On Tue, Apr 12, 2016 at 10:23 AM, <[email protected]> wrote:
> 2016-04-12 10:15:11,756 next-test.com proftpd[29403] next-test.com
> (hostname.com[78.131.92.4]): USER testnext (Login failed): Incorrect
> password.
> 2016-04-12 10:15:30,894 next-test.com proftpd[29431] next-test.com
> (hostname.com[78.131.92.4]): USER testnext: Login successful.
>
> root@next-test:/var/ossec# /var/ossec/bin/ossec-logtest
> 2016/04/12 10:22:21 ossec-testrule: INFO: Reading local decoder file.
> 2016/04/12 10:22:21 ossec-testrule: INFO: Started (pid: 29992).
> ossec-testrule: Type one log per line.
>
> 2016-04-12 10:15:11,756 next-test.com proftpd[29403] next-test.com
> (hostname.com[78.131.92.4]): USER testnext (Login failed): Incorrect
> password.
>
>
> **Phase 1: Completed pre-decoding.
> full event: '2016-04-12 10:15:11,756 next-test.com proftpd[29403]
> next-test.com (hostname.com[78.131.92.4]): USER testnext (Login failed):
> Incorrect password.'
> hostname: 'next-test'
> program_name: '(null)'
> log: '2016-04-12 10:15:11,756 next-test.com proftpd[29403]
> next-test.com (hostname.com[78.131.92.4]): USER testnext (Login failed):
> Incorrect password.'
>
> **Phase 2: Completed decoding.
> No decoder matched.
>
> **Phase 3: Completed filtering (rules).
> Rule id: '2501'
> Level: '5'
> Description: 'User authentication failure.'
> **Alert to be generated.
>
>
> 2016-04-12 10:15:11,756 next-test.com proftpd[29403] next-test.com
> (hostname.com[78.131.92.4]): USER testnext (Login failed): Incorrect
> password.
>
>
> **Phase 1: Completed pre-decoding.
> full event: '2016-04-12 10:15:11,756 next-test.com proftpd[29403]
> next-test.com (hostname.com[78.131.92.4]): USER testnext (Login failed):
> Incorrect password.'
> hostname: 'next-test'
> program_name: '(null)'
> log: '2016-04-12 10:15:11,756 next-test.com proftpd[29403]
> next-test.com (hostname.com[78.131.92.4]): USER testnext (Login failed):
> Incorrect password.'
>
> **Phase 2: Completed decoding.
> No decoder matched.
>
> **Phase 3: Completed filtering (rules).
> Rule id: '2501'
> Level: '5'
> Description: 'User authentication failure.'
> **Alert to be generated.
>
And strangely enough, this is what I get:

**Phase 1: Completed pre-decoding.
full event: '2016-04-12 10:15:11,756 next-test.com
proftpd[29403] next-test.com (hostname.com[78.131.92.4]): USER
testnext (Login failed): Incorrect password.'
hostname: 'next-test.com'
program_name: 'proftpd'
log: 'next-test.com (hostname.com[78.131.92.4]): USER testnext
(Login failed): Incorrect password.'
**Phase 2: Completed decoding.
decoder: 'proftpd'
srcip: '78.131.92.4'
**Phase 3: Completed filtering (rules).
Rule id: '11204'
Level: '5'
Description: 'Login failed accessing the FTP server'
**Alert to be generated.

**Phase 1: Completed pre-decoding.
full event: '2016-04-12 10:15:30,894 next-test.com
proftpd[29431] next-test.com (hostname.com[78.131.92.4]): USER
testnext: Login successful.'
hostname: 'next-test.com'
program_name: 'proftpd'
log: 'next-test.com (hostname.com[78.131.92.4]): USER testnext:
Login successful.'
**Phase 2: Completed decoding.
decoder: 'proftpd'
srcip: '78.131.92.4'
dstuser: 'testnext'
**Phase 3: Completed filtering (rules).
Rule id: '11205'
Level: '3'
Description: 'FTP Authentication success.'
**Alert to be generated.

It must be time to remove my installation and start over for testing.

> On Tuesday, April 12, 2016 at 15:31:34 UTC+4, user dan (ddpbsd)
> wrote:
>>
>> On Tue, Apr 12, 2016 at 7:17 AM, <[email protected]> wrote:
>> > Sorry, I missed the commit
>> >
>> > https://github.com/ddpbsd/ossec-hids/commit/a7b69e873e070ea01e346d79c43b403920029801
>> > Now my proftpd logs are not processed by ossec.
>> >
>>
>> Can you provide log samples?
>>
>> > Also, if possible, please add deb-src packages to the apt repo to help
>> > recompile ossec.
>> > I tried to rebuild the deb packages, but failed.
>> >
>> > On Thursday, April 7, 2016 at 22:14:19 UTC+4, user Jesus Linares
>> > wrote:
>> >>
>> >> What commit do you mean?
>> >>
>> >> On Tuesday, April 5, 2016 at 8:06:17 PM UTC+2, [email protected] wrote:
>> >>>
>> >>> Hello!
>> >>> I am very interested in this commit for supporting proftpd logs.
>> >>>
>> >>> Are there any plans for new ossec deb packages that will include
>> >>> this commit?
>> >>> Or is the better way to build ossec myself?
>> >>>
>> >>> Thank you!
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups
>> > "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an
>> > email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
>
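
A regression check for the difference the two ossec-logtest runs above show, as an added example that is not part of the thread or of OSSEC: it parses ossec-logtest output and reports which expected fields differ. The names `parse_logtest`, `regressions` and `EXPECTED` are hypothetical, and the sample text is reconstructed from the outputs quoted in the thread.

```python
import re

# Constructed sample: the two results quoted in the thread for the same
# failed-login line ('full event', 'log' and 'Level' lines omitted).
BROKEN = """\
**Phase 1: Completed pre-decoding.
       hostname: 'next-test'
       program_name: '(null)'
**Phase 2: Completed decoding.
       No decoder matched.
**Phase 3: Completed filtering (rules).
       Rule id: '2501'
       Description: 'User authentication failure.'
"""
WORKING = """\
**Phase 1: Completed pre-decoding.
       hostname: 'next-test.com'
       program_name: 'proftpd'
**Phase 2: Completed decoding.
       decoder: 'proftpd'
       srcip: '78.131.92.4'
**Phase 3: Completed filtering (rules).
       Rule id: '11204'
       Description: 'Login failed accessing the FTP server'
"""

FIELD = re.compile(r"^\s*([A-Za-z_ ]+): '(.*)'\s*$")

def parse_logtest(text):
    """Split ossec-logtest output into one dict of fields per event."""
    events = []
    for line in text.splitlines():
        if line.lstrip().startswith("**Phase 1"):
            events.append({})
        elif events and (m := FIELD.match(line)):
            events[-1][m.group(1).strip().lower()] = m.group(2)
    return events

def regressions(text, expected):
    """Return (field, got, wanted) for every expected field that differs."""
    found = []
    for event in parse_logtest(text):
        for field, wanted in expected.items():
            if event.get(field) != wanted:
                found.append((field, event.get(field), wanted))
    return found

EXPECTED = {"program_name": "proftpd", "decoder": "proftpd", "rule id": "11204"}
print(regressions(BROKEN, EXPECTED), regressions(WORKING, EXPECTED))
```

A missing `decoder` field (the "No decoder matched." case) is reported as `None`, which separates a pre-decoding failure from a rule that merely changed.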