Hi Mark,
Most of the time, you don't need to modify the decoders. Can you show us the modifications you made to the rules and also what type of logs you are interested in watching? In addition to that, since you just started with ossec, why didn't you use version 0.9-1? It has some extra fixes and new rules that version 0.9 does not have.

*Every rule above id 1,000 must be in the rules directory to match. Did you look at all the files?

**The next version will have the ability to monitor new files in the monitored directories...

Hope it helps.

-- Daniel B. Cid
dcid ( at ) ossec.net

On 8/31/06, Mark Deutschmann <[EMAIL PROTECTED]> wrote:
I am only 1 day into the post-install, so please forgive me if I am asking silly questions here. First of all, thanks for the software (ossec hids 0.9). It suits my needs quite well, was quick and easy to install on the various platforms I am responsible for, and is also, from what I gather, incredibly flexible.

Next, I have received a few alerts as I expect, but would like to expand a specific alert or create a new one. I would like to know when a specific user logs into and out of a BSD 6.1 system via ssh & key exchange. I was able to edit the rule that triggers on sshd authentication success to notify me just by raising the event level. Only, this triggers at every login, not just the key-exchange login. What I am unclear on is whether there needs to be something special built into the decoder to watch the logs for this event condition, or if this should be a rule within sshd_rules.xml, or both.

Next, is there somewhere else, aside from the actual rule, that a rule id stated in the alert can come from? I received an alert with an ID of 2701 and looked through all the rules and could not find any matching 2701. The ssh 1515 rule I edited has the id as I expect. I did find the text stated in the alert in the decoder, but no rule.

Last, I saw another user's request for the feature inclusion of notification of new files in a monitored directory, example: ftp drop-off directory. I would like to second the motion. That would be a great addition.

Thanks again for the great app!

Mark Deutschmann
RMGDI
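To put Daniel's point in concrete terms, here is an added example that is not part of the original thread and not code from the OSSEC project: instead of raising the level of the stock sshd "authentication success" rule (id 1515 in this thread), which alerts on every successful login of every user, a child rule is chained to it with if_sid and narrowed with match so it only fires for public-key logins of one user. The decoder is left untouched. The rule id 100001, the level 8, the username mark, the sample log line, and the group name are assumptions for the example; confirm the parent rule id in your own sshd_rules.xml, since it differs between OSSEC releases.

```xml
<!-- Added example, not from the original thread or the OSSEC distribution.
     Put this in your local rules file (local_rules.xml in later releases). -->
<group name="local,syslog,sshd,">

  <!-- Child of the stock sshd authentication-success rule (id 1515 in the
       thread; check the id in your sshd_rules.xml, it differs by release).
       if_sid means this rule is only evaluated after the parent has matched,
       so the existing decoder already extracted the event for us.
       match is a substring test on the log text that OpenSSH emits only for
       public-key authentication, e.g. the constructed sample line
         sshd[4242]: Accepted publickey for mark from 10.0.0.5 port 51234 ssh2
       Including " from" after the name keeps "mark" from matching "markus".
       Password logins log "Accepted password for ..." and will not match.
       Rule id 100001, level 8 and the username "mark" are assumptions. -->
  <rule id="100001" level="8">
    <if_sid>1515</if_sid>
    <match>Accepted publickey for mark from</match>
    <description>sshd: public-key login by user mark.</description>
  </rule>

</group>
```

Set the level at or above your mail alert threshold so this rule, and not every login, is what reaches you. The logout half of the request needs a separate child rule matching the disconnect or session-closed line, whose exact text depends on the OpenSSH and PAM configuration of the BSD host, so copy it from a real log entry rather than guessing.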
