Jul 11 19:49:45 GMT 2011 Unable to run (iptables returning != 2): 6 - /var/ossec/active-response/bin/firewall-drop.sh add - UNKNOWN 1310413770.47879 5701
> Mon Jul 11 20:08:36 GMT 2011 /var/ossec/active-response/bin/host-deny.sh delete - UNKNOWN 1310413770.47879 5701
> Mon Jul 11 20:08:36 GMT 2011 Invalid ip/hostname entry: UNKNOWN
> Mon Jul 11 20:08:36 GMT 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - UNKNOWN 1310413770.47879 5701
> Mon Jul 11 20:08:37 GMT 2011 Unable to run (iptables returning != 2): 1 - /var/ossec/active-response/bin/firewall-drop.sh delete - UNKNOWN 1310413770.47879 5701
> Mon Jul 11 20:08:38 GMT 2011 Unable to run (iptables returning != 2): 2 - /var/ossec/active-response/bin/firewall-drop.sh delete - UNKNOWN 1310413770.47879 5701
> Mon Jul 11 20:08:40 GMT 2011 Unable to run (iptables returning != 2): 3 - /var/ossec/active-response/bin/firewall-drop.sh delete - UNKNOWN 1310413770.47879 5701
> Mon Jul 11 20:08:43 GMT 2011 Unable to run (iptables returning != 2): 4 - /var/ossec/active-response/bin/firewall-drop.sh delete - UNKNOWN 1310413770.47879 5701
> Mon Jul 11 20:08:47 GMT 2011 Unable to run (iptables returning != 2): 5 - /var/ossec/active-response/bin/firewall-drop.sh delete - UNKNOWN 1310413770.47879 5701
> Mon Jul 11 20:08:52 GMT 2011 Unable to run (iptables returning != 2): 6 - /var/ossec/active-response/bin/firewall-drop.sh delete - UNKNOWN 1310413770.47879 5701
> =====================================================
>
> Does anyone have an idea why this is happening? I asked our SEC
> department if the scanning software is able to mask the IP address and
> they told me there is no such feature.
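A defensive illustration of the failure shown in the quoted log, added here and not part of the list post or of OSSEC's own active-response scripts: a small Python pre-check that a wrapper could run before calling firewall-drop.sh, so that an unresolvable source such as UNKNOWN is skipped once instead of being handed to iptables and retried six times. The sshd lines are constructed to match the one in the thread, and the iptables/ip6tables arguments are an assumption, not the real rule firewall-drop.sh installs.

```python
import ipaddress
import re

# Constructed sample lines modelled on the rule-5706 event quoted above.
SAMPLE_LOGS = [
    "Jul 11 19:49:27 server001.xxx sshd[31851]: Did not receive identification string from UNKNOWN",
    "Jul 11 19:49:28 server001.xxx sshd[31852]: Did not receive identification string from 192.0.2.10",
    "Jul 11 19:49:29 server001.xxx sshd[31853]: Did not receive identification string from 2001:db8::1",
]

# Newer OpenSSH appends " port N" to this message, so the port is optional here.
SSHD_NOID_RE = re.compile(
    r"sshd\[\d+\]: Did not receive identification string from (\S+)(?: port \d+)?$"
)


def extract_source(line):
    """Return the source token sshd logged, or None if the line is not this event."""
    m = SSHD_NOID_RE.search(line)
    return m.group(1) if m else None


def is_blockable_ip(token):
    """True only for a literal IPv4/IPv6 address. 'UNKNOWN' (what canohost.c
    substitutes when the peer cannot be resolved) and bare hostnames are
    rejected, which is the same decision host-deny.sh makes when it logs
    'Invalid ip/hostname entry'."""
    try:
        ipaddress.ip_address(token)
    except ValueError:
        return False
    return True


def plan_active_response(line, action="add"):
    """Decide what a wrapper should do with one sshd line.

    Returns (decision, argv). argv is None when nothing should be executed,
    so the caller never spawns iptables with a value it will reject
    (the 'iptables returning != 2' loop in the thread). The argv is a
    hypothetical rule, not firewall-drop.sh's own."""
    src = extract_source(line)
    if src is None:
        return ("ignore", None)
    if not is_blockable_ip(src):
        return ("skip-unresolvable", None)
    tool = "ip6tables" if ipaddress.ip_address(src).version == 6 else "iptables"
    flag = "-I" if action == "add" else "-D"
    return ("block" if action == "add" else "unblock",
            [tool, flag, "INPUT", "-s", src, "-j", "DROP"])


if __name__ == "__main__":
    for sample in SAMPLE_LOGS:
        print(plan_active_response(sample))
```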
