Hi Rafael,

It has been fixed already on our development snapshot:
http://www.ossec.net/files/snapshots/ossec-hids-100317.tar.gz

The issue was that the decoder was not picking up the source IP address
properly.

This is the result now:
**Phase 1: Completed pre-decoding.
       full event: 'Mar 18 10:08:53 server courierpop3login: LOGIN
FAILED, [email protected], ip=[::ffff:18.104.87.110]'
       hostname: 'server'
       program_name: 'courierpop3login'
       log: 'LOGIN FAILED, [email protected], ip=[::ffff:18.104.87.110]'

**Phase 2: Completed decoding.
       decoder: 'courier'
       srcip: '::ffff:18.104.87.110'

**Phase 3: Completed filtering (rules).
       Rule id: '3902'
       Level: '5'
       Description: 'Courier (imap/pop3) authentication failed.'
**Alert to be generated.


Thanks,

--
Daniel B. Cid
dcid ( at ) ossec.net


On Thu, Mar 18, 2010 at 5:05 PM, rafael.gomes <[email protected]> wrote:
>
> Hi Guys,
>
> I am getting this msg in my OSSEC:
>
> Mar 18 10:08:53 server courierpop3login: LOGIN FAILED,
> [email protected], ip=[::ffff:18.104.87.110]
> Mar 18 10:08:53 server courierpop3login: LOGIN FAILED,
> [email protected], ip=[::ffff:18.104.87.110]
> Mar 18 10:07:41 server courierpop3login: LOGIN FAILED,
> [email protected], ip=[::ffff:18.104.87.110]
> Mar 18 10:07:41 server courierpop3login: LOGIN FAILED,
> [email protected], ip=[::ffff:18.104.87.110]
> Mar 18 10:06:30 server courierpop3login: LOGIN FAILED,
> [email protected], ip=[::ffff:18.104.87.110]
> Mar 18 10:06:30 server courierpop3login: LOGIN FAILED,
> [email protected], ip=[::ffff:18.104.87.110]
> Mar 18 10:05:13 server courierpop3login: LOGIN FAILED,
> [email protected], ip=[::ffff:18.104.87.110]
>
> But it doesn't trigger an active response. Why?
>
> I got this archived mail:
>
> http://www.mail-archive.com/[email protected]/msg01874.html
>
> I know that developers need time to do this; I am not demanding anything,
> just asking if they intend to develop it soon.
>
> This log is killing me; I am thinking about adding another tool just to
> control it.
>
> I am not able to help with devel, but I can test if you need.
>
> Thanks!
>
> --
> Best regards,
>
> Rafael Brito Gomes
> Security Analyst
> LPIC-1 MCSO
> DISUP/CPD/UFBA
> Tel : +55 71 3283 6100
>
> To unsubscribe from this group, send email to 
> ossec-list+unsubscribegooglegroups.com or reply to this email with the words 
> "REMOVE ME" as the subject.
>

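To illustrate what the fixed decoder has to get right before active response can key on the source, here is an added example (not OSSEC code, and not from either poster) that decodes courier login-failure lines of the form shown in this thread, unwraps the IPv4-mapped IPv6 address (`::ffff:a.b.c.d`) that courier logs for IPv4 clients, and counts failures per source the way a frequency rule would. The regex, function names and sample lines are constructed for this example; it also accepts plain IPv4 and IPv6 addresses, which the thread does not show.

```python
import ipaddress
import re
from collections import Counter

# Hypothetical re-implementation of the courier decoder's job for this thread;
# it is not OSSEC's decoder. Matches lines like:
#   Mar 18 10:08:53 server courierpop3login: LOGIN FAILED, user, ip=[::ffff:18.104.87.110]
COURIER_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>courier(?:pop3|imap)login): LOGIN FAILED, "
    r"(?P<user>[^,]+), ip=\[(?P<ip>[^\]]+)\]$"
)

def decode_courier(line):
    """Return decoder fields (hostname, program_name, user, srcip) or None."""
    m = COURIER_RE.match(line)
    if not m:
        return None
    try:
        addr = ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return None  # malformed address: do not emit a bogus srcip
    # Courier logs IPv4 clients as IPv4-mapped IPv6. A blocking action wants
    # the plain IPv4 form, so unwrap it when present; real IPv6 passes through.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return {
        "hostname": m.group("host"),
        "program_name": m.group("prog"),
        "user": m.group("user"),
        "srcip": str(addr),
    }

def failures_by_srcip(lines):
    """Count decoded login failures per source, as a frequency rule would."""
    counts = Counter()
    for line in lines:
        ev = decode_courier(line)
        if ev is not None:
            counts[ev["srcip"]] += 1
    return counts

# Constructed sample lines, modelled on the ones quoted in the thread.
SAMPLE_LINES = [
    "Mar 18 10:08:53 server courierpop3login: LOGIN FAILED, user@example.com, ip=[::ffff:18.104.87.110]",
    "Mar 18 10:07:41 server courierpop3login: LOGIN FAILED, user@example.com, ip=[::ffff:18.104.87.110]",
    "Mar 18 10:06:30 server courierimaplogin: LOGIN FAILED, user@example.com, ip=[::ffff:18.104.87.110]",
    "Mar 18 10:05:13 server courierpop3login: LOGIN FAILED, other@example.com, ip=[2001:db8::1]",
    "Mar 18 10:05:13 server courierpop3login: LOGIN FAILED, other@example.com, ip=[not-an-ip]",
    "Mar 18 10:04:02 server sshd[1234]: Failed password for root from 192.0.2.5 port 4000 ssh2",
]

if __name__ == "__main__":
    for src, n in failures_by_srcip(SAMPLE_LINES).items():
        print(f"{src}: {n} failed logins")
```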