X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?a=blobdiff_plain;ds=inline;f=etc%2Fdecoder.xml;h=669508edc65514e61f14c75783ff3fb719d75b11;hb=c41c816a22f0e06f1c2b0a91563f3d9a3bcdb82a;hp=cb07a9301bf4d675289fbaad0a0333a3c379bd44;hpb=301048b51990573e58a30dc4a5bb4ec285cad554;p=ossec-hids.git
diff --git a/etc/decoder.xml b/etc/decoder.xml
index cb07a93..669508e 100755
--- a/etc/decoder.xml
+++ b/etc/decoder.xml
@@ -1,4 +1,4 @@
-
+
pam
rhost=\S+\s+user=\S+
@@ -75,7 +83,6 @@
srcip
-
@@ -188,6 +215,55 @@
srcip
+
+ sshd
+ ^Connection closed
+ ^by (\S+)$
+ srcip
+
+
+
+ sshd
+ ^Received disconnect
+ ^from (\S+):
+ srcip
+
+
+
+
+
+ sshd
+ ^pam_ldap:
+ user "uid=(\S+),ou=\w+,dc=\w+,dc=\w+"
+ user
+
+
+
+
+
+ ^dropbear
+
+
+
+ dropbear
+ for '(\S+)' from (\S+):\d+$
+ dstuser,srcip
+
+
+ ^\S+ [(\d+.\d+.\d+.\d+)]$|^(\S+)
srcip
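Review bot: The pam_ldap regex `user "uid=(\S+),ou=\w+,dc=\w+,dc=\w+"` hard-codes exactly one ou= and exactly two dc= components, so a DN such as `uid=jdoe,ou=people,dc=example,dc=co,dc=uk` (or one with a second ou=) never matches and no `user` field is extracted for that login. Unless the DN layout is known to be fixed, match the remainder of the DN generically, e.g. `user "uid=(\S+),\.+"`, which follows the `(\.+)"` idiom used elsewhere in this file; I am assuming OSSEC's `\.+` stops at the closing quote here as it does in those decoders, so confirm with a three-component DN in a test log. A sample pam_ldap line in the comment block would also help readers see which DN shape the decoder was written against.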
@@ -474,6 +575,8 @@
- arpwatch: new station 192.168.1.103 0:11:43:5e:5d:80 eth0
- arpwatch: bogon 172.16.150.149 0:2:b3:d6:e5:68 eth0
- arpwatch: new station 192.168.2.10 0:c0:4f:78:32:be
+ - arpwatch: pcap open re0: /dev/bpf0: Permission denied
+ - arpwatch: reused old ethernet address 192.168.17.248 0:e:3b:a:cb:67 (0:1e:8c:72:b0:d0)
-->
^arpwatch
@@ -675,11 +778,21 @@
- Examples:
- valhalla named[7885]: client 192.168.1.231#1142: update 'hayaletgemi.edu/IN' denied
- named[12637]: client 1.2.3.4#32769: query (cache) 'somedomain.com/MX/IN' denied
+ - Oct 22 10:12:33 junction named[31687]: /etc/blocked.slave:9892: syntax error near ';'
+ - Oct 22 10:12:33 junction named[31687]: reloading configuration failed: unexpected token
-->
^named
+
+ named
+ : query:
+ client (\S+)#\d+: query: (\S+) IN
+ srcip,url
+
+
+
named
^client
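Review bot: The new child `named` decoder with prematch `: query:` and regex `client (\S+)#\d+: query: (\S+) IN` is the one decoder in this hunk without a sample line, while the two examples added to the comment block only cover configuration-reload failures. Add a query-log example next to them, e.g. `- named[12637]: client 192.168.1.231#1142: query: www.example.com IN A +`, so the fields mapped to `srcip,url` are visible (the exact tail after `IN` varies by BIND version, so quote a line from the deployment's own log). Note also that the regex stops at `IN`, so the record type is not captured; if that is intentional, a one-line comment saying so would stop someone "fixing" it later.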
@@ -693,6 +806,12 @@
srcip
+
+ named
+ for master
+ for master (\d+.\d+.\d+.\d+):(\d+) \S+ \(source (\d+.\d+.\d+.\d+)#d+\)$
+ dstip,dstport,srcip
+
+
+
+ smtpd
+
+
+
+ smtpd
+ ^client
+ ^client (\S+)
+ srcip
+
+
+
+ smtpd
+ relay=
+ relay=\S+ [(\S+)],
+ srcip
+
+
+
+
+
+
+ ^isakmpd
+
+
+
+ isakmpd
+ message from
+ from (\S+) port (\d+)
+ srcip,srcport
+
+
+
+ isakmpd
+ from peer
+ from peer (\S+):(\d+)$
+ srcip,srcport
+
+
+
+
web-log
- ^\d+.\d+.\d+.\d+
+ ^\d+.\d+.\d+.\d+ |^::ffff:\d+.\d+.\d+.\d+
^(\d+.\d+.\d+.\d+) \S+ \S+ [\S+ \S\d+]
"\w+ (\S+) HTTP\S+ (\d+)
srcip, url, id
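Review bot: The regex of the new `named` "for master" decoder ends in `#d+\)$`, which matches a literal `#` followed by the letter `d`, not a port number, so a line ending in `(source 10.0.0.1#53)` never matches and `dstip,dstport,srcip` are never populated; it should read `for master (\d+.\d+.\d+.\d+):(\d+) \S+ \(source (\d+.\d+.\d+.\d+)#\d+\)$`. Separately, the web-log prematch now also accepts lines starting with `::ffff:`, but as far as this hunk shows the unchanged regex below it still anchors `^(\d+.\d+.\d+.\d+) ` at the start of the line, so IPv4-mapped entries will prematch and then fail to decode; either add an `^::ffff:(\d+.\d+.\d+.\d+) ...` alternative to that regex or leave the prematch as it was.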
@@ -1640,12 +1829,30 @@
name, location, extra_data
+
+ ossec
+ ^ossec: Alert Level:
+ OSSECAlert_Decoder
+
+
^ossec$
OSSECAlert_Decoder
+
+
+ ^Mon|^Tue|^Wed|^Thu|^Fri|^Sat|^Sun \S+\s+\d+ \d\d:\d\d:\d\d \S+ \d+ /\.+/active-response
+ /bin/(\S+) (\S+) - (\S+) (\d+.\d+) (\d+)
+ action, status, srcip, id, extra_data
+
- ^\d\d,\d+/\d+/\d\d\d\d,\d+:\d+:\d+,
- ^(\d\d),
- id
+ ^\d\d,\d+/\d+/\d\d\d\d,\d+:\d+:\d+,|
+ ^\d\d,\d+/\d+/\d\d,\d+:\d+:\d+,
+ ^(\d\d),\d+/\d+/\d\d\d*,\d+:\d+:\d+,(\w+),(\d+.\d+.\d+.\d+)
+ id,extra_data,srcip
-11020,05/05/09,00:00:38,DHCPV6
^\d\d\d\d\d,\d\d/\d\d/\d\d,\d\d:\d\d:\d\d,
^(\d\d\d\d\d),
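Review bot: In the active-response decoder the prematch `^Mon|^Tue|^Wed|^Thu|^Fri|^Sat|^Sun \S+\s+\d+ \d\d:\d\d:\d\d \S+ \d+ /\.+/active-response` only attaches the timestamp and `/active-response` tail to the `^Sun` branch; if OSSEC treats `|` as a split into independent top-level patterns, as the `^\d\d,...|^\d\d,...` prematch just below relies on, then any line beginning with `Mon` through `Sat` prematches and every such line is run through the second-stage regex. A single pattern such as `^\w\w\w \S+\s+\d+ \d\d:\d\d:\d\d \S+ \d+ /\.+/active-response` keeps the weekday check and applies the rest of the anchor to every day of the week. A sample active-response.log line in the comment block would also document which field lands in `action, status, srcip, id, extra_data`.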
@@ -1935,5 +2161,272 @@ in HTTP request too long; attack: Malformed HTTP; src: 10.10.10.4; dst:
+
+
+ ^/bsd
+
+
+
+ bsd_kernel
+ ^arp
+ for (\S+) by (\S+) on \S+
+ dstip, extra_data
+
+
+
+
+
+
+ ^mountd
+
+
+
+ mountd
+ from host
+ (\S+) port \d+$
+ srcip
+
+
+
+
+
+
+ ^bro
+
+
+
+ bro-ids
+ no=PortscanSummary
+ sa=(\S+) num=(\d+) msg=
+ srcip,extra_data
+
+
+
+ bro-ids
+ no=PortScan
+ sa=(\S+) p=(\d+)/(\S+) num=(\d+)
+ srcip,srcport,protocol,extra_data
+
+
+
+ bro-ids
+ na=NOTICE
+ sa=(\S+) sp=(\d+)/(\S+) da=(\S+) dp=(\d+)/\S+
+ srcip,srcport,protocol,dstip,dstport
+
+
+
+
+
+
+
+
+
+
+
+ groupdel
+ ^group deleted: name=(\S+)$
+ extra_data
+
+
+
+
+
+ ^portsentry
+
+
+
+ portsentry
+ attackalert: Connect from host:
+ (\S+)/\S+ to (\S+) port: (\d+)$
+ srcip,protocol,dstport
+
+
+
+ portsentry
+ is already blocked. Ignoring$
+ Host: (\S+) is
+ srcip
+
+
+
+
+
+ ^clamd
+
+
+
+ ^freshclam
+
+
+
+
+
+ ^slapd
+ ^conn=(\d+)
+ id
+
+
+
+
+
+
+ ^ntpd
+
+
+
+ ntpd
+ ^bad peer
+ ^bad peer \S+ \p(\S+)\p$|^bad peer from pool \S+ \p(\S+)\p$
+ srcip
+
+
+
+
+type=USER_ACCT msg=audit(1310592861.936:1222): user pid=24675 uid=0 auid=501 ses=188 subj=system_u:system_r:unconfined_t:s0 msg='op=PAM:accounting acct="username" exe="/usr/bin/sudo" (hostname=?, addr=?, terminal=pts/5 res=success)'
+type=CRED_ACQ msg=audit(1305666154.831:51859): user pid=21250 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: setcred acct="username" : exe="/usr/sbin/sshd" (hostname=lala.example.com, addr=172.16.0.1, terminal=ssh res=success)'
+type=CRED_ACQ msg=audit(1273182001.226:148635): user pid=29770 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron
+type=USER_AUTH msg=audit(1305666163.690:51871): user pid=21269 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: authentication acct="root" : exe="/bin/su" (hostname=?, addr=?, terminal=pts/0 res=success)'
+type=USER_ACCT msg=audit(1306939201.750:67934): user pid=4401 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
+type=CRED_ACQ msg=audit(1306939201.751:67935): user pid=4401 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
+type=USER_START msg=audit(1306939201.756:67937): user pid=4401 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
+type=USER_CHAUTHTOK msg=audit(1304523288.952:37394): user pid=7258 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='op=change password id=505 exe="/usr/bin/passwd" (hostname=?, addr=?, terminal=pts/1 res=success)'
+
+
+type=USER_ACCT msg=audit(1310592861.936:1222): user pid=24675 uid=0 auid=501 ses=188 subj=system_u:system_r:unconfined_t:s0 msg='op=PAM:accounting acct="username" exe="/usr/bin/sudo" (hostname=?, addr=?, terminal=pts/5 res=success)'
+
+
+type=SYSCALL msg=audit(1307045440.943:148): arch=c000003e syscall=59 success=yes exit=0 a0=de1fa8 a1=de23a8 a2=dc3008 a3=7fff1db3cc60 items=2 ppid=11719 pid=12140 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts8 ses=4294967295 comm="wget" exe="/tmp/wget" key="webserver-watch-tmp"
+type=SYSCALL msg=audit(1307045820.403:151): arch=c000003e syscall=59 success=no exit=-13 a0=de24c8 a1=de2408 a2=dc3008 a3=7fff1db3cc60 items=1 ppid=11719 pid=12347 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts8 ses=4294967295 comm="bash" exe="/bin/bash" key=(null)
+type=SYSCALL msg=audit(1306939143.715:67933): arch=40000003 syscall=94 success=yes exit=0 a0=5 a1=180 a2=8ebd360 a3=8ec4978 items=1 ppid=4383 pid=4388 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8038 comm="less" exe="/usr/bin/less" subj=user_u:system_r:unconfined_t:s0 key="perm_mod"
+type=USER_ROLE_CHANGE msg=audit(1280266360.845:51): user pid=1978 uid=0 auid=500 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='pam: default-context=user_u:system_r:unconfined_t:s0 selected-context=user_u:system_r:unconfined_t:s0: exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
+type=PATH msg=audit(1306967989.163:119): item=0 name="./ls" inode=261813 dev=fb:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
+
+
+type=PATH msg=audit(1273924468.947:179534): item=0 name=(null) inode=424783 dev=fd:07 mode=0100640 ouid=0 ogid=502 rdev=00:00 obj=user_u:object_r:file_t:s0
+
+-->
+
+
+ ^type=
+
+
+
+
+ auditd
+ ^AVC
+ ^(AVC) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): avc: (\S+) { \.+ } for pid=\d+ comm="(\S+)" path="\S+" dev=\S+ ino=\d+ scontext=\S+ tcontext=\S+ tclass=\S+$
+ action,id,status,extra_data
+
+
+
+
+ auditd
+ ^SYSCALL
+ ^(SYSCALL) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): arch=\w+ syscall=\d+ success=(\S+) exit=\S+ a0=\w+ a1=\w+ a2=\w+ a3=\w+ items=\d+ ppid=\d+ pid=\d+ auid=\d+ uid=\d+ gid=\d+ euid=\d+ suid=\d+ fsuid=\d+ egid=\d+ sgid=\d+ fsgid=\d+ tty=\S+ ses=\d+ comm="\S+" exe="(\.+)"
+ action,id,status,extra_data
+
+
+
+
+ auditd
+ ^CONFIG_CHANGE
+ ^(CONFIG_CHANGE) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): auid=\d+ ses=\d+ op="\.+" path="(\.+)" key="\S+" list=\d+ res=\d+$
+ action,id,extra_data
+
+
+
+
+ auditd
+ ^PATH
+ ^(PATH) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): item=\d+ name="(\.+)" inode=\d+ dev=\S+ mode=\d+ ouid=\d+ ogid=\d+ rdev=\S+
+ action,id,extra_data
+
+
+
+
+ auditd
+ ^(USER_\S+) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): user pid=\d+ uid=\d+ auid=\d+|
+ ^(CRED_\S+) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): user pid=\d+ uid=\d+ auid=\d+
+ action,id
+
+
+
+ auditd
+ acct="(\.+)" : exe="(\.+)" \(hostname=\S+, addr=(\S+), terminal=\S+$
+ user,extra_data,srcip
+
+
+
+ auditd
+ ses=\d+ subj=\S+ msg='\.+ acct="(\.+)" exe="(\.+)" hostname=\S+ addr=(\S+) terminal=\S+ res=(\S+)$
+ user,extra_data,srcip,status
+
+
+
+ auditd
+ subj=\S+ msg='\.+ acct="(\.+)" \p*\s*exe="(\.+)" \(hostname=\S+, addr=(\S+), terminal=\S+ res=(\S+)\)'$
+ user,extra_data,srcip,status
+
+
+
+ auditd
+ subj=\S+ msg='\.+ exe="(\.+)" \(hostname=\S+, addr=(\S+), terminal=\S+ res=(\S+)\)'$
+ extra_data,srcip,status
+