OSSEC Level 2 Alert Messages Every 15-20 Minutes
I installed OSSEC and that went fine with no issues. However, I seem to be getting the same type of email messages every 20 minutes or so. I didn't realize my iptables were being tested this often. Is this normal? They are from various IPs around the world (some US, a lot of Asia like China, Taiwan, Japan, etc.), including an occasional mail server from Google.com, which is interesting. And if the port number is represented by "SPT", that changes as well. Or are these some sort of legitimate traffic I'm blocking? And how can I diminish these types of reports? I'd like to get notified of important intrusions, of course, but I'm going to become tone deaf after 500+ emails every day. Would be nice if OSSEC knew what it was.
Thank you.
[NOTE my IP redacted, I tried to provide a good enough sample below]
Received From: myhost->/var/log/syslog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):
Jul 25 11:34:03 myhost kernel: iptables denied: IN=eth0 OUT= MAC=fe:fd:ad:ff:ed:12:88:43:e1:a4:04:ff:08:00 SRC=199.191.58.178 DST=XXX.XXX.XXX.XX LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=9966 DPT=9535 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Received From: myhost->/var/log/syslog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):
Jul 25 11:25:13 myhost kernel: iptables denied: IN=eth0 OUT= MAC=fe:fd:ad:ff:ed:12:88:43:e1:a4:04:ff:08:00 SRC=222.73.49.159 DST=XXX.XXX.XXX.XX LEN=40 TOS=0x00 PREC=0x00 TTL=104 ID=256 PROTO=TCP SPT=6000 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
Received From: myhost->/var/log/syslog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):
Jul 24 14:41:16 myhost kernel: iptables denied: IN=eth0 OUT= MAC=fe:fd:ad:ff:ed:12:88:43:e1:a4:04:ff:08:00 SRC=60.190.222.204 DST=XXX.XXX.XXX.XX LEN=40 TOS=0x00 PREC=0x00 TTL=107 ID=256 PROTO=TCP SPT=8162 DPT=3389 WINDOW=16384 RES=0x00 SYN URGP=0
Received From: myhost->/var/log/syslog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):
Jul 24 14:44:18 myhost kernel: iptables denied: IN=eth0 OUT= MAC=fe:fd:ad:ff:ed:12:88:43:e1:a4:04:ff:08:00 SRC=50.115.169.162 DST=XXX.XXX.XXX.XX LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=7189 PROTO=TCP SPT=36893 DPT=2222 WINDOW=65535 RES=0x00 SYN URGP=0
Received From: myhost->/var/log/syslog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):
Jul 25 02:07:33 myhost kernel: iptables denied: IN=eth0 OUT= MAC=fe:fd:ad:ff:ed:12:88:43:e1:a4:04:ff:08:00 SRC=1.34.22.39 DST=XXX.XXX.XXX.XX LEN=40 TOS=0x00 PREC=0x00 TTL=107 ID=11033 PROTO=TCP SPT=6000 DPT=25 WINDOW=16384 RES=0x00 SYN URGP=0
Received From: myhost->/var/log/syslog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):
Jul 25 02:08:32 myhost kernel: iptables denied: IN=eth0 OUT= MAC=fe:fd:ad:ff:ed:12:88:43:e1:a4:04:ff:08:00 SRC=27.156.182.194 DST=XXX.XXX.XXX.XX LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=51427 DF PROTO=TCP SPT=39408 DPT=32807 WINDOW=5440 RES=0x00 SYN URGP=0
------------------------------------------------------------------------------------------------------------
7 Replies
are trying to connect to
I've never used OSSEC myself, but I would assume there's a configuration option to suppress warnings about connections that have been blocked, or perhaps consolidate these warnings into a daily digest e-mail.
Thanks for your responses. Your advice helps a great deal.
Best regards
J
@forumstalker:
Hi All,
Thanks for your responses. Your advice helps a great deal.
Best regards
J
How did you resolve this?
I found out that these errors are just port scanners and iptables is just doing its thing. OSSEC is configured by default to send level 2 alerts (despite your email alert setting) on any "bad words", of which "denied" is one.
See references here:
Sorry again. Hope this helps anyone else who comes across this.
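The mechanism J describes can be switched off without losing the signal. In OSSEC's stock syslog_rules.xml, rule 1002 matches the $BAD_WORDS list (which contains "denied") and carries <options>alert_by_email</options>, which is why the mail goes out regardless of the global email_alert_level. Because the generic catch-all 1002 fired rather than one of the firewall rules, the kernel line with the custom "iptables denied:" log prefix is being handled as plain syslog. The fragment below is an added example of a local rule override; it is not from the original thread and not part of OSSEC's shipped rule set. It assumes the default local_rules.xml location, and the rule IDs 100100/100101 and the burst thresholds are placeholders to adjust.

```xml
<!-- /var/ossec/rules/local_rules.xml (default local rules file; IDs 100100/100101 are assumed) -->
<group name="local,syslog,iptables,">

  <!-- Child of the generic bad-word rule 1002. When the decoded syslog message comes
       from the kernel and starts with the poster's "iptables denied: " log prefix,
       this rule becomes the final match: the event still goes to alerts.log at
       level 1, but no e-mail is sent. Level 1 rather than 0 is deliberate: OSSEC
       discards a level-0 match before recording it, so a level-0 rule could not
       feed the frequency rule below. -->
  <rule id="100100" level="1">
    <if_sid>1002</if_sid>
    <program_name>kernel</program_name>
    <match>^iptables denied: </match>
    <options>no_email_alert</options>
    <description>iptables dropped an inbound packet (blocked; background scan noise).</description>
  </rule>

  <!-- Correlation: 20 or more drops within 300 seconds earns a single e-mail. -->
  <rule id="100101" level="6" frequency="20" timeframe="300">
    <if_matched_sid>100100</if_matched_sid>
    <description>Burst of iptables drops (possible port scan or sweep).</description>
  </rule>

</group>
```

Check it before restarting: run /var/ossec/bin/ossec-logtest, paste one of the "iptables denied" lines from the post, and confirm the output ends on rule 100100 rather than 1002. Then restart OSSEC so analysisd reloads the rules. If you would rather not keep the individual drops in alerts.log at all, the remaining option is to get the kernel lines recognised by the firewall decoder (so the stock firewall rules, which already correlate drops per source, apply), which depends on the log prefix your LOG rule writes.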
Thu May 23:18:54 EDT 2014 /var/ossec/active-response/bin/firewall-drop.sh delete - XXX.XXX.XXX.XX 1400814985.57041 31533
Thu May 22 23:19:20 EDT 2014 /var/ossec/active-response/bin/host-deny.sh add - XXX.XXX.XXX.XX 1400815160.59437 31533
The obscured IP is my host domain IP. It seems OSSEC is blocking the server it lives on. Not sure what that means.
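The two active-response lines show firewall-drop.sh and host-deny.sh being run against the server's own address. OSSEC's active response honours a white list in ossec.conf: addresses listed there are never passed to the response scripts, whatever rule triggered. As an added example that is not from the thread, the fragment below shows that setting inside the existing <global> section; the addresses are RFC 5737 documentation placeholders standing in for the redacted server IP and a management network.

```xml
<!-- /var/ossec/etc/ossec.conf: add to the existing <global> block, then restart OSSEC.
     Addresses are placeholders (RFC 5737 documentation ranges), not real hosts. -->
<ossec_config>
  <global>
    <!-- loopback, so a rule matching local traffic never drops 127.0.0.1 -->
    <white_list>127.0.0.1</white_list>
    <!-- the server's own public address (XXX.XXX.XXX.XX in the post) -->
    <white_list>203.0.113.10</white_list>
    <!-- a netblock is accepted too, e.g. the hosts you administer from -->
    <white_list>198.51.100.0/24</white_list>
  </global>
</ossec_config>
```

Before adding the white list, look up the two timestamps in /var/ossec/logs/alerts/alerts.log to see which rule produced the response; a drop of the host's own IP usually means a local service was logging with that address as the source, and the rule itself may be worth tuning as well.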