On Sat, Oct 22, 2011 at 9:34 AM, dan (ddp) <[email protected]> wrote:
> That's an issue in the current tree. Easy fix. Add the following decoder to
> decoders.xml or local_decoders.xml:
>
> <decoder name="ftp-proxy">
>   <decoded_as>^ftp-proxy</decoded_as>
> </decoder>
>
Adding this to local_decoders.xml didn't work. The file needs to be called
local_decoder.xml (no "s" at the end, despite there being a file called
decoders.xml). When I add this to local_decoder.xml and attempt to start, I
get a new error:

2011/10/22 09:58:04 ossec-analysisd: Invalid element 'decoded_as' for decoder 'decoder'
2011/10/22 09:58:04 ossec-testrule(1202): ERROR: Configuration error at '/etc/local_decoder.xml'. Exiting.

I found this snippet for ftp-proxy:

<decoder name="ftp-proxy">
  <program_name>^ftp-proxy</program_name>
</decoder>

from here:
http://code.google.com/p/wip-ossec-rules/source/browse/ossec/etc/local_decoder.xml?r=4aada4eb6175351f35351f4ba4f96e8e3f4f835a

and tried that instead. Now I get a different error:

2011/10/22 10:02:10 ossec-testrule: INFO: Reading local decoder file.
2011/10/22 10:02:10 ossec-analysisd: Invalid decoder name: 'hotplugd'.
2011/10/22 10:02:10 ossec-testrule(1220): ERROR: Error loading the rules: 'openbsd_rules.xml'.

hotplugd didn't exist in decoders.xml, so I did the same thing. Now ossec
starts. In summary, I added the following to local_decoder.xml:

# cat local_decoder.xml
<decoder name="ftp-proxy">
  <program_name>^ftp-proxy</program_name>
</decoder>
<decoder name="hotplugd">
  <program_name>^hotplugd</program_name>
</decoder>
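
As an added check that is not part of this thread or of the OSSEC project: the script below reproduces the two validations that ossec-analysisd failed on above, so a decoder file can be linted before restarting the daemon. The first check flags a <decoder> that contains an element OSSEC does not accept there (<decoded_as> is a rule element, not a decoder element); the second flags a rule whose <decoded_as> names a decoder that no decoder file defines (the 'Invalid decoder name' error from openbsd_rules.xml). The two decoder snippets are the ones quoted in the thread; the openbsd_rules.xml fragment is a constructed sample, and the list of accepted decoder child elements is my assumption from the OSSEC documentation rather than anything OSSEC exports.

```python
import xml.etree.ElementTree as ET

# Child elements that OSSEC 2.x accepts inside <decoder>. <decoded_as> is a
# *rule* element, which is why ossec-analysisd rejects it inside a decoder.
# (Assumed list, taken from the decoder documentation; extend if needed.)
DECODER_ELEMENTS = {
    "parent", "program_name", "prematch", "regex", "order",
    "offset", "type", "fts", "ftscomment", "use_own_name",
}

# Dan's original suggestion (from the thread): fails the element check.
DAN_SNIPPET = """
<decoder name="ftp-proxy">
  <decoded_as>^ftp-proxy</decoded_as>
</decoder>
"""

# The local_decoder.xml that finally worked (from the thread).
LOCAL_DECODER = """
<decoder name="ftp-proxy">
  <program_name>^ftp-proxy</program_name>
</decoder>
<decoder name="hotplugd">
  <program_name>^hotplugd</program_name>
</decoder>
"""

# Constructed stand-in for the part of openbsd_rules.xml that references the
# two decoders; rule ids 100100+ are in the local range, chosen arbitrarily.
OPENBSD_RULES = """
<group name="openbsd,syslog,">
  <rule id="100100" level="0">
    <decoded_as>hotplugd</decoded_as>
    <description>Grouping of hotplugd messages (constructed sample).</description>
  </rule>
  <rule id="100101" level="0">
    <decoded_as>ftp-proxy</decoded_as>
    <description>Grouping of ftp-proxy messages (constructed sample).</description>
  </rule>
</group>
"""


def parse_fragment(text):
    """OSSEC decoder and rule files have no single root element, so they are
    not well-formed XML on their own; wrap them in a synthetic root first."""
    return ET.fromstring("<ossec_fragment>" + text + "</ossec_fragment>")


def check_decoders(text):
    """Return (names, problems): the decoder names defined in `text` and a
    list of problems, one per child element OSSEC would not accept."""
    names, problems = [], []
    for dec in parse_fragment(text).iter("decoder"):
        name = dec.get("name")
        if not name:
            problems.append("decoder without a name attribute")
            continue
        names.append(name)
        for child in dec:
            if child.tag not in DECODER_ELEMENTS:
                problems.append(f"decoder '{name}': invalid element '{child.tag}'")
    return names, problems


def undefined_decoders(rules_text, known):
    """Every <decoded_as> in a rules file must name an existing decoder.
    Return the names that do not, sorted (the 'Invalid decoder name' case)."""
    referenced = {
        el.text.strip()
        for el in parse_fragment(rules_text).iter("decoded_as")
        if el.text and el.text.strip()
    }
    return sorted(referenced - set(known))


if __name__ == "__main__":
    print("dan's snippet:", check_decoders(DAN_SNIPPET)[1])
    names, problems = check_decoders(LOCAL_DECODER)
    print("local_decoder.xml:", names, problems)
    print("rules referencing undefined decoders:",
          undefined_decoders(OPENBSD_RULES, names))
```

Run the script as-is to see both failure modes reported, or feed it the real files (for example the concatenation of decoders.xml and local_decoder.xml as the known set, and each rules file in turn) to catch the missing-decoder case before ossec-testrule does.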
