I really messed that one up. Thanks. I'll add the hotplug one as well.

On Oct 22, 2011 1:10 PM, "Joe S" <[email protected]> wrote:
> On Sat, Oct 22, 2011 at 9:34 AM, dan (ddp) <[email protected]> wrote:
> > That's an issue in the current tree. Easy fix. Add the following decoder to
> > decoders.xml or local_decoders.xml:
> > <decoder name="ftp-proxy">
> > <decoded_as>^ftp-proxy</decoded_as>
> > </decoder>
> >
>
> Adding this to local_decoders.xml didn't work. The file needs to be
> called local_decoder.xml (no "s" at the end, despite there being a
> file called decoders.xml).
>
> When I add this to local_decoder.xml and attempt to start, I get a new
> error:
>
> 2011/10/22 09:58:04 ossec-analysisd: Invalid element 'decoded_as' for
> decoder 'decoder'
> 2011/10/22 09:58:04 ossec-testrule(1202): ERROR: Configuration error
> at '/etc/local_decoder.xml'. Exiting.
>
> I found this snippet for ftp-proxy:
>
> <decoder name="ftp-proxy">
> <program_name>^ftp-proxy</program_name>
> </decoder>
>
> from here:
>
> http://code.google.com/p/wip-ossec-rules/source/browse/ossec/etc/local_decoder.xml?r=4aada4eb6175351f35351f4ba4f96e8e3f4f835a
>
> and tried that instead. Now I get a different error:
>
> 2011/10/22 10:02:10 ossec-testrule: INFO: Reading local decoder file.
> 2011/10/22 10:02:10 ossec-analysisd: Invalid decoder name: 'hotplugd'.
> 2011/10/22 10:02:10 ossec-testrule(1220): ERROR: Error loading the
> rules: 'openbsd_rules.xml'.
>
> hotplugd didn't exist in decoders.xml, so I did the same thing.
>
> Now ossec starts.
>
> In summary, I added the following to local_decoder.xml:
>
> # cat local_decoder.xml
> <decoder name="ftp-proxy">
> <program_name>^ftp-proxy</program_name>
> </decoder>
>
> <decoder name="hotplugd">
> <program_name>^hotplugd</program_name>
> </decoder>
>
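
The two startup failures in the thread above can be caught before restarting the analysis daemon. The following is an added example, not part of the thread and not OSSEC's own code: it flags decoders that contain `<decoded_as>` and rule references to decoder names that no decoder file defines. It uses regular expressions because the decoder file shown has several top-level elements; the sample file contents, rule ids and function names are constructed for illustration.

```python
import re

COMMENT = re.compile(r"<!--.*?-->", re.S)
DECODER_BLOCK = re.compile(
    r'<decoder\s+name\s*=\s*"([^"]+)"\s*>(.*?)</decoder>', re.S)
DECODED_AS = re.compile(r"<decoded_as>\s*([^<\s]+)\s*</decoded_as>")

def decoder_blocks(text):
    """Return (name, body) for every <decoder> element, ignoring comments."""
    return DECODER_BLOCK.findall(COMMENT.sub("", text))

def defined_decoders(*texts):
    """Names defined across all decoder files passed in."""
    return {name for t in texts for name, _ in decoder_blocks(t)}

def decoders_using_decoded_as(text):
    """Decoders containing <decoded_as>, which the daemon rejected above."""
    return [n for n, body in decoder_blocks(text) if DECODED_AS.search(body)]

def undefined_references(rules_text, known):
    """Decoder names referenced by rules but defined nowhere."""
    refs = DECODED_AS.findall(COMMENT.sub("", rules_text))
    return sorted(set(refs) - known)

# Constructed sample inputs (not copied from a real installation).
STOCK = '''<decoder name="sshd">
  <program_name>^sshd</program_name>
</decoder>'''
LOCAL_BAD = '''<decoder name="ftp-proxy">
  <decoded_as>^ftp-proxy</decoded_as>
</decoder>'''
LOCAL_FIXED = '''<decoder name="ftp-proxy">
  <program_name>^ftp-proxy</program_name>
</decoder>'''
RULES = '''<group name="syslog,openbsd,">
  <rule id="100001" level="0">
    <decoded_as>ftp-proxy</decoded_as>
  </rule>
  <rule id="100002" level="0">
    <decoded_as>hotplugd</decoded_as>
  </rule>
</group>'''

if __name__ == "__main__":
    print("decoded_as inside decoder:", decoders_using_decoded_as(LOCAL_BAD))
    known = defined_decoders(STOCK, LOCAL_FIXED)
    print("undefined decoder references:", undefined_references(RULES, known))
```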
