On Wed, 7 Nov 2018, John Chivian wrote:

As previously mentioned, that is the result of a scanner trying to do a vulnerability assessment.

I find it incredibly annoying that such things bombard any and all listening ports they might find with instructions and commands that look nothing like what rsyslog is expecting to parse, and hence you get hostname values of GET and VERSION and all that other nonsense.

In my environment we have a list of "known scanner IPs" and we implement a filtering ruleset that drops all traffic from them with extreme prejudice.

that works, as long as you log from a different IP ;-)

you can also whitelist the syslog port in the vulnerability scanner ("I know what's running there, don't try and figure it out")

David Lang



On 11/6/18 3:14 PM, David Lang wrote:
setup some logging to detect these hostnames and log with a template that shows you $rawmsg (RSYSLOG_DebugFormat is good for this)

# match when the parsed hostname is one of the listed tokens (array compare)
if $hostname == ['VERSION', 'GET', 'OPTIONS'] then {
 # write the record to its own file using the debug template, which includes $rawmsg
 /var/log/badhosts;RSYSLOG_DebugFormat
 # and do not process the message further
 stop
}

or something similar would help you figure out what's really happening here pretty easily

David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
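Added example, not code from the thread or from the rsyslog project: a small Python classifier that does offline what David's ruleset does inside rsyslog. It also covers the earlier suggestion of a known-scanner IP list. Assumptions: for input that is not well-formed RFC 3164, the first whitespace token is treated as the hostname (this reproduces the GET/VERSION/OPTIONS symptom the thread describes, it is not a claim about rsyslog's exact parser); the hostname list is the three tokens from the thread plus the other HTTP request methods; the sample records and addresses are constructed.

```python
import re
from collections import Counter, defaultdict

# Hostname values reported in the thread (VERSION, GET, OPTIONS) plus the
# remaining HTTP request methods. The extra verbs are an assumption about
# what other HTTP-style probes against the syslog port would produce.
PROBE_HOSTNAMES = frozenset({
    "VERSION", "GET", "OPTIONS", "HEAD", "POST", "PUT",
    "DELETE", "CONNECT", "TRACE", "PATCH",
})

# Minimal RFC 3164 shape: <PRI>Mmm dd hh:mm:ss hostname tag: message
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>[^\s:]+) "
    r"(?P<rest>.+)$"
)


def parse_hostname(raw):
    """Return (hostname, well_formed).

    Well-formed RFC 3164 input yields the real hostname. For anything else
    we fall back to the first whitespace-delimited token (assumption, see
    lead-in), so "GET / HTTP/1.1" ends up with hostname "GET".
    """
    m = RFC3164.match(raw)
    if m:
        return m.group("host"), True
    first = raw.split(None, 1)[0] if raw.strip() else ""
    return first, False


def classify(peer_ip, raw, known_scanners):
    """Label one payload received on the syslog port.

    'scanner-ip' : sender is on the known-scanner list (drop outright)
    'probe'      : hostname is an HTTP verb / VERSION token, or not syslog at all
    'ok'         : looks like a normal syslog record
    """
    if peer_ip in known_scanners:
        return "scanner-ip"
    host, well_formed = parse_hostname(raw)
    if not well_formed or host.upper() in PROBE_HOSTNAMES:
        return "probe"
    return "ok"


def summarize(records, known_scanners):
    """Count categories and collect which peers sent probe traffic, so the
    result can feed a drop list or an alert rather than a noisy hosts file."""
    counts = Counter()
    probe_sources = defaultdict(list)
    for peer_ip, raw in records:
        label = classify(peer_ip, raw, known_scanners)
        counts[label] += 1
        if label == "probe":
            probe_sources[peer_ip].append(parse_hostname(raw)[0])
    return counts, dict(probe_sources)


# Constructed sample traffic: two genuine syslog lines and three payloads
# of the kind a port scanner sends to 514/tcp. Addresses are from the
# documentation ranges, not real hosts.
SAMPLE_RECORDS = [
    ("192.0.2.10", "<34>Nov  7 10:15:02 web01 sshd[1234]: Accepted publickey for ops"),
    ("192.0.2.11", "<13>Nov  7 10:15:05 db01 cron[99]: (root) CMD (run-parts /etc/cron.hourly)"),
    ("198.51.100.7", "GET / HTTP/1.1\r\nHost: 192.0.2.1\r\n"),
    ("198.51.100.7", "OPTIONS * HTTP/1.0\r\n"),
    ("203.0.113.5", "VERSION\r\n"),
]

# Constructed "known scanner IPs" list, the equivalent of John's drop list.
KNOWN_SCANNERS = frozenset({"203.0.113.5"})

if __name__ == "__main__":
    counts, sources = summarize(SAMPLE_RECORDS, KNOWN_SCANNERS)
    print(dict(counts))
    for ip, hosts in sources.items():
        print(f"{ip}: bogus hostnames {hosts}")
```

Run it against a capture of $rawmsg from the badhosts file (or a pcap of the syslog port) and the probe_sources map tells you which senders to add to the scanner list or to whitelist the port for, which is the decision the thread is really about.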