It appears AlienVault is sending malformed SSH traffic to itself

The OSSIM (4.1) configuration includes two active interfaces, one in 149.48.228.0/24 and one in 10.168.200.0/24. It appears the 149.48.228.0/24 interface (149.48.228.119) is not sending the appropriate SSH headers to the other interface. These create alarms. Any thoughts about how to avoid these alarms?

Dec 17 13:47:24 sim-ossim-01 sshd[19553]: Did not receive identification string from 149.48.228.119 

Answers

  • Do you, by chance have Nagios for ssh on that machine enabled?


  • edited December 2012
    Yes - Nagios is enabled for that host (the Alienvault) - I can't remember for sure, but I think the host had Nagios enabled after installing the system. (I did start Nagios for some other servers, but I think I did this after seeing the Alienvault server with Nagios "on".)

    Interestingly it turns out there are THREE assets for the Alienvault IP address - I will open another question about the assets - see http://forums.alienvault.com/discussion/718/three-assets-for-the-same-ip-address-alienvault-host
  • Check if nagios checks for ssh availability please.
  • Working on it - since I am an OSSIM newbie I am working on figuring out where to look for the answer to your question.
  • It appears that Nagios IS checking SSH - it lists localhost as an SSH server:

    Service: SSH
    Status: OK
    Last Check: 2012-12-18 10:54:26
    Duration: 32d 23h 55m 14s
    Attempt: 1/4
    Status Information: SSH OK - OpenSSH_5.5p1 Debian-6+squeeze2 (protocol 2.0)

    It does not detect SSH on the other servers that have been enabled.
  • I poked around in the raw logs for a bit - it appears the alerts are occurring about every 70 minutes. This seems related more to the hourly nmap asset discovery job than nagios. I have turned off the nmap discovery jobs. I will report back if this clears the issue or not.
  • After turning off the hourly nmap asset check, no more unexpected SSHD entries. Will look at how to mark this particular event a false positive and not generate an alarm.
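A way to check, from the sshd log itself, the pattern this thread arrives at (hits from the sensor's own interface on a roughly hourly schedule, as opposed to a burst of incomplete connections from somewhere else), as an added example that is not part of the original thread or of OSSIM. The log lines, the 203.0.113.7 source and the 70-minute period are constructed from the thread's description; the `own_ips` set is an assumption you fill in with the sensor's interface addresses.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the syslog format quoted in the thread. The host name and
# 149.48.228.119 come from the thread; timestamps and 203.0.113.7 are made up.
SAMPLE_LOG = """\
Dec 17 12:37:20 sim-ossim-01 sshd[19401]: Did not receive identification string from 149.48.228.119
Dec 17 13:47:24 sim-ossim-01 sshd[19553]: Did not receive identification string from 149.48.228.119
Dec 17 14:57:31 sim-ossim-01 sshd[19702]: Did not receive identification string from 149.48.228.119
Dec 17 16:07:19 sim-ossim-01 sshd[19850]: Did not receive identification string from 149.48.228.119
Dec 17 14:10:02 sim-ossim-01 sshd[19633]: Did not receive identification string from 203.0.113.7
Dec 17 14:10:05 sim-ossim-01 sshd[19634]: Did not receive identification string from 203.0.113.7
Dec 17 14:10:09 sim-ossim-01 sshd[19635]: Did not receive identification string from 203.0.113.7
Dec 17 15:02:44 sim-ossim-01 sshd[19711]: Accepted publickey for admin from 10.168.200.5 port 51022 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Did not receive identification string from (?P<src>[\d.]+)"
)

def parse_events(log_text, year=2012):
    """Return {source_ip: [datetime, ...]} for the 'Did not receive identification
    string' lines only; syslog omits the year, so it is supplied by the caller."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            events[m.group("src")].append(ts)
    for ts_list in events.values():
        ts_list.sort()
    return events

def classify(events, own_ips, period_min=70, tolerance_min=5):
    """Label each source: 'self-scan' when it is one of our own interfaces and the
    hits arrive on a fixed period (a scheduled discovery job), 'burst' when several
    incomplete connections land within a minute (worth a look), else 'other'."""
    verdict = {}
    for src, ts_list in events.items():
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(ts_list, ts_list[1:])]
        periodic = bool(gaps) and all(abs(g - period_min) <= tolerance_min for g in gaps)
        if src in own_ips and periodic:
            verdict[src] = "self-scan"
        elif gaps and min(gaps) < 1:
            verdict[src] = "burst"
        else:
            verdict[src] = "other"
    return verdict
```

A source labelled "self-scan" is the case to suppress in the policy; anything else keeps its alarm.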