
Known Issue: AlienVault HIDS Events Displaying 0.0.0.0 as IP Addresses

Hello,

I have updated the remote sensor to 5.4.1 but I still have this issue, only on dst_ip with 0.0.0.0.
Does a workaround exist for this issue?

Best regards,
funklebitsberni69


Comments

  • Hi,

    I have the same issue. Not sure why; the patch does not seem to work?

    Regards,
    James
  • Hi,

    The issue seems to be only on plugin id 4003; other logs have src and dst IP.

    2017-08-23 09:31:10,533 Detector [WARNING]: ssh[4003] Event's field src_ip sensorname is not a valid IP.v4/IP.v6 address, falling back to default: 0.0.0.0
    2017-08-23 09:31:10,533 Detector [WARNING]: ssh[4003] Event's field dst_ip sensorname is not a valid IP.v4/IP.v6 address, falling back to default: 0.0.0.0
    2017-08-23 09:31:10,533 Detector [WARNING]: ssh[4003] Event's device field sensorname is not a valid IP.v4/IP.v6 address, falling back to default local.
    2017-08-23 09:31:10,534 Output [INFO]: event type="detector" date="1503473470" device="10.186.241.170" interface="eth0" plugin_id="4003" plugin_sid="27" src_ip="0.0.0.0" dst_ip="0.0.0.0" dst_port="22"
  • edited August 28
    I have run into this issue whenever initially starting HIDS up since the release of 5.4. I ended up running the following CLI jailbreak command to get that service started correctly. I've experienced a few things not starting properly with the latest patch release.

    ossim-reconfig

    Hopefully this helps.
  • Did anyone come up with any resolutions to this? I am having the same problem and receiving numerous warning messages indicating that the system had to fall back to 0.0.0.0. It appears that the parser is using the hostname in the src_ip and dst_ip fields and not resolving it to the IP address. I had looked at some older versions of the ossec-single-line.cfg file and found that often the src_ip/dst_ip was using resolv($hostname), but in my current version it is just doing a direct assignment of $hostname.
  • edited September 11
    I have the same problem. I tried to update to the latest version but it didn't work. I restarted, updated and reconfigured ossim but it didn't work either.

    I tried to replace the syslog template to register the IP, but I broke something more, and syslog messages stopped appearing in the events dashboard.
    If anyone has a suggestion it will be welcome.

    Regards
  • edited October 25
    Hi folks,
    I have had the misfortune of having to resolve this issue on one of my own ossim installations. Total PITA!
    Someone above has correctly observed that this behaviour is related to the ossim ossec plugin.

    PROBLEM:
    ossim shows 0.0.0.0 as the source / destination in the SIEM events view despite the correct hostname or IP appearing in the event details.

    SOLUTION:
    - copy the entire contents of the ossec-single-line.cfg file into a file called ossec-single-line.cfg.local. The file lives in the /etc/ossim/agent/plugins/ directory. Put the new file in the same directory.
    - in the new ossec-single-line.cfg.local file replace all occurrences of
      src_ip={<whatever>} or
      dst_ip={<whatever>}
      with
      src_ip={resolv(<whatever>)} or
      dst_ip={resolv(<whatever>)}

    Once you have made the changes, save the file and run the command:
    ossim-reconfig && service ossim-agent restart

    New events should now have the correct IPs in the SIEM views.
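The procedure in the comment above, as an added shell example that is not from the thread or from AlienVault: it writes ossec-single-line.cfg.local from ossec-single-line.cfg with every src_ip/dst_ip assignment wrapped in resolv(), skipping lines that already use it so a second run changes nothing. PLUGIN_DIR, wrap_resolv, count_unresolved and sample_cfg are my own names, and the sample config fragment is constructed, not the real plugin file.

```shell
#!/bin/sh
# Added example, not from the thread: derive ossec-single-line.cfg.local from
# ossec-single-line.cfg with every src_ip={...} / dst_ip={...} assignment
# wrapped in resolv(...), so the agent resolves the OSSEC hostname to an IP
# instead of falling back to 0.0.0.0. Lines already using resolv() are left
# untouched, so re-running is harmless. PLUGIN_DIR is an assumed default.
PLUGIN_DIR=${PLUGIN_DIR:-/etc/ossim/agent/plugins}

# wrap_resolv SRC DST: copy SRC to DST, rewriting src_ip/dst_ip field assignments.
wrap_resolv() {
    sed -E '/resolv\(/!s/^([[:space:]]*(src_ip|dst_ip)=\{)([^}]+)(\})/\1resolv(\3)\4/' "$1" > "$2"
}

# count_unresolved FILE: number of src_ip/dst_ip assignments still lacking resolv().
# 0 means every such field goes through the resolver.
count_unresolved() {
    grep -E '^[[:space:]]*(src_ip|dst_ip)=\{' "$1" | grep -vc 'resolv(' || true
}

# sample_cfg FILE: write a constructed fragment in the plugin .cfg style
# (assumed layout; not copied from the real ossec-single-line.cfg).
sample_cfg() {
    cat > "$1" <<'EOF'
[ossec-ssh]
event_type=event
plugin_sid=27
src_ip={$hostname}
dst_ip={$hostname}
dst_port={$7}
EOF
}

# demo: run the rewrite on the constructed fragment in a temp dir and report
# the unresolved-field count before and after, so the example runs off a sensor.
demo() {
    d=$(mktemp -d)
    sample_cfg "$d/ossec-single-line.cfg"
    wrap_resolv "$d/ossec-single-line.cfg" "$d/ossec-single-line.cfg.local"
    echo "unresolved before: $(count_unresolved "$d/ossec-single-line.cfg")"
    echo "unresolved after:  $(count_unresolved "$d/ossec-single-line.cfg.local")"
    rm -rf "$d"
}

# On a real sensor (as root), then run: ossim-reconfig && service ossim-agent restart
#   wrap_resolv "$PLUGIN_DIR/ossec-single-line.cfg" "$PLUGIN_DIR/ossec-single-line.cfg.local"
```

Check the result with count_unresolved on the new .local file before reconfiguring; a non-zero count means a field assignment did not match the pattern and needs editing by hand.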