I used to get this on 2.6 and still get them on 2.7.1. Presumably the snapshots in 2010 didn't have a full fix. I would like to know the implications of this: is it really a bug that can be ignored, or is there something else going on under the surface? Speaking as an admin of PCI-compliant systems who has twitchy bosses about things like this.

On Thursday, 13 March 2014 15:41:43 UTC, Joshua Garnett wrote:
> All,
>
> I'm getting this alert also in 2.7.1. I tried writing a rule to filter them, but it caused remoted to not want to work properly. I'd welcome a hack at this point, if not a proper fix.
>
> --Josh
>
> On Thu, Mar 13, 2014 at 4:37 AM, Bib Kam wrote:
>> Hello,
>>
>> I'm using OSSEC 2.7 but I still get this alert!
>> Please, how do I resolve this issue?
>>
>> Thank you in advance
>>
>> On Friday, December 3, 2010 1:21:23 AM UTC+1, Daniel Cid wrote:
>>> Yes, a bug on OSSEC. These messages are randomly generated and should not reach analysisd.
>>>
>>> Been fixed on the latest snapshot: http://www.ossec.net/files/snapshots/
>>>
>>> thanks,
>>>
>>> On Thu, Dec 2, 2010 at 6:32 PM, dan (ddp) wrote:
>>>> On Thu, Dec 2, 2010 at 4:52 PM, loyd.darby wrote:
>>>>> That leaves only a memory / buffer overflow kind of error. If it only happened once I would not sweat it.
>>>>> It is also "possible" that the log data got corrupted in transit (look at netstat -s for host and client interfaces).
>>>>> If it repeats, then I would relook at the logs, possibly with a different tool.
>>>>> Binary data in a log file can hide from editors, so cat, grep and strings are better tools.
>>>>> I think it is unlikely that an OSSEC bug can cause this, but you could re-install as a last resort.
>>>>
>>>> Or it could be part of the keep alive messages in OSSEC:
>>>> (from src/logcollector/logcollector.c)
>>>>
>>>>     /* Needs <stdlib.h> for rand() and <string.h> for strncpy(). */
>>>>     char *rand_keepalive_str(char *dst, int size)
>>>>     {
>>>>         /* Padding alphabet: letters, digits and punctuation; no space. */
>>>>         static const char text[] = "abcdefghijklmnopqrstuvwxyz"
>>>>                                    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
>>>>                                    "0123456789"
>>>>                                    "!@#$%^&*()_+-=;'[],./?";
>>>>         /* len is the total message length, 0 to size-11; dst must hold at least 12 bytes. */
>>>>         int i, len = rand() % (size - 10);
>>>>         strncpy(dst, "--MARK--: ", 12);   /* 10-byte prefix, NUL-padded to 12 bytes */
>>>>         for ( i = 10; i < len; ++i )
>>>>         {
>>>>             dst[i] = text[rand() % (sizeof text - 1)];   /* -1 excludes the terminating NUL */
>>>>         }
>>>>         dst[i] = '\0';
>>>>         return dst;
>>>>     }
>>>>
>>>>> On 12/02/2010 04:06 PM, Andre Pawlowski wrote:
>>>>>> I don't find this log entry in any of my logs. That means that there was no syslog message with this text. SMART didn't detect anything strange either.
>>>>>>
>>>>>> Andre Pawlowski
>>>>>>
>>>>>> -------------------------------------------------------------------
>>>>>>
>>>>>> Poor is the pupil who does not surpass his master.
>>>>>> -Leonardo da Vinci
>>>>>>
>>>>>> On 12/02/2010 07:54 PM, loyd.darby wrote:
>>>>>>> It means that a syslog message had one of these words in it:
>>>>>>> core_dumped|failure|error|attack|bad |illegal|denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted
>>>>>>> MARK and the string of characters is actually part of the message and it is likely a disk error.
>>>>>>> It definitely should be looked at.
>>>>>>>
>>>>>>> On 12/02/2010 12:10 PM, dan (ddp) wrote:
>>>>>>>> On Thu, Dec 2, 2010 at 11:27 AM, Andre Pawlowski wrote:
>>>>>>>>> Hi list,
>>>>>>>>>
>>>>>>>>> I've got a strange error message from my ossec server that I don't understand:
>>>>>>>>>
>>>>>>>>> OSSEC HIDS Notification.
>>>>>>>>> 2010 Dec 02 09:48:40
>>>>>>>>>
>>>>>>>>> Received From: kokyt0s->ossec-keepalive
>>>>>>>>> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
>>>>>>>>> Portion of the log(s):
>>>>>>>>>
>>>>>>>>> --MARK--: &pQSW__BPa5S?%tyDTJ3-iCG2lz2dU))r(F%6tjp8wqpf=]IKFT%ND2kP]ua/W)3-6'eHduX$;$Axqq7Vr.dVZ1SUDSaH)4xTXCIieaEKv47LD-bU)SXMnXO/jPGKn3.!NGBR_5]jD2UoSV9)h%z8G%7.xhI;s)267.rV214O@t2#w)Z(k'UQp9]MyDERrOrG[-,e?iS@B3Rg/kGiR[g6mc0K)/]S]0'+?+'/.[r$fqBR^7iAjoPv4j6SWjeRsLGr%$3#p+buf&u_RC3i/mE3vS3*jp&B1qSJM431TmEg,YJ][ge;6-dJI69?-TB?!BI4?Uza63V3vMY3ake6ahj-%A-m_5lgab!OVR,!pR+;L]eLgilU
>>>>>>>>>
>>>>>>>>> --END OF NOTIFICATION
>>>>>>>>>
>>>>>>>>> Has anyone an idea what this means?
>>>>>>>>>
>>>>>>>>> Regards
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Andre Pawlowski
>>>>>>>>>
>>>>>>>>> -------------------------------------------------------------------
>>>>>>>>>
>>>>>>>>> If an idea does not at first seem absurd, it is no good.
>>>>>>>>> -Albert Einstein
>>>>>>>>
>>>>>>>> I think it's "normal" (although I didn't think these messages were going to be logged). It's definitely nothing to worry about. I think the random text in the message is just padding to make the keepalives indistinguishable from other messages based on packet size.
>>>>>
>>>>> --
>>>>> R. Loyd Darby, OSSIM-OCSE
>>>>> Project Manager DOC/NOAA/NMFS
>>>>> Infrastructure coordinator
>>>>> Southeast Fisheries Science Center
>>>>> 305-361-4297

--
---
You received this message because you are subscribed to the Google Groups "ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
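As an added example (my own code, not OSSEC's and not something posted in the thread), the following C program ports the quoted rand_keepalive_str() unchanged and adds the two checks a PCI-minded admin would want before deciding whether these alerts are noise: is a given line a keepalive at all (the `--MARK--: ` prefix that a suppression rule would key on), and which of the $BAD_WORDS tokens loyd quoted can the padding alphabet even produce. Assumptions: the word list is exactly the one quoted in the thread, OSSEC's `<match>` is treated as a case-insensitive substring test, the buffer size of 256 bytes and the file name `keepalive_check.c` are arbitrary, and all helper names (`is_keepalive`, `first_bad_word`, `padding_can_contain`, `count_keepalives_matching`) are mine.

```c
/* keepalive_check.c: added example for the ossec-list thread, not OSSEC code.
 * Build: cc -std=c99 -Wall keepalive_check.c -o keepalive_check
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define KEEPALIVE_PREFIX "--MARK--: "

/* Padding alphabet, copied from the logcollector.c excerpt in the thread.
 * It contains no space character. */
static const char text[] = "abcdefghijklmnopqrstuvwxyz"
                           "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                           "0123456789"
                           "!@#$%^&*()_+-=;'[],./?";

/* $BAD_WORDS tokens exactly as loyd.darby quoted them (assumed to be the
 * full list rule 1002 matches on). */
static const char *bad_words[] = {
    "core_dumped", "failure", "error", "attack", "bad ", "illegal",
    "denied", "refused", "unauthorized", "fatal", "failed",
    "Segmentation Fault", "Corrupted", NULL
};

/* Verbatim port of the thread's rand_keepalive_str(); dst needs >= 12 bytes. */
char *rand_keepalive_str(char *dst, int size)
{
    int i, len = rand() % (size - 10);
    strncpy(dst, KEEPALIVE_PREFIX, 12);
    for (i = 10; i < len; ++i)
        dst[i] = text[rand() % (sizeof text - 1)];
    dst[i] = '\0';
    return dst;
}

/* 1 if the line carries the keepalive prefix: the property a local rule
 * that silences these alerts would key on, rather than the random text. */
int is_keepalive(const char *line)
{
    return strncmp(line, KEEPALIVE_PREFIX, sizeof KEEPALIVE_PREFIX - 1) == 0;
}

/* Case-insensitive substring search, standing in for OSSEC's <match>
 * (assumption: <match> compares case-insensitively). */
static int contains_ci(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay; ++hay) {
        size_t k = 0;
        while (k < n && hay[k] &&
               tolower((unsigned char)hay[k]) == tolower((unsigned char)needle[k]))
            ++k;
        if (k == n)
            return 1;
    }
    return 0;
}

/* First $BAD_WORDS token found in line, or NULL when rule 1002 would stay quiet. */
const char *first_bad_word(const char *line)
{
    for (int i = 0; bad_words[i]; ++i)
        if (contains_ci(line, bad_words[i]))
            return bad_words[i];
    return NULL;
}

/* 1 if every byte of word is in the padding alphabet, i.e. a keepalive could
 * in principle contain it (both letter cases are in the alphabet). */
int padding_can_contain(const char *word)
{
    for (; *word; ++word)
        if (!strchr(text, *word))
            return 0;
    return 1;
}

/* Generates `trials` keepalives into a `size`-byte buffer (size is an assumed
 * value; OSSEC's real one is not in the thread) and counts rule-1002 hits. */
int count_keepalives_matching(int trials, int size)
{
    char *buf = malloc((size_t)size);
    int hits = 0;
    if (!buf)
        return -1;
    for (int t = 0; t < trials; ++t)
        if (first_bad_word(rand_keepalive_str(buf, size)))
            ++hits;
    free(buf);
    return hits;
}

int main(void)
{
    srand((unsigned)time(NULL));
    for (int i = 0; bad_words[i]; ++i)
        printf("%-20s producible by padding: %s\n", bad_words[i],
               padding_can_contain(bad_words[i]) ? "yes" : "no");
    printf("rule-1002 hits in 100000 generated keepalives: %d\n",
           count_keepalives_matching(100000, 256));
    return 0;
}
```

Two of the tokens, `bad ` and `Segmentation Fault`, contain a space and so can never occur in the padding; the rest need five or more specific characters in a row drawn from an 84-character alphabet, which is why the hit counter almost always prints 0 over 100000 keepalives. The content of the random text is therefore not what makes these alerts interesting; the point Daniel makes is that the message should not reach analysisd at all, and a filter, if you need one, should key on the prefix that `is_keepalive` checks or on the `ossec-keepalive` location shown in the alert.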
