Hi list,

I just posted on my blog about a very useful tool (available on CVS)
to test the rules/decoders in real time.
If you ever need to write or change rules, it can save a lot of time.

If you are interested, take a look at: http://www.ossec.net/dcid/?p=136


Part of the output from logtest, when run against an sshd message:


"
     # ./ossec-logtest
    2008/07/04 09:57:28 ossec-testrule: INFO: Started (pid: 12683).
    ossec-testrule: Type one log per line.

    Jul 4 09:42:16 enigma sshd[11990]: Accepted password for dcid from
192.168.2.10 port 35259 ssh2

    **Phase 1: Completed pre-decoding.
    full event: 'Jul 4 09:42:16 enigma sshd[11990]: Accepted password
for dcid from 192.168.2.10 port 35259 ssh2′
    hostname: 'enigma'
    program_name: 'sshd'
    log: 'Accepted password for dcid from 192.168.2.10 port 35259 ssh2′

    **Phase 2: Completed decoding.
    decoder: 'sshd'
    dstuser: 'dcid'
    srcip: '192.168.2.10′

    **Phase 3: Completed filtering (rules).
    Rule id: '10100′
    Level: '4′
    Description: 'First time user logged in.'
    **Alert to be generated.
"

Hope it helps.


--
Daniel B. Cid
dcid ( at ) ossec.net

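As an added illustration (not part of the post above and not OSSEC's own code), here is a small Python model of the three logtest phases shown in the quoted output: syslog pre-decoding, a program-specific decoder, and rule matching. The regexes, the decoder table and the single rule entry are assumptions modelled on that output, not OSSEC's real decoder.xml or rules.

```python
import re

# Phase 1: syslog pre-decoding into timestamp, hostname, program_name and log.
# Constructed regex, modelled on the fields ossec-logtest prints in phase 1.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<program_name>[^\[:\s]+)(?:\[\d+\])?: "
    r"(?P<log>.*)$"
)

# Phase 2: decoders keyed on program_name. This sshd decoder is hypothetical and
# only covers the "Accepted ..." form seen in the post; it pulls dstuser and srcip.
DECODERS = {
    "sshd": re.compile(
        r"^Accepted \S+ for (?P<dstuser>\S+) from (?P<srcip>\d+\.\d+\.\d+\.\d+)"
    ),
}

# Phase 3: rules tied to a decoder and a match pattern on the log text.
# id/level/description copy the values the quoted output reported.
RULES = [
    {"id": 10100, "level": 4, "decoder": "sshd",
     "match": re.compile(r"^Accepted "),
     "description": "First time user logged in."},
]


def predecode(line):
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def decode(event):
    dec = DECODERS.get(event["program_name"])
    m = dec.match(event["log"]) if dec else None
    return {"decoder": event["program_name"], **m.groupdict()} if m else None


def logtest(line):
    """Run one log line through all three phases; stops at the phase that fails."""
    event = predecode(line)
    if event is None:
        return {"phase": 1, "event": None, "fields": None, "rule": None}
    fields = decode(event)
    if fields is None:
        return {"phase": 2, "event": event, "fields": None, "rule": None}
    for rule in RULES:
        if rule["decoder"] == fields["decoder"] and rule["match"].search(event["log"]):
            return {"phase": 3, "event": event, "fields": fields, "rule": rule}
    return {"phase": 3, "event": event, "fields": fields, "rule": None}
```

Feeding it the sshd line from the post returns the same hostname, program_name, dstuser, srcip and rule id/level that logtest printed; a line the decoder does not understand stops at phase 2 with no rule.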