Hi,

Your rules/decoders are very good, with just one small problem: "child" decoders will use the parent name by default instead of their own, so your rules will not match. If you change it to have "use_own_name", it should work:

<decoder name="sendmail-blocked-cbl">
  <use_own_name>true</use_own_name>
  <parent>sendmail-reject</parent>
  <prematch>ip=</prematch>
  <regex offset="after_prematch">^(\d+.\d+.\d+.\d+)</regex>
  <order>srcip</order>
</decoder>

Hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net

On Nov 30, 2007 11:03 PM, jflowers <[EMAIL PROTECTED]> wrote:
>
> I am trying to learn enough about writing decoders and local rules to
> use ossec-hids in protecting my spam-filter gateways against
> distributed zombie attacks, but I've run into one that I haven't been
> able to figure out.
>
> The maillog entry that I want to decode is:
>
> Nov 30 00:05:41 mxgf2 sm-mta-in[52687]: lAU558MF052687: Milter:
> from=<[EMAIL PROTECTED]>, reject=550 5.7.1 Blocked, look at
> http://cbl.abuseat.org/lookup.cgi?ip=155.69.124.178
>
> That should trigger the `sendmail-reject' decoder, so I added a child:
>
> <decoder name="sendmail-blocked-cbl">
>   <parent>sendmail-reject</parent>
>   <prematch>ip=</prematch>
>   <regex offset="after_prematch">^(\d+.\d+.\d+.\d+)</regex>
>   <order>srcip</order>
> </decoder>
>
> Then in local_rules.xml:
>
> <rule id="100060" level="0">
>   <decoded_as>sendmail-blocked-cbl</decoded_as>
>   <description>Zombie pc connection</description>
>   <description>Blocked by cbl.abuseat.org.</description>
>   <group>spam,</group>
> </rule>
>
> <rule id="100062" level="5">
>   <if_sid>100060</if_sid>
>   <description>Zombie pc detected and blocked.</description>
>   <group>spam,</group>
> </rule>
>
> <rule id="100064" level="10" frequency="5" timeframe="60">
>   <if_matched_sid>100062</if_matched_sid>
>   <same_source_ip />
>   <description>Multiple Zombie connections.</description>
>   <group>multiple_spam,</group>
> </rule>
>
> But - nothing. Not even a 100062 alert (log_alert_level 1).
>
> I have similar rules operating to detect multiple smf-sav-rcpt
> connections that work OK, the only difference being that they do not
> use child decoders.
>
> Hopefully someone can point me in the right direction. I've read
> everything I can find, but obviously I don't have something right.
>
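To make the failure mode in this thread concrete, below is an added Python model of the decoder and rule chain (written for this page; it is not OSSEC code and deliberately simplifies analysisd). It models only what the thread touches: a parent decoder, a child decoder with a prematch, an after_prematch regex and an order, the use_own_name switch, and rules chained with decoded_as, if_sid and if_matched_sid plus frequency/timeframe/same_source_ip. Assumptions, all labelled in the code: the parent `sendmail-reject` is approximated by a program-name check plus a `reject=` prematch (the real OSSEC definition is richer), the syslog year is taken as 2007, the regex is written in Python `re` syntax with escaped dots rather than OSSEC's own dialect, frequency counting includes the current event, and the log lines are constructed with documentation-range IPs and placeholder senders.

```python
"""Toy model of the OSSEC decoder/rule chain discussed in the thread.

Added illustration, not OSSEC code. It exists to show why a child decoder
without <use_own_name> never satisfies a <decoded_as> rule: the event is
decoded, but it carries the parent's name.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample maillog lines (documentation-range IPs, placeholder senders),
# modelled on the sm-mta-in line quoted in the thread.
SAMPLE_LOG = [
    "Nov 30 00:05:41 mxgf2 sm-mta-in[52687]: lAU558MF052687: Milter: from=<a@example.net>, reject=550 5.7.1 Blocked, look at http://cbl.abuseat.org/lookup.cgi?ip=192.0.2.10",
    "Nov 30 00:05:50 mxgf2 sm-mta-in[52690]: lAU55oAB052690: Milter: from=<b@example.net>, reject=550 5.7.1 Blocked, look at http://cbl.abuseat.org/lookup.cgi?ip=192.0.2.10",
    "Nov 30 00:06:02 mxgf2 sm-mta-in[52694]: lAU562CD052694: Milter: from=<c@example.net>, reject=550 5.7.1 Blocked, look at http://cbl.abuseat.org/lookup.cgi?ip=192.0.2.10",
    "Nov 30 00:06:05 mxgf2 sm-mta-in[52697]: lAU565EF052697: Milter: from=<d@example.com>, reject=550 5.7.1 Blocked, look at http://cbl.abuseat.org/lookup.cgi?ip=198.51.100.7",
    # A non-CBL reject: the parent decoder matches, the child (no "ip=") does not.
    "Nov 30 00:06:11 mxgf2 sm-mta-in[52701]: lAU56BGH052701: ruleset=check_rcpt, arg1=<nobody@example.org>, relay=mail.example.org [203.0.113.5], reject=550 5.1.1 User unknown",
    "Nov 30 00:06:15 mxgf2 sm-mta-in[52705]: lAU56FIJ052705: Milter: from=<e@example.net>, reject=550 5.7.1 Blocked, look at http://cbl.abuseat.org/lookup.cgi?ip=192.0.2.10",
    "Nov 30 00:06:30 mxgf2 sm-mta-in[52709]: lAU56UKL052709: Milter: from=<f@example.net>, reject=550 5.7.1 Blocked, look at http://cbl.abuseat.org/lookup.cgi?ip=192.0.2.10",
]

# Syslog header: "Nov 30 00:05:41 host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[\d+\])?: (?P<msg>.*)$"
)


def build_decoders(use_own_name):
    """Parent + child decoders from the thread. The parent is an assumed,
    simplified stand-in for OSSEC's real sendmail-reject definition."""
    child = {
        "name": "sendmail-blocked-cbl",
        "use_own_name": use_own_name,
        "prematch": "ip=",
        # offset="after_prematch": regex runs on the text following the prematch.
        # Python re syntax with escaped dots (the thread's OSSEC regex uses '.').
        "regex": re.compile(r"^(\d+\.\d+\.\d+\.\d+)"),
        "order": ["srcip"],
    }
    parent = {
        "name": "sendmail-reject",
        "program_name": re.compile(r"^(sendmail|sm-mta(-in)?)$"),  # assumption
        "prematch": "reject=",                                      # assumption
        "children": [child],
    }
    return [parent]


def decode(line, decoders):
    """Return (decoded_as, fields, timestamp), or None when nothing matches."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime("2007 " + m.group("ts"), "%Y %b %d %H:%M:%S")  # year assumed
    msg = m.group("msg")
    for parent in decoders:
        if not parent["program_name"].match(m.group("prog")) or parent["prematch"] not in msg:
            continue
        decoded_as, fields = parent["name"], {}
        for child in parent["children"]:
            pos = msg.find(child["prematch"])
            if pos < 0:
                continue
            rm = child["regex"].match(msg[pos + len(child["prematch"]):])
            if not rm:
                continue
            fields = dict(zip(child["order"], rm.groups()))
            # This is the point of the thread: without use_own_name the event
            # keeps the parent's name even though the child extracted srcip.
            if child["use_own_name"]:
                decoded_as = child["name"]
            break
        return decoded_as, fields, ts
    return None


RULES = [
    {"id": 100060, "level": 0, "decoded_as": "sendmail-blocked-cbl"},
    {"id": 100062, "level": 5, "if_sid": 100060},
    {"id": 100064, "level": 10, "if_matched_sid": 100062,
     "frequency": 5, "timeframe": 60, "same_source_ip": True},
]
LEVELS = {r["id"]: r["level"] for r in RULES}


class RuleEngine:
    """Evaluates the rule chain for one event at a time, keeping the
    per-source history that if_matched_sid/frequency/timeframe need."""

    def __init__(self, rules):
        self.rules = rules
        self.history = defaultdict(list)  # (rule id, srcip) -> timestamps

    def evaluate(self, decoded_as, fields, ts):
        """Return the ids of the chain that matched, parent first."""
        chain = []
        for rule in self.rules:
            if "decoded_as" in rule and rule["decoded_as"] != decoded_as:
                continue
            if "if_sid" in rule and rule["if_sid"] not in chain:
                continue
            if "if_matched_sid" in rule:
                if rule["if_matched_sid"] not in chain:
                    continue
                key = (rule["id"], fields.get("srcip") if rule.get("same_source_ip") else None)
                # Simplified counting: fire once `frequency` matches from the same
                # source fall within `timeframe` seconds, the current one included.
                window = [t for t in self.history[key]
                          if (ts - t).total_seconds() <= rule["timeframe"]] + [ts]
                self.history[key] = window
                if len(window) < rule["frequency"]:
                    continue
                self.history[key] = []  # reset after firing
            chain.append(rule["id"])
        return chain


def run(lines, use_own_name, alert_level=1):
    """Feed lines through decoders and rules; return (rule id, srcip) for the
    final rule of each chain whose level reaches alert_level."""
    engine, decoders, alerts = RuleEngine(RULES), build_decoders(use_own_name), []
    for line in lines:
        result = decode(line, decoders)
        if result is None:
            continue
        decoded_as, fields, ts = result
        chain = engine.evaluate(decoded_as, fields, ts)
        if chain and LEVELS[chain[-1]] >= alert_level:
            alerts.append((chain[-1], fields.get("srcip")))
    return alerts


if __name__ == "__main__":
    print("without use_own_name:", run(SAMPLE_LOG, use_own_name=False))  # nothing
    print("with use_own_name:   ", run(SAMPLE_LOG, use_own_name=True))
```

Running it with `use_own_name=False` reproduces the symptom in the post: every CBL line is decoded and `srcip` is extracted, but the event is named `sendmail-reject`, so rule 100060 never matches and neither 100062 nor 100064 can fire. With `use_own_name=True` each CBL line raises 100062, and the fifth line from 192.0.2.10 inside the 60-second window raises 100064 instead, while the "User unknown" reject matches only the parent and produces nothing.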