ossec's BUG


root

May 13, 2013, 7:03:57 AM
to ossec-list
 
Hi, all,

There is a problem: when some hosts make different logs, OSSEC can associate them and has false positives!
 
For example:
 
 
OSSEC HIDS Notification.
2013 May 13 18:39:12

Received From: l-logbackup1->/var/log/secure
Rule: 40112 fired (level 12) -> "Multiple authentication failures followed by a success."
Portion of the log(s):

May 13 18:39:10 l-logbackup1.ops.cn1.qunar.com sshd[5578]: Accepted publickey for robert from 192.168.0.59 port 31495 ssh2



 --END OF NOTIFICATION



OSSEC HIDS Notification.
2013 May 13 18:39:12

Received From: l-interdb3->/var/log/secure
Rule: 40501 fired (level 15) -> "Attacks followed by the addition of an user."
Portion of the log(s):

May 13 18:39:12 l-interdb3 useradd[16574]: new user: name=bob, UID=40025, GID=1002, home=/home/bob, shell=/bin/bash
May 13 18:39:10 l-logbackup1 sshd[5578]: Accepted publickey for robert from 192.168.0.59 port 31495 ssh2
May 13 18:39:10 l-logbackup1 sshd[5578]: Accepted publickey for robert from 192.168.0.59 port 31495 ssh2



 --END OF NOTIFICATION


I don't know why l-logbackup1's log is put together with l-interdb3's.
 
I have a syslog server collecting all the logs using rsyslog.
 
 
 
Thanks & Best Regards

Jason Frisvold

May 13, 2013, 1:21:56 PM
to ossec...@googlegroups.com
root wrote:
> hi,all
>
> There is a problem,when some host make a different log,ossec can
> associated and has False positives!

Not a bug, it's by design. It's called grouping. If you want to
disable it, you need to add <do_not_group /> to your global email settings.

http://www.ossec.net/doc/syntax/head_ossec_config.email_alerts.html#element-do_not_group

--
---------------------------
Jason 'XenoPhage' Frisvold
xeno...@godshell.com
---------------------------

"Any sufficiently advanced magic is indistinguishable from technology."
- Niven's Inverse of Clarke's Third Law

Graeme Stewart

Feb 2, 2016, 5:42:16 PM
to ossec-list, xeno...@godshell.com
I think the OP's original statement is valid: why is OSSEC reporting a valid fire on alert 40501 when multiple hosts are involved (l-logbackup1 and l-interdb3)?

Seems this alert should only fire where the host is a match.

Dustin Lenz

Mar 23, 2016, 12:29:42 PM
to ossec-list, xeno...@godshell.com
I second Graeme's statement. I'm running into the same issues. Here are my details:

This rule is a problem for me. I am seeing many false positives (FP).  Here is one such example:

Mar 18 06:49:17 linuxhost tac_plus[97654]: login failure: root 192.168.1.50 (192.168.1.50) 52209
Mar 18 06:49:17 linuxhost tac_plus[97654]: login failure: root 192.168.1.50 (192.168.1.50) 52209 
2016 Mar 17 09:49:15 WinEvtLog: Security: AUDIT_SUCCESS(4722): Microsoft-Windows-Security-Auditing: (no user): no domain: WINDOWSHOST.domain-internal.com.internal: A user account was enabled. Subject: Security ID: S-1-5-XX-XXXSIDXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXX Account Name: username Account Domain: DOMAIN-INTERNAL Logon ID: 0x2xxXXXX Target Account: Security ID: S-1-5-XX-XXXSIDXXXX-XXXXXXXXXX-XXXXXXXXXX-XXXXX Account Name: VM01XXXX-XXXXXX$ Account Domain: DOMAIN-INTERNAL 

As you can see this is an obvious FP. 

Can someone weigh in here on how we can remediate these issues? Some days we see 100+ FPs.

Thanks in advance,

Dustin
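Added example, not from the thread or from the OSSEC project: the two tuning options the replies point at, side by side. The first is the <do_not_group /> email setting Jason links, which only changes how alerts are bundled into mail; the second overrides rule 40501 in local_rules.xml so the authentication failures and the user-add must come from the same agent/log location, which is what Graeme's and Dustin's cross-host cases need. The 40501 body below is reproduced from memory of attack_rules.xml and should be checked against your installed copy; <same_location /> and overwrite="yes" are standard OSSEC rule-syntax elements.

```xml
<!-- ossec.conf: stop ossec-maild from bundling alerts from different
     agents into one notification (the setting Jason refers to). -->
<ossec_config>
  <email_alerts>
    <email_to>soc@example.com</email_to>   <!-- placeholder address -->
    <do_not_group />
  </email_alerts>
</ossec_config>

<!-- local_rules.xml: same composite rule, but the prior login failures
     and the current user-add event must share one location
     (e.g. "l-interdb3->/var/log/secure"), so a failure on
     linuxhost plus a 4722 on WINDOWSHOST no longer correlates. -->
<group name="local,syslog,attacks,">
  <rule id="40501" level="15" frequency="2" timeframe="300" overwrite="yes">
    <if_matched_group>authentication_failed</if_matched_group>
    <if_group>adduser</if_group>
    <same_location />
    <description>Attacks followed by the addition of an user.</description>
    <group>adduser,</group>
  </rule>
</group>
```

Feed the log lines from the thread through ossec-logtest after the change to confirm 40501 still fires for a single host and no longer fires across hosts.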