I am only 1 day into the post install, so please forgive me if I am asking silly questions here. First of all, thanks for the software (OSSEC HIDS 0.9). It suits my needs quite well, was quick and easy to install on the various platforms I am responsible for, and from what I gather is also incredibly flexible.

Next, I have received a few alerts as I expect, but would like to expand a specific alert or create a new one. I would like to know when a specific user logs into and out of a BSD 6.1 system via ssh and key exchange. I was able to edit the rule that triggers on the sshd authentication success to notify me just by raising the event level. Only this triggers at every login, not just the key exchange login. What I am unclear on is whether there needs to be something special built into the decoder to watch the logs for this event condition, or if this should be a rule within sshd_rules.xml, or both.

Next, is there somewhere else, aside from the actual rule, that a rule id stated in the alert can come from? I received an alert with an ID of 2701 and looked through all the rules and could not find any matching 2701. The ssh 1515 rule I edited has the id as I expect. I did find the text stated in the alert in the decoder, but no rule.

Last, I saw another user's request for the feature inclusion of notification of new files in a monitored directory, for example an ftp drop-off directory. I would like to second the motion. That would be a great addition.

Thanks again for the great app!

Mark Deutschmann
RMGDI
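As an added example (not from the original post and not OSSEC's own code), here is the login half of the question above expressed as a small log filter: a generic "authentication success" match fires for every method, so a key-only alert has to check the method field as well. The sample lines are constructed to follow OpenSSH's syslog format, and the user name `mark` is an assumption.

```python
import re
from typing import Dict, List, Optional

# Constructed sample sshd log lines (not from the original post) in the form
# OpenSSH writes to syslog. Only the second line is the case the post asks
# about: a key-based ("publickey") login by one specific user.
SAMPLE_LOG = """\
Jan 12 09:14:02 bsdbox sshd[1021]: Accepted password for mark from 192.0.2.10 port 51022 ssh2
Jan 12 09:15:30 bsdbox sshd[1034]: Accepted publickey for mark from 192.0.2.10 port 51040 ssh2
Jan 12 09:16:11 bsdbox sshd[1040]: Accepted publickey for alice from 192.0.2.20 port 51101 ssh2
Jan 12 09:17:45 bsdbox sshd[1052]: Failed password for mark from 198.51.100.7 port 40022 ssh2
"""

# Pull the fields out of OpenSSH's
# "Accepted <method> for <user> from <ip> port <port> <proto>" message.
# This is the job a decoder does; the rule then filters on the fields.
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<srcip>\S+) port (?P<port>\d+)"
)


def parse_accepted(line: str) -> Optional[Dict[str, str]]:
    """Return method/user/srcip/port of a successful sshd login, or None."""
    m = ACCEPTED_RE.search(line)
    return m.groupdict() if m else None


def key_logins_for(user: str, log: str) -> List[Dict[str, str]]:
    """Keep only successful logins by `user` that used key authentication.

    Matching on success alone is what makes the edited rule fire on every
    login; the extra check on the method field narrows it to key exchange.
    """
    hits = []
    for line in log.splitlines():
        fields = parse_accepted(line)
        if fields and fields["user"] == user and fields["method"] == "publickey":
            hits.append(fields)
    return hits


if __name__ == "__main__":
    for hit in key_logins_for("mark", SAMPLE_LOG):
        print(f"ALERT: key login for {hit['user']} from {hit['srcip']}:{hit['port']}")
```

The logout side is not covered here: OpenSSH's disconnect messages do not repeat the authentication method, so a logout alert has to be tied back to the login event rather than matched on its own.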
