Hi Steve,

Thanks for the suggestion. I committed your improved decoder to CVS already and it will be included in the next version. As for having custom decoders, I am thinking of creating a new "local_decoders.xml", because right now all entries in decoders.xml are overwritten during upgrade.
Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On 8/15/07, Steve West <[EMAIL PROTECTED]> wrote:
>
> Hi Dave,
>
> Thank you so much for all of your help!
>
> Just for clarification, our vpopmail logs do NOT have the http:// stuff which I'm seeing being added in your reply.
>
> It seems that the OSSEC decoder might need a new rule or updating to catch pop3 brute force attacks where the attacker doesn't send a domain name (i.e. user@:69.3.64.3 ... rather than [EMAIL PROTECTED]: 69.3.64.3).
>
> Daniel, can the decoder vpopmail rules be edited to catch something like the following:
>
> user@:x.x.x.x
> [EMAIL PROTECTED]:x.x.x.x
>
> I think this is achievable if the regex is changed to:
>
> (\S+)@\S*:(\d+.\d+.\d+.\d+)$
>
> What do you think? Can anyone else see a problem with this? So, the decoder rule would be as follows:
>
> <decoder name="vpopmail-notfound">
>   <parent>vpopmail</parent>
>   <prematch>^vchkpw-pop3: vpopmail user not </prematch>
>   <regex offset="after_prematch">^found (\S+)@\S*:(\d+.\d+.\d+.\d+)$</regex>
>   <order>user, srcip</order>
> </decoder>
>
> And lastly, how can I add custom decoder rules that would survive OSSEC updates?
>
> thanks,
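The following is an added example, not part of the thread and not OSSEC's own code: a small Python mock-up of the vpopmail-notfound decoder that runs Steve's prematch and after-prematch regex over constructed log lines and shows why the relaxed `\S*` domain part is needed for the `user@:IP` case. Two caveats it encodes: OSSEC's own regex dialect treats a bare `.` as a literal dot and `\.` as "any character", which is why Steve's `(\d+.\d+.\d+.\d+)` is correct as written in the decoder but has to be written with `\.` in Python; and the thread never shows the original decoder's regex, so the "strict" variant below (domain required to be non-empty, `\S+`) is only an assumption that models the behaviour Steve reports, not the real shipped decoder. The sample log lines are constructed and, as Steve notes for his real logs, carry no `http://` prefix.

```python
import re

# Constructed sample lines modelled on the vpopmail failures described in the
# thread (not copied from any real log). The third line is a different vpopmail
# message and should not decode at all.
SAMPLE_LOGS = [
    "vchkpw-pop3: vpopmail user not found user@:69.3.64.3",
    "vchkpw-pop3: vpopmail user not found bob@example.com:69.3.64.3",
    "vchkpw-pop3: password fail bob@example.com:10.1.2.3",
]

# <prematch>^vchkpw-pop3: vpopmail user not </prematch>
PREMATCH = re.compile(r"^vchkpw-pop3: vpopmail user not ")

# Steve's <regex offset="after_prematch">, translated from OSSEC syntax to
# Python syntax: in OSSEC a bare "." is a literal dot, in Python it must be "\.".
REGEX_RELAXED = re.compile(r"^found (\S+)@\S*:(\d+\.\d+\.\d+\.\d+)$")

# ASSUMPTION: the thread does not show the original decoder's regex. This
# variant simply requires a non-empty domain (\S+) between "@" and ":", which
# reproduces the reported failure on "user@:IP" lines.
REGEX_STRICT = re.compile(r"^found (\S+)@\S+:(\d+\.\d+\.\d+\.\d+)$")


def decode(line, regex):
    """Mimic the decoder flow: apply the prematch, then apply `regex` to the
    text that follows it (offset="after_prematch") and map the capture groups
    onto <order>user, srcip</order>. Returns None if the line does not decode."""
    pm = PREMATCH.match(line)
    if not pm:
        return None
    m = regex.match(line[pm.end():])
    if not m:
        return None
    return {"user": m.group(1), "srcip": m.group(2)}


def decode_all(lines, regex):
    """Decode every line with the given regex; None marks an undecoded line."""
    return [decode(line, regex) for line in lines]


if __name__ == "__main__":
    for name, rx in (("strict (assumed original)", REGEX_STRICT),
                     ("relaxed (Steve's proposal)", REGEX_RELAXED)):
        print(name)
        for line, fields in zip(SAMPLE_LOGS, decode_all(SAMPLE_LOGS, rx)):
            print("   ", line, "->", fields)
```

Run stand-alone, the strict variant leaves the `user@:69.3.64.3` line undecoded (so no `srcip` reaches the rules and no brute-force rule can fire on it), while the relaxed variant extracts `user` and `69.3.64.3` from both the bare-user and the full-address forms and still ignores unrelated vpopmail messages because the prematch fails first.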
