On Fri, Jun 13, 2014 at 5:56 AM, Gary Mason <[email protected]> wrote:
> I used to get this on 2.6 and still get them on 2.7.1.
> Presumably the snapshots in 2010 didn't have a full fix.
> Would like to know the implications of this - is it really a bug that can be
> ignored, or is there something else going on under the surface?
> Speaking as an admin of PCI-compliant systems who has twitchy bosses about
> things like this.

It's harmless*. You can either ignore it, or help us fix it.

*It does take up storage space, so harmless is a judgement call. There are no
known downsides, other than this and time spent ignoring any alerts.

> On Thursday, 13 March 2014 15:41:43 UTC, Joshua Garnett wrote:
>> All,
>>
>> I'm getting this alert also in 2.7.1. I tried writing a rule to filter
>> them, but it caused remoted to not want to work properly. I'd welcome a
>> hack at this point, if not a proper fix.
>>
>> --Josh
>>
>> On Thu, Mar 13, 2014 at 4:37 AM, Bib Kam <[email protected]> wrote:
>>> Hello,
>>>
>>> I'm using OSSEC 2.7 but I still get this alert!!
>>> Please, how do I resolve this issue?
>>>
>>> Thank you in advance
>>>
>>> On Friday, December 3, 2010 1:21:23 AM UTC+1, Daniel Cid wrote:
>>>> Yes, a bug on OSSEC. These messages are randomly generated and should
>>>> not reach analysisd.
>>>>
>>>> Been fixed on the latest snapshot: http:/www.ossec.net/files/snapshots/
>>>>
>>>> thanks,
>>>>
>>>> On Thu, Dec 2, 2010 at 6:32 PM, dan (ddp) <[email protected]> wrote:
>>>> > On Thu, Dec 2, 2010 at 4:52 PM, loyd.darby <[email protected]> wrote:
>>>> >> That leaves only a memory / buffer overflow kind of error. If it
>>>> >> only happened once I would not sweat it.
>>>> >> It is also "possible" that the log data got corrupted in transit
>>>> >> (look at netstat -s for host and client interfaces).
>>>> >> If it repeats, then I would re-look at the logs, possibly with a
>>>> >> different tool.
>>>> >> Binary data in a log file can hide from editors, so cat, grep and
>>>> >> strings are better tools.
>>>> >> I think it is unlikely that an OSSEC bug can cause this, but you could
>>>> >> re-install as a last resort.
>>>> >
>>>> > Or it could be part of the keep alive messages in OSSEC:
>>>> > (from src/logcollector/logcollector.c)
>>>> >
>>>> >     char *rand_keepalive_str(char *dst, int size)
>>>> >     {
>>>> >         static const char text[] = "abcdefghijklmnopqrstuvwxyz"
>>>> >                                    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
>>>> >                                    "0123456789"
>>>> >                                    "!@#$%^&*()_+-=;'[],./?";
>>>> >         int i, len = rand() % (size - 10);
>>>> >         strncpy(dst, "--MARK--: ", 12);
>>>> >         for ( i = 10; i < len; ++i )
>>>> >         {
>>>> >             dst[i] = text[rand() % (sizeof text - 1)];
>>>> >         }
>>>> >         dst[i] = '\0';
>>>> >         return dst;
>>>> >     }
>>>> >
>>>> >> On 12/02/2010 04:06 PM, Andre Pawlowski wrote:
>>>> >>> I don't find this log entry in any of my logs. That means that there
>>>> >>> was no syslog message with this text. SMART didn't detect anything
>>>> >>> strange either.
>>>> >>>
>>>> >>> Andre Pawlowski
>>>> >>>
>>>> >>> -------------------------------------------------------------------
>>>> >>>
>>>> >>> Poor is the pupil who does not surpass his master.
>>>> >>> -Leonardo da Vinci
>>>> >>>
>>>> >>> On 12/02/2010 07:54 PM, loyd.darby wrote:
>>>> >>>> It means that a syslog message had one of these words in it:
>>>> >>>> core_dumped|failure|error|attack|bad |illegal
>>>> >>>> |denied|refused|unauthorized|fatal|failed|Segmentation
>>>> >>>> Fault|Corrupted
>>>> >>>> MARK and the string of characters is actually part of the message,
>>>> >>>> and it is likely a disk error.
>>>> >>>> It definitely should be looked at.
>>>> >>>>
>>>> >>>> On 12/02/2010 12:10 PM, dan (ddp) wrote:
>>>> >>>>> On Thu, Dec 2, 2010 at 11:27 AM, Andre Pawlowski <[email protected]>
>>>> >>>>> wrote:
>>>> >>>>>> Hi list,
>>>> >>>>>>
>>>> >>>>>> I've got a strange error message from my ossec server that I
>>>> >>>>>> don't understand:
>>>> >>>>>>
>>>> >>>>>> OSSEC HIDS Notification.
>>>> >>>>>> 2010 Dec 02 09:48:40
>>>> >>>>>>
>>>> >>>>>> Received From: kokyt0s->ossec-keepalive
>>>> >>>>>> Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the
>>>> >>>>>> system."
>>>> >>>>>> Portion of the log(s):
>>>> >>>>>>
>>>> >>>>>> --MARK--:
>>>> >>>>>> &pQSW__BPa5S?%tyDTJ3-iCG2lz2dU))r(F%6tjp8wqpf=]IKFT%ND2kP]ua/W)3-6'eHduX$;$Axqq7Vr.dVZ1SUDSaH)4xTXCIieaEKv47LD-bU)SXMnXO/jPGKn3.!NGBR_5]jD2UoSV9)h%z8G%7.xhI;s)267.rV214O@t2#w)Z(k'UQp9]MyDERrOrG[-,e?iS@B3Rg/kGiR[g6mc0K)/]S]0'+?+'/.[r$fqBR^7iAjoPv4j6SWjeRsLGr%$3#p+buf&u_RC3i/mE3vS3*jp&B1qSJM431TmEg,YJ][ge;6-dJI69?-TB?!BI4?Uza63V3vMY3ake6ahj-%A-m_5lgab!OVR,!pR+;L]eLgilU
>>>> >>>>>>
>>>> >>>>>> --END OF NOTIFICATION
>>>> >>>>>>
>>>> >>>>>> Has anyone an idea what this means?
>>>> >>>>>>
>>>> >>>>>> Regards
>>>> >>>>>>
>>>> >>>>>> --
>>>> >>>>>>
>>>> >>>>>> Andre Pawlowski
>>>> >>>>>>
>>>> >>>>>> -------------------------------------------------------------------
>>>> >>>>>>
>>>> >>>>>> If an idea does not seem absurd at first, it is worthless.
>>>> >>>>>> -Albert Einstein
>>>> >>>>>
>>>> >>>>> I think it's "normal" (although I didn't think these messages were
>>>> >>>>> going to be logged). It's definitely nothing to worry about. I
>>>> >>>>> think the random text in the message is just padding to make the
>>>> >>>>> keep alives indistinguishable from other messages based on packet
>>>> >>>>> size.
>>>> >>
>>>> >> --
>>>> >> R. Loyd Darby, OSSIM-OCSE
>>>> >> Project Manager DOC/NOAA/NMFS
>>>> >> Infrastructure coordinator
>>>> >> Southeast Fisheries Science Center
>>>> >> 305-361-4297
>>>
>>> --
>>>
>>> ---
>>> You received this message because you are subscribed to the Google Groups
>>> "ossec-list" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an
>>> email to [email protected].
>>> For more options, visit https://groups.google.com/d/optout.
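The thread above explains two things: why the keepalive payload is random text (padding so keepalives cannot be told apart from real events by size) and why rule 1002 fires on it (the padding occasionally contains one of the rule's keywords by chance). The following program is an added example, not OSSEC project code and not anything posted in the thread. It reproduces the quoted `rand_keepalive_str()` as posted, adds a simplified keyword check that stands in for rule 1002 (assumption: plain case-sensitive substring search, not OSSEC's own matcher), and shows the defender-side fix the thread asks for: events whose location ends in `->ossec-keepalive` (the form seen in the alert's "Received From" line) are never passed to the keyword rule. `count_chance_matches()` lets you measure how often the random padding would hit a keyword for a given buffer size.

```c
/* Added example: keepalive padding versus the rule 1002 keyword list.
 * Not OSSEC code.  Compile with: cc -std=c99 -o keepalive_demo keepalive_demo.c */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Keepalive generator exactly as quoted in the thread
 * (src/logcollector/logcollector.c).  Needs size >= 12 so the 10-byte
 * prefix plus NUL padding written by strncpy always fits. */
char *rand_keepalive_str(char *dst, int size)
{
    static const char text[] = "abcdefghijklmnopqrstuvwxyz"
                               "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                               "0123456789"
                               "!@#$%^&*()_+-=;'[],./?";
    int i, len = rand() % (size - 10);   /* random total length below size */
    strncpy(dst, "--MARK--: ", 12);      /* prefix, NUL-padded to 12 bytes */
    for (i = 10; i < len; ++i)
        dst[i] = text[rand() % (sizeof text - 1)];
    dst[i] = '\0';
    return dst;
}

/* Keyword list quoted in the thread for rule 1002.  Assumption: a plain
 * case-sensitive substring search stands in for OSSEC's real matcher. */
static const char *const RULE_1002_WORDS[] = {
    "core_dumped", "failure", "error", "attack", "bad ", "illegal",
    "denied", "refused", "unauthorized", "fatal", "failed",
    "Segmentation Fault", "Corrupted", NULL
};

/* Returns the keyword that would fire rule 1002, or NULL if none. */
const char *rule1002_match(const char *msg)
{
    for (int k = 0; RULE_1002_WORDS[k] != NULL; ++k)
        if (strstr(msg, RULE_1002_WORDS[k]) != NULL)
            return RULE_1002_WORDS[k];
    return NULL;
}

/* The alert shows "Received From: kokyt0s->ossec-keepalive"; assumption:
 * every keepalive carries a location ending in "->ossec-keepalive". */
int is_keepalive_location(const char *location)
{
    const char suffix[] = "->ossec-keepalive";
    size_t ll = strlen(location), sl = strlen(suffix);
    return ll >= sl && strcmp(location + ll - sl, suffix) == 0;
}

/* Decision the thread asks for: keepalives never reach the keyword rule,
 * every other event is checked.  Returns 1 when rule 1002 should fire. */
int should_alert_rule1002(const char *location, const char *msg)
{
    if (is_keepalive_location(location))
        return 0;
    return rule1002_match(msg) != NULL;
}

/* Sanity check on the generator: prefix intact and NUL inside the buffer. */
int keepalive_shape_ok(unsigned seed, int size)
{
    char *buf;
    int ok;
    if (size < 12 || (buf = malloc((size_t)size)) == NULL)
        return 0;
    srand(seed);
    rand_keepalive_str(buf, size);
    ok = strncmp(buf, "--MARK--: ", 10) == 0 && strlen(buf) < (size_t)size;
    free(buf);
    return ok;
}

/* Generates `trials` keepalives into a `size`-byte buffer and counts how
 * many random payloads contain a rule 1002 keyword purely by chance.
 * Returns -1 for a buffer too small for the generator. */
int count_chance_matches(unsigned seed, int trials, int size)
{
    char *buf;
    int hits = 0;
    if (size < 12 || (buf = malloc((size_t)size)) == NULL)
        return -1;
    srand(seed);
    for (int t = 0; t < trials; ++t)
        if (rule1002_match(rand_keepalive_str(buf, size)) != NULL)
            ++hits;
    free(buf);
    return hits;
}

int main(void)
{
    char buf[256];
    srand(1);
    printf("sample keepalive: %s\n", rand_keepalive_str(buf, sizeof buf));
    printf("chance matches in 100000 keepalives of up to 256 bytes: %d\n",
           count_chance_matches(1, 100000, 256));
    printf("alert for keepalive containing 'error': %d\n",
           should_alert_rule1002("kokyt0s->ossec-keepalive", "--MARK--: xerrorx"));
    printf("alert for real syslog line: %d\n",
           should_alert_rule1002("kokyt0s->/var/log/messages", "sshd: refused connect"));
    return 0;
}
```

Running it shows the point made in the thread: a keepalive that happens to contain `error` or `bad ` is dropped by the location check before any keyword matching, while the same words in a genuine syslog line still alert. Keepalive padding also means the alert count grows with the keepalive buffer size and keepalive frequency, which is why the storage cost in the reply above is the only real downside.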
