[ossec-list] Re: Alert level 12
- To: ossec-list@xxxxxxxxxxxxxxxx
- Subject: [ossec-list] Re: Alert level 12
- From: "Daniel Cid" <daniel.cid@xxxxxxxxx>
- Date: Wed, 12 Sep 2007 23:36:01 -0300
Hi Eric,
You shouldn't be too worried about it, since it is just a scanner or
something like that. If you do a netcat (or telnet) to your ssh server
you will get the same error. I will reduce the severity of this one...
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
On 9/12/07, Eric Yeoh <eyeoh@xxxxxxxxxxxx> wrote:
>
> Hi ,
>
> I got the below message from one of our servers:
> OSSEC HIDS Notification.
> 2007 Sep 12 16:24:25
>
> Received From: birdy->/var/log/secure
> Rule: 5701 fired (level 12) -> "Possible attack on the ssh server (or
> version gathering)."
> Portion of the log(s):
>
> Sep 12 16:24:24 raven sshd[647]: Bad protocol version identification
> '\377\364\377\375\006' from UNKNOWN
>
>
>
> I see that it is a possible scan... is that something I should be worried
> about? I haven't got a Level 12 alert before.
>
> Please advise.
>
> Regards,
>
> Eric
>
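Added example, not part of the original messages and not OSSEC code: a Python triage helper that decodes the octal-escaped banner in a `Bad protocol version identification` line and names what the client actually sent. The function names and the last two sample log lines are constructed for illustration; the first sample is the line quoted in the alert above, unwrapped.

```python
import re

# sshd writes the rejected banner with non-printable bytes as \ooo octal escapes.
LINE_RE = re.compile(r"sshd\[\d+\]: Bad protocol version identification "
                     r"'(?P<banner>.*)' from (?P<src>\S+)")
NEGOTIATE = {0xFB: "WILL", 0xFC: "WONT", 0xFD: "DO", 0xFE: "DONT"}
COMMANDS = {0xF4: "IP", **NEGOTIATE}          # IP = Interrupt Process
OPTIONS = {1: "ECHO", 3: "SUPPRESS-GO-AHEAD", 6: "TIMING-MARK"}

def decode_banner(escaped: str) -> bytes:
    """Turn the escaped banner text from the log back into raw bytes."""
    raw = escaped.encode("latin-1", "replace")
    return re.sub(rb"\\([0-3][0-7]{2})", lambda m: bytes([int(m.group(1), 8)]), raw)

def telnet_tokens(data: bytes) -> list:
    """Name each leading Telnet IAC (0xFF) sequence."""
    tokens, i = [], 0
    while i + 1 < len(data) and data[i] == 0xFF:
        cmd = data[i + 1]
        name = COMMANDS.get(cmd, f"cmd-{cmd}")
        if cmd in NEGOTIATE and i + 2 < len(data):
            tokens.append(f"IAC {name} {OPTIONS.get(data[i + 2], data[i + 2])}")
            i += 3
        else:
            tokens.append(f"IAC {name}")
            i += 2
    return tokens

def classify(banner: bytes) -> str:
    """Label the first bytes a client sent instead of an SSH version string."""
    if not banner:
        return "empty"
    if banner[0] == 0xFF:
        return "telnet: " + ", ".join(telnet_tokens(banner))
    if banner[:2] == b"\x16\x03":
        return "tls-client-hello"
    if re.match(rb"(GET|POST|HEAD|OPTIONS|CONNECT) ", banner):
        return "http-request"
    return "unknown"

def triage(line: str):
    """Return (source, classification) for a matching sshd line, else None."""
    m = LINE_RE.search(line)
    return (m.group("src"), classify(decode_banner(m.group("banner")))) if m else None

SAMPLES = [  # first line is from the alert in this thread; the other two are constructed
    r"Sep 12 16:24:24 raven sshd[647]: Bad protocol version identification '\377\364\377\375\006' from UNKNOWN",
    r"Sep 12 16:30:02 raven sshd[702]: Bad protocol version identification 'GET / HTTP/1.1' from 192.0.2.10",
    r"Sep 12 16:31:40 raven sshd[715]: Bad protocol version identification '\026\003\001' from 192.0.2.11",
]
```

For the line in the alert, `triage(SAMPLES[0])` returns `('UNKNOWN', 'telnet: IAC IP, IAC DO TIMING-MARK')`: the five bytes are Telnet control sequences, which fits the telnet explanation given in the reply.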
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.