Hi Guys, I am having a problem with ossec 1.4 under Mac OS X Server 10.5
The ftpd logs are not interpreted correctly and the IP address is not read, so the active response is never triggered. Below are two sample alert logs:

** Alert 1213947151.801450: mail - syslog,errors,
2008 Jun 20 09:32:31 File-Server->/var/log/system.log
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Src IP: (none)
User: (none)
Jun 20 09:32:30 File-Server ftpd[68281]: FTP LOGIN REFUSED (PASS before USER) FROM 58.211.16.202 [58.211.16.202]

** Alert 1213947135.800831: mail - syslog,access_control,authentication_failed,
2008 Jun 20 09:32:15 File-Server->/var/log/system.log
Rule: 2502 (level 10) -> 'User missed the password more than one time'
Src IP: (none)
User: (none)
Jun 20 09:32:13 File-Server ftpd[68268]: repeated login failures from 58.211.16.202 [58.211.16.202]

In both cases the "Src IP" is read as "none" so my firewall is never activated... Does anyone know how to fix this?

Thanks,
Charles

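Added example, not part of Charles's post and not OSSEC code: a small Python parser that shows the two ftpd messages quoted above do carry the source address in a fixed position (the trailing "<host> [<ip>]" after "FROM"/"from"), which is exactly the field a log decoder must capture as srcip before any active response can act on it. It also tallies failures per address the way a threshold rule would. The sample lines are constructed from the post; the function and pattern names are assumptions for illustration.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample input: the two ftpd lines quoted in the post.
SAMPLE_LOGS = [
    "Jun 20 09:32:30 File-Server ftpd[68281]: FTP LOGIN REFUSED (PASS before USER) FROM 58.211.16.202 [58.211.16.202]",
    "Jun 20 09:32:13 File-Server ftpd[68268]: repeated login failures from 58.211.16.202 [58.211.16.202]",
]

# Generic BSD syslog header: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# ftpd message bodies seen in the post. Both variants end with
# "<source host> [<source ip>]"; the only difference is the prefix
# and the case of "from", so one pattern with an alternation covers both.
FTPD_RE = re.compile(
    r"(?i)(?:FTP LOGIN REFUSED \((?P<reason>[^)]*)\) FROM"
    r"|repeated login failures from) "
    r"(?P<srchost>\S+) \[(?P<srcip>\d{1,3}(?:\.\d{1,3}){3})\]$"
)


def decode_ftpd(line: str) -> Optional[dict]:
    """Return the fields a decoder would extract, or None if the line
    is not one of the ftpd messages we know how to read."""
    head = SYSLOG_RE.match(line)
    if not head or head.group("prog") != "ftpd":
        return None
    body = FTPD_RE.search(head.group("msg"))
    if not body:
        return None
    return {
        "host": head.group("host"),
        "pid": int(head.group("pid")),
        "srcip": body.group("srcip"),
        "srchost": body.group("srchost"),
        # Only the "FTP LOGIN REFUSED (...)" form carries a reason.
        "reason": body.group("reason"),
    }


def failures_by_srcip(lines) -> Counter:
    """Count decoded ftpd failures per source address, the aggregate a
    threshold rule needs before an address can be handed to a firewall."""
    counts: Counter = Counter()
    for line in lines:
        event = decode_ftpd(line)
        if event is not None:
            counts[event["srcip"]] += 1
    return counts


if __name__ == "__main__":
    for raw in SAMPLE_LOGS:
        print(decode_ftpd(raw))
    print(failures_by_srcip(SAMPLE_LOGS))
```

The point of the check is that once srcip is populated for these lines (in OSSEC terms, by a decoder entry whose capture is ordered as srcip), the existing rules and the active response have a value to work with; a line that yields None here is one the decoder would also leave with "Src IP: (none)".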