
It appears AlienVault is sending malformed SSH traffic to itself

The OSSIM (4.1) configuration includes two active interfaces, one in 149.48.228.0/24 and one in 10.168.200.0/24. It appears the 149.48.228.0/24 interface (149.48.228.119) is not sending the appropriate SSH headers to the other interface. These create alarms. Any thoughts about how to avoid these alarms?

Dec 17 13:47:24 sim-ossim-01 sshd[19553]: Did not receive identification string from 149.48.228.119 


Answers

  • Do you, by chance have Nagios for ssh on that machine enabled?


  • edited December 2012
    Yes - Nagios is enabled for that host (the Alienvault) - I can't remember for sure, but I think the host had Nagios enabled after installing the system. (I did start Nagios for some other servers, but I think I did this after seeing the Alienvault server with Nagios "on".)

    Interestingly it turns out there are THREE assets for the Alienvault IP address - I will open another question about the assets - see http://forums.alienvault.com/discussion/718/three-assets-for-the-same-ip-address-alienvault-host
  • Check if nagios checks for ssh availability please.
  • Working on it - since I am an OSSIM newbie I am working on figuring out where to look for the answer to your question.
  • It appears that Nagios IS checking SSH - it lists localhost as an SSH server:

    Service: SSH
    Status: OK
    Last check: 2012-12-18 10:54:26
    Duration: 32d 23h 55m 14s
    Attempt: 1/4
    Status information: SSH OK - OpenSSH_5.5p1 Debian-6+squeeze2 (protocol 2.0)

    It does not detect SSH on the other servers that have been enabled.
  • I poked around in the raw logs for a bit - it appears the alerts are occurring about every 70 minutes. This seems related more to the hourly nmap asset discovery job than nagios. I have turned off the nmap discovery jobs. I will report back if this clears the issue or not.
  • After turning off the hourly nmap asset check, no more unexpected SSHD entries. Will look at how to mark this particular event a false positive and not generate an alarm.
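The thread concludes that the "Did not receive identification string" entries come from the hourly nmap asset-discovery job, which opens port 22 and closes the connection without ever sending an SSH banner, and that they arrive on a roughly fixed cadence (about every 70 minutes). The script below is an added example, not code from this thread or from AlienVault: it parses sshd lines of the form quoted in the question, measures the inter-arrival interval per source address, and separates a regular cadence (a scheduled scanner, suppressible when the source is a known scanner) from tight bursts (something else probing the port, which should stay visible). The log lines are constructed for the example; the second source 203.0.113.42 is a documentation address, and the year 2012 is assumed because syslog timestamps carry none.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log, modelled on the sshd line quoted in the question.
# 149.48.228.119 connects roughly every 70 minutes (the discovery scan);
# 203.0.113.42 (constructed, documentation range) hits the port three times in seconds.
SAMPLE_LOG = """\
Dec 17 12:37:21 sim-ossim-01 sshd[19012]: Did not receive identification string from 149.48.228.119
Dec 17 13:47:24 sim-ossim-01 sshd[19553]: Did not receive identification string from 149.48.228.119
Dec 17 15:02:11 sim-ossim-01 sshd[20201]: Did not receive identification string from 203.0.113.42
Dec 17 15:02:13 sim-ossim-01 sshd[20203]: Did not receive identification string from 203.0.113.42
Dec 17 15:02:14 sim-ossim-01 sshd[20205]: Did not receive identification string from 203.0.113.42
Dec 17 14:57:30 sim-ossim-01 sshd[20104]: Did not receive identification string from 149.48.228.119
Dec 17 16:07:27 sim-ossim-01 sshd[20688]: Did not receive identification string from 149.48.228.119
Dec 17 15:30:00 sim-ossim-01 sshd[20300]: Accepted publickey for admin from 10.168.200.5 port 51122 ssh2
"""

# Matches only the banner-less connect message; other sshd lines are ignored.
NO_ID_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Did not receive identification string from (?P<src>\S+)"
)


def parse_events(log_text, year=2012):
    """Return {source_ip: [datetime, ...]} for banner-less connects.

    Syslog lines have no year, so the caller supplies one (assumed 2012 here,
    matching the thread's December 2012 timestamps)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = NO_ID_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events[m["src"]].append(ts)
    return events


def classify_source(timestamps, min_period_s=600, tolerance=0.10):
    """Classify one source's connects by the regularity of their spacing.

    Returns (verdict, period_minutes). 'periodic-scan' means every gap lies within
    `tolerance` of the median gap and the cadence is at least `min_period_s`;
    'burst' means the connects are seconds apart; anything else is 'sporadic'."""
    ts = sorted(timestamps)  # per-source order, independent of interleaving in the log
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return "sporadic", None  # too few samples to judge a cadence
    median = statistics.median(gaps)
    regular = all(abs(g - median) <= tolerance * median for g in gaps)
    if regular and median >= min_period_s:
        return "periodic-scan", round(median / 60)
    if median < 5:
        return "burst", None
    return "sporadic", None


def analyze_sshd_log(log_text, known_scanners=frozenset(), year=2012):
    """Build a per-source report; 'suppress' is True only when the cadence looks
    like a scheduled scan AND the source is an address we already run scans from."""
    report = {}
    for src, stamps in parse_events(log_text, year).items():
        verdict, period = classify_source(stamps)
        report[src] = {
            "count": len(stamps),
            "verdict": verdict,
            "period_minutes": period,
            "suppress": verdict == "periodic-scan" and src in known_scanners,
        }
    return report


if __name__ == "__main__":
    # The OSSIM box's own scanning interface, as identified in the thread.
    for src, info in analyze_sshd_log(SAMPLE_LOG, {"149.48.228.119"}).items():
        print(f"{src:16} {info['count']:>3} connects  {info['verdict']:14} "
              f"period={info['period_minutes']}  suppress={info['suppress']}")
```

Only the combination of a regular cadence and a known scanner address is marked for suppression; an unknown host producing the same message in a burst still surfaces, which is the distinction the alarm tuning mentioned in the last reply should preserve.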