I am performing a vulnerability scan internally (using OpenVAS on Kali). I am getting the alerts below.
Is there a way to filter or exclude these events if they are coming from the server that OpenVAS (Kali) is installed on? Either by IP address or server name?

rdover

________________________________________
From: OSSEC HIDS
Sent: Saturday, August 09, 2014 8:30 AM
Subject: OSSEC Notification - ossec-server - Alert level 10

OSSEC HIDS Notification.
2014 Aug 09 08:30:28

Received From: ossec-server->/var/log/secure
Rule: 5712 fired (level 10) -> "SSHD brute force trying to get access to the system."
Portion of the log(s):

Aug 9 08:30:27 ossec-server sshd[3646]: Failed password for invalid user MGR from KALI-server-IP## port 56965 ssh2
Aug 9 08:30:25 ossec-server sshd[3646]: Invalid user MGR from KALI-server-IP##
Aug 9 08:30:13 ossec-server sshd[3636]: Failed password for invalid user mfg from KALI-server-IP## port 55357 ssh2
Aug 9 08:30:11 ossec-server sshd[3636]: Invalid user mfg from KALI-server-IP##
Aug 9 08:29:37 ossec-server sshd[3632]: Failed password for invalid user rwa from KALI-server-IP## port 43264 ssh2
Aug 9 08:29:36 ossec-server sshd[3632]: Invalid user rwa from KALI-server-IP##
Aug 9 08:29:35 ossec-server sshd[3630]: Failed password for invalid user ro from KALI-server-IP## port 42992 ssh2
Aug 9 08:29:34 ossec-server sshd[3630]: Invalid user ro from KALI-server-IP##

--END OF NOTIFICATION

OSSEC HIDS Notification.
2014 Aug 09 08:30:28

Received From: ossec-server->/var/log/secure
Rule: 5551 fired (level 10) -> "Multiple failed logins in a small period of time."
Portion of the log(s):

Aug 9 08:30:27 ossec-server sshd[3648]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=KALI-server-IP##
Aug 9 08:30:25 ossec-server sshd[3646]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=KALI-server-IP##
Aug 9 08:30:22 ossec-server sshd[3644]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=KALI-server-IP## user=root
Aug 9 08:30:20 ossec-server sshd[3642]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=KALI-server-IP## user=root
Aug 9 08:30:18 ossec-server sshd[3640]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=KALI-server-IP## user=root
Aug 9 08:30:11 ossec-server sshd[3636]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=KALI-server-IP##
Aug 9 08:29:36 ossec-server sshd[3632]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=KALI-server-IP##
Aug 9 08:29:34 ossec-server sshd[3630]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=KALI-server-IP##

--END OF NOTIFICATION

OSSEC HIDS Notification.
2014 Aug 09 08:30:32

Received From: ossec-server->/var/log/secure
Rule: 5703 fired (level 10) -> "Possible breakin attempt (high number of reverse lookup errors)."
Portion of the log(s):

Aug 9 08:30:32 ossec-server sshd[3652]: reverse mapping checking getaddrinfo for KALI-server.FQDN failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 9 08:30:29 ossec-server sshd[3650]: reverse mapping checking getaddrinfo for KALI-server.FQDN failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 9 08:30:27 ossec-server sshd[3648]: reverse mapping checking getaddrinfo for KALI-server.FQDN failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 9 08:30:25 ossec-server sshd[3646]: reverse mapping checking getaddrinfo for KALI-server.FQDN failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 9 08:30:22 ossec-server sshd[3644]: reverse mapping checking getaddrinfo for KALI-server.FQDN failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 9 08:30:20 ossec-server sshd[3642]: reverse mapping checking getaddrinfo for KALI-server.FQDN failed - POSSIBLE BREAK-IN ATTEMPT!

--END OF NOTIFICATION
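One way to do what the post asks, as an added example that is not part of the original message or of the OSSEC project's shipped rule set: a pair of child rules in local_rules.xml that override the three alerting rules (5712, 5551, 5703) with level 0 only when the event comes from the scanner. The scanner address 192.0.2.10 is a documentation-range placeholder, the rule IDs 100010 and 100011 are assumed (OSSEC reserves 100000-109999 for local rules), and KALI-server.FQDN is the redacted hostname from the post, to be replaced with the real one.

```xml
<!-- /var/ossec/rules/local_rules.xml
     Added example, not from the original post or the OSSEC project.
     192.0.2.10 is a placeholder for the OpenVAS/Kali scanner's address. -->
<group name="local,syslog,sshd,">

  <!-- Child rule of the three alerts seen in the post. A child rule is
       evaluated after its parent matches and its level replaces the parent's;
       level 0 means "matched, do not alert". <srcip> compares against the IP
       the sshd/pam decoders extract, so only the scanner's events are dropped.
       A prefix such as 192.0.2. or a CIDR such as 192.0.2.0/24 is also accepted. -->
  <rule id="100010" level="0">
    <if_sid>5712,5551,5703</if_sid>
    <srcip>192.0.2.10</srcip>
    <description>Authorised OpenVAS scanner - SSH failed-login noise ignored</description>
  </rule>

  <!-- The "reverse mapping checking getaddrinfo" lines behind rule 5703 carry
       the peer's hostname, not always a decoded srcip. If ossec-logtest shows no
       srcip for them, match the literal text instead (this is the "by server
       name" variant the post asks about). -->
  <rule id="100011" level="0">
    <if_sid>5703</if_sid>
    <match>getaddrinfo for KALI-server.FQDN failed</match>
    <description>Authorised OpenVAS scanner - reverse-lookup failures ignored</description>
  </rule>

</group>
```

Two things worth checking before relying on this. First, paste one of the log lines from the alert into /var/ossec/bin/ossec-logtest after restarting with /var/ossec/bin/ossec-control restart: the output shows which decoder ran, whether a srcip was extracted, and whether rule 100010 or 100011 is the final match (the new rule must show up with level 0 for the suppression to be in effect). Second, the <white_list> entries under <global> in ossec.conf only exempt an address from active-response blocking; they do not stop the alert itself, which is why the suppression has to be a rule. Keeping the exception scoped to the three rule IDs and the one source address means a real brute-force attempt from any other host still raises the same level 10 alerts.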
