All, I'm getting this alert also in 2.7.1. I tried writing a rule to filter them, but it caused remoted to not want to work properly. I'd welcome a hack at this point, if not a proper fix.
--Josh

On Thu, Mar 13, 2014 at 4:37 AM, Bib Kam <[email protected]> wrote:
> Hello,
>
> I'm using OSSEC 2.7 but I still get this alert!!
> Please, how do I resolve this issue?
>
> Thank you in advance
>
> On Friday, December 3, 2010 1:21:23 AM UTC+1, Daniel Cid wrote:
>>
>> Yes, a bug on OSSEC. These messages are randomly generated and should not reach
>> analysisd.
>>
>> Been fixed on the latest snapshot: http://www.ossec.net/files/snapshots/
>>
>> thanks,
>>
>> On Thu, Dec 2, 2010 at 6:32 PM, dan (ddp) <[email protected]> wrote:
>> > On Thu, Dec 2, 2010 at 4:52 PM, loyd.darby <[email protected]> wrote:
>> >> That leaves only a memory / buffer overflow kind of error. If it only
>> >> happened once I would not sweat it.
>> >> It is also "possible" that the log data got corrupted in transit (look at
>> >> netstat -s for host and client interfaces).
>> >> If it repeats, then I would relook at the logs, possibly with a different
>> >> tool.
>> >> Binary data in a log file can hide from editors, so cat, grep and strings are
>> >> better tools.
>> >> I think it is unlikely that an OSSEC bug can cause this, but you could
>> >> re-install as a last resort.
>> >>
>> >
>> > Or it could be part of the keep alive messages in OSSEC:
>> > (from src/logcollector/logcollector.c)
>> >
>> > char *rand_keepalive_str(char *dst, int size)
>> > {
>> >     static const char text[] = "abcdefghijklmnopqrstuvwxyz"
>> >                                "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
>> >                                "0123456789"
>> >                                "!@#$%^&*()_+-=;'[],./?";
>> >     int i, len = rand() % (size - 10);
>> >     strncpy(dst, "--MARK--: ", 12);
>> >     for ( i = 10; i < len; ++i )
>> >     {
>> >         dst[i] = text[rand() % (sizeof text - 1)];
>> >     }
>> >     dst[i] = '\0';
>> >     return dst;
>> > }
>> >
>> >
>> >> On 12/02/2010 04:06 PM, Andre Pawlowski wrote:
>> >>>
>> >>> I don't find this log entry in any of my logs. That means that there was
>> >>> no syslog message with this text. Smart didn't detect anything strange
>> >>> either.
>> >>>
>> >>> Andre Pawlowski
>> >>>
>> >>> -------------------------------------------------------------------
>> >>>
>> >>> Poor is the pupil who does not surpass his master.
>> >>> -Leonardo da Vinci
>> >>>
>> >>> On 12/02/2010 07:54 PM, loyd.darby wrote:
>> >>>>
>> >>>> It means that a syslog message had one of these words in it:
>> >>>> core_dumped|failure|error|attack|bad |illegal |denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted
>> >>>> MARK and the string of characters is actually part of the message, and it
>> >>>> is likely a disk error.
>> >>>> It definitely should be looked at.
>> >>>>
>> >>>> On 12/02/2010 12:10 PM, dan (ddp) wrote:
>> >>>>>
>> >>>>> On Thu, Dec 2, 2010 at 11:27 AM, Andre Pawlowski <[email protected]> wrote:
>> >>>>>>
>> >>>>>> Hi list,
>> >>>>>>
>> >>>>>> I've got a strange error message from my ossec server that I don't
>> >>>>>> understand:
>> >>>>>>
>> >>>>>> OSSEC HIDS Notification.
>> >>>>>> 2010 Dec 02 09:48:40
>> >>>>>>
>> >>>>>> Received From: kokyt0s->ossec-keepalive
>> >>>>>> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
>> >>>>>> Portion of the log(s):
>> >>>>>>
>> >>>>>> --MARK--:
>> >>>>>>
>> >>>>>> &pQSW__BPa5S?%tyDTJ3-iCG2lz2dU))r(F%6tjp8wqpf=]IKFT%ND2kP]ua/W)3-6'eHduX$;$Axqq7Vr.dVZ1SUDSaH)4xTXCIieaEKv47LD-bU)SXMnXO/jPGKn3.!NGBR_5]jD2UoSV9)h%z8G%7.xhI;s)267.rV214O@t2#w)Z(k'UQp9]MyDERrOrG[-,e?iS@B3Rg/kGiR[g6mc0K)/]S]0'+?+'/.[r$fqBR^7iAjoPv4j6SWjeRsLGr%$3#p+buf&u_RC3i/mE3vS3*jp&B1qSJM431TmEg,YJ][ge;6-dJI69?-TB?!BI4?Uza63V3vMY3ake6ahj-%A-m_5lgab!OVR,!pR+;L]eLgilU
>> >>>>>>
>> >>>>>> --END OF NOTIFICATION
>> >>>>>>
>> >>>>>> Has anyone an idea what this means?
>> >>>>>>
>> >>>>>> Regards
>> >>>>>>
>> >>>>>> --
>> >>>>>>
>> >>>>>> Andre Pawlowski
>> >>>>>>
>> >>>>>> -------------------------------------------------------------------
>> >>>>>>
>> >>>>>> If an idea does not at first seem absurd, it is worthless.
>> >>>>>> -Albert Einstein
>> >>>>>>
>> >>>>>
>> >>>>> I think it's "normal" (although I didn't think these messages were
>> >>>>> going to be logged). It's definitely nothing to worry about. I think
>> >>>>> the random text in the message is just padding to make the keep alives
>> >>>>> indistinguishable from other messages based on packet size.
>> >>>>>
>> >>>>
>> >>>>
>> >>
>> >> --
>> >> R. Loyd Darby, OSSIM-OCSE
>> >> Project Manager DOC/NOAA/NMFS
>> >> Infrastructure coordinator
>> >> Southeast Fisheries Science Center
>> >> 305-361-4297
>> >>
>> >
>>
>

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
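The thread above identifies two pieces: the agent keepalive generator that pads "--MARK--: " with random characters, and rule 1002's bad-words list that fired on one such message. The following is an added example written for this page, not OSSEC's own code and not the fix Daniel Cid refers to. It re-implements the quoted generator, scans lines for the bad-words list given in the thread, and puts a prefix-based pre-filter in front of the scan so keepalives never reach the bad-words check. Assumptions: the scan is case-insensitive (the posted message contains "ERrOr" inside "MyDERrOrG", which is the only bad word it carries, so that is what rule 1002 hit if matching ignores case); the "--MARK--: " prefix test is this example's own filter, not where OSSEC actually drops keepalives; the posted keepalive is reconstructed from the alert with mail line-wrap spaces removed (the generator's character set contains no spaces); the other sample log lines are constructed.

```c
/* keepalive_vs_rule1002.c -- added example, not OSSEC code.
 * Shows why the posted "--MARK--: ..." keepalive fired rule 1002 and how a
 * prefix pre-filter keeps generated keepalives out of the bad-words scan.
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MARK_PREFIX "--MARK--: "

/* $BAD_WORDS as listed in the thread for rule 1002, in the same order. */
static const char *BAD_WORDS[] = {
    "core_dumped", "failure", "error", "attack", "bad ", "illegal ",
    "denied", "refused", "unauthorized", "fatal", "failed",
    "Segmentation Fault", "Corrupted", NULL
};

/* Keepalive from the posted alert, reconstructed with wrap spaces removed. */
const char *POSTED_KEEPALIVE = MARK_PREFIX
    "&pQSW__BPa5S?%tyDTJ3-iCG2lz2dU))r(F%6tjp8wqpf=]"
    "IKFT%ND2kP]ua/W)3-6'eHduX$;$Axqq7Vr.dVZ1SUDSaH)"
    "4xTXCIieaEKv47LD-bU)SXMnXO/jPGKn3.!NGBR_5]jD2UoSV9)h%z8G%"
    "7.xhI;s)267.rV214O@t2#w)Z(k'UQp9]MyDERrOrG[-,e?iS@B3Rg/"
    "kGiR[g6mc0K)/]S]0'+?+'/.[r$fqBR^7iAjoPv4j6SWjeRsLGr%$3#p+"
    "buf&u_RC3i/mE3vS3*jp&B1qSJM431TmEg,YJ][ge;6-dJI69?-"
    "TB?!BI4?Uza63V3vMY3ake6ahj-%A-m_5lgab!OVR,!pR+;L]eLgilU";

/* Case-insensitive ASCII substring search (portable strcasestr). */
static const char *find_ci(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i;
        for (i = 0; i < n; i++)
            if (!hay[i] ||
                tolower((unsigned char)hay[i]) != tolower((unsigned char)needle[i]))
                break;
        if (i == n)
            return hay;
    }
    return NULL;
}

/* The bad word that would fire rule 1002 on this line, or NULL. Assumes
 * case-insensitive matching (this example's assumption). */
const char *rule1002_match(const char *line)
{
    for (int i = 0; BAD_WORDS[i]; i++)
        if (find_ci(line, BAD_WORDS[i]))
            return BAD_WORDS[i];
    return NULL;
}

/* Pre-filter: keepalives carry the fixed prefix, so drop them before any
 * rule runs. This is the example's own filter, not OSSEC's fix. */
int is_keepalive(const char *line)
{
    return strncmp(line, MARK_PREFIX, strlen(MARK_PREFIX)) == 0;
}

/* What the analysis stage does with one line: "keepalive" (dropped),
 * the bad word that fired, or "clean". */
const char *classify(const char *line)
{
    if (is_keepalive(line))
        return "keepalive";
    const char *w = rule1002_match(line);
    return w ? w : "clean";
}

/* Same algorithm as the logcollector.c excerpt quoted in the thread.
 * dst must hold at least size bytes and size must exceed 10. */
char *rand_keepalive_str(char *dst, int size)
{
    static const char text[] = "abcdefghijklmnopqrstuvwxyz"
                               "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                               "0123456789"
                               "!@#$%^&*()_+-=;'[],./?";
    int i, len = rand() % (size - 10);
    strncpy(dst, MARK_PREFIX, 12);
    for (i = 10; i < len; ++i)
        dst[i] = text[rand() % (sizeof text - 1)];
    dst[i] = '\0';
    return dst;
}

/* Generate n keepalives of up to size (<= 1024) bytes and count how many
 * would trip rule 1002 if they were not filtered first. */
int count_keepalive_hits(int n, int size)
{
    char buf[1024];
    int hits = 0;
    for (int k = 0; k < n; k++)
        if (rule1002_match(rand_keepalive_str(buf, size)))
            hits++;
    return hits;
}

int main(void)
{
    char buf[1024];
    srand(1);
    printf("posted keepalive, with pre-filter : %s\n", classify(POSTED_KEEPALIVE));
    printf("posted keepalive, rule 1002 alone : %s\n", rule1002_match(POSTED_KEEPALIVE));
    printf("generated sample: %s\n", rand_keepalive_str(buf, 80));
    printf("%d of 100000 generated keepalives would hit rule 1002 unfiltered\n",
           count_keepalive_hits(100000, 1024));
    return 0;
}
```

The counter shows how rarely the padding happens to spell a bad word, which is why the alert looked like a one-off; the pre-filter is there because "rarely" is still not "never" for a message that should not be analysed at all.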
