I know. I have written a decoder dedicated to vpopmail, and the logs in alert/2006/Sep/ did get the srcip. So I am wondering why it could not trigger the active response.

The decoder is shown below.

<!-- Vpopmail decoder.
  - vpopmail[32485]: vchkpw-pop3: password fail [EMAIL PROTECTED]:x.x.x.x
  - vpopmail[32485]: vchkpw-[PORT-NO] password fail [EMAIL PROTECTED]:x.x.x.x
  - vpopmail[2100]: vchkpw-pop3: vpopmail user not found [EMAIL PROTECTED]:x.x.x.x
  Only the two vchkpw-pop3 forms get a child decoder below; the
  vchkpw-[PORT-NO] form matches the parent only, so no srcip is
  extracted from it.
  -->

<!-- Parent decoder: matches every vpopmail line; the children refine it.
     In OSSEC's regex syntax the brackets are literal and \d+ is the pid. -->
<decoder name="vpopmail">
  <prematch>^vpopmail[\d+]: </prematch>
</decoder>

<!-- Failed password: after the prematch the line reads user:ip.
     A plain dot is a literal dot in OSSEC regex, so the IP pattern
     needs no escaping. -->
<decoder name="vpopmail-fail">
  <parent>vpopmail</parent>
  <prematch>^vpopmail[\d+]: vchkpw-pop3: password fail </prematch>
  <regex offset="after_prematch">^(\S+):(\d+.\d+.\d+.\d+)</regex>
  <order>user,srcip</order>
</decoder>

<!-- Unknown user: same user:ip layout, different prefix. -->
<decoder name="vpopmail-notfound">
  <parent>vpopmail</parent>
  <prematch>^vpopmail[\d+]: vchkpw-pop3: vpopmail user not found </prematch>
  <regex offset="after_prematch">^(\S+):(\d+.\d+.\d+.\d+)</regex>
  <order>user,srcip</order>
</decoder>

On 9/14/06, Daniel Cid <[EMAIL PROTECTED]> wrote:

To execute the active response, ossec needs to know the ip address to block. Did you write a decoder for vpopmail? If you look at /var/ossec/etc/decoder.xm you will see all the ones we currently have.

Basically, the decoder extracts the IPs, usernames and other data from the logs. The rules do the pattern matching to generate the alerts.

The following entry in the wiki explains a bit more about the relation between the decoders and rules:

http://www.ossec.net/wiki/index.php/Decoder_rules_relation

*btw, share your rules when they are done :)

Hope it helps,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 9/13/06, Ceg Ryan <[EMAIL PROTECTED]> wrote:
>
> Hi all,
>
>    I am writing new vpopmail rules to block vpopmail pop3 brute force
> attacks. I find logs in alert/2006/Sep/ at level 10 from my new rules. But I
> could not see the active response. I did set it to trigger the active response
> at level 10 in ossec.conf.
>
>    What is the problem here?
>
>
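As an added example, not part of this thread and not OSSEC's own code, the script below models the decoder, rule and active-response chain that Daniel describes, using the vpopmail decoder from this thread rewritten in Python regex syntax. The sample log lines, the rule levels, the frequency threshold and the "vchkpw-smtp" variant are all constructed assumptions (the poster's actual rules are not on the page). The point it shows: a rule can reach level 10 on lines that no child decoder covers, and such an alert carries no srcip, so the response has nothing to block.

```python
"""Toy model of OSSEC's decoder -> rule -> active-response chain.

Added example for this thread; not OSSEC code and not the poster's rules.
The decoder regexes are the thread's vpopmail decoder rewritten in Python
syntax (OSSEC's own dialect differs: there '[' and ']' are literal and a
plain '.' is a literal dot, so the decoder file itself needs no escaping).
"""
import re
from collections import defaultdict

# Constructed sample events (syslog header already stripped). The three
# "vchkpw-smtp" lines are a hypothetical variant the pop3-only child decoders
# do not cover; they exist only to show what happens when srcip is missing.
SAMPLE_LOGS = [
    "vpopmail[32485]: vchkpw-pop3: password fail bob@example.com:192.0.2.10",
    "vpopmail[32485]: vchkpw-pop3: password fail bob@example.com:192.0.2.10",
    "vpopmail[2100]: vchkpw-pop3: vpopmail user not found nobody@example.com:192.0.2.10",
    "vpopmail[2100]: vchkpw-pop3: password fail alice@example.com:198.51.100.7",
    "vpopmail[2101]: vchkpw-smtp: password fail carol@example.com:203.0.113.5",
    "vpopmail[2101]: vchkpw-smtp: password fail carol@example.com:203.0.113.5",
    "vpopmail[2101]: vchkpw-smtp: password fail carol@example.com:203.0.113.5",
]

PARENT_PREMATCH = re.compile(r"^vpopmail\[\d+\]: ")

# (decoder name, prematch, regex applied after the prematch, <order>)
CHILD_DECODERS = [
    ("vpopmail-fail",
     re.compile(r"^vpopmail\[\d+\]: vchkpw-pop3: password fail "),
     re.compile(r"^(\S+):(\d+\.\d+\.\d+\.\d+)"),
     ("user", "srcip")),
    ("vpopmail-notfound",
     re.compile(r"^vpopmail\[\d+\]: vchkpw-pop3: vpopmail user not found "),
     re.compile(r"^(\S+):(\d+\.\d+\.\d+\.\d+)"),
     ("user", "srcip")),
]

# Hypothetical rule parameters standing in for the poster's unpublished rules.
RULE_MATCH = re.compile(r"password fail|vpopmail user not found")
FAIL_LEVEL = 5              # a single authentication failure
BRUTE_FORCE_LEVEL = 10      # repeated failures from one source
BRUTE_FORCE_FREQUENCY = 3   # failures from the same source before escalating
ACTIVE_RESPONSE_LEVEL = 10  # the <level> the poster says is set in ossec.conf


def decode(line):
    """Decoder stage: (decoder name, extracted fields) for one log line."""
    if not PARENT_PREMATCH.match(line):
        return None, {}
    for name, prematch, regex, order in CHILD_DECODERS:
        pm = prematch.match(line)
        if not pm:
            continue
        m = regex.match(line[pm.end():])      # offset="after_prematch"
        fields = dict(zip(order, m.groups())) if m else {}
        return name, fields
    return "vpopmail", {}                     # parent matched, no child did


def process(lines):
    """Rule and active-response stage: one result per event a rule matches."""
    failures = defaultdict(int)
    results = []
    for line in lines:
        decoder, fields = decode(line)
        # A rule's <match> is a string test on the log text, so it fires
        # whether or not a child decoder pulled any fields out of the line.
        if decoder is None or not RULE_MATCH.search(line):
            continue
        srcip = fields.get("srcip")
        # Frequency rule: count failures per source. Events with no decoded
        # srcip all fall into one anonymous bucket, so they can still reach
        # level 10 even though nothing identifies the attacker.
        bucket = srcip or ""
        failures[bucket] += 1
        level = BRUTE_FORCE_LEVEL if failures[bucket] >= BRUTE_FORCE_FREQUENCY else FAIL_LEVEL
        # The response needs both the level and an address to hand to the
        # blocking command; a level-10 alert without srcip does nothing.
        fire = level >= ACTIVE_RESPONSE_LEVEL and srcip is not None
        results.append({"decoder": decoder, "user": fields.get("user"),
                        "srcip": srcip, "level": level, "active_response": fire})
    return results


def blocked_ips(lines):
    """Addresses an active response would actually block for these events."""
    return {r["srcip"] for r in process(lines) if r["active_response"]}


if __name__ == "__main__":
    for r in process(SAMPLE_LOGS):
        print(r)
    print("blocked:", blocked_ips(SAMPLE_LOGS))
```

Running it, the third failure from 192.0.2.10 reaches level 10 with an srcip and is the only address in the blocked set; the three smtp-variant lines also reach level 10 but carry no srcip and fire nothing. The practical check this suggests for the thread's problem is to confirm that the specific rule firing at level 10 (not just some vpopmail alert) is one whose matched line passed through a child decoder that sets srcip.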
