Hi,

How do you know it is not working? If you do a rule like:

<rule id="10000" level="10">
  <decoded_as>tlips</decoded_as>
  <description>Testing Decoder</description>
</rule>

Does it work? Also, which device is this log from? If you can provide more samples, we can help you to add the decoders/rules for it.

Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net

On Wed, May 28, 2008 at 9:12 AM, <[EMAIL PROTECTED]> wrote:
>
> Sorry, I made a mistake, it is not the rule that made the problem. It is the decoder.
>
> This simple decoder doesn't work.
>
> <decoder name="tlips">
>   <prematch>IPS5500-150E</prematch>
> </decoder>
>
> This is the log. How would you create a decoder from this log?
>
> May 26 16:02:41 host-x-01 5.5.5.5 IPS5500-150E: id=060002 pt=TLN-TS prot=UDP cip=2.2.2.2 cprt=1587 sip=4.4.4.4 sprt=1434 atck=tln-106024 disp=mitigate ckt=1 src=extern msg="EXPLT: MSSQL Resolution Overflow 1"
>
> May 26 16:02:42 host-x-01 6.6.6.6 IPS5500-150E: id=060001 pt=TLN-TS prot=TCP cip=1.1.1.1 cprt=45326 sip=3.3.3.3 sprt=80 atck=tln-009113 disp=monitor ckt=2 src=intern msg="AAUPV: IM-MSN Tunneled"
>
> On 26 May, 19:55, [EMAIL PROTECTED] wrote:
>> please,
>>
>> send us your rule and ossec.conf
>>
>> On May 26, 4:26 pm, "Aleksandar Stanojevic" <[EMAIL PROTECTED]> wrote:
>>
>> > Hi,
>>
>> > I'm new to this. I just created some simple rule and it seems that it is not working. Is there a way to troubleshoot rules?
>>
>> > Thanks in advance
>>
>> > Regards
>>
>> > Aleksandar Stanojevic
>> > ICT security officer
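As an added illustration (not part of the thread, and not an official OSSEC decoder), here is one way to turn the two IPS5500-150E sample lines above into a parent/child decoder pair plus two local rules. The decoder and rule names, the rule IDs (from the user range) and the mapping of cip/cprt to source and sip/sprt to destination are assumptions, as is the field order, which you should confirm against the device's documentation.

```xml
<!-- Added example for local_decoder.xml (assumed file); not from the original thread. -->

<!-- Parent: only the prematch runs on every line, so keep it cheap and literal. -->
<decoder name="ips5500">
  <prematch>IPS5500-150E: </prematch>
</decoder>

<!-- Child: extracts the key=value fields after the parent's prematch.
     Assumed mapping: cip/cprt = source, sip/sprt = destination,
     atck (signature id) kept in extra_data, disp = action. -->
<decoder name="ips5500-fields">
  <parent>ips5500</parent>
  <regex offset="after_parent">^id=(\d+) pt=\S+ prot=(\w+) cip=(\S+) cprt=(\d+) sip=(\S+) sprt=(\d+) atck=(\S+) disp=(\w+)</regex>
  <order>id, protocol, srcip, srcport, dstip, dstport, extra_data, action</order>
</decoder>

<!-- Added example for local_rules.xml (assumed file). -->
<group name="ips5500,">
  <!-- Base rule: fires on anything the decoder handled; useful while testing. -->
  <rule id="100100" level="3">
    <decoded_as>ips5500</decoded_as>
    <description>IPS5500 event.</description>
  </rule>

  <!-- Escalate when the IPS itself blocked the traffic (disp=mitigate). -->
  <rule id="100101" level="10">
    <if_sid>100100</if_sid>
    <action>mitigate</action>
    <description>IPS5500 mitigated an attack.</description>
  </rule>
</group>
```

To check the result, paste one of the sample lines into ossec-logtest: it prints which decoder matched and which fields were extracted, and if the parent prematch never fires, the output also shows how the syslog pre-decoder split the hostname and program name for that line, which is the first thing to compare against the prematch text.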
