Would it be possible to change the proftpd decoder, i.e. from:

  <decoder name="proftpd-ip">
    <parent>proftpd</parent>
    <regex>^\S+ \(\S+[(\S+)]\)</regex>
    <!--<regex>^\S+ \(\S+[\.*(\d+.\d+.\d+.\d+)]\)</regex>-->
    <order>srcip</order>
  </decoder>

to

  <decoder name="proftpd-ip">
    <parent>proftpd</parent>
    <regex>^\S+ \(\S+[::ffff:(\S+)]\)|^\S+ \(\S+[(\S+)]\)</regex>
    <!--<regex>^\S+ \(\S+[\.*(\d+.\d+.\d+.\d+)]\)</regex>-->
    <order>srcip</order>
  </decoder>

The reason I asked is that on my Redhat 6.4, proftpd returns an error like:

  May 4 08:05:30 ns15 proftpd[22302]: 209.172.63.238 (::ffff:112.137.167.187[::ffff:112.137.167.187]) - USER webmaster: no such user found from ::ffff:112.137.167.187 [::ffff:112.137.167.187] to ::ffff:209.172.63.238:21

It adds "::ffff:" to indicate it is an IPv4-mapped IPv6 address. I could turn off IPv6, but IPv6 will be used more often, I guess...

Regards,
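The difference between the two decoders in the message above, as an added example that is not part of the original post or of OSSEC: Python's re module stands in for OSSEC's regex dialect (where [ and ] are literals), the regexes are assumed to run on the text after the "proftpd[pid]: " prefix, and extract() and normalise() are hypothetical helpers. It also shows a more general alternative, normalising any IPv4-mapped address after extraction.

```python
import ipaddress
import re

# Python translations of the two <regex> values from the post.
# Assumption: in OSSEC's dialect [ and ] are literal, so they are escaped here.
ORIGINAL = re.compile(r"^\S+ \(\S+\[(\S+)\]\)")
PROPOSED = re.compile(r"^\S+ \(\S+\[::ffff:(\S+)\]\)|^\S+ \(\S+\[(\S+)\]\)")

# Message part of the log line quoted in the post (syslog header removed).
MAPPED = ("209.172.63.238 (::ffff:112.137.167.187[::ffff:112.137.167.187]) "
          "- USER webmaster: no such user found from ::ffff:112.137.167.187 "
          "[::ffff:112.137.167.187] to ::ffff:209.172.63.238:21")
# Constructed sample: the same event as logged without IPv6 enabled.
PLAIN = ("209.172.63.238 (host.example.net[198.51.100.7]) "
         "- USER webmaster: no such user found")


def extract(pattern, message):
    """Return the captured srcip, whichever alternative matched, or None."""
    m = pattern.match(message)
    if m is None:
        return None
    return next((g for g in m.groups() if g is not None), None)


def normalise(addr):
    """Collapse an IPv4-mapped IPv6 address to dotted-quad IPv4.

    Other addresses are returned in canonical form; invalid input raises
    ValueError, so a malformed capture is never passed on as a srcip.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return str(ip.ipv4_mapped)
    return str(ip)


if __name__ == "__main__":
    for name, pattern in (("original", ORIGINAL), ("proposed", PROPOSED)):
        for label, line in (("mapped", MAPPED), ("plain", PLAIN)):
            print(f"{name:8} {label:6} srcip={extract(pattern, line)}")
    print("normalised:", normalise(extract(ORIGINAL, MAPPED)))
```

With the original regex the extracted srcip keeps the "::ffff:" prefix, so anything keyed on the IPv4 address (whitelists, correlation with other logs) sees a different string for the same client.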
