Hi, I have a problem on my mailserver with OSSEC: I have seen some brute force attacks, but OSSEC doesn't react to these log lines. I have tried with the logtest tool, and 'no decoder match' is returned, but my OSSEC installation has rules for dovecot.

Does somebody have a hint? See this:

[root@mailserver bin]# ./ossec-logtest
2018/10/14 16:12:27 ossec-testrule: INFO: Reading local decoder file.
2018/10/14 16:12:27 ossec-testrule: INFO: Started (pid: 32967).
ossec-testrule: Type one log per line.

Oct 14 15:50:21 mailserver dovecot Oct 14 15:50:17 imap-login: Info: Disconnected (auth failed, 1 attempts in 6 secs): user=<[email protected]>, method=PLAIN, rip=84.241.31.7, lip=10.12.14.11, TLS, session=<bwpymTB4VdBU8R8H>

**Phase 1: Completed pre-decoding.
       full event: 'Oct 14 15:50:21 mailserver dovecot Oct 14 15:50:17 imap-login: Info: Disconnected (auth failed, 1 attempts in 6 secs): user=<[email protected]>, method=PLAIN, rip=84.241.31.7, lip=10.12.14.11, TLS, session=<bwpymTB4VdBU8R8H>'
       hostname: 'mailserver'
       program_name: '(null)'
       log: 'dovecot Oct 14 15:50:17 imap-login: Info: Disconnected (auth failed, 1 attempts in 6 secs): user=<[email protected]>, method=PLAIN, rip=84.241.31.7, lip=10.12.14.11, TLS, session=<bwpymTB4VdBU8R8H>'

**Phase 2: Completed decoding.
       No decoder matched.

**Phase 3: Completed filtering (rules).
       Rule id: '1002'
       Level: '2'
       Description: 'Unknown problem somewhere in the system.'
**Alert to be generated.

--
You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
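The logtest output above shows why nothing matches: pre-decoding reports program_name '(null)', because after the hostname the line continues with "dovecot" and a second timestamp rather than the usual "program: " form that the syslog pre-decoder keys on, so the stock dovecot decoder is never consulted. The following is an added example, not code from the poster or from the OSSEC project. It models that pre-decode step with a simplified regex (an assumption about OSSEC's behaviour, not its actual implementation), runs it over constructed log lines in the same shape as the one posted, and then extracts the user, method and rip fields directly from the dovecot message so repeated auth failures per source address can still be counted.

```python
import re
from collections import Counter

# Constructed sample lines (not taken from the post) in the same shape as the
# dovecot output shown there: the syslog header is followed by "dovecot", then
# dovecot's own timestamp, then "imap-login:". The usual "program: " form never
# appears, so a syslog-style pre-decoder has nothing to put in program_name.
SAMPLE_LOGS = [
    "Oct 14 15:50:21 mailserver dovecot Oct 14 15:50:17 imap-login: Info: "
    "Disconnected (auth failed, 1 attempts in 6 secs): user=<alice@example.com>, "
    "method=PLAIN, rip=198.51.100.7, lip=10.12.14.11, TLS, session=<s1>",
    "Oct 14 15:50:33 mailserver dovecot Oct 14 15:50:29 imap-login: Info: "
    "Disconnected (auth failed, 1 attempts in 4 secs): user=<bob@example.com>, "
    "method=PLAIN, rip=198.51.100.7, lip=10.12.14.11, TLS, session=<s2>",
    "Oct 14 15:50:40 mailserver dovecot Oct 14 15:50:38 imap-login: Info: "
    "Disconnected (auth failed, 1 attempts in 2 secs): user=<carol@example.com>, "
    "method=PLAIN, rip=198.51.100.7, lip=10.12.14.11, TLS, session=<s3>",
    "Oct 14 15:51:02 mailserver dovecot Oct 14 15:51:00 imap-login: Info: "
    "Disconnected (auth failed, 1 attempts in 5 secs): user=<alice@example.com>, "
    "method=PLAIN, rip=203.0.113.9, lip=10.12.14.11, TLS, session=<s4>",
    # A conventional syslog line for contrast; its program_name parses normally.
    "Oct 14 15:51:10 mailserver sshd[4321]: Accepted publickey for alice "
    "from 203.0.113.9 port 50022 ssh2",
]

# Syslog header: timestamp, hostname, remainder of the line.
SYSLOG_HEADER = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$"
)
# Simplified model of the pre-decode step (assumption, not OSSEC's code):
# the program name is one token, optionally followed by [pid], and must be
# terminated by ": ". "dovecot Oct 14 ..." has a space where ":" is expected.
PROGRAM_PREFIX = re.compile(r"^(?P<prog>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
# Fields of the dovecot imap-login auth-failure message itself.
AUTH_FAILED = re.compile(
    r"imap-login: Info: Disconnected \(auth failed, (?P<attempts>\d+) attempts "
    r"in \d+ secs\): user=<(?P<user>[^>]*)>, method=(?P<method>\w+), "
    r"rip=(?P<rip>[0-9a-fA-F.:]+)"
)


def predecode(line):
    """Return hostname/program_name/log as a syslog pre-decoder would see them."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        return {"hostname": None, "program_name": None, "log": line}
    p = PROGRAM_PREFIX.match(m["rest"])
    if p:
        return {"hostname": m["host"], "program_name": p["prog"], "log": p["msg"]}
    # No "program: " prefix found: program_name stays unset, as in the post.
    return {"hostname": m["host"], "program_name": None, "log": m["rest"]}


def parse_auth_failure(line):
    """Extract user, method, rip and attempt count from a dovecot auth failure."""
    m = AUTH_FAILED.search(line)
    if not m:
        return None
    return {
        "user": m["user"],
        "method": m["method"],
        "rip": m["rip"],
        "attempts": int(m["attempts"]),
    }


def failures_by_source(lines):
    """Sum failed attempts per remote IP (rip) across the given log lines."""
    counts = Counter()
    for line in lines:
        event = parse_auth_failure(line)
        if event:
            counts[event["rip"]] += event["attempts"]
    return counts


def brute_force_sources(lines, threshold=3):
    """Remote IPs whose failed-attempt total reaches the threshold."""
    return sorted(ip for ip, n in failures_by_source(lines).items() if n >= threshold)


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(predecode(line)["program_name"], "|", parse_auth_failure(line))
    print("sources over threshold:", brute_force_sources(SAMPLE_LOGS))
```

Running it shows program_name is None for every dovecot line and "sshd" for the ordinary syslog line, while the field extraction still attributes three failures to one source; that is the gap a custom decoder matching this dovecot format has to close before the stock dovecot rules can fire.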
