strange error message from ossec-keepalive


Andre Pawlowski

Dec 2, 2010, 11:27:56 AM
to ossec...@googlegroups.com
Hi list,

I've got a strange error message from my ossec server that I don't
understand:

OSSEC HIDS Notification.
2010 Dec 02 09:48:40

Received From: kokyt0s->ossec-keepalive
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

--MARK--:
&pQSW__BPa5S?%tyDTJ3-iCG2lz2dU))r(F%6tjp8wqpf=]IKFT%ND2kP]ua/W)3-6'eHduX$;$Axqq7Vr.dVZ1SUDSaH)4xTXCIieaEKv47LD-bU)SXMnXO/jPGKn3.!NGBR_5]jD2UoSV9)h%z8G%7.xhI;s)267.rV214O@t2#w)Z(k'UQp9]MyDERrOrG[-,e?iS@B3Rg/kGiR[g6mc0K)/]S]0'+?+'/.[r$fqBR^7iAjoPv4j6SWjeRsLGr%$3#p+buf&u_RC3i/mE3vS3*jp&B1qSJM431TmEg,YJ][ge;6-dJI69?-TB?!BI4?Uza63V3vMY3ake6ahj-%A-m_5lgab!OVR,!pR+;L]eLgilU

--END OF NOTIFICATION


Has anyone an idea what this means?

Regards

--

Andre Pawlowski

-------------------------------------------------------------------

If an idea does not seem absurd at first, it is worth nothing.
-Albert Einstein

dan (ddp)

Dec 2, 2010, 12:10:12 PM
to ossec...@googlegroups.com

I think it's "normal" (although I didn't think these messages were
going to be logged). It's definitely nothing to worry about. I think
the random text in the message is just padding to make the keep alives
indistinguishable from other messages based on packet size.

loyd.darby

Dec 2, 2010, 1:54:28 PM
to ossec...@googlegroups.com
It means that a syslog message had one of these words in it:

core_dumped|failure|error|attack|bad |illegal|denied|refused|unauthorized|fatal|failed|Segmentation Fault|Corrupted

MARK and the string of characters are actually part of the message, and it
is likely a disk error.
It definitely should be looked at.

--
R. Loyd Darby, OSSIM-OCSE
Project Manager DOC/NOAA/NMFS
Infrastructure coordinator
Southeast Fisheries Science Center
305-361-4297

Andre Pawlowski

Dec 2, 2010, 4:06:22 PM
to ossec...@googlegroups.com
I don't find this log entry in any of my logs. That means that there was
no syslog message with this text. Smart didn't detect anything strange
either.

Andre Pawlowski

-------------------------------------------------------------------

Poor is the pupil who does not surpass his master.
-Leonardo da Vinci

loyd.darby

Dec 2, 2010, 4:52:22 PM
to ossec...@googlegroups.com
That leaves only a memory / buffer overflow kind of error. If it only
happened once I would not sweat it.
It is also "possible" that the log data got corrupted in transit (look
at netstat -s for host and client interfaces).
If it repeats, then I would relook at the logs, possibly with a
different tool.
Binary data in a log file can hide from editors, so cat, grep and strings
are better tools.
I think it is unlikely that an OSSEC bug can cause this, but you could
re-install as a last resort.

dan (ddp)

Dec 2, 2010, 5:32:47 PM
to ossec...@googlegroups.com
On Thu, Dec 2, 2010 at 4:52 PM, loyd.darby <Loyd....@noaa.gov> wrote:
> That leaves only a memory / buffer overflow kind of error .  If it only
> happened once I would not sweat it.
> It is also "possible" that the log data got corrupted in transit (look at
> netstat -s for host and client interfaces)
> If it repeats, then I would relook at the logs, possibly with a different
> tool.
> Binary data in a log file can hide from editors so cat, grep and strings are
> better tools.
> I think it is unlikely that OSSEC bug can cause this but you could
> re-install as a last resort.
>
>

Or it could be part of the keep alive messages in OSSEC:
(from src/logcollector/logcollector.c)

#include <stdlib.h>   /* rand() */
#include <string.h>   /* strncpy() */

/* Fill dst with "--MARK--: " followed by random padding drawn from text[].
 * The padding stops at rand() % (size - 10), so dst must be able to hold
 * size - 10 bytes plus the terminating NUL. */
char *rand_keepalive_str(char *dst, int size)
{
    static const char text[] = "abcdefghijklmnopqrstuvwxyz"
                               "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                               "0123456789"
                               "!@#$%^&*()_+-=;'[],./?";
    int i, len = rand() % (size - 10);

    strncpy(dst, "--MARK--: ", 12);

    /* i starts at 10, just past the prefix; if len <= 10 no padding is added */
    for ( i = 10; i < len; ++i )
    {
        /* sizeof text - 1 excludes the terminating NUL of text[] */
        dst[i] = text[rand() % (sizeof text - 1)];
    }

    dst[i] = '\0';
    return dst;
}

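Putting the two explanations in this thread side by side (the $BAD_WORDS list for rule 1002 quoted above and the rand_keepalive_str() generator just posted), here is an added example in Python. It is not code from the thread or from OSSEC: it ports the generator, checks whether a message has the keepalive shape, runs the bad-word match over it, and estimates how often random padding will trip rule 1002. The 700-byte size and the seed parameter are assumptions; the two --MARK-- payloads are the ones posted in this thread (2010 and 2019), and the case-insensitive matching is inferred from them (they contain "ERrOr" and "fATAl"), not taken from OSSEC's source.

```python
import random

# Alphabet used by rand_keepalive_str() in src/logcollector/logcollector.c,
# as quoted in this thread: 26 + 26 + 10 + 22 = 84 characters, and no space.
KEEPALIVE_ALPHABET = ("abcdefghijklmnopqrstuvwxyz"
                      "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                      "0123456789"
                      "!@#$%^&*()_+-=;'[],./?")

MARK_PREFIX = "--MARK--: "

# $BAD_WORDS for rule 1002, exactly as listed earlier in this thread.
BAD_WORDS = ["core_dumped", "failure", "error", "attack", "bad ", "illegal",
             "denied", "refused", "unauthorized", "fatal", "failed",
             "Segmentation Fault", "Corrupted"]

# The two keepalive payloads posted in this thread (not constructed).
SAMPLE_2010 = MARK_PREFIX + "&pQSW__BPa5S?%tyDTJ3-iCG2lz2dU))r(F%6tjp8wqpf=]IKFT%ND2kP]ua/W)3-6'eHduX$;$Axqq7Vr.dVZ1SUDSaH)4xTXCIieaEKv47LD-bU)SXMnXO/jPGKn3.!NGBR_5]jD2UoSV9)h%z8G%7.xhI;s)267.rV214O@t2#w)Z(k'UQp9]MyDERrOrG[-,e?iS@B3Rg/kGiR[g6mc0K)/]S]0'+?+'/.[r$fqBR^7iAjoPv4j6SWjeRsLGr%$3#p+buf&u_RC3i/mE3vS3*jp&B1qSJM431TmEg,YJ][ge;6-dJI69?-TB?!BI4?Uza63V3vMY3ake6ahj-%A-m_5lgab!OVR,!pR+;L]eLgilU"
SAMPLE_2019 = MARK_PREFIX + "gnetT9ILb_p+LIy(PF!1*#11NrDK!XIzsNS@4[4nwCd7s^c7ou*NbMiO3'GH/^oq!7KIjiWG;hVl-fATAla^fXx8QmY.]un5]fhT2lHU6KnfQ,Yyhghn3(D2/JZ'4ughAo0,$P/,[mb;iZq3nxy*X2]WTU.rwezW6Ha]=?=*Z;97?H(n4lM9vHz%J@a5^z!Po!KfrC-&8h?qO(*0.xEsmlOV-O8nvM2K5VP-F_pVJo@GaWaL)(3NM0QCitQ(n0wA3trcV_Y?c*FRI),9oir087,yI[kWd_-6iVr3=xk[i.L/*+8?.HhnWRMNMWd.LH3bLCmCZ@!q83obTEO/@V0&hgxb"


def rand_keepalive_str(size, seed=None):
    """Port of the C generator. rand() % (size - 10) picks a target length
    and characters are filled from index 10 (just past the prefix), so a
    draw of 10 or less yields the bare prefix. 'seed' only makes the output
    reproducible; it is not part of the C code."""
    rng = random.Random(seed)
    length = rng.randrange(size - 10)
    body = "".join(rng.choice(KEEPALIVE_ALPHABET) for _ in range(10, length))
    return MARK_PREFIX + body


def is_keepalive(message):
    """True if the message has the keepalive shape: the --MARK-- prefix
    followed only by characters the generator can emit. A real syslog line
    fails this (spaces and colons are not in the alphabet)."""
    if not message.startswith(MARK_PREFIX):
        return False
    return all(c in KEEPALIVE_ALPHABET for c in message[len(MARK_PREFIX):])


def bad_words_hits(message, words=BAD_WORDS):
    """Case-insensitive substring search over the $BAD_WORDS list. That this
    is how rule 1002 matches is inferred from the two samples above, which
    contain 'ERrOr' and 'fATAl' and nothing else from the list."""
    low = message.lower()
    return sorted(w for w in words if w.lower() in low)


def expected_hits_per_message(padding_len, words=BAD_WORDS,
                              alphabet=KEEPALIVE_ALPHABET):
    """Expected number of bad-word occurrences in padding_len uniformly random
    alphabet characters, matched case-insensitively. A letter of a word can
    be produced two ways (upper or lower case), any other alphabet character
    one way, and a character outside the alphabet (the space in 'bad ') never."""
    n = len(alphabet)
    total = 0.0
    for w in words:
        p = 1.0
        for c in w:
            if c.isalpha():
                p *= 2.0 / n
            elif c in alphabet:
                p *= 1.0 / n
            else:
                p = 0.0
                break
        total += max(0, padding_len - len(w) + 1) * p
    return total


if __name__ == "__main__":
    for name, sample in (("2010", SAMPLE_2010), ("2019", SAMPLE_2019)):
        print(name, is_keepalive(sample), bad_words_hits(sample))
    print("expected hits per 340-char keepalive: %.2e"
          % expected_hits_per_message(340))
    print(rand_keepalive_str(700, seed=1))
```

Both posted payloads pass is_keepalive() and each matches exactly one word ("error" hides in "MyDERrOrG", "fatal" in "hVl-fATAla"), which is why the text is never found in any log file on the host: it was never a log line. For a payload of a few hundred characters the expected number of bad-word hits works out to a few per million keepalives, so one host goes weeks or months between alerts while a fleet sending keepalives continuously still produces them now and then.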
Daniel Cid

Dec 2, 2010, 7:21:23 PM
to ossec...@googlegroups.com
Yes, a bug in OSSEC. These messages are randomly generated and should not reach
analysisd.

It has been fixed in the latest snapshot: http://www.ossec.net/files/snapshots/

thanks,

Bib Kam

Mar 13, 2014, 4:37:16 AM
to ossec...@googlegroups.com
Hello,

I'm using OSSEC 2.7 but I still get this alert!!
Please, how to resolve this issue ?

Thank you in advance

Joshua Garnett

Mar 13, 2014, 11:41:43 AM
to ossec...@googlegroups.com
All,

I'm getting this alert also in 2.7.1.  I tried writing a rule to filter them, but it caused remoted to not want to work properly.  I'd welcome a hack at this point, if not a proper fix.

--Josh


Gary Mason

Jun 13, 2014, 5:56:47 AM
to ossec...@googlegroups.com
I used to get this on 2.6 and still get them on 2.7.1
Presumably the snapshots in 2010 didn't have a full fix.
Would like to know the implications of this - is it really a bug that can be ignored or is there something else going on under the surface ?
Speaking as an admin of PCI-compliant systems who has twitchy bosses about things like this.

dan (ddp)

Jun 13, 2014, 7:44:56 AM
to ossec...@googlegroups.com
On Fri, Jun 13, 2014 at 5:56 AM, Gary Mason <saxm...@gmail.com> wrote:
> I used to get this on 2.6 and still get them on 2.7.1
> Presumably the snapshots in 2010 didn't have a full fix.
> Would like to know the implications of this - is it really a bug that can be
> ignored or is there something else going on under the surface ?
> Speaking as an admin of PCI-compliant systems who has twitchy bosses about
> things like this.
>

It's harmless*. You can either ignore it, or help us fix it.

*It does take up storage space, so harmless is a judgement call. There
are no known downsides, other than this and time spent ignoring any
alerts.

Michael Starks

Jun 13, 2014, 10:12:42 AM
to ossec...@googlegroups.com
On 2014-06-13 4:56, Gary Mason wrote:
> I used to get this on 2.6 and still get them on 2.7.1
> Presumably the snapshots in 2010 didn't have a full fix.
> Would like to know the implications of this - is it really a bug that
> can be ignored or is there something else going on under the surface ?
> Speaking as an admin of PCI-compliant systems who has twitchy bosses
> about things like this.

I think I saw a commit for this in 2.8. You might want to try that.

Ian Brown

Apr 4, 2019, 12:34:09 PM
to ossec-list
I know this is an old thread but when I Googled, this was the top result, so I figured it would be okay to continue the discussion here.

I just received this today:

OSSEC HIDS Notification.
2019 Apr 04 12:31:45

Received From: server->ossec-keepalive

Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

--MARK--: gnetT9ILb_p+LIy(PF!1*#11NrDK!XIzsNS@4[4nwCd7s^c7ou*NbMiO3'GH/^oq!7KIjiWG;hVl-fATAla^fXx8QmY.]un5]fhT2lHU6KnfQ,Yyhghn3(D2/JZ'4ughAo0,$P/,[mb;iZq3nxy*X2]WTU.rwezW6Ha]=?=*Z;97?H(n4lM9vHz%J@a5^z!Po!KfrC-&8h?qO(*0.xEsmlOV-O8nvM2K5VP-F_pVJo@GaWaL)(3NM0QCitQ(n0wA3trcV_Y?c*FRI),9oir087,yI[kWd_-6iVr3=xk[i.L/*+8?.HhnWRMNMWd.LH3bLCmCZ@!q83obTEO/@V0&hgxb

Ubuntu 18.04 LTS
dpkg -s ossec-hids-server
Version: 3.2.0-6132bionic

From atomiccorp.com repo

We're on an upgrade cadence and it looks like there's a 3.3.0-6515bionic package listed as an upgrade, however when I went to the website to check for a change log, it's showing 3.2 as the latest?  Did this bug creep back in at some point and get fixed in 3.3.0, or does Dan still need help tracking this down?

The system seems to be functioning fine -- nothing notable in dmesg or syslog.  The server is mostly idle as we're just using it for testing -- it's an m4.4xlarge instance in AWS.  Uptime shows 51 days, and this is the first time I've received this from the instance.