Hello, I'm using OSSEC 2.7 but I still get this alert! Please, how can I resolve this issue?
Thank you in advance

On Friday, December 3, 2010 1:21:23 AM UTC+1, Daniel Cid wrote:
>
> Yes, a bug on OSSEC. These messages are randomly generated and should not reach
> analysisd.
>
> Been fixed on the latest snapshot: http://www.ossec.net/files/snapshots/
>
> thanks,
>
> On Thu, Dec 2, 2010 at 6:32 PM, dan (ddp) <[email protected]> wrote:
> > On Thu, Dec 2, 2010 at 4:52 PM, loyd.darby <[email protected]> wrote:
> >> That leaves only a memory / buffer overflow kind of error. If it only
> >> happened once I would not sweat it.
> >> It is also "possible" that the log data got corrupted in transit (look at
> >> netstat -s for host and client interfaces)
> >> If it repeats, then I would relook at the logs, possibly with a different
> >> tool.
> >> Binary data in a log file can hide from editors so cat, grep and strings are
> >> better tools.
> >> I think it is unlikely that OSSEC bug can cause this but you could
> >> re-install as a last resort.
> >>
> >
> > Or it could be part of the keep alive messages in OSSEC:
> > (from src/logcollector/logcollector.c)
> > char *rand_keepalive_str(char *dst, int size)
> > {
> >     static const char text[] = "abcdefghijklmnopqrstuvwxyz"
> >                                "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
> >                                "0123456789"
> >                                "!@#$%^&*()_+-=;'[],./?";
> >     int i, len = rand() % (size - 10);
> >     strncpy(dst, "--MARK--: ", 12);
> >     for ( i = 10; i < len; ++i )
> >     {
> >         dst[i] = text[rand() % (sizeof text - 1)];
> >     }
> >     dst[i] = '\0';
> >     return dst;
> > }
> >
> >> On 12/02/2010 04:06 PM, Andre Pawlowski wrote:
> >>>
> >>> I don't find this log entry in any of my logs. That means that there was
> >>> no syslog message with this text. Smart didn't detect anything strange
> >>> either.
> >>>
> >>> Andre Pawlowski
> >>>
> >>> -------------------------------------------------------------------
> >>>
> >>> Poor is the pupil who does not surpass his master.
> >>> -Leonardo da Vinci
> >>>
> >>> On 12/02/2010 07:54 PM, loyd.darby wrote:
> >>>>
> >>>> It means that a syslog message had one of these words in it:
> >>>> core_dumped|failure|error|attack|bad |illegal
> >>>> |denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted
> >>>> MARK and the string of characters is actually part of the message and it
> >>>> is likely a disk error.
> >>>> It definitely should be looked at.
> >>>>
> >>>> On 12/02/2010 12:10 PM, dan (ddp) wrote:
> >>>>>
> >>>>> On Thu, Dec 2, 2010 at 11:27 AM, Andre Pawlowski <[email protected]> wrote:
> >>>>>>
> >>>>>> Hi list,
> >>>>>>
> >>>>>> I've got a strange error message from my ossec server that I don't
> >>>>>> understand:
> >>>>>>
> >>>>>> OSSEC HIDS Notification.
> >>>>>> 2010 Dec 02 09:48:40
> >>>>>>
> >>>>>> Received From: kokyt0s->ossec-keepalive
> >>>>>> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
> >>>>>> Portion of the log(s):
> >>>>>>
> >>>>>> --MARK--: &pQSW__BPa5S?%tyDTJ3-iCG2lz2dU))r(F%6tjp8wqpf=]IKFT%ND2kP]ua/W)3-6'eHduX$;$Axqq7Vr.dVZ1SUDSaH)4xTXCIieaEKv47LD-bU)SXMnXO/jPGKn3.!NGBR_5]jD2UoSV9)h%z8G%7.xhI;s)267.rV214O@t2#w)Z(k'UQp9]MyDERrOrG[-,e?iS@B3Rg/kGiR[g6mc0K)/]S]0'+?+'/.[r$fqBR^7iAjoPv4j6SWjeRsLGr%$3#p+buf&u_RC3i/mE3vS3*jp&B1qSJM431TmEg,YJ][ge;6-dJI69?-TB?!BI4?Uza63V3vMY3ake6ahj-%A-m_5lgab!OVR,!pR+;L]eLgilU
> >>>>>>
> >>>>>> --END OF NOTIFICATION
> >>>>>>
> >>>>>> Has anyone an idea what this means?
> >>>>>>
> >>>>>> Regards
> >>>>>>
> >>>>>> --
> >>>>>>
> >>>>>> Andre Pawlowski
> >>>>>>
> >>>>>> -------------------------------------------------------------------
> >>>>>>
> >>>>>> If an idea does not at first seem absurd, it is worthless.
> >>>>>> -Albert Einstein
> >>>>>>
> >>>>>
> >>>>> I think it's "normal" (although I didn't think these messages were
> >>>>> going to be logged). It's definitely nothing to worry about. I think
> >>>>> the random text in the message is just padding to make the keep alives
> >>>>> indistinguishable from other messages based on packet size.
> >>>>>
> >>
> >> --
> >> R. Loyd Darby, OSSIM-OCSE
> >> Project Manager DOC/NOAA/NMFS
> >> Infrastructure coordinator
> >> Southeast Fisheries Science Center
> >> 305-361-4297
> >>
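
Added example (not part of the thread and not OSSEC code): a Python triage helper that checks whether an alert's log line is a keepalive marker built from the alphabet in the quoted rand_keepalive_str(), flags marker lines that carry other bytes, and lists which of the rule 1002 keywords quoted in the thread appear in the line. The names classify, SAMPLES and ignore_case are hypothetical, and case-insensitive keyword matching is an assumption about the rule engine.

```python
# Prefix and alphabet copied from rand_keepalive_str() as quoted in the thread.
KEEPALIVE_PREFIX = "--MARK--: "
KEEPALIVE_ALPHABET = set(
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789"
    "!@#$%^&*()_+-=;'[],./?"
)
# Rule 1002 keyword list as quoted in the thread (trailing spaces kept).
RULE_1002_WORDS = [
    "core_dumped", "failure", "error", "attack", "bad ", "illegal ",
    "denied", "refused", "unauthorized", "fatal", "failed",
    "Segmentation Fault", "Corrupted",
]


def classify(line, ignore_case=True):
    """Classify one 'Portion of the log(s)' line; returns (kind, keywords).

    kind: 'keepalive'    - marker prefix, then only keepalive-alphabet chars
          'suspect-mark' - marker prefix, then other bytes (possible corruption)
          'other'        - not a keepalive marker
    ignore_case=True is an assumption about how the rule engine matches.
    """
    hay = line.lower() if ignore_case else line
    hits = [w for w in RULE_1002_WORDS
            if (w.lower() if ignore_case else w) in hay]
    if not line.startswith(KEEPALIVE_PREFIX):
        return "other", hits
    payload = line[len(KEEPALIVE_PREFIX):]
    if all(ch in KEEPALIVE_ALPHABET for ch in payload):
        return "keepalive", hits
    return "suspect-mark", hits


# Constructed sample lines, not taken from any real system.
SAMPLES = [
    "--MARK--: aZ3!pQ_eRRor9)x[k/2]",    # padding that happens to spell a keyword
    "--MARK--: aZ3!pQ\x00\x7f9)x",       # marker followed by non-alphabet bytes
    "kernel: ata1: I/O error, dev sda",  # ordinary log line
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample), repr(sample))
```

The padding in the notification quoted above contains the run `ERrOr`, which this helper reports as a hit on the keyword `error` when ignore_case is left on.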
