On Sat, Aug 9, 2014 at 9:01 AM, Randy Dover <[email protected]> wrote:
> I am performing a vulnerability scan internally (using OpenVAS on Kali). I am
> getting the alerts below.
>
> Is there a way to filter or exclude these events if they are coming from the
> server that OpenVAS (Kali) is installed on? Either by IP address or server
> name?
>
Not really. You can add an ignore rule to ignore some alerts based on
"<srcip>whatever</srcip>" or <match>ing that IP address. It won't eliminate
everything, but it might help. I'd love to say this is something to work on in
the future, but some log messages just don't include the necessary information.

> rdover
>
> ________________________________________
> From: OSSEC HIDS
> Sent: Saturday, August 09, 2014 8:30 AM
> Subject: OSSEC Notification - ossec-server - Alert level 10
>
> OSSEC HIDS Notification.
> 2014 Aug 09 08:30:28
>
> Received From: ossec-server->/var/log/secure
> Rule: 5712 fired (level 10) -> "SSHD brute force trying to get access to the system."
> Portion of the log(s):
>
> Aug 9 08:30:27 ossec-server sshd[3646]: Failed password for invalid user MGR from KALI-server-IP## port 56965 ssh2
> Aug 9 08:30:25 ossec-server sshd[3646]: Invalid user MGR from KALI-server-IP##
> Aug 9 08:30:13 ossec-server sshd[3636]: Failed password for invalid user mfg from KALI-server-IP## port 55357 ssh2
> Aug 9 08:30:11 ossec-server sshd[3636]: Invalid user mfg from KALI-server-IP##
> Aug 9 08:29:37 ossec-server sshd[3632]: Failed password for invalid user rwa from KALI-server-IP## port 43264 ssh2
> Aug 9 08:29:36 ossec-server sshd[3632]: Invalid user rwa from KALI-server-IP##
> Aug 9 08:29:35 ossec-server sshd[3630]: Failed password for invalid user ro from KALI-server-IP## port 42992 ssh2
> Aug 9 08:29:34 ossec-server sshd[3630]: Invalid user ro from KALI-server-IP##
>
> --END OF NOTIFICATION
>
> OSSEC HIDS Notification.
> 2014 Aug 09 08:30:28
>
> Received From: ossec-server->/var/log/secure
> Rule: 5551 fired (level 10) -> "Multiple failed logins in a small period of time."
> Portion of the log(s):
>
> Aug 9 08:30:27 ossec-server sshd[3648]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=KALI-server-IP##
> Aug 9 08:30:25 ossec-server sshd[3646]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=KALI-server-IP##
> Aug 9 08:30:22 ossec-server sshd[3644]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=KALI-server-IP## user=root
> Aug 9 08:30:20 ossec-server sshd[3642]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=KALI-server-IP## user=root
> Aug 9 08:30:18 ossec-server sshd[3640]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=KALI-server-IP## user=root
> Aug 9 08:30:11 ossec-server sshd[3636]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=KALI-server-IP##
> Aug 9 08:29:36 ossec-server sshd[3632]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=KALI-server-IP##
> Aug 9 08:29:34 ossec-server sshd[3630]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=KALI-server-IP##
>
> --END OF NOTIFICATION
>
> OSSEC HIDS Notification.
> 2014 Aug 09 08:30:32
>
> Received From: ossec-server->/var/log/secure
> Rule: 5703 fired (level 10) -> "Possible breakin attempt (high number of reverse lookup errors)."
> Portion of the log(s):
>
> Aug 9 08:30:32 ossec-server sshd[3652]: reverse mapping checking getaddrinfo for KALI-server.FQDN failed - POSSIBLE BREAK-IN ATTEMPT!
> Aug 9 08:30:29 ossec-server sshd[3650]: reverse mapping checking getaddrinfo for KALI-server.FQDN failed - POSSIBLE BREAK-IN ATTEMPT!
> Aug 9 08:30:27 ossec-server sshd[3648]: reverse mapping checking getaddrinfo for KALI-server.FQDN failed - POSSIBLE BREAK-IN ATTEMPT!
> Aug 9 08:30:25 ossec-server sshd[3646]: reverse mapping checking getaddrinfo for KALI-server.FQDN failed - POSSIBLE BREAK-IN ATTEMPT!
> Aug 9 08:30:22 ossec-server sshd[3644]: reverse mapping checking getaddrinfo for KALI-server.FQDN failed - POSSIBLE BREAK-IN ATTEMPT!
> Aug 9 08:30:20 ossec-server sshd[3642]: reverse mapping checking getaddrinfo for KALI-server.FQDN failed - POSSIBLE BREAK-IN ATTEMPT!
>
> --END OF NOTIFICATION
>
> --
>
> ---
> You received this message because you are subscribed to the Google Groups
> "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
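The ignore rule the reply describes, written out as an added example for OSSEC's local_rules.xml (it is not code from the thread or from the OSSEC project). The rule IDs 100100/100101 and the scanner address 192.0.2.10 are placeholders; the second rule is needed because the quoted 5703 log lines carry only the scanner's hostname, so there is no decoded source IP for <srcip> to match on.

```xml
<!-- Added example for /var/ossec/rules/local_rules.xml -->
<group name="local,syslog,sshd,">

  <!-- Placeholder scanner address: replace 192.0.2.10 with the IP of the
       Kali/OpenVAS host. Level 0 means the alert is suppressed, but only
       when the event's decoded srcip is the scanner; brute-force attempts
       from any other address still raise 5712 and 5551. -->
  <rule id="100100" level="0">
    <if_sid>5712,5551</if_sid>
    <srcip>192.0.2.10</srcip>
    <description>Authorized vulnerability scanner: ignore SSH auth failure floods.</description>
  </rule>

  <!-- The "reverse mapping checking getaddrinfo for <host> failed" lines in the
       thread contain the scanner's hostname but no IP, so srcip never decodes.
       Fall back to a literal <match> on the hostname string instead. -->
  <rule id="100101" level="0">
    <if_sid>5703</if_sid>
    <match>getaddrinfo for KALI-server.FQDN failed</match>
    <description>Authorized vulnerability scanner: ignore reverse-lookup warnings.</description>
  </rule>

</group>
```

Feed the quoted log lines to /var/ossec/bin/ossec-logtest after adding the rules to confirm each one resolves to the level 0 rule before restarting OSSEC.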
