Daniel Cid wrote:
The issue is with the format of the logs. OSSEC is very strict in the
regexes (for performance reasons) and it will not match if the logging
action from iptables has spaces in it. If you can change it from
"DROP FLOOD" to "DROP_FLOOD" it will work...
Works fine ;) thx
* The same applies to the other logs provided.
* You can also tweak the regexes to match on actions with spaces.
Hope it helps.
--
Daniel B. Cid
dcid ( at ) ossec.net
On 2/1/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
These are not logged:
Feb 1 18:00:58 gatlan kernel: DROP FLOOD_ICMP IN=ppp0 OUT= MAC= SRC=90.19.58.253 DST=90.20.131.158 LEN=60 TOS=0x00 PREC=0x00 TTL=125 ID=41650 PROTO=ICMP TYPE=8 CODE=0 ID=256 SEQ=10241
On Feb 1, 5:53 pm, "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> wrote:
> I have a problem when OSSEC logs iptables logs:
> Feb 1 17:47:41 gatlan kernel: DROP ICMP_ERROR IN=ppp0 OUT= MAC= SRC=203.141.119.233 DST=90.20.131.158 LEN=94 TOS=0x00 PREC=0x00 TTL=44 ID=59875 PROTO=ICMP TYPE=3 CODE=1 [SRC=90.20.131.158 DST=192.168.11.2 LEN=66 TOS=0x00 PREC=0x00 TTL=43 ID=47914 PROTO=UDP SPT=9689 DPT=4672 LEN=46 ]
> These are logged, but this:
> Feb 1 17:51:35 gatlan kernel: DROP SPOOF IN=ppp0 OUT= MAC= SRC=192.168.1.2 DST=90.20.131.158 LEN=40 TOS=0x00 PREC=0x00 TTL=113 ID=5460 DF PROTO=TCP SPT=4662 DPT=4346 WINDOW=65205 RES=0x00 ACK FIN URGP=0
> is not logged by OSSEC, I don't know why...
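The following is an added illustration of the point made in this thread; it is not code from the thread, and the two regexes are a simplified model of a "strict single-token prefix" decoder, not OSSEC's real iptables decoder from decoder.xml. The sample lines are constructed from the log excerpts above (the third one is the first event re-logged with the underscore prefix Daniel suggests), and the `--log-prefix` rule builder is a hypothetical helper.

```python
import re

# Constructed sample kernel lines, adapted from the excerpts in the thread.
# Lines 0 and 1 carry the space-containing prefixes the poster used; line 2 is
# the same ICMP event with the underscore prefix suggested in the reply.
SAMPLE_LINES = [
    "Feb 1 18:00:58 gatlan kernel: DROP FLOOD_ICMP IN=ppp0 OUT= MAC= SRC=90.19.58.253 DST=90.20.131.158 LEN=60 TOS=0x00 PREC=0x00 TTL=125 ID=41650 PROTO=ICMP TYPE=8 CODE=0 ID=256 SEQ=10241",
    "Feb 1 17:51:35 gatlan kernel: DROP SPOOF IN=ppp0 OUT= MAC= SRC=192.168.1.2 DST=90.20.131.158 LEN=40 TOS=0x00 PREC=0x00 TTL=113 ID=5460 DF PROTO=TCP SPT=4662 DPT=4346 WINDOW=65205 RES=0x00 ACK FIN URGP=0",
    "Feb 1 18:00:58 gatlan kernel: DROP_FLOOD_ICMP IN=ppp0 OUT= MAC= SRC=90.19.58.253 DST=90.20.131.158 LEN=60 TOS=0x00 PREC=0x00 TTL=125 ID=41650 PROTO=ICMP TYPE=8 CODE=0 ID=256 SEQ=10241",
]

# Hypothetical "strict" decoder (assumption, not OSSEC's actual regex): the
# action between "kernel: " and " IN=" must be one whitespace-free token, so a
# prefix like "DROP FLOOD_ICMP" can never line up with " IN=" and the whole
# line is rejected.
STRICT_RE = re.compile(
    r"^(?P<timestamp>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<action>\S+) IN=(?P<iface>\S*) OUT=\S* .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
)

# Relaxed variant (the "tweak the regexes" option): the action may contain
# spaces but is cut off lazily at the first " IN=", so the remaining fields
# decode exactly as before.
RELAXED_RE = re.compile(
    r"^(?P<timestamp>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<action>.+?) IN=(?P<iface>\S*) OUT=\S* .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
)


def decode(line, pattern=STRICT_RE):
    """Return the decoded fields as a dict, or None when the line is rejected."""
    m = pattern.match(line)
    return m.groupdict() if m else None


def match_count(lines, pattern=STRICT_RE):
    """How many of the given lines the decoder would accept."""
    return sum(1 for line in lines if decode(line, pattern) is not None)


def fix_log_prefix(prefix):
    """Rewrite an iptables --log-prefix so it contains no whitespace.

    iptables caps --log-prefix at 29 characters; one of them is the trailing
    space that keeps the prefix apart from "IN=", so the collapsed text is
    truncated to 28 characters.
    """
    collapsed = "_".join(prefix.split())
    return collapsed[:28]


def log_rule(prefix, extra="-p icmp --icmp-type echo-request"):
    """Build a LOG rule with a decoder-friendly prefix (hypothetical helper)."""
    return 'iptables -A INPUT %s -j LOG --log-prefix "%s "' % (extra, fix_log_prefix(prefix))


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print("strict:", decode(line), "\nrelaxed:", decode(line, RELAXED_RE))
    print(log_rule("DROP FLOOD"))
```

Run it to see that the strict pattern accepts only the underscore-prefixed line while the relaxed one accepts all three; the cheaper fix is still to change the prefix at the firewall, because a `\S+` token never needs to backtrack across the rest of the line, which is the performance argument made above.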