It appears AlienVault is sending malformed SSH traffic to itself

srdroppers

The OSSIM (4.1) configuration includes two active interfaces, one in 149.48.228.0/24 and one in 10.168.200.0/24. It appears the 149.48.228.0/24 interface (149.48.228.119) is not sending the appropriate SSH headers to the other interface. These create alarms. Any thoughts about how to avoid these alarms?

Dec 17 13:47:24 sim-ossim-01 sshd[19553]: Did not receive identification string from 149.48.228.119 

alexg

Ah, didn't think of that, yep.

alexg

Do you, by chance have Nagios for ssh on that machine enabled?

srdroppers

Yes - Nagios is enabled for that host (the Alienvault) - I can't remember for sure, but I think the host had Nagios enabled after installing the system. (I did start Nagios for some other servers, but I think I did this after seeing the Alienvault server with Nagios "on".

Interestingly it turns out there are THREE assets for the Alienvault IP address - I will open another question about the assets - see http://forums.alienvault.com/discussion/718/three-assets-for-the-same-ip-address-alienvault-host

alexg

Check if nagios checks for ssh availability please.

srdroppers

Working on it - since I am an OSSIM newbie I am working on figuring out where to look for the answer to your question.

srdroppers

It appears that Nagios IS checking SSH - it lists localhost as an SSH server:

SSH

OK

2012-12-18 10:54:26

32d 23h 55m 14s

1/4

SSH OK - OpenSSH_5.5p1 Debian-6+squeeze2 (protocol 2.0)

It does not detect SSH on the other servers that have been enabled.

srdroppers

I poked around in the raw logs for a bit - it appears the alerts are occurring about every 70 minutes. This seems related more to the hourly nmap asset discovery job than nagios. I have turned off the nmap discovery jobs. I will report back if this clears the issue or not.

srdroppers

After turning off the hourly nmap asset check, no more unexpected SSHD entries. Will look at how to mark this particular event a false positive and not generate an alarm.