OSSEC Level 2 Alert Messages Every 15-20 Minutes

Hello,

I installed OSSEC and that went fine with no issues. However, I seem to be getting the same type of email message every 20 minutes or so. I didn't realize my iptables were being tested this often. Is this normal? They are from various IPs around the world (some US, a lot of Asia like China, Taiwan, Japan, etc.), including an occasional mail server from Google.com, which is interesting. And if the port number is represented by "SPT", that changes as well. Or is this some sort of legitimate traffic I'm blocking? And how can I diminish these types of reports? I'd like to be notified of important intrusions, of course, but I'm going to become tone deaf after 500+ emails every day. It would be nice if OSSEC knew what it was.

Thank you.

[NOTE my IP redacted, I tried to provide a good enough sample below]

Received From: myhost->/var/log/syslog

Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."

Portion of the log(s):

Jul 25 11:34:03 myhost kernel: iptables denied: IN=eth0 OUT= MAC=fe:fd:ad:ff:ed:12:88:43:e1:a4:04:ff:08:00 SRC=199.191.58.178 DST=XXX.XXX.XXX.XX LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=9966 DPT=9535 WINDOW=5840 RES=0x00 ACK SYN URGP=0

------------------------------------------------------------------------------------------------------------

Received From: myhost->/var/log/syslog

Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."

Portion of the log(s):

Jul 25 11:25:13 myhost kernel: iptables denied: IN=eth0 OUT= MAC=fe:fd:ad:ff:ed:12:88:43:e1:a4:04:ff:08:00 SRC=222.73.49.159 DST=XXX.XXX.XXX.XX LEN=40 TOS=0x00 PREC=0x00 TTL=104 ID=256 PROTO=TCP SPT=6000 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0


Received From: myhost->/var/log/syslog

Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."

Portion of the log(s):

Jul 24 14:41:16 myhost kernel: iptables denied: IN=eth0 OUT= MAC=fe:fd:ad:ff:ed:12:88:43:e1:a4:04:ff:08:00 SRC=60.190.222.204 DST=XXX.XXX.XXX.XX LEN=40 TOS=0x00 PREC=0x00 TTL=107 ID=256 PROTO=TCP SPT=8162 DPT=3389 WINDOW=16384 RES=0x00 SYN URGP=0


Received From: myhost->/var/log/syslog

Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."

Portion of the log(s):

Jul 24 14:44:18 myhost kernel: iptables denied: IN=eth0 OUT= MAC=fe:fd:ad:ff:ed:12:88:43:e1:a4:04:ff:08:00 SRC=50.115.169.162 DST=XXX.XXX.XXX.XX LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=7189 PROTO=TCP SPT=36893 DPT=2222 WINDOW=65535 RES=0x00 SYN URGP=0


Received From: myhost->/var/log/syslog

Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."

Portion of the log(s):

Jul 25 02:07:33 myhost kernel: iptables denied: IN=eth0 OUT= MAC=fe:fd:ad:ff:ed:12:88:43:e1:a4:04:ff:08:00 SRC=1.34.22.39 DST=XXX.XXX.XXX.XX LEN=40 TOS=0x00 PREC=0x00 TTL=107 ID=11033 PROTO=TCP SPT=6000 DPT=25 WINDOW=16384 RES=0x00 SYN URGP=0


Received From: myhost->/var/log/syslog

Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."

Portion of the log(s):

Jul 25 02:08:32 myhost kernel: iptables denied: IN=eth0 OUT= MAC=fe:fd:ad:ff:ed:12:88:43:e1:a4:04:ff:08:00 SRC=27.156.182.194 DST=XXX.XXX.XXX.XX LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=51427 DF PROTO=TCP SPT=39408 DPT=32807 WINDOW=5440 RES=0x00 SYN URGP=0

------------------------------------------------------------------------------------------------------------

7 Replies

I've never used OSSEC, but the warnings it gives are simply from iptables blocking access to certain ports. And yes, it's very common. I get them all day from all kinds of sources. Nothing special. :)

DPT, the destination port, is more interesting as it gives an indication of what they are trying to connect to.

I'd say they're all scanning your server, attempting to break in. Of the services I can see in your sample extract, I can see they are trying to connect to LANDesk (remote management suite, DPT=9535), Microsoft SQL Server (DPT=1433), Windows Remote Desktop (RDP, aka. Terminal Services, DPT=3389), any possible SMTP server (DPT=25, most likely scanning for open relays), DirectAdmin/ESET Remote Admin (DPT=2222), and some unknown service running on TCP port 32807.

I've never used OSSEC myself, but I would assume there's a configuration option to suppress warnings about connections that have been blocked, or perhaps consolidate these warnings into a daily digest e-mail.

Hi All,

Thanks for your responses. Your advice helps a great deal.

Best regards

J

@forumstalker:

Hi All,

Thanks for your responses. Your advice helps a great deal.

Best regards

J

How did you resolve this?

You know I never noticed your question until now. My deepest apologies. I have to change my forum settings here. I'm not sure how I resolved it back then. The alerts eventually went away and I completely forgot about them. Then today they came back all of a sudden. I go to research the issue again only to come across my very own forum post here :P

I found out that these errors are just port scanners and iptables is just doing its thing. OSSEC is configured by default to send level 2 alerts (despite your email alert setting) on any "bad words", of which "denied" is one.

See references here:

https://groups.google.com/forum/#!msg/ossec-list/hHMAVWk5uIU/CYxMc4bNXPUJ

https://forum.linode.com/viewtopic.php?t=4888

http://www.roastinghosting.com/blog/?p=18

Sorry again. Hope this helps anyone else who comes across this.

The only thing that concerns me is how OSSEC reacts here. Found tons of these in my active-responses.log of OSSEC as below. Been happening for the past 3 hours or so.

Thu May 22 23:18:54 EDT 2014 /var/ossec/active-response/bin/firewall-drop.sh delete - XXX.XXX.XXX.XX 1400814985.57041 31533

Thu May 22 23:19:20 EDT 2014 /var/ossec/active-response/bin/host-deny.sh add - XXX.XXX.XXX.XX 1400815160.59437 31533

The obscured IP is my host domain IP. It seems OSSEC is blocking the server it lives on. Not sure what that means.
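The two OSSEC configuration changes that address what this thread runs into, written here as an added example rather than configuration taken from the posts or from the OSSEC project: a local rule that stops rule 1002 from mailing the kernel's "iptables denied:" drop lines, and a white_list entry so active response never fires against the host's own address. Assumptions: a default install under /var/ossec, rule id 100002 and the description text are my choices, and XXX.XXX.XXX.XX stands for the redacted host IP from the thread.

```xml
<!-- /var/ossec/rules/local_rules.xml (added example, not from the original post) -->
<!--
  Stock rule 1002 in syslog_rules.xml matches $BAD_WORDS, a variable whose
  list includes "denied", and carries <options>alert_by_email</options>,
  which is why the mails arrive regardless of email_alert_level:

    <rule id="1002" level="2">
      <match>$BAD_WORDS</match>
      <options>alert_by_email</options>
      <description>Unknown problem somewhere in the system.</description>
    </rule>

  The child rule below takes over from 1002 whenever the matched line is one
  of the kernel's "iptables denied:" drops. Level 0 is never alerted on or
  mailed; the lines still land in the archives when <logall> is enabled.
  Put it inside the <group name="local,syslog,"> that local_rules.xml already
  contains; id 100002 is assumed to be unused there.
-->
<group name="local,syslog,">
  <rule id="100002" level="0">
    <if_sid>1002</if_sid>
    <match>iptables denied: </match>
    <description>iptables drop logged by the kernel; not a system error.</description>
  </rule>
</group>

<!-- /var/ossec/etc/ossec.conf: add to the existing <global> section -->
<!--
  firewall-drop.sh and host-deny.sh act on the srcip of the triggering alert.
  Listing the host's own address (and loopback) in <white_list> stops OSSEC
  from dropping or deny-listing itself, the behaviour seen in the
  active-responses.log excerpt above. XXX.XXX.XXX.XX is the redacted IP.
-->
<ossec_config>
  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>XXX.XXX.XXX.XX</white_list>
  </global>
</ossec_config>
```

Check the override before relying on it: run /var/ossec/bin/ossec-logtest, paste one of the "kernel: iptables denied:" lines from above, and confirm that rule 100002 is reported instead of 1002; then restart with /var/ossec/bin/ossec-control restart. OSSEC also ships an iptables decoder and firewall rules that only escalate on repeated drops from one source, but whether a given --log-prefix is picked up by that decoder depends on its prematch, so verify with ossec-logtest rather than assuming it.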
