active-responses.log shows hostname instead of IP address

Customer support forums for Atomic Protector (formerly Atomic Secured Linux). There is no such thing as a bad question here as long as it pertains to using Atomic Protector. Newbies feel free to get help getting started or asking questions that may be obvious. Regular users are asked to be gentle. :-)
prupert
Forum Regular
Posts: 573
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands

active-responses.log shows hostname instead of IP address

Unread post by prupert »

We encountered an annoying little thing since the ASL 4 upgrade: in the file /var/ossec/logs/active-responses.log shuns and de-shuns are being logged with hostnames instead of IP addresses. This renders the log unsearchable. Additionally, because hacked boxes usually have no proper forward confirmed DNS, it is totally useless because the hostname will not tell you a thing about the real IP address of the attacker. Do note that it sometimes does log IP addresses.

Useful:
Tue Mar 25 08:18:50 CET 2014 /var/ossec/active-response/bin/asl-shun.pl add - 1.2.3.4 1395731930.757136 3912
Tue Mar 25 08:18:50 CET 2014 /var/ossec/active-response/bin/host-deny.sh add - 1.2.3.4 1395731930.757136 3912
Tue Mar 25 08:29:20 CET 2014 /var/ossec/active-response/bin/asl-shun.pl delete - 1.2.3.4 1395731930.757136 3912
Tue Mar 25 08:29:20 CET 2014 /var/ossec/active-response/bin/host-deny.sh delete - 1.2.3.4 1395731930.757136 3912
Bad bad bad:
Tue Mar 25 06:01:32 CET 2014 /var/ossec/active-response/bin/asl-shun.pl add - s1.redacteddomainname.net 1395723691.586949 5703
Tue Mar 25 06:01:32 CET 2014 /var/ossec/active-response/bin/host-deny.sh add - s1.redacteddomainname.net 1395723691.586949 5703
Tue Mar 25 06:31:33 CET 2014 /var/ossec/active-response/bin/asl-shun.pl delete - s1.redacteddomainname.net 1395723691.586949 5703
Tue Mar 25 06:31:33 CET 2014 /var/ossec/active-response/bin/host-deny.sh delete - s1.redacteddomainname.net 1395723691.586949 5703
Lemonbit Internet Dedicated Server Management
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: active-responses.log shows hostname instead of IP address

Unread post by scott »

It's possible that the daemon logging the event only captured the hostname, and not the IP address. If that's the case, there isn't much we can do here. We'd need to see the original log event to know for sure.
prupert
Forum Regular
Posts: 573
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands

Re: active-responses.log shows hostname instead of IP address

Unread post by prupert »

Unfortunately I can't view the event details (a blank window is showing, see my other post at https://atomicorp.com/forum/viewtopic.php?f=3&t=7555), but I have found the corresponding log lines from /var/log/secure:
Mar 25 06:01:29 lispeltuut sshd[18196]: Received disconnect from 193.151.90.11: 11: Bye Bye
Mar 25 06:01:29 lispeltuut sshd[18195]: reverse mapping checking getaddrinfo for s1.tuchahosting.tucha13.net failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 25 06:01:29 lispeltuut sshd[18200]: reverse mapping checking getaddrinfo for s1.tuchahosting.tucha13.net failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 25 06:01:29 lispeltuut sshd[18201]: Received disconnect from 193.151.90.11: 11: Bye Bye
Mar 25 06:01:29 lispeltuut sshd[18209]: Received disconnect from 193.151.90.11: 11: Bye Bye
Mar 25 06:01:29 lispeltuut sshd[18208]: reverse mapping checking getaddrinfo for s1.tuchahosting.tucha13.net failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 25 06:01:29 lispeltuut sshd[18210]: reverse mapping checking getaddrinfo for s1.tuchahosting.tucha13.net failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 25 06:01:29 lispeltuut sshd[18211]: Received disconnect from 193.151.90.11: 11: Bye Bye
Mar 25 06:01:30 lispeltuut sshd[18212]: reverse mapping checking getaddrinfo for s1.tuchahosting.tucha13.net failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 25 06:01:30 lispeltuut sshd[18213]: Received disconnect from 193.151.90.11: 11: Bye Bye
Mar 25 06:01:30 lispeltuut sshd[18214]: reverse mapping checking getaddrinfo for s1.tuchahosting.tucha13.net failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 25 06:01:30 lispeltuut sshd[18215]: Received disconnect from 193.151.90.11: 11: Bye Bye
Mar 25 06:01:30 lispeltuut sshd[18216]: reverse mapping checking getaddrinfo for s1.tuchahosting.tucha13.net failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 25 06:01:30 lispeltuut sshd[18217]: Received disconnect from 193.151.90.11: 11: Bye Bye
Mar 25 06:01:30 lispeltuut sshd[18220]: Received disconnect from 193.151.90.11: 11: Bye Bye
Mar 25 06:01:30 lispeltuut sshd[18219]: reverse mapping checking getaddrinfo for s1.tuchahosting.tucha13.net failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 25 06:01:30 lispeltuut sshd[18221]: reverse mapping checking getaddrinfo for s1.tuchahosting.tucha13.net failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 25 06:01:30 lispeltuut sshd[18222]: Received disconnect from 193.151.90.11: 11: Bye Bye
Mar 25 06:01:31 lispeltuut sshd[18231]: reverse mapping checking getaddrinfo for s1.tuchahosting.tucha13.net failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 25 06:01:31 lispeltuut sshd[18232]: Received disconnect from 193.151.90.11: 11: Bye Bye
Mar 25 06:01:31 lispeltuut sshd[18233]: reverse mapping checking getaddrinfo for s1.tuchahosting.tucha13.net failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 25 06:01:31 lispeltuut sshd[18234]: Received disconnect from 193.151.90.11: 11: Bye Bye
Mar 25 06:01:31 lispeltuut sshd[18235]: reverse mapping checking getaddrinfo for s1.tuchahosting.tucha13.net failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 25 06:01:31 lispeltuut sshd[18236]: Received disconnect from 193.151.90.11: 11: Bye Bye
Mar 25 06:01:31 lispeltuut sshd[18237]: reverse mapping checking getaddrinfo for s1.tuchahosting.tucha13.net failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 25 06:01:31 lispeltuut sshd[18238]: Received disconnect from 193.151.90.11: 11: Bye Bye
Mar 25 06:01:31 lispeltuut sshd[18239]: Invalid user oracle from 193.151.90.11
Mar 25 06:01:31 lispeltuut sshd[18239]: reverse mapping checking getaddrinfo for s1.tuchahosting.tucha13.net failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 25 06:01:31 lispeltuut sshd[18240]: input_userauth_request: invalid user oracle
Mar 25 06:01:31 lispeltuut sshd[18240]: Received disconnect from 193.151.90.11: 11: Bye Bye
Mar 25 06:01:31 lispeltuut sshd[18241]: Invalid user test from 193.151.90.11
Mar 25 06:01:31 lispeltuut sshd[18241]: reverse mapping checking getaddrinfo for s1.tuchahosting.tucha13.net failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 25 06:01:31 lispeltuut sshd[18242]: input_userauth_request: invalid user test
Mar 25 06:01:31 lispeltuut sshd[18242]: Received disconnect from 193.151.90.11: 11: Bye Bye
If I understand correctly, rule 5703 is actually shunning a hostname for which SSHD already determined that reverse mapping failed. In other words: it seems utterly useless to shun the hostname ;-)
Lemonbit Internet Dedicated Server Management
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: active-responses.log shows hostname instead of IP address

Unread post by scott »

What you can do in this case is look it up by the alert id (1395731930.757136) in the alerts.log (or rotated version).
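As an added example (not code from the thread or from Atomicorp), a small Python script that follows the lookup scott describes: it reads active-responses.log entries, finds the alert block with the same alert id in alerts.log and pulls the real IPv4 address out of the raw sshd lines in that block, which a hostname-only shun entry no longer carries. The sample data, the placeholder hostname s1.example.net and address 192.0.2.10 are constructed; the alerts.log layout (a '** Alert <id>:' header, rule line, optional 'Src IP:' line and then the raw log lines) is assumed from OSSEC's default format.

```python
import re

# Constructed sample data (not from the thread). The shun entry's srcip field
# holds a hostname; the alerts.log block it points at carries the raw sshd lines,
# one of which still names the address. s1.example.net / 192.0.2.10 are placeholders.
ACTIVE_RESPONSES = """\
Tue Mar 25 06:01:32 CET 2014 /var/ossec/active-response/bin/host-deny.sh add - s1.example.net 1395723691.586949 5703
"""
ALERTS = """\
** Alert 1395723691.586949: - syslog,sshd,
2014 Mar 25 06:01:32 lispeltuut->/var/log/secure
Rule: 5703 (level 10) -> 'Possible breakin attempt (high number of reverse lookup errors).'
Src IP: s1.example.net
Mar 25 06:01:31 lispeltuut sshd[18239]: reverse mapping checking getaddrinfo for s1.example.net failed - POSSIBLE BREAK-IN ATTEMPT!
Mar 25 06:01:31 lispeltuut sshd[18239]: Invalid user oracle from 192.0.2.10
"""

# active-responses.log: <date> <script> <add|delete> - <srcip> <alert id> <rule id>
AR_LINE = re.compile(r"^(?P<when>.+?) (?P<script>\S+) (?P<action>add|delete) - "
                     r"(?P<target>\S+) (?P<alert_id>\d+\.\d+) (?P<rule_id>\d+)$")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
ALERT_HEAD = re.compile(r"^\*\* Alert (\d+\.\d+):")  # assumed OSSEC alerts.log header


def parse_active_responses(text):
    """One dict per parseable line; 'target' is the field that may hold a hostname."""
    return [m.groupdict() for m in map(AR_LINE.match, text.splitlines()) if m]


def index_alerts(text):
    """Map alert id -> that alert's lines, split on the '** Alert <id>:' headers."""
    blocks, current = {}, None
    for line in filter(str.strip, text.splitlines()):
        head = ALERT_HEAD.match(line)
        current = head.group(1) if head else current
        if current is not None:
            blocks.setdefault(current, []).append(line)
    return blocks


def recover_ips(entry, alerts):
    """IPv4 addresses in the raw log lines of the referenced alert (OSSEC's own header lines skipped)."""
    raw = (l for l in alerts.get(entry["alert_id"], []) if not l.startswith(("** Alert", "Rule:", "Src IP:")))
    return {ip for l in raw for ip in IPV4.findall(l)}


def reconcile(active_text, alerts_text):
    """(logged target, alert id, recovered IPs) for entries whose target is not already an IP."""
    alerts = index_alerts(alerts_text)
    return [(e["target"], e["alert_id"], sorted(recover_ips(e, alerts)))
            for e in parse_active_responses(active_text) if not IPV4.fullmatch(e["target"])]
```

Run it against the real files with open('/var/ossec/logs/active-responses.log').read() and the matching alerts.log (or its rotated copy); an entry that comes back with an empty IP list means the alert's raw lines never carried an address either.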