On Fri, Sep 28, 2018 at 1:09 AM Chinmay Pandya
<[email protected]> wrote:
>
> Hi Dan
>
> Have you looked into this issue?
>
Nope, I've been busy.
> On Wednesday, September 19, 2018 at 11:04:36 AM UTC+5:30, Chinmay Pandya
> wrote:
>>
>> This is the alert from alert.log file
>>
>> ** Alert 1536818415.3348561390: - syslog,sshd,recon,
>> 2018 Sep 13 06:00:15 east1001->10.88.10.114
>> Rule: 5706 (level 6) -> 'SSH insecure connection attempt (scan).'
>> Src IP: 10.14.158.11
>>
>>
>> Sep 13 06:00:15 east1001 sshd[14453]: Did not receive identification string from 10.14.158.11
>>
>> and this is what I got in syslog JSON output from ossec
>>
>>
>> ossec-box ossec: {"crit":6,"id":5706,"component":"east1001->10.88.10.114","classification":"syslog,sshd,recon,","description":"SSH insecure connection attempt (scan).","message":"","src_ip":"10.14.158.11"}
>>
>> So it looks like there is some code error in writing the message body for this rule
>> id.
>>
>>
>>
>> On Friday, September 14, 2018 at 4:33:07 PM UTC+5:30, dan (ddpbsd) wrote:
>>>
>>> On Fri, Sep 14, 2018 at 6:12 AM Chinmay Pandya
>>> <[email protected]> wrote:
>>> >
>>> > I have set ossec to forward alerts in JSON format to my alerting server.
>>> >
>>> > But sometimes I am getting blank message object in json.
>>> >
>>> > Here is a sample log
>>> >
>>> > ossec-box ossec: {"crit":6,"id":5706,"component":"east1001->10.88.10.114","classification":"syslog,sshd,recon,","description":"SSH insecure connection attempt (scan).","message":"","src_ip":"10.14.158.11"}
>>> >
>>> > It mostly happens with ssh-related alerts.
>>> >
>>>
>>> What's usually in that field, the full log?
>>>
>>> >
>>> > Any clue where I should look for the error? I am not getting any errors
>>> > in the ossec logs.
>>> >
>>> > _____________________________________________________________
>>> > The information contained in this communication is intended solely for
>>> > the use of the individual or entity to whom it is addressed and others
>>> > authorized to receive it. It may contain confidential or legally
>>> > privileged information. If you are not the intended recipient you are
>>> > hereby notified that any disclosure, copying, distribution or taking any
>>> > action in reliance on the contents of this information is strictly
>>> > prohibited and may be unlawful. If you have received this communication
>>> > in error, please notify us immediately by responding to this email and
>>> > then delete it from your system. The firm is neither liable for the
>>> > proper and complete transmission of the information contained in this
>>> > communication nor for any delay in its receipt.
>>> >
>>> > --
>>> >
>>> > ---
>>> > You received this message because you are subscribed to the Google Groups
>>> > "ossec-list" group.
>>> > To unsubscribe from this group and stop receiving emails from it, send an
>>> > email to [email protected].
>>> > For more options, visit https://groups.google.com/d/optout.
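Added example (not OSSEC's own code, and not posted by anyone in this thread): a small Python script that reads the alert.log entry and the forwarded JSON line quoted above, flags every forwarded alert whose "message" field is empty, and recovers the missing log line from alert.log by rule id, so the alerting server can be told what it never received. The sample data is constructed: the rule 5706 alert and its JSON line are copied from the thread, while the second alert (rule 5716, a failed password) and its JSON line are invented to show the non-empty case. The JSON field names are the ones visible in the thread; matching by rule id is an assumption that is good enough for a spot check but would need the alert timestamp on a busy server, where one rule fires many times.

```python
import json
import re
from typing import Dict, List

# Constructed sample data (not captured from a live OSSEC server): the alert.log
# entry and JSON syslog line from the thread, plus a second, invented alert
# (rule 5716, authentication failure) whose JSON "message" field is populated.
ALERT_LOG = """** Alert 1536818415.3348561390: - syslog,sshd,recon,
2018 Sep 13 06:00:15 east1001->10.88.10.114
Rule: 5706 (level 6) -> 'SSH insecure connection attempt (scan).'
Src IP: 10.14.158.11

Sep 13 06:00:15 east1001 sshd[14453]: Did not receive identification string from 10.14.158.11

** Alert 1536818420.3348570000: - syslog,sshd,authentication_failed,
2018 Sep 13 06:00:20 east1001->10.88.10.114
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 10.14.158.11
User: root

Sep 13 06:00:20 east1001 sshd[14460]: Failed password for root from 10.14.158.11 port 52311 ssh2
"""

SYSLOG_JSON = [
    'ossec-box ossec: {"crit":6,"id":5706,"component":"east1001->10.88.10.114",'
    '"classification":"syslog,sshd,recon,","description":"SSH insecure connection '
    'attempt (scan).","message":"","src_ip":"10.14.158.11"}',
    'ossec-box ossec: {"crit":5,"id":5716,"component":"east1001->10.88.10.114",'
    '"classification":"syslog,sshd,authentication_failed,","description":"SSHD '
    'authentication failed.","message":"Sep 13 06:00:20 east1001 sshd[14460]: Failed '
    'password for root from 10.14.158.11 port 52311 ssh2","src_ip":"10.14.158.11"}',
]

# One alert.log entry starts with "** Alert"; the rule line carries id, level, text.
ALERT_SEP = re.compile(r"^\*\* Alert ", re.M)
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$", re.M)


def parse_alert_log(text: str) -> Dict[int, dict]:
    """Map rule id -> {level, description, log} for each alert block in alert.log text.

    Keying by rule id is a simplification (assumption): the last block seen for a
    rule wins, which is fine for a spot check but not for a busy server.
    """
    alerts: Dict[int, dict] = {}
    for block in ALERT_SEP.split(text):
        if not block.strip():
            continue
        m = RULE_RE.search(block)
        if not m:
            continue
        # The raw log line(s) follow the first blank line of the block.
        _head, _sep, body = block.partition("\n\n")
        alerts[int(m.group(1))] = {
            "level": int(m.group(2)),
            "description": m.group(3),
            "log": body.strip(),
        }
    return alerts


def parse_syslog_json(line: str) -> dict:
    """Strip the 'host ossec: ' syslog prefix and decode the JSON payload."""
    _prefix, _sep, payload = line.partition("ossec: ")
    return json.loads(payload)


def empty_message_alerts(lines: List[str]) -> List[int]:
    """Rule ids of forwarded alerts whose 'message' field is empty or missing."""
    return [a["id"] for a in map(parse_syslog_json, lines) if not a.get("message")]


def reconcile(alert_log: str, lines: List[str]) -> Dict[int, str]:
    """For each forwarded alert with an empty message, recover the raw log line
    from alert.log (empty string if alert.log has no block for that rule)."""
    by_rule = parse_alert_log(alert_log)
    return {rid: by_rule.get(rid, {}).get("log", "")
            for rid in empty_message_alerts(lines)}


if __name__ == "__main__":
    for rid, log in reconcile(ALERT_LOG, SYSLOG_JSON).items():
        print(f"rule {rid}: JSON message empty; alert.log has: {log!r}")
```

Run it against a real alert.log and a capture of the syslog feed to see which rule ids are affected before filing a bug; the rule ids it prints are the ones whose decoder output never makes it into the JSON "message" field.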