Hi All,

I'm just wondering why ossec 1.4 did not parse the Destination IP, Source Port and Destination Port and throw them in the database? I have this alert....

OSSEC HIDS Notification.
2008 Jan 11 10:20:39

Received From: sdnasim->192.168.32.1
Rule: 4151 fired (level 10) -> "Multiple Firewall drop events from same source."
Portion of the log(s):

%PIX-7-710005: UDP request discarded from 192.168.32.43/138 to inside:192.168.32.255/netbios-dgm
%PIX-7-710005: UDP request discarded from 192.168.32.43/137 to inside:192.168.32.255/netbios-ns
%PIX-7-710005: UDP request discarded from 192.168.32.43/137 to inside:192.168.32.255/netbios-ns
%PIX-7-710005: UDP request discarded from 192.168.32.43/137 to inside:192.168.32.255/netbios-ns
%PIX-7-710005: UDP request discarded from 192.168.32.43/137 to inside:192.168.32.255/netbios-ns
%PIX-7-710005: UDP request discarded from 192.168.32.43/137 to inside:192.168.32.255/netbios-ns
%PIX-7-710005: UDP request discarded from 192.168.32.43/137 to inside:192.168.32.255/netbios-ns
%PIX-7-710005: UDP request discarded from 192.168.32.43/138 to inside:192.168.32.255/netbios-dgm
%PIX-7-710005: UDP request discarded from 192.168.32.43/137 to inside:192.168.32.255/netbios-ns
%PIX-7-710005: UDP request discarded from 192.168.32.43/137 to inside:192.168.32.255/netbios-ns

--END OF NOTIFICATION -------------------

Is it the design of the ossec that it won't parse that info? Why are there such fields in the database and the values are always NULL?

Sherwin
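As an added illustration (not OSSEC's own decoder, nor code from the post), the following parser extracts the fields the poster expects from the %PIX-7-710005 lines quoted above and aggregates drops per source, which is the grouping behind a "multiple drops from same source" style rule. The service-name table and the sample lines are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample: PIX lines of the kind quoted in the alert above.
SAMPLE_LOGS = [
    "%PIX-7-710005: UDP request discarded from 192.168.32.43/138 to inside:192.168.32.255/netbios-dgm",
    "%PIX-7-710005: UDP request discarded from 192.168.32.43/137 to inside:192.168.32.255/netbios-ns",
    "%PIX-7-710005: UDP request discarded from 192.168.32.43/137 to inside:192.168.32.255/netbios-ns",
]

# Pattern mirroring the message layout:
#   "<proto> request discarded from <srcip>/<srcport> to <iface>:<dstip>/<dstport>"
# Note the destination port is logged as a service name (netbios-ns), not a number,
# so a decoder that only accepts digits there would leave dstport empty.
PIX_710005 = re.compile(
    r"%PIX-(?P<level>\d)-710005: (?P<proto>\w+) request discarded from "
    r"(?P<srcip>\d{1,3}(?:\.\d{1,3}){3})/(?P<srcport>\w[\w-]*) to "
    r"(?P<iface>[\w-]+):(?P<dstip>\d{1,3}(?:\.\d{1,3}){3})/(?P<dstport>\w[\w-]*)$"
)

# Minimal service-name table (assumption: only the names seen in the sample are needed).
SERVICE_PORTS = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139}


def parse_pix_710005(line):
    """Return a dict of decoded fields for one PIX-710005 line, or None if it does not match."""
    m = PIX_710005.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    # Normalise ports to integers where possible; unknown service names are kept verbatim.
    for key in ("srcport", "dstport"):
        value = fields[key]
        fields[key] = int(value) if value.isdigit() else SERVICE_PORTS.get(value, value)
    return fields


def drops_by_source(lines):
    """Count discarded requests per source IP; a threshold on this count is the
    aggregation a 'multiple firewall drop events from same source' rule relies on."""
    counts = Counter()
    for line in lines:
        fields = parse_pix_710005(line)
        if fields is not None:
            counts[fields["srcip"]] += 1
    return counts
```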
