[Ossec-list] [ossecm@xxxxxxxxxxxxxxxx: OSSEC Hids Notification - Alert level 12]
- Subject: [Ossec-list] [ossecm@xxxxxxxxxxxxxxxx: OSSEC Hids Notification - Alert level 12]
- From: daniel.cid at gmail.com (Daniel Cid)
- Date: Mon, 8 May 2006 14:53:45 -0300
Hi Kayvan,
This is a terrible behavior. If you can go to your
/var/ossec/rules/attack_rules.xml
and remove the user "bin" from the SYS_USERS variable, it should fix
the problem.
Change it from:
<var name="SYS_USERS">apache|mysql|www|nobody|nogroup|portmap|named|rpc|mail|ftp|shutdown|bin|daemon|postfix|shell|info|guest|psql</var>
To:
<var name="SYS_USERS">apache|mysql|www|nobody|nogroup|portmap|named|rpc|mail|ftp|shutdown|daemon|postfix|shell|info|guest|psql</var>
The problem is that we are using regular expressions and the system
user "bin" is matching on the user "robin". I will come up with a fix
very soon. Sorry for the trouble.
Thanks,
--
Daniel B. Cid
dcid @ ( at ) ossec.net
On 5/8/06, Kayvan A. Sylvan <kayvan at sylvan.com> wrote:
> Hi! OSSEC is IP banning my normal users when they log in...
>
> Here is the alert and I see the IP address of the machine on my internal
> network in hosts.deny.
>
> This does not seem like good behavior...
>
> Any suggestions?
>
> ----- Forwarded message from OSSEC HIDS <ossecm at satyr.sylvan.com> -----
>
> To: <root at sylvan.com>
> From: OSSEC HIDS <ossecm at satyr.sylvan.com>
> Subject: OSSEC Hids Notification - Alert level 12
>
> OSSEC HIDS Notification.
> 2006 May 08 10:36:15
>
> Received From: /var/log/secure
> Rule: 1601 fired (level 12) -> "System user sucessfully logged on the system.'"
> Portion of the log(s):
>
> sshd[19239]: Accepted password for robin from 192.168.0.18 port 38736 ssh2
>
>
>
> --END OF NOTIFICATION
>
>
> ----- End forwarded message -----
>
> --
> Kayvan A. Sylvan | Proud husband of | Father to my kids:
> Sylvan Associates, Inc. | Laura Isabella Sylvan, | Katherine Yelena (8/8/89)
> http://sylvan.com/~kayvan | my beautiful Queen. | Robin Gregory (2/28/92)
> _______________________________________________
> ossec-list mailing list
> ossec-list at ossec.net
> http://mailman.underlinux.com.br/mailman/listinfo/ossec-list
>
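The false positive in this thread comes from the SYS_USERS alternation being searched as an unanchored regular expression, so the entry "bin" is found inside the username "robin". The following Python snippet is an added example, not code from the thread or from OSSEC: it models that matching behaviour with Python's re module (an assumption, since OSSEC uses its own regex engine), runs it over a constructed copy of the quoted sshd line, applies the workaround Daniel suggests (dropping "bin" from the list), and also shows the more general remedy of anchoring the alternation to the whole username token. The helper names are hypothetical.

```python
import re

# Constructed sample, modelled on the log line quoted in the alert.
LOG_LINE = "sshd[19239]: Accepted password for robin from 192.168.0.18 port 38736 ssh2"

# The SYS_USERS alternation as quoted in the reply, before the suggested edit.
SYS_USERS = ("apache|mysql|www|nobody|nogroup|portmap|named|rpc|mail|ftp|"
             "shutdown|bin|daemon|postfix|shell|info|guest|psql")

# Daniel's workaround: remove the "bin" entry from the variable.
SYS_USERS_WITHOUT_BIN = "|".join(u for u in SYS_USERS.split("|") if u != "bin")


def extract_user(line):
    """Pull the username out of an sshd 'Accepted <method> for <user> from' line."""
    m = re.search(r"Accepted \S+ for (\S+) from", line)
    return m.group(1) if m else None


def matches_unanchored(user, sys_users=SYS_USERS):
    """Model of the original behaviour: the alternation is searched as a
    substring, so 'bin' is found inside 'robin'. (Assumption: this mirrors
    how the OSSEC rule variable was being applied at the time.)"""
    return re.search(sys_users, user) is not None


def matches_anchored(user, sys_users=SYS_USERS):
    """General remedy: require the alternation to match the whole username,
    so only an exact system-account name triggers the rule."""
    return re.fullmatch(f"(?:{sys_users})", user) is not None


def flagged(line, checker, sys_users=SYS_USERS):
    """Return True when the login line would trip the system-user rule
    under the given matching strategy and user list."""
    user = extract_user(line)
    return user is not None and checker(user, sys_users)


if __name__ == "__main__":
    user = extract_user(LOG_LINE)
    print(f"user={user}")
    print("unanchored, original list :", flagged(LOG_LINE, matches_unanchored))
    print("unanchored, 'bin' removed :", flagged(LOG_LINE, matches_unanchored, SYS_USERS_WITHOUT_BIN))
    print("anchored, original list   :", flagged(LOG_LINE, matches_anchored))
```

Removing "bin" stops the alert for "robin", but any ordinary username that contains another list entry as a substring (for example one containing "mail" or "www") would still be flagged by the unanchored search; anchoring the match to the complete username removes that whole class of false positives while still catching a genuine login as "bin" or "daemon".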