On Tue, May 7, 2013 at 11:02 AM, nicolaszin <[email protected]> wrote:
> Would it be possible to change the proftpd decoder, i.e. from:
>
> <decoder name="proftpd-ip">
>   <parent>proftpd</parent>
>   <regex>^\S+ \(\S+[(\S+)]\)</regex>
>   <!--<regex>^\S+ \(\S+[\.*(\d+.\d+.\d+.\d+)]\)</regex>-->
>   <order>srcip</order>
> </decoder>
>
> to
>
> <decoder name="proftpd-ip">
>   <parent>proftpd</parent>
>   <regex>^\S+ \(\S+[::ffff:(\S+)]\)|^\S+ \(\S+[(\S+)]\)</regex>
>   <!--<regex>^\S+ \(\S+[\.*(\d+.\d+.\d+.\d+)]\)</regex>-->
>   <order>srcip</order>
> </decoder>
>
> The reason I asked is that on my Redhat 6.4 proftpd returns errors like:
>
> May 4 08:05:30 ns15 proftpd[22302]: 209.172.63.238 (::ffff:112.137.167.187[::ffff:112.137.167.187]) - USER webmaster: no such user found from ::ffff:112.137.167.187 [::ffff:112.137.167.187] to ::ffff:209.172.63.238:21
>
> It adds "::ffff:" to indicate it is an IPv4-mapped IPv6 address.
>
> I could turn off IPv6, but IPv6 will be used more often I guess...
>
I don't have a problem with this, it doesn't affect the samples we have in the decoder.xml. Maybe post 2.7.1?

> Regards,
>
> --
> ---
> You received this message because you are subscribed to the Google Groups "ossec-list" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/groups/opt_out.
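
The following is an added example, not part of the original thread and not OSSEC code: a Python sketch of what the proposed decoder is meant to achieve, extracting the client address from the bracketed field and unwrapping an IPv4-mapped IPv6 address to plain IPv4. It uses Python's re and ipaddress modules instead of OSSEC's regex engine, assumes the syslog header and program name have already been stripped, and runs on constructed sample lines with documentation addresses; the names extract_srcip and SAMPLES are hypothetical.

```python
import ipaddress
import re

# Constructed sample messages in the format quoted in the thread, using
# documentation address ranges rather than the addresses from the post.
SAMPLES = [
    "192.0.2.10 (::ffff:198.51.100.7[::ffff:198.51.100.7]) - USER webmaster: "
    "no such user found from ::ffff:198.51.100.7 [::ffff:198.51.100.7] to "
    "::ffff:192.0.2.10:21",
    "192.0.2.10 (client.example[203.0.113.5]) - USER admin: no such user "
    "found from client.example [203.0.113.5] to 192.0.2.10:21",
    "192.0.2.10 (2001:db8::1[2001:db8::1]) - USER test: no such user found",
    "192.0.2.10 (client.example[not-an-address]) - USER x: no such user found",
]

# "<server> (<host>[<addr>])": capture whatever sits between the brackets.
BRACKETED = re.compile(r"^\S+ \(\S+?\[([^\]\s]+)\]\)")


def extract_srcip(message):
    """Return the client address as a string, or None if it cannot be parsed.

    An IPv4-mapped IPv6 address (::ffff:a.b.c.d) is returned as a.b.c.d so the
    same client produces the same srcip on IPv4-only and dual-stack listeners.
    """
    match = BRACKETED.match(message)
    if match is None:
        return None
    try:
        addr = ipaddress.ip_address(match.group(1))
    except ValueError:
        # Bracketed field is not a valid address: do not emit a srcip.
        return None
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return str(addr)


def decode_all(messages):
    """Map each message to its extracted srcip (None when nothing is usable)."""
    return [extract_srcip(m) for m in messages]


if __name__ == "__main__":
    for msg, ip in zip(SAMPLES, decode_all(SAMPLES)):
        print(f"{ip!s:>15}  <-  {msg[:60]}...")
```
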
