I'm just passing on a simple decoder/rule I did to catch interesting events from a Pound proxy. It is too basic so far; I hope to expand it as soon as I get used to OSSEC and get the right security events to wait for.
So please take a look and consider adding it to the next release :)

Decoder:

    <!--
      Sample lines (OSSEC archive format) the decoder was written against:
      2010 Feb 16 11:20:19 (proxse16) 192.168.20.42->/var/log/messages Feb 16 11:21:09 proxse16 pound: bad request "OPTIONS / HTTP/1.1" from 190.145.16.170
      2010 Feb 16 11:20:21 (proxse16) 192.168.20.42->/var/log/messages Feb 16 11:21:11 proxse16 pound: bad request "OPTIONS /docs/ HTTP/1.1" from 201.232.127.138
      2010 Feb 16 11:20:21 (proxse16) 192.168.20.42->/var/log/messages Feb 16 11:21:12 proxse16 pound: bad request "OPTIONS /practicas/ HTTP/1.1" from 190.253.216.106
      2010 Feb 16 11:20:23 (proxse16) 192.168.20.42->/var/log/messages Feb 16 11:21:13 proxse16 pound: bad request "OPTIONS /practicas/ HTTP/1.1" from 190.253.216.106
    -->

    <!-- Parent decoder: matches every syslog line whose program name starts with "pound". -->
    <decoder name="pound">
      <program_name>^pound</program_name>
    </decoder>

    <!-- Child decoder: source address at the end of the message (dots escaped so they are literal). -->
    <decoder name="pound-ip">
      <parent>pound</parent>
      <regex>from (\d+\.\d+\.\d+\.\d+)$</regex>
      <order>srcip</order>
    </decoder>

    <!-- Child decoder: request path from the quoted request line, e.g. "OPTIONS /docs/ HTTP/1.1". -->
    <decoder name="pound-url">
      <parent>pound</parent>
      <regex>"\w+ (\S+) HTTP\S+</regex>
      <order>url</order>
    </decoder>

Rule:

    <group name="pound">
      <!-- Level 0: groups all Pound messages so child rules can key on them. -->
      <rule id="100200" level="0">
        <decoded_as>pound</decoded_as>
        <description>Pound messages grouped.</description>
      </rule>

      <!-- Level 6: Pound rejected the request (malformed or disallowed request line). -->
      <rule id="100201" level="6">
        <if_sid>100200</if_sid>
        <match>^bad request</match>
        <description>bad request at pound proxy</description>
      </rule>
    </group>

----- End forwarded message -----
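To sanity-check what the decoder chain and rules above would extract before loading them into OSSEC, here is an added Python emulation (not part of the post, and using Python's re engine rather than OSSEC's own regex syntax); the sample lines are constructed in the syslog shape shown in the post, and the rule/decoder names and field names follow the post.

```python
import re

# Constructed sample lines in the syslog shape shown in the post; the third is
# another program and the fourth a constructed non-error Pound message.
SAMPLE_LOGS = [
    'Feb 16 11:21:09 proxse16 pound: bad request "OPTIONS / HTTP/1.1" from 190.145.16.170',
    'Feb 16 11:21:11 proxse16 pound: bad request "OPTIONS /docs/ HTTP/1.1" from 201.232.127.138',
    'Feb 16 11:21:13 proxse16 sshd[4242]: Accepted publickey for alice from 10.0.0.5 port 2222',
    'Feb 16 11:25:00 proxse16 pound: rebuilt backend list (constructed line)',
]

# Syslog header split: timestamp, hostname, program name (optional [pid]), message.
SYSLOG_RE = re.compile(r'^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) ([^:\[]+)(?:\[\d+\])?: (.*)$')

# Python-re approximations of the two child decoders' regexes (dots escaped).
IP_RE = re.compile(r'from (\d+\.\d+\.\d+\.\d+)$')   # pound-ip  -> srcip
URL_RE = re.compile(r'"\w+ (\S+) HTTP\S+')          # pound-url -> url

def decode(line):
    """Emulate the parent decoder (program_name ^pound) and its children.
    Returns None when the parent does not match, as OSSEC would skip the line."""
    m = SYSLOG_RE.match(line)
    if not m or not m.group(3).startswith('pound'):
        return None
    body = m.group(4)
    fields = {'decoder': 'pound', 'hostname': m.group(2), 'log': body}
    ip = IP_RE.search(body)
    if ip:
        fields['srcip'] = ip.group(1)
    url = URL_RE.search(body)
    if url:
        fields['url'] = url.group(1)
    return fields

def evaluate(fields):
    """Emulate the rule chain: 100200 (level 0) groups every decoded Pound
    line; 100201 (level 6) fires when the message starts with 'bad request'."""
    if fields is None:
        return None
    if fields['log'].startswith('bad request'):
        return {'rule': 100201, 'level': 6, 'description': 'bad request at pound proxy'}
    return {'rule': 100200, 'level': 0, 'description': 'Pound messages grouped.'}

def run(lines):
    """Decode and evaluate every line; returns (fields, alert) pairs."""
    return [(f, evaluate(f)) for f in map(decode, lines)]
```

Calling run(SAMPLE_LOGS) shows the two "bad request" lines decoded with srcip and url and raised at level 6, the sshd line ignored, and the plain Pound line caught only by the level-0 grouping rule.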
