Yeah, 2.8.3 from the wazuh apt ubuntu repository.

Let's look at this commit in master and in the 2.8.3 tag:
https://github.com/ddpbsd/ossec-hids/commit/a7b69e873e070ea01e346d79c43b403920029801

As I understand the code, this type of log was added in the file src/analysisd/cleanevent.c.

Master branch: the code is there, on line 106.
https://github.com/ddpbsd/ossec-hids/blob/master/src/analysisd/cleanevent.c#L106

2.8.3 tag: the code is not there.
https://github.com/ddpbsd/ossec-hids/blob/2.8.3/src/analysisd/cleanevent.c#L116
Unfortunately, the wazuh repo doesn't have deb-src packages, so I can't look at its code.

I've also just tried the atomic stable repo for centos 6.7. Rules are still not recognized.

What repo are you using to build ossec?

Btw: my question was "Is there any plan for a new release?"
If a new release is coming soon, I'll wait for it.
If not, I will try to build debian packages for my private repo.

On Tuesday, April 12, 2016 at 19:08:41 UTC+4, dan (ddpbsd) wrote:
>
> On Tue, Apr 12, 2016 at 10:23 AM, <[email protected]> wrote:
> > 2016-04-12 10:15:11,756 next-test.com proftpd[29403] next-test.com (hostname.com[78.131.92.4]): USER testnext (Login failed): Incorrect password.
> > 2016-04-12 10:15:30,894 next-test.com proftpd[29431] next-test.com (hostname.com[78.131.92.4]): USER testnext: Login successful.
> >
>
> I forgot to ask which version you're using. 2.8.3? My logtests were on
> the current code.
>
> > root@next-test:/var/ossec# /var/ossec/bin/ossec-logtest
> > 2016/04/12 10:22:21 ossec-testrule: INFO: Reading local decoder file.
> > 2016/04/12 10:22:21 ossec-testrule: INFO: Started (pid: 29992).
> > ossec-testrule: Type one log per line.
> >
> > 2016-04-12 10:15:11,756 next-test.com proftpd[29403] next-test.com (hostname.com[78.131.92.4]): USER testnext (Login failed): Incorrect password.
> >
> >
> > **Phase 1: Completed pre-decoding.
> >        full event: '2016-04-12 10:15:11,756 next-test.com proftpd[29403] next-test.com (hostname.com[78.131.92.4]): USER testnext (Login failed): Incorrect password.'
> >        hostname: 'next-test'
> >        program_name: '(null)'
> >        log: '2016-04-12 10:15:11,756 next-test.com proftpd[29403] next-test.com (hostname.com[78.131.92.4]): USER testnext (Login failed): Incorrect password.'
> >
> > **Phase 2: Completed decoding.
> >        No decoder matched.
> >
> > **Phase 3: Completed filtering (rules).
> >        Rule id: '2501'
> >        Level: '5'
> >        Description: 'User authentication failure.'
> > **Alert to be generated.
> >
> >
> > 2016-04-12 10:15:11,756 next-test.com proftpd[29403] next-test.com (hostname.com[78.131.92.4]): USER testnext (Login failed): Incorrect password.
> >
> >
> > **Phase 1: Completed pre-decoding.
> >        full event: '2016-04-12 10:15:11,756 next-test.com proftpd[29403] next-test.com (hostname.com[78.131.92.4]): USER testnext (Login failed): Incorrect password.'
> >        hostname: 'next-test'
> >        program_name: '(null)'
> >        log: '2016-04-12 10:15:11,756 next-test.com proftpd[29403] next-test.com (hostname.com[78.131.92.4]): USER testnext (Login failed): Incorrect password.'
> >
> > **Phase 2: Completed decoding.
> >        No decoder matched.
> >
> > **Phase 3: Completed filtering (rules).
> >        Rule id: '2501'
> >        Level: '5'
> >        Description: 'User authentication failure.'
> > **Alert to be generated.
> >
> > On Tuesday, April 12, 2016 at 15:31:34 UTC+4, dan (ddpbsd) wrote:
> >>
> >> On Tue, Apr 12, 2016 at 7:17 AM, <[email protected]> wrote:
> >> > Sorry, I missed the commit
> >> >
> >> > https://github.com/ddpbsd/ossec-hids/commit/a7b69e873e070ea01e346d79c43b403920029801
> >> >
> >> > Now my proftpd logs are not processed by ossec.
> >> >
> >>
> >> Can you provide log samples?
> >>
> >> > Also, if possible, please add deb-src packages to the apt repo to help
> >> > recompile ossec.
> >> > I tried to rebuild the deb packages, but failed.
> >> >
> >> > On Thursday, April 7, 2016 at 22:14:19 UTC+4, Jesus Linares wrote:
> >> >>
> >> >> What commit do you mean?
> >> >>
> >> >> On Tuesday, April 5, 2016 at 8:06:17 PM UTC+2, [email protected] wrote:
> >> >>>
> >> >>> Hello!
> >> >>> I am very interested in this commit for supporting proftpd logs.
> >> >>>
> >> >>> Are there any plans for new ossec deb packages that will include
> >> >>> this commit?
> >> >>> Or is the better way to build ossec myself?
> >> >>>
> >> >>> Thank you!
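The header layout of the proftpd sample lines in this thread (timestamp with milliseconds, host, `program[pid]`, message), split into the fields that the logtest output above reports as `hostname`, `program_name` and `log`. This is an added example, not code from OSSEC's `cleanevent.c` or from anyone in the thread; `struct predecoded` and `predecode_proftpd` are names made up for it.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Header fields pulled out of one log line (struct and names are this example's own). */
struct predecoded {
    char hostname[64];
    char program_name[64];
    const char *log;            /* points into the input, just past the header */
};

/* 1 if s starts with "YYYY-MM-DD HH:MM:SS,mmm " as in the thread's sample, else 0. */
static int has_proftpd_timestamp(const char *s)
{
    static const char shape[] = "dddd-dd-dd dd:dd:dd,ddd ";
    for (size_t i = 0; shape[i] != '\0'; i++)
        if (shape[i] == 'd' ? !isdigit((unsigned char)s[i]) : s[i] != shape[i])
            return 0;           /* also stops at an early NUL in s */
    return 1;
}

/* Split "<timestamp> <host> <program>[<pid>] <message>"; 0 on success, -1 if no match. */
int predecode_proftpd(const char *line, struct predecoded *out)
{
    if (!has_proftpd_timestamp(line)) return -1;
    const char *host = line + 24;                    /* 24 = length of the timestamp shape */
    const char *sp = strchr(host, ' ');
    if (!sp || sp == host || (size_t)(sp - host) >= sizeof out->hostname) return -1;
    const char *prog = sp + 1;
    const char *br = strchr(prog, '[');
    const char *end = br ? strchr(br, ']') : NULL;
    if (!end || br == prog || end == br + 1 || end[1] != ' ') return -1;
    /* reject an over-long name, or a '[' that belongs to the message text */
    if ((size_t)(br - prog) >= sizeof out->program_name || memchr(prog, ' ', (size_t)(br - prog))) return -1;
    for (const char *p = br + 1; p < end; p++)
        if (!isdigit((unsigned char)*p)) return -1;  /* pid must be numeric */
    snprintf(out->hostname, sizeof out->hostname, "%.*s", (int)(sp - host), host);
    snprintf(out->program_name, sizeof out->program_name, "%.*s", (int)(br - prog), prog);
    out->log = end + 2;
    return 0;
}

int main(void)
{
    struct predecoded p;   /* input below is the failed-login sample line from the thread */
    const char *line = "2016-04-12 10:15:11,756 next-test.com proftpd[29403] next-test.com (hostname.com[78.131.92.4]): USER testnext (Login failed): Incorrect password.";
    if (predecode_proftpd(line, &p) == 0)
        printf("hostname=%s program_name=%s log=%s\n", p.hostname, p.program_name, p.log);
    return 0;
}
```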
