Hi, I just installed ossec and I've seen vpopmail alerts had a wrong interpretation. This happens because with vpopmail you can choose to display wrong passwords in the log.

Here is the difference between "original" and with password:

vpopmail[32485]: vchkpw-2110 password fail [email protected]:x.x.x.x
vpopmail[33678]: vchkpw-pop3: password fail (pass: 'qwerty') [email protected]:x.x.x.x

In the second case you can't get the correct user and srcip, so I just patched decoder.xml; here for the archives:

--- etc/decoder.xml.orig 2009-02-04 19:21:51.000000000 +0100 +++ etc/decoder.xml 2009-06-26 14:26:27.000000000 +0200 @@ -485,6 +485,7 @@ - Examples: - vpopmail[32485]: vchkpw-pop3: password fail [email protected]:x.x.x.x - vpopmail[32485]: vchkpw-2110 password fail [email protected]:x.x.x.x + - vpopmail[33678]: vchkpw-pop3: password fail (pass: 'qwerty') [email protected]:x.x.x.x - vpopmail[2100]: vchkpw-pop3: vpopmail user not found [email protected]:x.x.x.x - vpopmail[4162]: vchkpw-pop3: vpopmail user not found support@:69.3.64.3 --> @@ -495,7 +496,7 @@ <decoder name="vpopmail-fail"> <parent>vpopmail</parent> <prematch>^vchkpw-pop3: password fail</prematch> - <regex offset="after_prematch">^ (\S+)@\S+:(\d+.\d+.\d+.\d+)$</regex> + <regex offset="after_prematch">^ \.+ (\S+)@\S+:(\d+.\d+.\d+.\d+)$</regex> <order>user, srcip</order> </decoder>

--
Cris, member of G.U.F.I Italian FreeBSD User Group http://www.gufi.org/
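Review bot: the replacement regex in the second hunk, `^ \.+ (\S+)@\S+:(\d+.\d+.\d+.\d+)$`, makes the extra token between "password fail" and the address mandatory (`\.+` in OSSEC's regex syntax is one or more of any character, and it must be followed by a space), so on installations that do not log the password the plain form still listed in the first hunk's examples, `vchkpw-pop3: password fail [email protected]:x.x.x.x`, no longer yields user and srcip; keeping the original regex for the plain form and adding a second decoder whose prematch covers the `(pass: '...')` variant keeps both formats decodable. A second point worth recording in the comment block: the `(pass: 'qwerty')` token is deliberately not captured, but the full log line still reaches alerts, so enabling password logging in vpopmail puts cleartext credentials into ossec's alert files and any mail or syslog forwarding configured for them.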
