It appears AlienVault is sending malformed SSH traffic to itself


The OSSIM (4.1) configuration includes two active interfaces, one in and one in It appears the interface ( is not sending the appropriate SSH headers to the other interface. These create alarms. Any thoughts about how to avoid these alarms?

Dec 17 13:47:24 sim-ossim-01 sshd[19553]: Did not receive identification string from 


Best Answer


  • Do you, by chance, have Nagios for ssh on that machine enabled?

  • edited December 2012
    Yes - Nagios is enabled for that host (the Alienvault) - I can't remember for sure, but I think the host had Nagios enabled after installing the system. (I did start Nagios for some other servers, but I think I did this after seeing the Alienvault server with Nagios "on".)

    Interestingly it turns out there are THREE assets for the Alienvault IP address - I will open another question about the assets - see http://forums.alienvault.com/discussion/718/three-assets-for-the-same-ip-address-alienvault-host
  • Check if nagios checks for ssh availability please.
  • Working on it - since I am an OSSIM newbie I am working on figuring out where to look for the answer to your question.
  • It appears that Nagios IS checking SSH - it lists localhost as an SSH server:

    OK   2012-12-18 10:54:26   32d 23h 55m 14s   1/4   SSH OK - OpenSSH_5.5p1 Debian-6+squeeze2 (protocol 2.0)

    It does not detect SSH on the other servers that have been enabled.
  • I poked around in the raw logs for a bit - it appears the alerts are occurring about every 70 minutes. This seems related more to the hourly nmap asset discovery job than nagios. I have turned off the nmap discovery jobs. I will report back if this clears the issue or not.
  • After turning off the hourly nmap asset check, no more unexpected SSHD entries. Will look at how to mark this particular event a false positive and not generate an alarm.
This discussion has been closed.
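
The triage the thread arrives at, as an added Python example that is not part of the original posts and not OSSIM's own code: it groups the sshd "Did not receive identification string" events by source and marks a source as a suppression candidate only when it is one of the sensor's own addresses and its events recur on a steady schedule, as the hourly nmap job's did. The log lines, the documentation-range addresses, the `triage` function and the jitter threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed sample lines (documentation addresses); not taken from the thread.
SAMPLE_LOG = """\
Dec 17 11:27:20 sim-ossim-01 sshd[19100]: Did not receive identification string from 192.0.2.10
Dec 17 12:01:03 sim-ossim-01 sshd[19290]: Did not receive identification string from 203.0.113.77
Dec 17 12:37:22 sim-ossim-01 sshd[19321]: Did not receive identification string from 192.0.2.10
Dec 17 12:40:00 sim-ossim-01 sshd[19330]: Did not receive identification string from 192.0.2.11
Dec 17 12:40:05 sim-ossim-01 sshd[19331]: Did not receive identification string from 192.0.2.11
Dec 17 13:47:24 sim-ossim-01 sshd[19560]: Did not receive identification string from 192.0.2.10
Dec 17 14:57:25 sim-ossim-01 sshd[19790]: Did not receive identification string from 192.0.2.10
Dec 17 17:10:00 sim-ossim-01 sshd[20011]: Did not receive identification string from 192.0.2.11
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Did not receive identification string from (?P<src>\S+)"
)

def triage(log_text, own_addrs, year=2012, max_jitter=0.1):
    """Group the sshd events by source; flag only local, steadily recurring ones."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog timestamps carry no year, so the caller supplies one
            seen[m["src"]].append(
                datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"))
    report = {}
    for src, times in seen.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Steady schedule: at least three events whose gaps barely vary.
        periodic = len(gaps) >= 2 and pstdev(gaps) <= max_jitter * median(gaps)
        report[src] = {
            "events": len(times),
            "period_min": round(median(gaps) / 60) if periodic else None,
            "verdict": "suppress-candidate" if periodic and src in own_addrs else "review",
        }
    return report

if __name__ == "__main__":
    for src, info in triage(SAMPLE_LOG, {"192.0.2.10", "192.0.2.11"}).items():
        print(src, info)
```

A local address whose events do not follow a schedule (192.0.2.11 in the sample) stays in "review", so a suppression rule built from this output covers only the scheduled scan.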