Yes, I had defined the decoder pure-transfer in the "local_decoder.xml" file, but
it was not detecting it. To fix the issue I changed the log
settings for my FTP server to log all events to the syslog file and enabled
rule id 1304 to match upload and download. It worked for me.

I am not sure why it was not detecting the decoder "pure-transfer" defined
in the file "local_decoder.xml".



On Thu, Mar 14, 2013 at 6:51 PM, S Pratap Singh <[email protected]> wrote:

> Thanks for the help, Dan. I have fixed the issue and everything works
> perfectly. :)
>
>
> On Thu, Mar 14, 2013 at 2:11 PM, S Pratap Singh <[email protected]> wrote:
>
>> Hi Dan,
>>
>> Things are working fine now. But I have another problem: now I am getting
>> most of the alerts for FTP activity, excluding file upload and download
>> alerts. The rule which you have given works fine, but when I restart OSSEC I
>> am getting the following error:
>>
>> 2013/03/14 12:38:18 ossec-analysisd: Invalid decoder name:
>> 'pure-transfer'.
>> 2013/03/14 12:38:18 ossec-analysisd(1220): ERROR: Error loading the
>> rules: 'local_rules.xml'.
>> 2013/03/14 12:38:21 ossec-remoted(1210): ERROR: Queue
>> '/queue/ossec/queue' not accessible: 'Connection refused'.
>> 2013/03/14 12:38:21 ossec-remoted(1211): ERROR: Unable to access queue:
>> '/queue/ossec/queue'. Giving up..
>>
>> So there are two problems I am facing currently:
>> 1. Not getting alerts for upload and download, since these are getting logged
>> into another file and not into the syslog file.
>> 2. Facing the issue with restarting the OSSEC server.
>>
>> Thanks for your input and help so far.
>>
>> On Thu, Mar 14, 2013 at 2:58 AM, dan (ddp) <[email protected]> wrote:
>>
>>> On Wed, Mar 13, 2013 at 7:43 AM, S Pratap Singh <[email protected]>
>>> wrote:
>>> > All fixed, but I am not getting alerts to my mailbox for FTP activity as
>>> > with other alerts.
>>> >
>>>
>>> Are you getting other alerts in your email?
>>> Do you have access to the maillogs? If so, check to see if the mail is
>>> being rejected or something.
>>> If not, use tcpdump or something similar to watch mail traffic to see
>>> if OSSEC even attempts to send the message.
>>>
>>> > --
>>> >
>>> > ---
>>> > You received this message because you are subscribed to the Google
>>> Groups
>>> > "ossec-list" group.
>>> > To unsubscribe from this group and stop receiving emails from it, send
>>> an
>>> > email to [email protected].
>>> > For more options, visit https://groups.google.com/groups/opt_out.
>>> >
>>> >
>>>
>>
>>
>> --
>> Regards,
>> Pratap Singh
>>
>
>
>
> --
> Regards,
> Pratap Singh
>



-- 
Regards,
Pratap Singh
