Hello,
I've found that OSSEC doesn't recognize the ftpd log on FreeBSD:
Jan 23 09:03:04 xxx ftpd[45858]: FTP LOGIN FAILED FROM h-72-245-107-20.chcgilg b.covad.net, admin
To teach OSSEC about it, I've added the following block to decoders.xml:
<decoder name="ftpd-freebsd">
  <parent>ftpd</parent>
  <regex>FROM (\S+), (\S+)$</regex>
  <order>srcip, user</order>
</decoder>
and to local_rules.xml:
<group name="local,syslog,ftpd,">
  <rule id="100101" level="6">
    <if_sid>11100</if_sid>
    <match>FTP LOGIN FAILED</match>
    <description>Login failed accessing the FTP server</description>
    <group>authentication_failed,</group>
  </rule>
</group>
--
DSS5-RIPE DSS-RIPN mailto:[EMAIL PROTECTED] xmpp:[EMAIL PROTECTED]
http://wizard.volgograd.ru/ 2:550/[EMAIL PROTECTED] 2:550/[EMAIL PROTECTED]
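
An added example, not part of the original post or of OSSEC: a Python approximation of the decoder regex and the rule's match string from the message above, run over constructed log lines to check which fields are extracted and when rule 100101 would match. It assumes the parent ftpd decoder keys on the program name ftpd or in.ftpd and that the syslog header is stripped before decoding; the names evaluate and srcip_is_ip are hypothetical.

```python
import ipaddress
import re

# Syslog header: timestamp, host, program[pid]: message
SYSLOG = re.compile(r"^\w{3} [ \d]\d \d\d:\d\d:\d\d \S+ ([^\s\[:]+)(?:\[\d+\])?: (.*)$")
# Regex and match string copied from the decoder and rule in the post
DECODER = re.compile(r"FROM (\S+), (\S+)$")
RULE_MATCH = "FTP LOGIN FAILED"


def evaluate(line):
    """Return decoded fields and whether rule 100101 would match, or None
    when the line is not from ftpd (assumed parent decoder condition)."""
    m = SYSLOG.match(line)
    if not m or m.group(1) not in ("ftpd", "in.ftpd"):
        return None
    message = m.group(2)
    fields = {}
    d = DECODER.search(message)
    if d:
        fields = {"srcip": d.group(1), "user": d.group(2)}
        try:
            ipaddress.ip_address(fields["srcip"])
            fields["srcip_is_ip"] = True
        except ValueError:
            # ftpd logged a reverse-DNS name, so srcip holds a hostname
            fields["srcip_is_ip"] = False
    return {"fields": fields, "rule_100101": RULE_MATCH in message}


# Constructed sample lines, not taken from a real host
SAMPLES = [
    "Jan 23 09:03:04 host1 ftpd[45858]: FTP LOGIN FAILED FROM client.example.net, admin",
    "Jan 23 09:03:09 host1 ftpd[45860]: FTP LOGIN FAILED FROM 192.0.2.15, root",
    # host field broken by whitespace: the rule text matches, the decoder does not
    "Jan 23 09:03:12 host1 ftpd[45861]: FTP LOGIN FAILED FROM client.exam ple.net, admin",
    "Jan 23 09:04:00 host1 ftpd[45862]: connection from 192.0.2.15",
    "Jan 23 09:05:00 host1 sshd[100]: Failed password for root from 192.0.2.15 port 22 ssh2",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(evaluate(line), "<-", line)
```

On a host with OSSEC installed, the same lines can be fed to ossec-logtest to see the real decoder and rule output.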