Daniel, Great!
Here are a few sample log entries (from /var/log/secure.log):

Jun 20 09:00:42 File-Server ftpd[65613]: Failed authentication from: [U2FsdGVkX18af1PrJ6KSUhskC8ikccfvTqyjjJI/qtk=] @ 58.211.16.202 [58.211.16.202]
Jun 20 09:00:52 File-Server ftpd[65625]: Failed authentication from: [U2FsdGVkX1+RbLXPa7lV2Ly9a3Bir9x88RdjF2oWkg4=] @ 58.211.16.202 [58.211.16.202]
Jun 20 09:01:02 File-Server ftpd[65639]: Failed authentication from: [U2FsdGVkX18V16WdD4Z7rcx6tv0zBiUG6bok2Y3IQGQ=] @ 58.211.16.202 [58.211.16.202]
Jun 25 10:24:06 File-Server ftpd[29807]: Failed authentication from: 1.Red-88-2-137.staticIP.rima-tde.net [88.2.137.1]
Jun 25 10:24:25: --- last message repeated 1 time ---
Jun 25 10:24:25 File-Server ftpd[29871]: Failed authentication from: 1.Red-88-2-137.staticIP.rima-tde.net [88.2.137.1]

Thanks!
Charles

On Jun 24, 2008, at 20:02 , Daniel Cid wrote:
>
> Hi Charles,
>
> We currently do not support ftpd log from Mac OS. If you can provide a
> few log samples to us (from a successful
> connection, failed password, invalid user trying to FTP, etc), we can
> easily create some decoders/rules for it.
>
> Thanks,
>
> --
> Daniel B. Cid
> dcid ( at ) ossec.net
>
> On Sat, Jun 21, 2008 at 6:37 AM, kef_list <[EMAIL PROTECTED]> wrote:
>>
>> Hi Guys,
>>
>> I am having a problem with ossec 1.4 under Mac OS X Server 10.5
>>
>> The ftpd logs are not interpreted correctly and the IP address is not
>> read, so the active response is never triggered.
>>
>> Below are two sample alert logs:
>>
>>
>> ** Alert 1213947151.801450: mail - syslog,errors,
>> 2008 Jun 20 09:32:31 File-Server->/var/log/system.log
>> Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
>> Src IP: (none)
>> User: (none)
>> Jun 20 09:32:30 File-Server ftpd[68281]: FTP LOGIN REFUSED (PASS
>> before USER) FROM 58.211.16.202 [58.211.16.202]
>>
>>
>>
>> ** Alert 1213947135.800831: mail -
>> syslog,access_control,authentication_failed,
>> 2008 Jun 20 09:32:15 File-Server->/var/log/system.log
>> Rule: 2502 (level 10) -> 'User missed the password more than one
>> time'
>> Src IP: (none)
>> User: (none)
>> Jun 20 09:32:13 File-Server ftpd[68268]: repeated login failures from
>> 58.211.16.202 [58.211.16.202]
>>
>>
>> In both cases the "Src IP" is read as "none" so my firewall is never
>> activated...
>>
>>
>>
>> Does anyone know how to fix this?
>>
>> Thanks,
>> Charles
>>
>>

____________________________________________________
Institut Balear de Comunicacions, S.L.
Gremio Tejedores 22, 1
07009 Palma de Mallorca, Spain
Tel: +34 971.45.90.99 | Mobile: +34 607.87.12.77
Fax: +34 971.43.08.18 | E-mail: [EMAIL PROTECTED]
URL: http://www.ibacom.es/
____________________________________________________
Spanish law guarantees privacy in electronic communications. This electronic transmission is strictly confidential and intended solely for the addressee. If you are not the intended addressee, you are kindly requested not to disclose nor to copy this transmission and to notify us as soon as possible.
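
Every ftpd line quoted in this thread ends with the client address in square brackets, and that trailing field is what a decoder has to capture as the source IP. The following Python sketch is an added example, not part of the original messages and not OSSEC's decoder; the names decode and failures_by_ip are hypothetical, and it assumes the final bracketed value is the peer address written by ftpd, so the text before it (which may carry its own brackets) is never used as the address.

```python
import ipaddress
import re
from collections import Counter

# Syslog header: "Jun 20 09:00:42 File-Server ftpd[65613]: <message>"
HEADER = re.compile(
    r"^[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} \S+ "
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
ADDR = r"\[(?P<ip>[0-9A-Fa-f.:]+)\]$"  # final bracketed field only
# The three ftpd message shapes quoted in the thread.
EVENTS = [
    ("auth_failed", re.compile(r"^Failed authentication from: .*" + ADDR)),
    ("login_refused", re.compile(r"^FTP LOGIN REFUSED \(.*\) FROM \S+ " + ADDR)),
    ("repeated_failures", re.compile(r"^repeated login failures from \S+ " + ADDR)),
]

def decode(line):
    """Return event name, source IP and pid for an ftpd line, else None."""
    head = HEADER.match(line.strip())
    if head is None or head["prog"] != "ftpd":
        return None
    for name, pattern in EVENTS:
        m = pattern.match(head["msg"])
        if m:
            try:  # reject values that only look like an address, e.g. 999.1.1.1
                srcip = str(ipaddress.ip_address(m["ip"]))
            except ValueError:
                return None
            return {"event": name, "srcip": srcip, "pid": int(head["pid"])}
    return None

def failures_by_ip(lines):
    """Count decoded events per source IP, the key a block action needs."""
    decoded = (decode(line) for line in lines)
    return Counter(d["srcip"] for d in decoded if d)

# Lines copied from the messages in this thread (unwrapped).
SAMPLE = [
    "Jun 20 09:00:42 File-Server ftpd[65613]: Failed authentication from: "
    "[U2FsdGVkX18af1PrJ6KSUhskC8ikccfvTqyjjJI/qtk=] @ 58.211.16.202 [58.211.16.202]",
    "Jun 25 10:24:06 File-Server ftpd[29807]: Failed authentication from: "
    "1.Red-88-2-137.staticIP.rima-tde.net [88.2.137.1]",
    "Jun 25 10:24:25: --- last message repeated 1 time ---",
    "Jun 20 09:32:30 File-Server ftpd[68281]: FTP LOGIN REFUSED (PASS "
    "before USER) FROM 58.211.16.202 [58.211.16.202]",
    "Jun 20 09:32:13 File-Server ftpd[68268]: repeated login failures from "
    "58.211.16.202 [58.211.16.202]",
]
```

Calling failures_by_ip(SAMPLE) gives the per-address counts; the "last message repeated" line has no program tag and is skipped rather than guessed at.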
