Hi,

The decoder supplied with the OSSEC distribution (2.4.1) does not properly decode the srcip for openSUSE. I have added a decoder ahead of the existing decoder. I'm including the diff output in hopes that it will help someone else on the list.
1c1 < <!-- @(#) $Id: decoder.xml,v 1.2 2010/06/26 18:57:04 root Exp $ --- > <!-- @(#) $Id: decoder.xml,v 1.164 2010/03/10 18:08:07 dcid Exp $ 155,161d154 < < <decoder name="ssh-reverse-mapping-suse"> < <parent>sshd</parent> < <prematch>^reverse mapping checking </prematch> < <regex offset="after_prematch">^\w+ for \S+ [(\S+)] </regex> < <order>srcip</order> < </decoder>

It would be nice if this could be added to the distribution (assuming that it doesn't break anything).

Dennis
-- 
Dennis Golden
Golden Consulting Services, Inc.
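Review bot: the 1c1 hunk only swaps the CVS $Id keyword line (the local "v 1.2 ... root" against the distribution's "v 1.164 ... dcid") and should be left out of the proposed change; it is checkout noise, not a decoder edit, and a clean patch for the list would contain only the decoder hunk.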
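Review bot: the diff was taken in the direction "diff modified distribution", so the "<" lines of the 155,161d154 hunk are the lines being added, which reads as a deletion to anyone expecting old-to-new order; regenerating it as "diff -u decoder.xml.orig decoder.xml" would show the new ssh-reverse-mapping-suse decoder as "+" lines. On the decoder itself, two checks before it goes into the distribution: the "\w+" in "^\w+ for \S+ [(\S+)] " accepts any resolver function name after the prematch, so confirm with ossec-logtest on a real openSUSE sshd line that the decoder fires and binds the bracketed address to srcip; and because it is inserted ahead of the existing decoder, also run a line from another distribution through ossec-logtest to confirm that nothing that decoded correctly before is now picked up by the new decoder with a different result.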
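As an added example (not part of Dennis's post or of the OSSEC distribution), the following Python script emulates the posted decoder's prematch and regex on constructed sshd messages, so the srcip extraction can be checked offline before the decoder is deployed. The translation of OSSEC's regex dialect into Python's re module and the sample messages are assumptions; the authoritative check remains ossec-logtest against a real openSUSE log line.

```python
import ipaddress
import re

# Constructed sample sshd messages (not taken from the post). They are the part of the
# syslog line after the "sshd[pid]: " prefix, which is what the parent sshd decoder hands
# to its child decoders; the resolver function name is the part that varies by system.
SAMPLE_MESSAGES = [
    "reverse mapping checking getaddrinfo for host.example.com [192.0.2.10] failed - POSSIBLE BREAK-IN ATTEMPT!",
    "reverse mapping checking gethostbyname for host.example.com [198.51.100.7] failed - POSSIBLE BREAK-IN ATTEMPT!",
    "reverse mapping checking getaddrinfo for host.example.com [not-an-ip] failed - POSSIBLE BREAK-IN ATTEMPT!",
    "Accepted publickey for alice from 203.0.113.5 port 2222 ssh2",
]

# <prematch> from the posted decoder.
PREMATCH = "reverse mapping checking "

# Python approximation (an assumption, not OSSEC's own matching engine) of the posted
# <regex offset="after_prematch">^\w+ for \S+ [(\S+)] </regex>:
# OSSEC \w -> [A-Za-z0-9_], \S -> \S, square brackets taken literally, and (\S+) is the
# single capture group that <order>srcip</order> binds to.
DECODER_REGEX = re.compile(r"^[A-Za-z0-9_]+ for \S+ \[(\S+)\] ")


def decode_srcip(message):
    """Emulate the decoder: the prematch must hold at the start of the message, the regex
    is applied to the text after it, and the first capture group becomes srcip.
    Returns None when the decoder would not fire."""
    if not message.startswith(PREMATCH):
        return None
    match = DECODER_REGEX.match(message[len(PREMATCH):])
    return match.group(1) if match else None


def decode_and_validate(message):
    """Decode srcip and report whether it is a syntactically valid IP address.
    A decoder that binds junk to srcip silently poisons rules and active responses,
    so this validation is the check worth running over real log samples."""
    srcip = decode_srcip(message)
    if srcip is None:
        return {"decoded": False, "srcip": None, "valid_ip": False}
    try:
        ipaddress.ip_address(srcip)
        valid = True
    except ValueError:
        valid = False
    return {"decoded": True, "srcip": srcip, "valid_ip": valid}


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(decode_and_validate(msg))
```

Running the script shows the first two messages decoding to their bracketed addresses, the third decoding to a value that fails IP validation (the case a rule author wants to catch), and the unrelated "Accepted publickey" line not firing the decoder at all.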
