Could you pass along an event to go with the decoder? There are some newer decoders for sshd in the latest snapshots, but I don't know if they'd cover an event from openSUSE.
On Sat, Jun 26, 2010 at 3:08 PM, Dennis Golden <[email protected]> wrote:
> Hi,
>
> The decoder supplied with the ossec distribution (2.4.1) does not
> properly decode the srcip for openSUSE. I have added a decoder ahead of
> the existing decoder. I'm including the diff output in hopes that it
> will help someone else on the list.
>
> 1c1
> < <!-- @(#) $Id: decoder.xml,v 1.2 2010/06/26 18:57:04 root Exp $
> ---
>> <!-- @(#) $Id: decoder.xml,v 1.164 2010/03/10 18:08:07 dcid Exp $
> 155,161d154
> <
> < <decoder name="ssh-reverse-mapping-suse">
> < <parent>sshd</parent>
> < <prematch>^reverse mapping checking </prematch>
> < <regex offset="after_prematch">^\w+ for \S+ [(\S+)] </regex>
> < <order>srcip</order>
> < </decoder>
>
> It would be nice if this could be added to the distribution (assuming
> that it doesn't break anything).
>
> Dennis
> --
> Dennis Golden
> Golden Consulting Services, Inc.
>
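Review bot: the 1c1 hunk should be dropped from the patch; it only replaces the RCS keyword line (upstream `$Id: decoder.xml,v 1.164 2010/03/10 18:08:07 dcid Exp $` with a local `1.2 ... root` revision), which is checkout noise from the local copy rather than part of the fix, and it would clobber the upstream revision marker if applied.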
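Review bot: the 155,161d154 hunk shows the diff was taken with the modified file first (the new decoder appears as `<` lines under a delete hunk), so regenerate it as `diff -u decoder.xml.orig decoder.xml` with the original first; as posted it cannot be applied with patch without reversing. On the content: the new ssh-reverse-mapping-suse decoder is inserted ahead of the existing one and uses the generic `^\w+ for \S+ [(\S+)] ` after the same `^reverse mapping checking ` prematch, and since OSSEC takes the first child decoder of sshd that matches, the existing reverse-mapping decoder will no longer fire for any event this regex also matches. Either fold the `\w+` generalisation into the existing decoder instead of adding a second one, or post the openSUSE log line alongside one from another distribution so the maintainers can confirm both still yield srcip.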
