Hi Ken,
You got very close. The problem with your decoder is that the offset for the regex is set to after the "prematch". So, if it finds "rhost=xxx", the regex will start looking after the hostname. If you change the regex offset to "after_parent", it will start looking after the "pam_unix[pid] : " and will work.

  <decoder name="pam-host">
    <parent>pam</parent>
    <prematch offset="after_parent">rhost=\S+</prematch>
    <regex offset="after_parent">rhost=(\S+)</regex>
    <order>srcip</order>
  </decoder>

Hope it helps,

*yes, we need to document the decoders :)

--
Daniel B. Cid
dcid ( at ) ossec.net

On 8/25/06, Ken A <[EMAIL PROTECTED]> wrote:
With ossec-hids-0.9 I'm having trouble getting a rule to work that will match multiple auth failures in syslog written by dovecot(pam_unix).

  "dovecot(pam_unix)[25346]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=aa.bb.cc.dd"

By default, the authentication_failed group matches, and triggers the attack rule based on that, but it doesn't match the IP, so it doesn't trigger a block as I'd like it to. So I added a rule to match <same_source_ip>, but that isn't ever triggered, since the source IP doesn't seem to be decoded - it's not showing in the alert logs that match the authentication failed messages.

I looked in the decoder.xml file and it looks like it should be matched by the pam decoder. I added a new decoder just for host, rather than host and user, to try to catch it, but am not having any luck.

  <decoder name="pam-host">
    <parent>pam</parent>
    <prematch offset="after_parent">rhost=\S+</prematch>
    <regex offset="after_prematch">rhost=(\S+)</regex>
    <order>srcip</order>
  </decoder>

Can you help me understand what I'm missing?

Thanks,
Ken A
Pacific.Net
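The offset behaviour Daniel describes can be checked outside of OSSEC with a small model of how a child decoder is evaluated. The script below is an added example, not code from the thread or from the OSSEC project: it is a simplified re-implementation in Python's re engine (OSSEC uses its own regex dialect), the parent "pam" prematch pattern is an assumption standing in for the real decoder.xml entry, and the log line is constructed from Ken's message with a made-up address. It shows why the regex finds nothing with offset="after_prematch" (the search begins after "rhost=...", i.e. at the end of the line) and finds the address with offset="after_parent".

```python
import re

# Constructed sample line, modelled on the one in Ken's message (address made up).
LOG = ("dovecot(pam_unix)[25346]: authentication failure; "
       "logname= uid=0 euid=0 tty= ruser= rhost=203.0.113.7")

# Assumption: the parent 'pam' decoder's prematch consumes everything up to and
# including "pam_unix)[pid]: ", so "after_parent" starts right after that.
PARENT_PREMATCH = re.compile(r"^\S+\(pam_unix\)\S*: ")

# The child decoder from the thread, translated to Python regex syntax.
CHILD_PREMATCH = re.compile(r"rhost=\S+")
CHILD_REGEX = re.compile(r"rhost=(\S+)")


def decode_srcip(log, regex_offset):
    """Simplified model of child-decoder evaluation.

    regex_offset is "after_parent" or "after_prematch", mirroring the
    offset attribute on <regex>. Returns the captured srcip or None.
    """
    parent = PARENT_PREMATCH.match(log)
    if not parent:
        return None                      # parent decoder would not fire
    after_parent = parent.end()

    # The child's prematch has offset="after_parent" in both versions.
    prematch = CHILD_PREMATCH.search(log, after_parent)
    if not prematch:
        return None

    if regex_offset == "after_parent":
        start = after_parent             # search from just after "pam_unix)[pid]: "
    elif regex_offset == "after_prematch":
        start = prematch.end()           # search from just after "rhost=<host>"
    else:
        start = 0                        # no offset: search the whole line

    match = CHILD_REGEX.search(log, start)
    return match.group(1) if match else None


if __name__ == "__main__":
    for offset in ("after_prematch", "after_parent"):
        print(f'offset="{offset}": srcip={decode_srcip(LOG, offset)!r}')
```

Running it prints None for "after_prematch" and the address for "after_parent", which is exactly the difference between Ken's decoder and Daniel's corrected one.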
