Hi,
it's March, or März as it is called in Germany, the only month with an
umlaut in German. My proftpd installation on my German-localized server
is now producing these log lines:
> Mär 02 17:30:52 server proftpd[11769] servername
> (58.215.179.53[58.215.179.53]): USER root (Login failed): Incorrect password
Feeding it into logtest gives:
**Phase 1: Completed pre-decoding.
full event: 'Mär 02 17:30:52 server proftpd[11769] servername
(58.215.179.53[58.215.179.53]): USER root (Login failed): Incorrect
password'
hostname: 'server'
program_name: '(null)'
log: 'Mär 02 17:30:52 server proftpd[11769] servername
(58.215.179.53[58.215.179.53]): USER root (Login failed): Incorrect
password'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 3: Completed filtering (rules).
Rule id: '2501'
Level: '5'
Description: 'User authentication failure.'
**Alert to be generated.
When I change the umlaut ä to a normal a I get:
**Phase 1: Completed pre-decoding.
full event: 'Mar 02 17:30:52 server proftpd[11769] servername
(58.215.179.53[58.215.179.53]): USER root (Login failed): Incorrect
password'
hostname: 'server'
program_name: 'proftpd'
log: 'servername (58.215.179.53[58.215.179.53]): USER root (Login
failed): Incorrect password'
**Phase 2: Completed decoding.
decoder: 'proftpd'
srcip: '58.215.179.53'
**Phase 3: Completed filtering (rules).
Rule id: '100110'
Level: '6'
Description: 'Login failed accessing the FTP server using root user'
**Alert to be generated.
Of course I want the srcip to be decoded because my active-response
needs to block this. For now it seems that I can block the attackers by
hand, but I would like to have a working solution for the rest of March.
I will look into the code a little bit more on Tuesday, but if anyone
else has a quicker solution, that would be great.
Regards
Christian
--
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
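The two logtest runs above, modelled as an added example that is not part of the original post and not OSSEC's own code: a small Python version of the two stages shown (syslog pre-decoding, then the proftpd decoder). With the pre-decoder limited to ASCII month names it reproduces the failure on "Mär" (no program_name, so the proftpd decoder never runs and srcip stays empty); with the German abbreviation added to its month table the line is pre-decoded like the English one and srcip is extracted. The month table, both regexes and the function names are assumptions for illustration, not OSSEC's internals, and the failure path is simplified (it drops the hostname too, whereas the post's output still shows 'server').

```python
import re

# Month abbreviations the pre-decoder accepts. The English names are what a
# C-locale syslog timestamp carries; "Mär" is the German abbreviation for
# March, the one German month name that is not plain ASCII.
MONTHS = {m: i + 1 for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"])}
MONTHS["Mär"] = 3

# Syslog header: "Mon dd hh:mm:ss host program[pid] rest". The proftpd line
# in the post has no colon after "[pid]", so the colon is optional here.
# (Assumed layout for this example, not OSSEC's actual pre-decoder.)
SYSLOG_HEADER = re.compile(
    r"^(?P<month>\S+)\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?:?\s+(?P<log>.*)$"
)

# Hypothetical proftpd decoder for the message shape in the post:
# "<name> (<srcip>[<rhost>]): USER <user> (Login failed): ..."
PROFTPD_LOGIN_FAILED = re.compile(
    r"^\S+ \((?P<srcip>\d{1,3}(?:\.\d{1,3}){3})\[(?P<rhost>[^\]]+)\]\): "
    r"USER (?P<user>\S+) \(Login failed\)"
)


def predecode(event, ascii_only=False):
    """Phase 1: split the syslog header off the event.

    ascii_only=True models a pre-decoder that only knows C-locale month
    names: a timestamp starting with "Mär" then fails to parse and the whole
    line is passed on unchanged with no program_name, as in the post.
    """
    m = SYSLOG_HEADER.match(event)
    month_ok = bool(m) and m.group("month") in MONTHS
    if ascii_only and m and not m.group("month").isascii():
        month_ok = False
    if not month_ok:
        return {"hostname": None, "program_name": None, "log": event}
    return {"hostname": m.group("host"),
            "program_name": m.group("prog"),
            "log": m.group("log")}


def decode_proftpd(log):
    """Phase 2: extract srcip and user from a proftpd login-failure message."""
    m = PROFTPD_LOGIN_FAILED.match(log)
    if not m:
        return {}
    return {"srcip": m.group("srcip"), "user": m.group("user")}


def analyze(event, ascii_only=False):
    """Run both phases. The proftpd decoder is only tried when phase 1
    identified the program as proftpd, which is what the post's output shows."""
    pre = predecode(event, ascii_only=ascii_only)
    fields = {"program_name": pre["program_name"], "srcip": None, "user": None}
    if pre["program_name"] == "proftpd":
        fields.update(decode_proftpd(pre["log"]))
    return fields


# The two events from the post (German and English month abbreviation).
GERMAN_EVENT = ("Mär 02 17:30:52 server proftpd[11769] servername "
                "(58.215.179.53[58.215.179.53]): USER root (Login failed): "
                "Incorrect password")
ENGLISH_EVENT = GERMAN_EVENT.replace("Mär", "Mar", 1)

if __name__ == "__main__":
    print("ASCII-only pre-decoder:", analyze(GERMAN_EVENT, ascii_only=True))
    print("German month accepted: ", analyze(GERMAN_EVENT))
    print("English month:         ", analyze(ENGLISH_EVENT))
```

The point the model makes is that the srcip loss is not a decoder problem at all: the proftpd decoder is never reached because the timestamp in front of it is not recognised, so any fix belongs at the pre-decoding step (or in what the logging side writes as the month name), not in the proftpd rules.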