Sorry, I made a mistake: it is not the rule that made the problem. It is the decoder.
This simple decoder doesn't work.
<decoder name="tlips">
<prematch>IPS5500-150E</prematch>
</decoder>
This is the log. How would you create a decoder from this log?
May 26 16:02:41 host-x-01 5.5.5.5 IPS5500-150E: id=060002 pt=TLN-TS prot=UDP cip=2.2.2.2 cprt=1587 sip=4.4.4.4 sprt=1434 atck=tln-106024 disp=mitigate ckt=1 src=extern msg="EXPLT: MSSQL Resolution Overflow 1"
May 26 16:02:42 host-x-01 6.6.6.6 IPS5500-150E: id=060001 pt=TLN-TS prot=TCP cip=1.1.1.1 cprt=45326 sip=3.3.3.3 sprt=80 atck=tln-009113 disp=monitor ckt=2 src=intern msg="AAUPV: IM-MSN Tunneled"
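An added example (not from the original post and not the OSSEC project's own decoder) of how such a log can be decoded: a parent decoder that only prematches the vendor tag, plus a child decoder that pulls the key=value fields into OSSEC's standard field names. It assumes the file is loaded by ossec.conf, that cip/cprt are the source and sip/sprt the destination, and that the line reaches OSSEC exactly as pasted above.

```xml
<!-- Added example, not the decoder from the original post.
     Parent: matches the vendor tag and stops right after "id=". -->
<decoder name="tlips">
  <prematch>IPS5500-150E: id=</prematch>
</decoder>

<!-- Child: continues after the prematch and extracts the fields.
     Assumption: cip/cprt = source, sip/sprt = destination;
     atck goes to extra_data and disp (mitigate/monitor) to action. -->
<decoder name="tlips-fields">
  <parent>tlips</parent>
  <regex offset="after_prematch">^(\d+) pt=\S+ prot=(\w+) cip=(\S+) cprt=(\d+) sip=(\S+) sprt=(\d+) atck=(\S+) disp=(\w+)</regex>
  <order>id, protocol, srcip, srcport, dstip, dstport, extra_data, action</order>
</decoder>
```

Paste one of the log lines into /var/ossec/bin/ossec-logtest to check it: it prints the decoder name that matched and every extracted field, which is the quickest way to see whether the decoder or the rule is the part that is failing.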
On 26 May, 19:55, [EMAIL PROTECTED] wrote:
> please,
>
> send us your rule and ossec.conf
>
> On May 26, 4:26 pm, "Aleksandar Stanojevic" <[EMAIL PROTECTED]>
> wrote:
>
>
>
> > Hi,
>
> > I'm new in this. I just created some simple rule and it seems that is not
> > working. Is there a way to troubleshoot rules?
>
> > Thanks in advance
>
> > Regards
>
> > Aleksandar Stanojevic
> > ICT security officer