dan (ddp) wrote:
> Could you pass along an event to go with the decoder? There are some
> newer decoders for sshd in the latest snapshots, but I don't know if
> they'd cover an event from open suse.
Sorry, I should have included it (but I think someone did earlier). Here is the syslog entry (line is wrapped):

Jun 26 10:14:12 dg-linux sshd[16527]: reverse mapping checking getaddrinfo for 64.79.111.4.rdns.continuumdatacenters.com [64.79.111.4] failed - POSSIBLE BREAK-IN ATTEMPT!

<snip>

>> The decoder supplied with the ossec distribution (2.4.1) does not
>> properly decode the srcip for openSUSE. I have added a decoder ahead of
>> the existing decoder. I'm including the diff output in hopes that it
>> will help someone else on the list.
>>
>> 1c1
>> < <!-- @(#) $Id: decoder.xml,v 1.2 2010/06/26 18:57:04 root Exp $
>> ---
>>> <!-- @(#) $Id: decoder.xml,v 1.164 2010/03/10 18:08:07 dcid Exp $
>> 155,161d154
>> <
>> < <decoder name="ssh-reverse-mapping-suse">
>> < <parent>sshd</parent>
>> < <prematch>^reverse mapping checking </prematch>
>> < <regex offset="after_prematch">^\w+ for \S+ [(\S+)] </regex>
>> < <order>srcip</order>
>> < </decoder>
>>
>> It would be nice if this could be added to the distribution (assuming
>> that it doesn't break anything.

<snip>

--
Dennis Golden
Golden Consulting Services, Inc.
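Review bot: the `1c1` hunk only swaps the CVS `$Id` keyword line (`$Id: decoder.xml,v 1.2 2010/06/26 18:57:04 root Exp $` against `$Id: decoder.xml,v 1.164 2010/03/10 18:08:07 dcid Exp $`), which is checkout metadata rather than part of the decoder change; leave that hunk out of anything submitted for the distribution so the patch applies to any copy of decoder.xml whatever its header line says. The newer date sitting on the `<` side also shows the two files were handed to diff in modified-then-original order, which matters for the second hunk.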
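Review bot: the `155,161d154` hunk is oriented backwards: the seven `<` lines carrying `<decoder name="ssh-reverse-mapping-suse">` belong to the first file given to diff, so as written the patch describes deleting the decoder, and `patch` would remove it from a stock decoder.xml instead of adding it. Regenerate it with the original first (`diff -u decoder.xml.orig decoder.xml`); unified context would also pin down where "ahead of the existing decoder" the block sits, since bare line numbers 155-161 shift between releases. The decoder itself reads correctly against the posted event: `^reverse mapping checking ` consumes the prematch, `\w+` takes `getaddrinfo`, `\S+` the reverse-DNS name, and `(\S+)` between the literal brackets yields `64.79.111.4` for `srcip`; keep the trailing space after `]` in the regex, since the event continues with ` failed`.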
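To check the quoted decoder against the posted event before dropping it into decoder.xml, here is an added Python emulation of the parent/prematch/regex/order steps (example code written for this thread, not OSSEC's own matching engine). It assumes the `sshd` parent is satisfied by the program name in the syslog header and that the OSSEC regex tokens `\w+` and `\S+` behave as in Python, with `[` and `]` treated as literal characters as they are in OSSEC's syntax; the second event is constructed to show a non-matching sshd line.

```python
import re

# Event taken from the thread, and a constructed sshd line that should not match.
EVENT = ("Jun 26 10:14:12 dg-linux sshd[16527]: reverse mapping checking "
         "getaddrinfo for 64.79.111.4.rdns.continuumdatacenters.com "
         "[64.79.111.4] failed - POSSIBLE BREAK-IN ATTEMPT!")
OTHER_EVENT = ("Jun 26 10:15:00 dg-linux sshd[16530]: Accepted publickey "
               "for dennis from 10.0.0.5 port 51234 ssh2")  # constructed

# The decoder from the quoted diff, as data.
DECODER = {
    "name": "ssh-reverse-mapping-suse",
    "parent": "sshd",
    "prematch": r"^reverse mapping checking ",
    "regex": r"^\w+ for \S+ [(\S+)] ",   # OSSEC syntax: brackets are literal
    "order": ["srcip"],
}

# Syslog header: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} (\S+) ([^\s\[:]+)(?:\[(\d+)\])?: (.*)$")


def ossec_to_python(pattern):
    """Translate the subset of OSSEC regex used here into a Python pattern.

    Assumption: only the literal brackets need escaping; \\w and \\S are
    close enough to Python's for this event. This is an approximation.
    """
    return pattern.replace("[", r"\[").replace("]", r"\]")


def decode(event, decoder):
    """Return the fields the decoder would extract, or None if it does not fire."""
    header = SYSLOG_RE.match(event)
    if not header:
        return None
    host, program, pid, msg = header.groups()
    # <parent>sshd</parent>: emulated as a program-name check on the header.
    if program != decoder["parent"]:
        return None
    pre = re.match(ossec_to_python(decoder["prematch"]), msg)
    if not pre:
        return None
    rest = msg[pre.end():]                      # offset="after_prematch"
    hit = re.match(ossec_to_python(decoder["regex"]), rest)
    if not hit:
        return None
    fields = dict(zip(decoder["order"], hit.groups()))  # <order>srcip</order>
    fields["decoder"] = decoder["name"]
    fields["hostname"] = host
    fields["program_name"] = program
    return fields


if __name__ == "__main__":
    print(decode(EVENT, DECODER))        # srcip should be 64.79.111.4
    print(decode(OTHER_EVENT, DECODER))  # None: prematch does not match
```

Running it prints the extracted `srcip` for the reverse-mapping event and `None` for the unrelated sshd line, which is the behaviour a child decoder placed ahead of the existing one must have so that it does not shadow other sshd events.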
