As previously mentioned, that is the result of a scanner trying to do a
vulnerability assessment.
I find it incredibly annoying that such things bombard any and all
listening ports they might find with instructions and commands that look
nothing like what rsyslog is expecting to parse, and hence you get
hostname values of GET and VERSION and all that other nonsense.
In my environment we have a list of "known scanner IPs" and we
implement a filtering ruleset that drops all traffic from them with
extreme prejudice.
On 11/6/18 3:14 PM, David Lang wrote:
Set up some logging to detect these hostnames and log with a template
that shows you $rawmsg (RSYSLOG_DebugFormat is good for this)
if $hostname == ['VERSION', 'GET', 'OPTIONS'] then {
/var/log/badhosts;RSYSLOG_DebugFormat
stop
}
or something similar would help you figure out what's really happening
here pretty easily
David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST
if you DON'T LIKE THAT.
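As an added illustration (not code from this thread or from the rsyslog project), the following Python models the header misparse that David Lang's $rawmsg template would expose and runs the same hostname check over a few constructed raw messages tagged with their sender IP, tallying probes per source so the result can feed a "known scanner IPs" drop list like the one described above. The simplified header split, the token lists, the sample messages and the addresses are all assumptions made for this example; $fromhost-ip is a real rsyslog property, and the array comparison in the rendered rule uses the same form as the $hostname == [...] test in the quoted snippet.

```python
import re
from collections import Counter

# Assumption for this example: bare protocol probes that a scanner pushes into
# any open port; the thread reports VERSION and HTTP methods showing up as $hostname.
SCANNER_TOKENS = {"VERSION", "HELP", "QUIT", "EHLO", "HELO", "USER", "PASS"}
HTTP_METHOD_RE = re.compile(r"^(GET|POST|HEAD|OPTIONS|PUT|DELETE|TRACE|CONNECT|PATCH)$")
# What a real RFC 3164 sender puts in the HOSTNAME field: a label, an FQDN or an IPv4 literal.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$")
PRI_RE = re.compile(r"^<\d{1,3}>")
BSD_TS_RE = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} ")


def split_rfc3164(rawmsg):
    """Simplified model (not rsyslog's parser code) of the legacy RFC 3164 header split
    the thread describes: optional <PRI>, optional BSD timestamp, then the next
    whitespace-delimited token is taken as HOSTNAME and the rest is TAG/MSG.
    It reproduces the symptom: a bare 'GET / HTTP/1.0' yields hostname 'GET'."""
    body = rawmsg
    m = PRI_RE.match(body)
    if m:
        body = body[m.end():]
    m = BSD_TS_RE.match(body)
    if m:
        body = body[m.end():]
    host, _, rest = body.partition(" ")
    return host.strip("\r\n"), rest.strip()


def is_scanner_probe(rawmsg):
    """True when the parsed hostname is something no syslog sender would emit:
    an HTTP method, a known probe keyword, or a token that is not hostname-shaped
    at all (e.g. the leading bytes of a TLS ClientHello)."""
    host, _rest = split_rfc3164(rawmsg)
    if HTTP_METHOD_RE.match(host) or host in SCANNER_TOKENS:
        return True
    return HOSTNAME_RE.match(host) is None


def triage(events, threshold=2):
    """events: iterable of (source_ip, rawmsg) pairs as received on the listener.
    Returns (probe count per source IP, sorted IPs at or above threshold).
    The threshold keeps one oddly formatted message from a real host off the list."""
    probes = Counter()
    for src_ip, rawmsg in events:
        if is_scanner_probe(rawmsg):
            probes[src_ip] += 1
    blocklist = sorted(ip for ip, n in probes.items() if n >= threshold)
    return dict(probes), blocklist


def render_rsyslog_drop_rule(blocklist):
    """Render the list as a RainerScript filter in the same array-comparison form
    as the quoted $hostname check; $fromhost-ip is the sender address property."""
    quoted = ", ".join('"%s"' % ip for ip in blocklist)
    return "if $fromhost-ip == [%s] then stop" % quoted


# Constructed sample input: two legitimate senders and three scanner sources.
SAMPLE_EVENTS = [
    ("10.0.0.5", "<13>Nov  6 15:14:02 web01 nginx: GET / HTTP/1.1 200"),
    ("10.0.0.6", "<34>Nov  6 15:14:03 db01 sshd[2211]: Accepted publickey for ops"),
    ("192.0.2.77", "GET / HTTP/1.0\r\n"),
    ("192.0.2.77", "OPTIONS / HTTP/1.1\r\n"),
    ("192.0.2.77", "VERSION\r\n"),
    ("192.0.2.88", "HELP\r\n"),
    ("192.0.2.99", "\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
]

if __name__ == "__main__":
    counts, block = triage(SAMPLE_EVENTS)
    for ip, n in sorted(counts.items()):
        print("%-12s %d probe(s)" % (ip, n))
    print(render_rsyslog_drop_rule(block))
```

Note that the legitimate web01 line also contains "GET / HTTP/1.1", but in the message body after a proper header, so the check looks only at the parsed hostname token and does not flag it; feeding real $rawmsg captures through is_scanner_probe is the quickest way to confirm the source of the GET and VERSION hostnames before adding anything to a drop list.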