j5-hms
Jul 11, 2011, 5:49:05 PM
to ossec-list
Hi,
I have an agent/server OSSEC setup and everything is going well. I'm
in the middle of tuning the configs to remedy false positives,
particularly SSH scans from our Security team.
I've managed to do just that, but I came across a few things that
have got me perplexed. It's logging some events from an "UNKNOWN" source,
i.e.:
=====================================================================
OSSEC HIDS Notification.
2011 Jul 11 19:49:27
Received From: server001.xxx ->/var/log/authpriv
Rule: 5706 fired (level 6) -> "SSH insecure connection attempt (scan)."
Portion of the log(s):
Jul 11 19:49:27 server001.xxx sshd[31851]: Did not receive identification string from UNKNOWN
====================================================================
Then the active-response portion kicks in and does the following with
this "UNKNOWN" source:
===============================================
Mon Jul 11 19:49:30 GMT 2011 /var/ossec/active-response/bin/host-deny.sh add - UNKNOWN 1310413770.47879 5701
Mon Jul 11 19:49:30 GMT 2011 Invalid ip/hostname entry: UNKNOWN
Mon Jul 11 19:49:30 GMT 2011 /var/ossec/active-response/bin/firewall-drop.sh add - UNKNOWN 1310413770.47879 5701
Mon Jul 11 19:49:30 GMT 2011 Unable to run (iptables returning != 2): 1 - /var/ossec/active-response/bin/firewall-drop.sh add - UNKNOWN 1310413770.47879 5701
Mon Jul 11 19:49:31 GMT 2011 Unable to run (iptables returning != 2): 2 - /var/ossec/active-response/bin/firewall-drop.sh add - UNKNOWN 1310413770.47879 5701
Mon Jul 11 19:49:33 GMT 2011 Unable to run (iptables returning != 2): 3 - /var/ossec/active-response/bin/firewall-drop.sh add - UNKNOWN 1310413770.47879 5701
Mon Jul 11 19:49:36 GMT 2011 Unable to run (iptables returning != 2): 4 - /var/ossec/active-response/bin/firewall-drop.sh add - UNKNOWN 1310413770.47879 5701
Mon Jul 11 19:49:40 GMT 2011 Unable to run (iptables returning != 2): 5 - /var/ossec/active-response/bin/firewall-drop.sh add - UNKNOWN 1310413770.47879 5701
Mon Jul 11 19:49:45 GMT 2011 Unable to run (iptables returning != 2): 6 - /var/ossec/active-response/bin/firewall-drop.sh add - UNKNOWN 1310413770.47879 5701
Mon Jul 11 20:08:36 GMT 2011 /var/ossec/active-response/bin/host-deny.sh delete - UNKNOWN 1310413770.47879 5701
Mon Jul 11 20:08:36 GMT 2011 Invalid ip/hostname entry: UNKNOWN
Mon Jul 11 20:08:36 GMT 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - UNKNOWN 1310413770.47879 5701
Mon Jul 11 20:08:37 GMT 2011 Unable to run (iptables returning != 2): 1 - /var/ossec/active-response/bin/firewall-drop.sh delete - UNKNOWN 1310413770.47879 5701
Mon Jul 11 20:08:38 GMT 2011 Unable to run (iptables returning != 2): 2 - /var/ossec/active-response/bin/firewall-drop.sh delete - UNKNOWN 1310413770.47879 5701
Mon Jul 11 20:08:40 GMT 2011 Unable to run (iptables returning != 2): 3 - /var/ossec/active-response/bin/firewall-drop.sh delete - UNKNOWN 1310413770.47879 5701
Mon Jul 11 20:08:43 GMT 2011 Unable to run (iptables returning != 2): 4 - /var/ossec/active-response/bin/firewall-drop.sh delete - UNKNOWN 1310413770.47879 5701
Mon Jul 11 20:08:47 GMT 2011 Unable to run (iptables returning != 2): 5 - /var/ossec/active-response/bin/firewall-drop.sh delete - UNKNOWN 1310413770.47879 5701
Mon Jul 11 20:08:52 GMT 2011 Unable to run (iptables returning != 2): 6 - /var/ossec/active-response/bin/firewall-drop.sh delete - UNKNOWN 1310413770.47879 5701
=====================================================
Does anyone have an idea why this is happening? I asked our SEC
department if the scanning software is able to mask the IP address and
they told me there is no such feature.
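The failure chain in the post is an active-response script being handed the literal token sshd printed as the peer ("UNKNOWN") in the position where it expects an IP address, so host-deny.sh rejects it and firewall-drop.sh keeps retrying iptables. The following is an added example, not code from the poster or from the OSSEC project: it parses the sshd "Did not receive identification string" line, checks whether the reported source is a literal IPv4/IPv6 address, and applies that gate to an argument vector laid out the way the logged entries above are (action, user, source, alert id, rule id). The sample log lines other than the one quoted in the post are constructed, and the function names are this example's own.

```python
"""Gate the source token an OSSEC-style active-response script receives
before it becomes a hosts.deny or firewall entry.

Assumed argument order, taken from the entries logged in the post:
    action user source alert_id rule_id
e.g.  add - UNKNOWN 1310413770.47879 5701
"""
import ipaddress
import re

# Constructed samples: the first line is the one quoted in the post, the
# other two are invented to show an IPv4 and an IPv6 peer.
SAMPLE_SSHD_LINES = [
    "Jul 11 19:49:27 server001.xxx sshd[31851]: Did not receive identification string from UNKNOWN",
    "Jul 11 19:50:02 server001.xxx sshd[31860]: Did not receive identification string from 192.0.2.10",
    "Jul 11 19:50:40 server001.xxx sshd[31871]: Did not receive identification string from 2001:db8::5",
]

NO_ID_RE = re.compile(r"sshd\[\d+\]: Did not receive identification string from (\S+)$")


def extract_source(line: str):
    """Return the source token sshd reported, or None if the line is another event."""
    m = NO_ID_RE.search(line)
    return m.group(1) if m else None


def usable_address(token: str):
    """Return an ip_address object if the token is a literal IPv4/IPv6 address.

    sshd writes UNKNOWN when it has no usable peer address for the connection,
    so that token must never reach a blocking action. Hostnames are rejected
    too: a script that accepted them would block whatever the name resolves
    to at the moment it runs, which may not be the scanning host.
    """
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None


def decide(argv):
    """Apply the gate to an active-response argument vector.

    Returns ("block", ip) or ("unblock", ip) for a valid address, or
    ("skip", reason) when the action should be abandoned without retrying.
    """
    if len(argv) < 5:
        return ("skip", "expected 5 arguments: action user source alert_id rule_id")
    action, _user, source, _alert_id, _rule_id = argv[:5]
    if action not in ("add", "delete"):
        return ("skip", f"unsupported action {action!r}")
    addr = usable_address(source)
    if addr is None:
        # Same condition host-deny.sh reports as "Invalid ip/hostname entry".
        return ("skip", f"invalid ip/hostname entry: {source}")
    if addr.is_loopback or addr.is_unspecified:
        # Blocking these would lock out the monitored host itself.
        return ("skip", f"refusing to act on {addr}")
    return ("block" if action == "add" else "unblock", str(addr))


def triage(lines):
    """Map each matching sshd line to the decision an 'add' action would reach."""
    results = []
    for line in lines:
        src = extract_source(line)
        if src is None:
            continue
        results.append((src, decide(["add", "-", src, "0.0", "5701"])))
    return results


if __name__ == "__main__":
    for src, verdict in triage(SAMPLE_SSHD_LINES):
        print(f"{src:>14} -> {verdict}")
```

Run as-is, the UNKNOWN line is skipped with the same reason host-deny.sh logged, while the two constructed addresses would be blocked. The retry loop in the post comes from the firewall script re-running iptables on an argument that can never succeed, so the useful fix is to reject the token once rather than retry; in OSSEC the usual way to stop such alerts from reaching active response in the first place is a local rule that matches "from UNKNOWN" under the firing SSH rule and sets a level below the active-response threshold.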