X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?a=blobdiff_plain;f=etc%2Fdecoder.xml;h=1d73df8bdbacc766558eaa33661e6c65b3b126c7;hb=HEAD;hp=e4b0b984750a28772d8cd1adc2c84315c136ccd2;hpb=789cbc8e52da68eba3517b920ef22e000cf3c9fd;p=ossec-hids.git
diff --git a/etc/decoder.xml b/etc/decoder.xml
old mode 100755
new mode 100644
index e4b0b98..1d73df8
--- a/etc/decoder.xml
+++ b/etc/decoder.xml
@@ -3,7 +3,7 @@
- Author: Daniel B. Cid
- License: http://www.ossec.net/en/licensing.html
-->
-
+
(pam_unix)$
@@ -51,7 +52,7 @@
- ^pam_unix|^\(pam_unix\)
+ ^pam_unix|^\(pam_unix\)|^pam_succeed_if
@@ -59,7 +60,7 @@
^session \w+
^for user (\S+)
user
-
+
+
+
+ sshd
+ ^Did not receive identification |^Bad protocol version
+ from (\S+)$| from (\S+) port (\d+)$
+ srcip,srcport
+
+
sshd
^refused connect
- ^from (\S+)$
+ ^from (\S+)$|^from \S+ \((\S+\w+)\)$|^from \S+ \((\S+::)\)$
srcip
@@ -252,25 +326,79 @@
user
+
+ sshd
+ fatal: Unable to negotiate with
+ ^(\S+) port (\d+): |^(\S+):
+ srcip, srcport
+
+
+
+ sshd
+ rhost=\S+\s+user=\S+
+ rhost=(\S+)\s+user=(\S+)
+ srcip, user
+
+
+
+
+
+ sshd
+ exceeded for
+ (\S+) from (\S+) port (\d+)
+ user, srcip, srcport
+
+
^dropbear
-
+
+
+
dropbear
- for '(\S+)' from (\S+):\d+$
- dstuser,srcip
+ password
+ for '(\S+)' from (\S+):\d+$
+ dstuser, srcip
+
+
+ dropbear
+ nonexistent
+ from (\S+):\d+$
+ srcip
+
+
+
+
+
+ dropbear
+ (\S+) for '(\S+)' with key \S+ (\S+) from (\S+):\d+$
+ status,dstuser,extra_data,srcip
+
@@ -349,7 +477,7 @@
smbd
- from \((\d+.\d+.\d+.\d+)\)
+ from \((\S+)\)
srcip
@@ -379,15 +507,16 @@
- Apr 27 15:25:08 niban sudo: dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/usr/bin/tail /var/log/snort/alert.fast
- Apr 14 10:59:01 enigma sudo: dcid : TTY=ttyp3 ; PWD=/home/dcid/ossec-hids.0.1a/src/analysisd ; USER=root ; COMMAND=/bin/cp -pr ../../bin/addagent ../../bin/osaudit-logaudit ../../bin/ossec-execd ../../bin/ossec-logcollector ../../bin/ossec-maild ../../bin/ossec-remoted /var/ossec/bin
- Apr 19 14:52:02 enigma sudo: dcid : TTY=ttyp3 ; PWD=/var/www/alex ; USER=root ; COMMAND=/sbin/chown dcid.dcid .
+ - Dec 30 19:36:11 rheltest sudo: cplummer : TTY=pts/2 ; PWD=/home/cplummer1 ; USER=root ; TSID=0000UM ; COMMAND=/bin/bash
-->
^sudo
- ^\s+(\S+)\s:
- user
- name,user,location
+ ^\s*(\S+)\s:\sTTY=\S+\s;\sPWD=(\S+)\s;\sUSER=(\S+)\s;\sCOMMAND=(\.+)$|
+ ^\s*(\S+)\s:\sTTY=\S+\s;\sPWD=(\S+)\s;\sUSER=(\S+)\s;\sTSID=\S+\s;\sCOMMAND=(\.+)$
+ dstuser,url,srcuser,status
+ name,dstuser,location
First time user executed the sudo command
-
-
+
-
+
^proftpd
- proftpd
+ proftpd
: Login successful
^\S+ \(\S+[(\S+)]\)\s*\S \w+ (\S+):
Login successful
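Review bot: The order at L105 stores capture 1 of the new sudo regex — the account that invoked sudo (`dcid`/`cplummer` in the examples above) — as `dstuser` and the `USER=` target account as `srcuser`, which is the reverse of how those names read; the fts on `name,dstuser,location` and the "First time user executed the sudo command" description only make sense once the reader knows that, so it should be stated. Suggest a comment directly above the regex: `<!-- capture 1 (invoking account) is dstuser so that fts keys on it; USER= (target account) is srcuser; PWD is stored as url and COMMAND as status -->`. The PWD-as-url and COMMAND-as-status choices are equally non-obvious to anyone writing rules against these fields. The enclosing decoder element opens before this hunk.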
@@ -464,7 +602,7 @@
proftpd
- ^\S+ \(\S+[(\S+)]\)|^\S+ \(\S+[::ffff:(\S+)]\)
+ ^\S+ \(\S+[(\S+)]\)
srcip
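Review bot: With the `::ffff:` alternative gone, an IPv4-mapped client is decoded with the prefix still attached, so `srcip` becomes `::ffff:1.2.3.4` instead of `1.2.3.4`; the same applies to courier at L267, dovecot at L289/L295 (where the removed L293 stripped the prefix explicitly) and web-log at L782, whose own example at L774 shows such a client. Rules that compare `<srcip>`, `same_source_ip` frequency counting and any active-response script then receive a value that no longer equals the plain IPv4 form. If the IPv4 value is what is wanted, the stripping alternative must come first, e.g. `^\S+ \(\S+[::ffff:(\S+)]\)|^\S+ \(\S+[(\S+)]\)`, because `(\S+)` in the other order swallows the prefix before the second alternative is tried — I suspect the removed alternative was already unreachable for that reason. The enclosing decoder opens before this hunk.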
@@ -496,7 +634,7 @@
pure-ftpd
^\((\S+)@(\S+)\) [
user,srcip
-
+
- ^\S+ - \S+ [\d\d/\S\S\S/\d\d\d\d:\d\d:\d\d:\d\d -\d\d\d\d]
+ ^\S+ - \S+ [\d\d/\S\S\S/\d\d\d\d:\d\d:\d\d:\d\d \S\d\d\d\d] "\w+ \S+"
^(\S+) - (\S+) [\d\d/\S\S\S/\d\d\d\d:\d\d:\d\d:\d\d -\d\d\d\d] "(\S+) (\.+) (\d+) \d+$
extra_data,dstuser,action,url,status
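Review bot: The prematch at L131 now accepts either sign in the timezone offset (`\S\d\d\d\d`), but the regex on the next line still requires `-\d\d\d\d`, so a transfer line with a positive offset such as `+0100` passes the prematch and then fails extraction, producing a decoder hit with no `srcip`/`url` fields (assuming L131 and L132 belong to the same decoder — its opening tag is one of the stripped lines above). Align the regex: `^(\S+) - (\S+) [\d\d/\S\S\S/\d\d\d\d:\d\d:\d\d:\d\d \S\d\d\d\d] "(\S+) (\.+) (\d+) \d+$`.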
@@ -520,24 +658,65 @@
- Sun Jun 4 22:08:39 2006 [pid 21611] [dcid] OK LOGIN: Client "192.168.2.10"
- Sun Jun 4 22:09:22 2006 [pid 21622] CONNECT: Client "192.168.2.10"
- Sun Jun 4 22:09:24 2006 [pid 21621] [lalal] FAIL LOGIN: Client "192.168.2.10"
- - Sat Jun 3 07:51:42 2006 [pid 25073] [Administrator] FAIL LOGIN: Client
- "211.100.27.101"
+ - Sat Jun 3 07:51:42 2006 [pid 25073] [Administrator] FAIL LOGIN: Client "211.100.27.101"
- Sun Aug 27 16:28:20 2006 [pid 13962] [xx] OK UPLOAD: Client "1.2.3.4", "/a.php", 8338 bytes, 18.77Kbyte/sec
- Jul 13 12:31:20 www vsftpd: Sun Jul 13 10:31:20 2008 [pid 27528] [anonymous] FAIL LOGIN: Client "84.140.234.76"
- -->
+ - Sun Aug 16 15:48:02 2015 [pid 4832] [ftpuser] OK DELETE: Client "172.28.5.129", "/index.php"
+ - Sun Aug 16 16:26:06 2015 [pid 4976] [ftpuser] OK CHMOD: Client "172.28.5.129", "/index.php 777"
+ - Sun Aug 16 16:26:21 2015 [pid 4976] [ftpuser] OK RENAME: Client "172.28.5.129", "/index.php /4444index.php"
+
^\w\w\w \w\w\w\s+\d+ \S+ \d+ [pid \d+]
- Client "(\d+.\d+.\d+.\d+)"$
+ Client "(\S+)"$
srcip
^vsftpd
^\w\w\w \w\w\w\s+\d+ \S+ \d+ [pid \d+]
- Client "(\d+.\d+.\d+.\d+)"$
+ Client "(\S+)"$
srcip
+-->
+
+
+
+ ^\w\w\w \w\w\w\s+\d+ \S+ \d+ [pid \d+]
+
+
+
+ ^vsftpd
+ ^\w\w\w \w\w\w\s+\d+ \S+ \d+ [pid \d+]
+
+
+
+ vsftpd
+ LOGIN:
+ [(\S+)] (\S+ LOGIN): Client "(\S+\w)"$
+ user,status,srcip
+
+
+
+ vsftpd
+ ^CONNECT:
+ (CONNECT): Client "(\S+\w+)"$
+ action,srcip
+
+
+
+ vsftpd
+ [(\S+)] (OK \S+): Client "(\S+)", "(\.+)"\.*
+ user,status,srcip,url
+
+
+
+ vsftpd
+ Client "(\S+\w)"$
+ srcip
+
- ^\S+ [(\d+.\d+.\d+.\d+)]$|^(\S+)
+ ^\S+ [(\S+)]$|^(\S+)
srcip
ftpd
^FTP LOGIN REFUSED
- [(\d+.\d+.\d+.\d+)]$
+ [(\S+)]$
srcip
ftpd
- from (\d+.\d+.\d+.\d+)$
+ from (\S+)$
srcip
@@ -598,7 +777,7 @@
arpwatch
^new station |^bogon
- ^(\d+.\d+.\d+.\d+) (\S+)
+ ^(\S+) (\S+)
srcip, extra_data
name, srcip, extra_data
@@ -627,7 +806,7 @@
^[\d\d\d\d-\d\d-\d\d \S+ \w+]
^\S+ (\w+):
status
-
+
@@ -638,11 +817,11 @@
- imapd[21040]: Login failed user=root domain=(null) auth=root host=host29-141.poo
l8249.interbusiness.it [82.49.141.29]
- imapd[27113]: Authenticated user=badyy host=a.resenet.com.br [1.2.3.4]
- - imapd[27113]: Logout user=badyy host=a.resenet.com.br [1.2.3.4]
+ - imapd[27113]: Logout user=badyy host=a.resenet.com.br [1.2.3.4]
-->
^imapd
- user=(\S+) \.+ [(\d+.\d+.\d+.\d+)]$
+ user=(\S+) \.+ [(\S+)]$
user,srcip
@@ -650,10 +829,10 @@
@@ -663,28 +842,28 @@
vpopmail
^vchkpw-\S+: password fail
- (\S+)@\S+:(\d+.\d+.\d+.\d+)$
+ (\S+)@\S+:(\S+)$
user, srcip
vpopmail
^vchkpw-\S+: vpopmail user not
- ^found (\S+):(\d+.\d+.\d+.\d+)$
+ ^found (\S+):(\S+)$
user, srcip
vpopmail
^vchkpw-\S+: null password
- ^given (\S+):(\d+.\d+.\d+.\d+)$
+ ^given (\S+):(\S+)$
user, srcip
vpopmail
^vchkpw-\S+: \(\S+\) login
- ^success (\S+):(\d+.\d+.\d+.\d+)$
+ ^success (\S+):(\S+)$
user, srcip
@@ -701,7 +880,7 @@
vm-pop3d
^User '
^(\S+)' - \w+ auth,
- from=(\d+.\d+.\d+.\d+)$
+ from=(\S+)$
user, srcip
@@ -722,13 +901,13 @@
courier
^LOGIN,
- ^user=(\S+), ip=[(\S+\d)]$
+ ^user=(\S+), ip=[(\S+)]$
user, srcip
courier
- , ip=[(\S+\d)]$|, ip=[::ffff:(\S+\d)]$
+ , ip=[(\S+)]$
srcip
@@ -744,12 +923,16 @@
- dovecot: Jan 07 14:46:28 Warn: auth(default): userdb(username,::ffff:127.0.0.1): user not found from userdb
- dovecot: Mar 13 15:25:07 Info: auth(default): pam(user@example.com,::ffff:1.2.3.4): pam_authenticate() failed: User not known to the underlying authentication module
- dovecot: Mar 13 15:25:07 Info: auth(default): passwd-file(user@example.com,::ffff:1.2.3.4): unknown user
- - Jan 11 03:45:09 hostname dovecot: auth-worker(default): sql(username,1.2.3.4): unknown user
+ - Jan 11 03:45:09 hostname dovecot: auth-worker(default): sql(username,1.2.3.4): unknown user
- Jan 11 03:42:09 hostname dovecot: auth(default): pam(user@example.com,1.2.3.4): pam_authenticate() failed: User not known to the underlying authentication module
- Jul 4 17:30:51 hostname dovecot[2992]: pop3-login: Disconnected: rip=1.2.3.4, lip=1.2.3.5
- dovecot: Jun 23 15:04:06 Info: IMAP(username): Disconnected: Logged out bytes=59/566
- dovecot: May 31 09:43:57 Info: pop3-login: Aborted login (1 authentication attempts): user=, method=PLAIN, rip=::ffff:1.2.3.4, lip=::ffff:1.2.3.5, secured
- Jan 30 09:37:55 hostname dovecot: pop3-login: Aborted login: user=, method=PLAIN, rip=::ffff:1.2.3.4, lip=::ffff:1.2.3.5
+ - Dec 19 17:40:57 ny dovecot: pop3-login: Disconnected (auth failed, 3 attempts in 51 secs): user=, method=PLAIN, rip=109.201.200.201, lip=67.205.141.203, session=
+ - Dec 19 17:30:39 ny dovecot: imap-login: Disconnected: Inactivity (auth failed, 7 attempts in 176 secs): user=<32>, method=PLAIN, rip=109.201.200.201, lip=67.205.141.203,session=<7QTLPAZEXrhtycjJ>
+ - Dec 19 17:38:54 ny dovecot: pop3-login: Disconnected: Inactivity during authentication (auth failed, 13 attempts in 179 secs): user=, method=PLAIN, rip=109.201.200.201, lip=67.205.141.203, session=
+ - Dec 19 17:20:08 ny dovecot: imap-login: Aborted login (auth failed, 2 attempts in 18 secs): user=, method=PLAIN, rip=109.201.200.201, lip=67.205.141.203, session=
-->
@@ -759,31 +942,54 @@
dovecot
^\w\w\w\w-login: Login:
- ^user=\p(\S+)\p, method=\S+, rip=\S*(\d+.\d+.\d+.\d+), lip=\S*(\d+.\d+.\d+.\d+), (\S*)$
+ ^user=\p(\S+)\p, method=\S+, rip=(\S+), lip=(\S+), mpid=\S+, (\S*)$
user, srcip, dstip, protocol
dovecot
^\w\w\w\w-login: Aborted login
- : user=\p(\S+)\p, method=\S+, rip=::ffff:(\d+.\d+.\d+.\d+), lip=::ffff:(\d+.\d+.\d+.\d+)$
- user, srcip, dstip
+ : user=\p(\S+)\p, method=\S+, rip=(\S+), lip=(\S+), (\S*)$
+ user, srcip, dstip, protocol
dovecot
^auth\(default\)|auth-worker\(default\)
- ^: \S+\((\S+),(\d+.\d+.\d+.\d+)\)
+ ^: \S+\((\S+),(\S+)\)
user, srcip
+
+ dovecot
+ ^\w\w\w\w-login:
+ \(auth failed, \d+ attempts in \d+ secs\): user=\p(\S+)\p, method=\w+, rip=(\S+), lip=(\S+)
+ user,srcip,dstip
+
+
dovecot
^\w\w\w\w-login: Disconnected:
- ^rip=(\S+), lip=(\d+.\d+.\d+.\d+)
+ ^rip=(\S+), lip=(\S+)
srcip, dstip
+
+ ^Info$|^Warn$
+
+
+
+ dovecot-info
+ imap-login
+ Login: user=(\S+), method=\.+, rip=(\S+), lip=(\S+)
+ user, srcip, dstip
+
+
+
+ dovecot-info
+ auth\(\.+\): \S+\((\S+),(\S+)\):
+ user, srcip
+
+ -->
^named
named
- : query:
- client (\S+)#\d+: query: (\S+) IN
+ : query
+ client (\S+)#\d+\s*\S*:
srcip,url
+
+ named
+ query: (\S+) IN|query \S+ '(\S+)/
+ url
+
- named
+ named
^client
- ^(\d+.\d+.\d+.\d+)#
+ ^(\S+)#
srcip
named
- from [(\d+.\d+.\d+.\d+)]
+ from [(\S+)]
srcip
named
for master
- for master (\d+.\d+.\d+.\d+):(\d+) \S+ \(source (\d+.\d+.\d+.\d+)#d+\)$
+ for master (\S+):(\d+) \S+ \(source (\S+)#d+\)$
dstip,dstport,srcip
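Review bot: The rewritten Login regex at L289 now requires `mpid=\S+, ` between `lip=` and the trailing capture, so Login lines without an mpid field — the shape the removed L288 handled, `lip=..., TLS` — stop decoding altogether rather than merely lacking the new token. Keep both forms: `^user=\p(\S+)\p, method=\S+, rip=(\S+), lip=(\S+), mpid=\S+, (\S*)$|^user=\p(\S+)\p, method=\S+, rip=(\S+), lip=(\S+), (\S*)$`. Separately, `#d+` in the named master regex at L356 is carried over from L355 and looks like a missing backslash — as written it matches a literal run of `d`, so the `(source x#123)` tail never matches; it should read `\(source (\S+)#\d+\)$`.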
@@ -842,25 +1053,25 @@
true
- postfix
+ postfix
^NOQUEUE: reject: \w\w\w\w from
- [(\d+.\d+.\d+.\d+)]: (\d+)
+ [(\S+)]:\d+: (\d+) |[(\S+)]:(\d+): |[(\S+)]: (\d+) |[(\S+)]:(\d+):
srcip,id
- postfix
+ postfix
^warning: \S+: SASL
- ^warning: \S+[(\d+.\d+.\d+.\d+)]:
+ ^warning: \S+[(\S+)]:
srcip
^sendmail|^sm-mta|^sm-msp-queue
-
+
sendmail-reject
^\S+: rejecting commands from
- ^ \S+ [(\d+.\d+.\d+.\d+)]
+ ^ \S+ [(\S+)]
srcip
sendmail-reject
relay=[
- ^(\d+.\d+.\d+.\d+)]
+ ^(\S+)]
srcip
sendmail-reject
relay=\S+ [
- ^(\d+.\d+.\d+.\d+)]
+ ^(\S+)]
srcip
@@ -910,8 +1121,8 @@
^smf-sav
^sender check failed|
^sender check tempfailed
- ^ \(cached\): \S+, (\d+.\d+.\d+.\d+),|
- ^: \S+, (\d+.\d+.\d+.\d+),
+ ^ \(cached\): \S+, (\S+),|
+ ^: \S+, (\S+),
srcip
@@ -920,12 +1131,12 @@
- smtpd
+ ^smtpd
@@ -962,6 +1173,18 @@
srcip
+
+ smtpd
+ ^smtp-in:
+ ^(\S+)
+ status
+
+
+
+ smtpd
+ => (\d+)
+ action
+
^kernel
-
+
iptables
firewall
^[\d+.\d+] \S+ IN=
-
+
^[\d+.\d+] (\S+) \.+ SRC=(\S+) DST=(\S+)
\.+ PROTO=(\w+)
action,srcip,dstip,protocol
@@ -1004,7 +1227,7 @@
iptables
firewall
^\S+ IN=
-
+
^(\S+) \.+ SRC=(\S+) DST=(\S+) \.+
PROTO=(\w+)
action,srcip,dstip,protocol
@@ -1021,7 +1244,7 @@
iptables
firewall
^Shorewall:\S+:
-
+
^(\S+):\.+ SRC=(\S+) DST=(\S+) \.+
PROTO=(\w+)
action,srcip,dstip,protocol
@@ -1032,7 +1255,7 @@
firewall
^SPT=(\d+) DPT=(\d+)
srcport,dstport
-
+
iptables
@@ -1057,25 +1280,25 @@
firewall
^ipmon
- (\w) (\d+.\d+.\d+.\d+),(\d+) ->
- (\d+.\d+.\d+.\d+),(\d+) PR (\w+)
+ (\w) (\S+),(\d+) ->
+ (\S+),(\d+) PR (\w+)
action,srcip,srcport,dstip,dstport,protocol
-
+
firewall
^ipsec_logd
- R:(\w) \w:\S+ S:(\d+.\d+.\d+.\d+)
- D:(\d+.\d+.\d+.\d+) P:(\S+) SP:(\d+) DP:(\d+)
+ R:(\w) \w:\S+ S:(\S+)
+ D:(\S+) P:(\S+) SP:(\d+) DP:(\d+)
action,srcip,dstip,protocol,srcport,dstport
@@ -1088,7 +1311,7 @@
- Mar 30 15:47:05.522341 rule 4/(match) block in on lo0: 127.0.0.1.48784 > 127.0.0.1.23: S 1381529123:1381529123(0) win 16384 (DF) [tos 0x10]
- Mar 30 15:54:22.171929 rule 3/(match) pass out on xl0: 192.168.2.10.1514 > 192.168.2.190.1030: udp 73
- Mar 30 15:54:22.174412 rule 3/(match) pass out on xl0: 192.168.2.10.1514 > 192.168.2.190.1030: udp 89
-
+
-->
firewall
@@ -1096,7 +1319,7 @@
PF_Decoder
-
+
^NetScreen device_id
-
+
netscreenfw
firewall
-
+
system-notification-00257
\(traffic\):
-
+
proto=(\w+) \.+action=(\w+)
\.+src=(\S+) dst=(\S+) src_port=(\d+) dst_port=(\d+)
protocol, action, srcip, dstip, srcport, dstport
@@ -1144,17 +1367,18 @@
netscreenfw
system-critical-\.+ from |
- system-alert-\.+ from
-
+ system-alert-\.+ from |
+ system-emergency-\.+ From
+
system-(\w+)-(\d+): \.+
- from\.+(\d+.\d+.\d+.\d+)
+ from\.+(\S+)
action, id, srcip
netscreenfw
system-(\w+)-(\d+):
- action, id
+ action, id
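Review bot: The new prematch alternative at L501 matches `system-emergency-\.+ From` with a capital F, while the extraction regex at L505 is still lower-case `from\.+(\S+)`; unless OS_Regex compares literals case-insensitively (I don't believe it does), emergency lines pass the prematch and then yield no `srcip`. Either add the capitalised form to the regex, `from\.+(\S+)|From\.+(\S+)`, or confirm the device really logs `From` and note it next to the prematch. The decoder's opening tag is among the stripped lines above the hunk.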
@@ -1166,7 +1390,7 @@
- %PIX-3-106010: Deny inbound tcp src outside:213.98.79.233/2620 dst dmz:213.98.254.145/135
- %PIX-3-106011: Deny inbound (No xlate) udp src outside:192.168.2.1/137
dst outside:192.168.2.14/137
- - %PIX-3-106011: Deny inbound (No xlate) tcp src inside:10.100.7.43/80 dst
+ - %PIX-3-106011: Deny inbound (No xlate) tcp src inside:10.100.7.43/80 dst
inside:10.100.4.71/2285
- %PIX-3-710003: TCP access denied by ACL from 216.39.220.130/54065 to outside:62.192.113.98/ssh
- %PIX-7-710001: TCP access requested from X.X.X.X/1292 to outside:Y.Y.Y.Y/ssh
@@ -1176,7 +1400,7 @@
- %PIX-2-106002: udp connection denied by outbound list 30 src 216.53.120.62 138 dest 169.132.10.82 138
- %PIX-4-106023: Deny tcp src inside:111.11.11.1/2143 dst YYY:172.11.1.11/139 by access-group "inside_inbound"
- %PIX-4-400013 IDS:2003 ICMP redirect from 10.4.1.2 to 10.2.1.1 on interface dmz
- - %PIX-2-106006: Deny inbound UDP from ***/20031 to ***/20031 on
+ - %PIX-2-106006: Deny inbound UDP from ***/20031 to ***/20031 on
interface vpn
- %PIX-7-710002: TCP access permitted from 10.0.0.1/60749 to db:10.0.0.2/ssh
- %PIX-6-305012: Teardown dynamic UDP translation from inside:1.1.1.1/12 to outside:1.2.1.2/11 duration 0:00:11.
@@ -1207,7 +1431,7 @@
pix
firewall
^3-710003|^7-710002|^7-710005
- ^(\S+): (\S+) \w+ (\w+)\.+from
+ ^(\S+): (\S+) \w+ (\w+) \.+from
(\S+)/(\S+) to \w+:(\S+)/(\S+)
id, protocol, action, srcip, srcport, dstip, dstport
@@ -1235,7 +1459,7 @@
firewall
^2-106006|^2-106007
^(\S+): (\w+) \S+ (\w+) from
- (\d+.\d+.\d+.\d+)/(\d+) to (\d+.\d+.\d+.\d+)/(\d+)
+ (\S+)/(\d+) to (\S+)/(\d+)
id, action, protocol, srcip, srcport, dstip, dstport
@@ -1269,9 +1493,9 @@
pix
^5-304001:
- ^(\S+): (\d+.\d+.\d+.\d+) Accessed URL
- (\d+.\d+.\d+.\d+):(http\w*://\.+)|
- ^(\S+): (\d+.\d+.\d+.\d+) Accessed URL (\d+.\d+.\d+.\d+):
+ ^(\S+): (\S+) Accessed URL
+ (\S+):(http\w*://\.+)|
+ ^(\S+): (\S+) Accessed URL (\S+):
id, srcip, dstip, url
@@ -1279,7 +1503,7 @@
pix
^5-304002:
^(\S+): Access (denied) URL (http\w*://\.+)
- SRC (\d+.\d+.\d+.\d+) DEST (\d+.\d+.\d+.\d+) on interface
+ SRC (\S+) DEST (\S+) on interface
id, action, url, srcip, dstip
@@ -1288,17 +1512,24 @@
^2-106012: |^2-106017: |
^2-106020|^1-106021|^1-106022|
^4-4000
- ^(\S+): \.+ from (\d+.\d+.\d+.\d+)
+ ^(\S+): \.+ from (\S+)
id, srcip
pix
- ^6-605004|^6-308001|^6-605005
- ^(\S+): \.+ (\d+.\d+.\d+.\d+)
+ ^6-308001
+ ^(\S+): \.+ (\S+)
id, srcip
+
+ pix
+ ^6-605004|^6-605005
+ ^(\S+): Login (\S+) from (\S+)/(\d+) \.+user "(\w+)"
+ id, action, srcip, srcport, user
+
+
pix
^(\S+):
@@ -1308,7 +1539,7 @@
^\d+ \d\d/\d\d/\d\d\d\d \S+ SEV=\d
- ^(\S+) RPT=\d+ (\d+.\d+.\d+.\d+)
+ ^(\S+) RPT=\d+ (\S+)
id, srcip
-
+
@@ -1348,18 +1579,28 @@
ids
^[**] [\d+:\d+:\d+]
-
+
snort
ids
^[**] |^[\d+:\d+:\d+]
- ^[**] [(\d+:\d+:\d+)] \.+ (\d+.\d+.\d+.\d+)\p*\d* ->
- (\d+.\d+.\d+.\d+)|^[(\d+:\d+:\d+)] \.+
- (\d+.\d+.\d+.\d+)\p*\d* -> (\d+.\d+.\d+.\d+)
+ ^[**] [(\d+:\d+:\d+)] \.+ (\S+)\p*\d* ->
+ (\S+)|^[(\d+:\d+:\d+)] \.+
+ (\S+)\p*\d* -> (\S+)
id,srcip,dstip
name,id,srcip,dstip
+
+ snort
+ ids
+ ^[Drop] [**] |^[\d+:\d+:\d+]
+ ^[Drop] [**] [(\d+:\d+:\d+)] \.+ (\S+)\p*\d* ->
+ (\S+)|^[(\d+:\d+:\d+)] \.+
+ (\S+)\p*\d* -> (\S+)
+ id,srcip,dstip
+ name,id,srcip,dstip
+
@@ -1389,12 +1630,12 @@
- Examples:
- suhosin[76366]: ALERT - canary mismatch on efree() - heap overflow detected (attacker '200.139.164.149', file 'xyz')
- suhosin[24239]: ALERT - configured request variable value length limit exceeded - dropped variable 'introtext' (attacker '192.168.1.2', file '/var/www/site/administrator/index2.php')
- - suhosin[32150]: ALERT - configured POST variable limit exceeded - dropped variable 'setting[sg_allow_delete_empty_group]' (attacker '32.104.x.y', file '/home/htdocs/admincp/options.php')
+ - suhosin[32150]: ALERT - configured POST variable limit exceeded - dropped variable 'setting[sg_allow_delete_empty_group]' (attacker '32.104.x.y', file '/home/htdocs/admincp/options.php')
-->
^suhosin
ids
- ^ALERT - (\.+) \(attacker '(\d+.\d+.\d+.\d+)',
+ ^ALERT - (\.+) \(attacker '(\S+)',
id, srcip
name, location, id
@@ -1411,13 +1652,13 @@
ids
^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d\|
^\S+\|(\S+)\|
- (\d+.\d+.\d+.\d+)\|(\d+.\d+.\d+.\d+)\|
+ (\S+)\|(\S+)\|
id, srcip, dstip
name, id, srcip, dstip
-
-
-
+
+
+
^[\w+] [imp] |^[\w+] [horde]
-
+
horde_imp
^Login success
- ^for (\S+) [(\d+.\d+.\d+.\d+)]
+ ^for (\S+) [(\S+)]
user, srcip
horde_imp
^FAILED LOGIN
- ^ (\d+.\d+.\d+.\d+) to \S+ as (\S+)
+ ^ (\S+) to \S+ as (\S+)
srcip, user
@@ -1449,11 +1690,12 @@
- Examples:
- WPsyslog[14382]: [127.0.0.1 na] Info: User authentication failed. User name: lala
- WPsyslog[14382]: [127.0.0.1 na] Info: User logged in. User name: admin (admin).
+ - wpcore[14554]: [127.0.0.1 na] http://megasite.com/wordpress Info: User authentication failed. User name: qwe.
-->
- ^WPsyslog
+ ^WPsyslog|^wpcore
^[
- ^(\d+.\d+.\d+.\d+)
+ ^(\S+)
srcip
@@ -1461,60 +1703,110 @@
+
^roundcube
+
+
+
^[\d\d-\w\w\w-\d\d\d\d \d\d:\d\d:\d\d \S+]
roundcube
- ^: Successful login for
- ^(\S+) \(id \d+\) from (\d+.\d+.\d+.\d+)$
+ Successful login for
+ ^(\S+) \(id \d+\) from (\S+)$|^(\S+) \(ID: \d+\) from (\S+)
user, srcip
-
+
roundcube
- ^ \w+ Error: Authentication
- ^for (\.+) failed
+ ] \w+ Error: Authentication
+ ^for (\S+) failed
user
+
+ roundcube
+ > \w+ Error: Login failed |> Failed login
+ ^for (\S+) from (\S+)\. |^for (\S+) from (\S+) in session
+ user, srcip
+
+
+ - Without ID: Will extract the srcip and srcport (when it is available)
+ - [error] [client 80.230.208.105] Directory index forbidden by rule: /home/
+ - [error] [client 64.94.163.159] Client sent malformed Host header
+ - [error] [client 66.31.142.16] File does not exist: /var/www/html/default.ida
+ - [Sun Nov 23 18:49:01.713508 2014] [:error] [pid 15816] [client 141.8.147.9:51507] PHP Notice: A non well formed numeric value encountered in /path/to/file.php on line 123
+ - Feb 17 18:00:00 myhost httpd[18660]: [error] [client 12.34.56.78] File does not exist: /usr/local/htdocs/cache
+ - Feb 17 18:00:00 myhost httpd[23745]: [error] [client 12.34.56.78] PHP Notice:
+ - With IP + ID: Will extract the srcip, id, and srcport (when it is available)
+ - [Tue Sep 30 11:30:13.262255 2014] [core:error] [pid 20101] [client 99.47.227.95:34567] AH00037: Symbolic link not allowed or link target not accessible: /usr/share/awstats/icon/mime/document.png
+ - [Tue Sep 30 12:24:22.891366 2014] [proxy:warn] [pid 2331] [client 77.127.180.111:54082] AH01136: Unescaped URL path matched ProxyPass; ignoring unsafe nocanon, referer: http://www.easylinker.co.il/he/links.aspx?user=bguyb
+ - [Tue Sep 30 14:25:44.895897 2014] [authz_core:error] [pid 31858] [client 99.47.227.95:38870] AH01630: client denied by server configuration: /var/www/example.com/docroot/
+ - [Thu Oct 23 15:17:55.926067 2014] [ssl:info] [pid 18838] [client 36.226.119.49:2359] AH02008: SSL library error 1 in handshake (server www.example.com:443)
+ - ModSecurity
+ - [Tue Feb 16 04:02:21.018764 2016] [:error] [pid 3223] [client 10.10.10.10] ModSecurity: Access denied with code 403 (phase 2). Text...
+ - [Tue Feb 16 04:02:21.018764 2016] [:error] [pid 3223] [client 10.10.10.10:5555] ModSecurity: Access denied with code 403 (phase 2). Text...
+ - Others
+ - [notice] Apache configured
+ - [Thu Oct 23 15:17:55.926123 2014] [ssl:info] [pid 18838] SSL Library Error: error:1407609B:SSL routines:SSL23_GET_CLIENT_HELLO:https proxy request -- speaking HTTP to HTTPS port!?
+ - [Tue Sep 30 12:11:21.258612 2014] [ssl:error] [pid 30473] AH02032: Hostname www.example.com provided via SNI and hostname ssl://www.example.com provided via HTTP are different
+-->
+
+
+ ^httpd
+
+
- ^httpd
-
+ ^[warn] |^[notice] |^[error]
+
- ^[warn] |^[notice] |^[error]
-
+ ^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [\S+:warn] |^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [\S+:notice] |^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [\S*:error] |^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [\S+:info]
+
-
- apache-errorlog
-
- ^[client
- ^ (\d+.\d+.\d+.\d+)]
- srcip
-
+
+ apache-errorlog
+ [client \S+:\d+] \S+:
+ [client (\S+):(\d+)] (\S+):
+ srcip,srcport,id
+
+
+
+ apache-errorlog
+ [client \S+] \S+:
+ [client (\S+)] (\S+):
+ srcip,id
+
+
+
+
+ apache-errorlog
+ [client
+ ^ (\S+):(\d+)] |^ (\S+)]
+ srcip,srcport
+
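Review bot: The Apache 2.4 prematch at L727 uses `[\S*:error]` for the error level but `[\S+:warn]`, `[\S+:notice]` and `[\S+:info]` for the others, so a line with an empty module name — the `[:error]` shape in the examples at L700, L709 and L710 — is only accepted at error level; `[:warn]`, `[:notice]` and `[:info]` lines of the same shape are dropped before any child decoder sees them. Make all four alternatives `\S*`. The `[client \S+:\d+] \S+:` child at L738 also captures `id` only when the text after the client field is a single token ending in `:`, so `PHP Notice:` lines (L700, L702) fall through to the generic `[client` child at L753; a comment stating that this fallback is intended would help the next reader.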
@@ -1531,7 +1823,7 @@
nginx-errorlog
, client: \S+, server: \S+, request: "\S+
- , client: (\d+.\d+.\d+.\d+),
+ , client: (\S+),
srcip
@@ -1545,19 +1837,19 @@
- Examples:
- 63.91.167.39 - - [03/Aug/2001:21:56:18 -0700] "GET /default.ida?NNNN
- 206.78.62.16 - - [06/Aug/2001:08:57:08 -0700] "GET /default.ida?XX
- - 5.211.112.6 - - [04/Feb/2003:16:17:30 -0500] "GET /mod_ssl:error:
+ - 5.211.112.6 - - [04/Feb/2003:16:17:30 -0500] "GET /mod_ssl:error:
- 192.168.2.190 - - [18/Jan/2006:13:10:06 -0500] "GET /xxx.html HTTP/1.1"
200 1732
- - 1.1.1.1 - username [18/Jan/2006:13:10:06 -0500] "GET /xxx.html HTTP/1.1"
+ - 1.1.1.1 - username [18/Jan/2006:13:10:06 -0500] "GET /xxx.html HTTP/1.1"
- 123.4.5.6 aa.xx.com - [05/Nov/2006:00:46:56 -0500] "GET / HTTP/1.1" 302 -
- ::ffff:202.194.15.192 190.7.138.180 - [18/Oct/2010:10:48:55 -0500] "GET //php-my-admin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 345 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
-->
web-log
- ^\d+.\d+.\d+.\d+ |^::ffff:\d+.\d+.\d+.\d+
- ^(\d+.\d+.\d+.\d+) \S+ \S+ [\S+ \S\d+]
- "\w+ (\S+) HTTP\S+ (\d+)
- srcip, url, id
+ ^\S+ \S+ \S+ [\S+ \S\d+] "\w+ \S+ HTTP\S+"
+ ^(\S+) \S+ (\S+) [\S+ \S\d+]
+ "(\w+) (\S+) HTTP\S+" (\d+)
+ srcip, srcuser, action, url, id
@@ -1570,7 +1862,7 @@
^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d
-
+
^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d:
@@ -1694,9 +1986,9 @@
racoon
true
-
+
^ERROR: couldn't find the pskey
- ^for (\d+.\d+.\d+.\d+)
+ ^for (\S+)
srcip
@@ -1706,51 +1998,60 @@
action
-
-
-
-
- squid
- ^\d+ \d+.\d+.\d+.\d+
- ^\d+ (\d+.\d+.\d+.\d+) (\w+)/(\d+) \d+ \w+ (\S+)
- srcip,action,id,url
-
windows
- ^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog: |^WinEvtLog:
- ^\.+: (\w+)\((\d+)\): (\.+):
+ ^WinEvtLog
+
+
+
+ windows
+ windows
+ ^\.+: (\w+)\((\d+)\): (\.+):
(\.+): \.+: (\S+):
status, id, extra_data, user, system_name
- name, location, user, system_name
-
+ name, location, system_name
+
+
+
+ windows
+ windows
+ Source Network Address: (\S+)
+ srcip
+
+
+
+ windows
+ windows
+ Account Name:\s+(\w+\.+)\s+Account
+ user
+
+
+
+ windows
+ windows
+ Account Domain:\s\s+(\w\.+)\s\s+Logon ID:
+ extra_data
+
-
+
^\w\w\w \w+\s+\d+ \d\d:\d\d:\d\d \w+ \d+ /\S+/active-response
- /bin/(\S+) (\S+) - (\S+) (\d+.\d+) (\d+)
- action, status, srcip, id, extra_data
+ /bin/(\S+) (\S+) - (\S+) (\d+.\d+) (\d+)
+ action, status, srcip, id, extra_data
^[\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d.\d\d\d '\S+' \d+
-
+
vmware
^(\w+)] \S+ \S+
status
-
+
vmware
- ^: User (\w+)@(\d+.\d+.\d+.\d+)
- logged |^: Failed login \w+ for (\w+)@(\d+.\d+.\d+.\d+)
+ ^: User (\w+)@(\S+)
+ logged |^: Failed login \w+ for (\w+)@(\S+)
user, srcip
-
+
vmware
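Review bot: `Source Network Address: (\S+)` at L830 captures whatever non-blank token follows the label, which for a local or console logon is the `-` placeholder Windows writes in that field, so `srcip` would be set to `-` and could feed `same_source_ip` counting or an active-response script. At minimum add `<!-- local/console logons log "-" here; rules must not treat that value as an address -->` above the regex. Similarly, `Account Name:\s+(\w+\.+)\s+Account` at L837 takes the first `Account Name:` block in the event, which in logon events is the Subject rather than the account that logged on or failed — worth confirming against a real event and documenting which block is meant.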
@@ -1940,7 +2249,7 @@ Sat May 7 03:27:57 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh del
^ \S+ for user (\S+) from (\S+)$
user, srcip
-
+
vmware-syslog
^login from
@@ -1957,7 +2266,7 @@ Sat May 7 03:27:57 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh del
- Nov 21 15:16:22 unknown audit: [ID 984917 audit.notice] login - telnet
failed session 2740580090 by root as root:root from 1.254.168.192
- failed session 2740580090 by root as root:root from 1.254.168.192
- - ok session 347344759 by 500959152 as root:root from 3.11.8.4 obj
+ - ok session 347344759 by 500959152 as root:root from 3.11.8.4 obj
-->
^audit$
@@ -1999,21 +2308,28 @@ Sat May 7 03:27:57 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh del
asterisk
^NOTICE[\d+]: \S+ in \S+: Registration from
- ^\S+ failed for '(\d+.\d+.\d+.\d+)'
- srcip
+ ^'\.+' failed for '(\S+):(\d+)'|^'\.+' failed for '(\S+)'
+ srcip,srcport
asterisk
Registration from
- failed for '(\d+.\d+.\d+.\d+)'
- srcip
+ failed for '(\S+):(\d+)'|failed for '(\S+)'
+ srcip,srcport
+
+
+
+ asterisk
+ ^NOTICE[\d+][\w+]: \S+ in \S+: Call from
+ ^'\S*' \((\S+):(\d+)\) to extension '(\S+)' rejected because extension not found in context '(\S+)'.$
+ srcip, srcport, extra_data, extra_data
asterisk
^NOTICE[\d+]: \S+ in \S+: Host
- ^(\d+.\d+.\d+.\d+) failed MD5 authentication for (\S+)
+ ^(\S+) failed MD5 authentication for (\S+)
srcip, user
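Review bot: The order at L905 lists `extra_data` twice for the last two captures of the regex at L904 (the extension and the context), so one of the two values is lost or overwritten — which one depends on how analysisd treats a repeated field name, but either way a rule cannot see both. Give the second capture its own field, e.g. `srcip, srcport, extra_data, data`, or stop capturing the context with `context '\S+'.$`. The decoder's opening tag is among the stripped lines above L902.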
@@ -2040,8 +2356,8 @@ Sat May 7 03:27:57 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh del
^%\w+-\d-\w+:
-
-
+
+
-
+
^Checkpoint
^\s+\S+ \d\d:\d\d:\d\d
@@ -2142,9 +2458,9 @@ in HTTP request too long; attack: Malformed HTTP; src: 10.10.10.4; dst:
firewall
^drop|^accept|^reject
^(\w+)\s+\S+ \p\S+ rule:\.+
- src: (\d+.\d+.\d+.\d+); dst: (\d+.\d+.\d+.\d+); proto: (\S+);
+ src: (\S+); dst: (\S+); proto: (\S+);
action,srcip,dstip,protocol
-
+
checkpoint-syslog
@@ -2152,13 +2468,13 @@ in HTTP request too long; attack: Malformed HTTP; src: 10.10.10.4; dst:
service: (\d+); s_port: (\d+);
dstport,srcport
-
+
checkpoint-syslog
ids
^monitor|^drop
attack: (\.+);
- src: (\d+.\d+.\d+.\d+); dst: (\d+.\d+.\d+.\d+);
+ src: (\S+); dst: (\S+);
proto: (\S+);
extra_data, srcip, dstip, protocol
name, extra_data, srcip, dstip
@@ -2170,7 +2486,7 @@ in HTTP request too long; attack: Malformed HTTP; src: 10.10.10.4; dst:
-
+
- ^slapd
- ^conn=(\d+)
- id
+ ^slapd
+
+
+
+
+ openldap
+ ACCEPT
+ ^conn=(\d+) fd=\d+ ACCEPT from IP=(\S+):
+ id, srcip
+
+
+ openldap
+ BIND
+ ^conn=(\d+) op=\d+ BIND dn="\w+=(\w+),
+ id, dstuser
+
+
+
+
+ openldap
+ RESULT
+ ^conn=(\d+) op=\d+ RESULT
+ id
+
-
type=USER_ACCT msg=audit(1310592861.936:1222): user pid=24675 uid=0 auid=501 ses=188 subj=system_u:system_r:unconfined_t:s0 msg='op=PAM:accounting acct="username" exe="/usr/bin/sudo" (hostname=?, addr=?, terminal=pts/5 res=success)'
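Review bot: The new RESULT decoder at L971–L973 captures only the connection id and not the `err=` code, so rules cannot distinguish a failed BIND from a successful one, which is the main detection value of slapd logs; the BIND decoder at L964 records the dn but not the outcome either. Extend it to `^conn=(\d+) op=\d+ RESULT tag=\d+ err=(\d+)` with order `id, status`, assuming the usual slapd `RESULT tag=... err=...` line shape, which no example on this page shows. The BIND regex `dn="\w+=(\w+),` also requires the first RDN value to be a plain word followed by a comma, so DNs such as `uid=j.doe,...` or a single-RDN `cn=admin` never yield `dstuser`; a comment stating that limitation would help.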
@@ -2462,10 +2810,10 @@ Examples:
id,data,action,status
-
-
^HT286: [\w\w:\w\w:\w\w:\w\w:\w\w:\w\w]\p*\.+\p* |
@@ -2501,4 +2849,523 @@ Author and (c): Michael Starks, 2014 -->
action, id
+
+
+
+
+ iptables
+ apparmor=
+ apparmor="(\S+)" operation="(\S+)"
+ status, extra_data
+
+
+
+
+ ^unix_chkpwd
+
+
+
+
+ unix_chkpwd
+ user \((\w+)\)$
+ srcuser
+
+
+
+
+
+ ^inbound/pass|^scan|^outbound/smtp
+
+
+
+ barracuda-svf-email
+ ^\S+[\S+]|
+ ^\S+
+ ^\S+[(\S+)] (\d+-\w+-\w+) \d+ \d+ |
+ ^(\S+) (\d+-\w+-\w+) \d+ \d+
+ srcip, id
+
+
+
+
+ barracuda-svf-email
+ (SCAN) (\S+ \S+ \S+ \S+ \d+ \d+ \.+ SUBJ:\.+)$
+ action, extra_data
+
+
+
+
+ barracuda-svf-email
+ (RECV) (\S+ \S+ \d+ \d+ \.+)$
+ action, extra_data
+
+
+
+
+ barracuda-svf-email
+ (SEND) (\S+ \d+ \S+ \.+)$
+ action, extra_data
+
+
+
+
+
+ ^web
+
+
+
+ barracuda-svf-admin
+ ^[\S+] global[] CHANGE
+ ^[(\S+)] global[] (CHANGE) (\S+ \(\S*)\)$
+ srcip,action,extra_data
+
+
+
+ barracuda-svf-admin
+ ^[\S+] LOGIN|
+ ^[\S+] FAILED_LOGIN|
+ ^[\S+] LOGOUT
+ ^[(\S+)] (\S+) \((\S+)\)\p*$
+ srcip,action,user
+
+
+
+
+
+
+windows
+INFORMATION\(1\)
+Image: (\.*) \s*CommandLine: \.* \s*User: (\.*) \s*LogonGuid: \S* \s*LogonId: \S* \s*TerminalSessionId: \S* \s*IntegrityLevel: \.*HashType: \S* \s*Hash: (\S*) \s*ParentProcessGuid: \S* \s*ParentProcessID: \S* \s*ParentImage: (\.*) \s*ParentCommandLine:
+status,user,url,data
+
+
+
+
+ squid
+ ^\d+ \S+
+ ^\d+ (\S+) (\w+)/(\d+) \d+ \w+ (\S+)
+ srcip,action,id,url
+
+
+
+
+
+
+ ^unbound
+
+
+
+ unbound
+ info: (\S+) (\S+). A IN$| info: (\S+) (\S+) AAAA IN$
+ srcip,url
+
+
+
+
+ ^doas
+
+
+
+ doas
+ ^(\S+) ran| for (\S+):
+ srcuser
+
+
+
+ doas
+ as (\S+):
+ dstuser
+
+
+
+
+
+ windows-date-format
+ authenticator failed
+ [(\S+)]:\d+: \d+ Incorrect authentication data \(set_id=(\w+)\)
+ srcip,user
+
+
+
+ windows-date-format
+ ^SMTP connection from
+ [(\S+)]:\d+ \(TCP/IP connection count
+ srcip
+
+
+
+ windows-date-format
+ ^SMTP connection from
+ [(\S+)]:\d+ lost
+ srcip
+
+
+
+ windows-date-format
+ ^SMTP call from
+ [(\S+)]:\d+ dropped: too many syntax or protocol errors
+ srcip
+
+
+
+
+
+ ^nsd
+
+
+
+ nsd
+ from (\S+)@| from (\S+)
+ srcip
+
+
+
+
+
+ ^{"reqId":"\S+","message":"\.+","level":\d,"time":"\.+"}$|^{"app":"\S+","message":"\.+","level":\d,"time":"\.+"}$|^{"reqId":"\S+","level":\d,"time":"\S+","message":"\.+"}$
+
+
+
+
+ ^ownCloud
+
+
+
+ owncloud
+ Login failed: user
+ ^'(\w+)' , wrong password, IP:(\d+.\d+.\d+.\d+)
+ user, srcip
+
+
+
+ owncloud
+ Login failed:
+ ^'(\w+)' \(Remote IP: '(\d+.\d+.\d+.\d+)
+ user, srcip
+
+
+
+ owncloud
+ Passed filename is not valid, might be malicious
+ ;ip:"(\d+.\d+.\d+.\d+)|;ip:\\"(\d+.\d+.\d+.\d+)
+ srcip
+
+
+
+ owncloud
+ ","level":
+ ^(\d),"
+ status
+
+
+
+
+
+ psad
+
+
+
+ psad
+ ^scan detected
+ (\S+) -> (\S+) \.+ DL: (\d)
+ srcip,dstip,status
+
+
+
+ psad
+ ^message repeated
+ (\S+) -> (\S+) \.+ DL: (\d)
+ srcip,dstip,status
+
+
+
+ psad
+ signature match:
+ src: (\S+) signature match: \.+ port: (\d+)
+ srcip,dstport
+
+
+
+
+
+ ^pvedaemon
+
+
+
+ ^pvestatd
+
+
+
+ ^pveproxy
+
+
+
+ ^pvepw-logger
+
+
+
+ pvedaemon
+ authentication failure;
+ ^rhost=(\S+) user=(\S+)@pam msg=|^rhost=(\S+) user=(\S+)@pve msg=
+ srcip, user
+
+
+
+ pvedaemon
+ successful auth for user '
+ ^(\S+)@pam'$|^(\S+)@pve'$
+ user
+
+
+
+ ^dhcpd$
+
+
+
+ dhcpd
+ ^(\S+) \S+ (\S+) \S+ (\S+) via (\S+)$
+ action, srcip, extra_data, extra_data
+
+
+
+ dhcpd
+ acking
+ already acking lease (\S+)
+ srcip
+
+
+
+ dhcpd
+ ^IP address
+ ^IP address (\S+)
+ srcip
+
+
+
+
+ [\d+/\w+/\d+:\d+:\d+:\d+ -\d+] "
+ ^(\S+) (\S+) \S+ \S+ [\d+/\w+/\d+:\d+:\d+:\d+ -\d+] "(\S+) (\S+) HTTP/\d.\d" (\d+) \d$
+ url, srcip, protocol, url, status
+ web-log
+
+
+
+
+
+ ^dnsmasq
+
+
+
+ dnsmasq
+ ^[\d+]: \d+ (\S+)/\d+ (\S+) (\S+) to (\S+)|
+ ^[\d+]: \d+ (\S+)/\d+ (\S+) (\S+) from (\S+)|
+ ^[\d+]: \d+ (\S+)/\d+ (\S+) (\S+) is (\S+)
+ srcip, action, url, extra_data
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ^kesl
+
+
+
+ kesl
+ ^\p\pEventType\p: \p\S+\p,\pEventId\p: \p\d+\p,\pTaskName\p: \p\S+\p,\pTaskId\p: \p\d+\p,\pAVBasesDate\p: \p\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d\p\p
+ ^\p\pEventType\p: \p(\S+)\p,\pEventId\p: \p(\d+)\p,\pTaskName\p: \p(\S+)\p,\pTaskId\p: \p\d+\p,\pAVBasesDate\p: \p(\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d)\p\p
+ status, id, action, extra_data
+
+
+
+ kesl
+ ^\p\pEventType\p: \p\S+\p,\pEventID\p: \p\d+\p,\pDetectName\p: \p\S+\p,\pDetectType\p: \p\S+\p,\pDetectCertainty\p: \p\S+\p,\pDetectSource\p: \p\S+\p,\pFileName\p: \p\S+,\pObjectName\p: \p\S+\p,\pTaskId\p: \p\d+\p,\pRuntimeTaskId\p: \p\d+\p,\pTaskName\p: \p\S+\p,\pTaskType\p: \p\S+\p,\pAccessUser\p: \p\S+\p,\pAccessUserId\p: \p\d+\p,\pFileOwner\p: \p\S+\p,\pFileOwnerId\p: \p\d+\p\p
+ ^\p\pEventType\p: \p(\S+)\p,\pEventID\p: \p(\d+)\p,\pDetectName\p: \p\S+\p,\pDetectType\p: \p\S+\p,\pDetectCertainty\p: \p(\S+)\p,\pDetectSource\p: \p\S+\p,\pFileName\p: \S+,\pObjectName\p: \p\S+\p,\pTaskId\p: \p\d+\p,\pRuntimeTaskId\p: \p\d+\p,\pTaskName\p: \p\S+\p,\pTaskType\p: \p(\S+)\p,\pAccessUser\p: \p\S+\p,\pAccessUserId\p: \p\d+\p,\pFileOwner\p: \p\S+\p,\pFileOwnerId\p: \p\d+\p\p
+ status, id, extra_data, action
+
+
+
+ kesl
+ ^\p\pEventType\p: \p\S+\p,\pEventId\p: \p\d+\p,\pTaskName\p: \p\S+\p,\pTaskType\p: \p\S+\p,\pTaskId\p: \p\d+\p,\pTaskState\p: \p\S+\p,\pPrevTaskState\p: \p\S+\p,\pTaskRequestInitiator\p: \p\S+\p,\pRuntimeTaskId\p: \p\d+\p\p
+ ^\p\pEventType\p: \p(\S+)\p,\pEventId\p: \p(\d+)\p,\pTaskName\p: \p\S+\p,\pTaskType\p: \p(\S+)\p,\pTaskId\p: \p\d+\p,\pTaskState\p: \p(\S+)\p,\pPrevTaskState\p: \p\S+\p,\pTaskRequestInitiator\p: \p(\S+)\p,\pRuntimeTaskId\p: \p\d+\p\p
+ action, id, extra_data, status, srcuser
+
+
+
+
+
+
+ dionaea.connections
+ ^{\pdirection\p: \p(\S+)\p, \pprotocol\p: \p(\S+)\p, \pids_type\p: \p\S+\p, \ptimestamp\p: \p\d\d\d\d-\d\d-\d\d\w\d\d:\d\d:\d\d\.\d+\p, \pdionaea_action\p: \p(\S+)\p, \ptype\p: \pdionaea.connections\p, \papp\p: \pdionaea\p, \psrc_ip\p: "(\S+)", \pvendor_product\p: \pDionaea\p, \pdest_port\p: (\d+), \psignature\p: \p\.+\p, \psrc_port\p: (\d+), \pdest_ip\p: "(\S+)", \psensor\p: \S+, \ptransport\p: \p\S+\p, \pseverity\p: \p\S+\p}
+ extra_data, protocol, action, srcip, dstport, srcport, dstip
+
+
+
+
+
+
+
+
+
+ cowrie.sessions
+
+
+
+ cowrie
+ "SSH login attempted
+ ^{\pdirection\p: \p\S+\p, \pprotocol\p: \p(\S+)\p, \pids_type\p: \p(\S+)\p, \pssh_username\p: \p(\S+)\p, \papp\p: \pcowrie\p, \ptransport\p: \p\S+\p, \pdest_port\p: (\d+), \psrc_port\p: (\d+), \pseverity\p: \p\S+\p, \ptimestamp\p: \p\d\d\d\d-\d\d-\d\d\w\d\d:\d\d:\d\d.\d+\p, \pvendor_product\p: \pCowrie\p, \psensor\p: \S+, \psrc_ip\p: "(\S+)", \pssh_password\p: \p\S+\p, \psignature\p: \p(\.+)\p, \pssh_version\p: \.+, \ptype\p: \pcowrie.sessions\p, \pdest_ip\p: "(\S+)"}
+ protocol, extra_data, user, dstport, srcport, srcip, action, dstip
+
+
+
+ cowrie
+ "SSH session on cowrie honeypot
+ ^{\pdirection\p: \p\S+\p, \pprotocol\p: \p(\S+)\p, \pids_type\p: \p(\S+)\p, \ptimestamp\p: \p\d\d\d\d-\d\d-\d\d\w\d\d:\d\d:\d\d.\d+\p, \pvendor_product\p: \pCowrie\p, \ptype\p: \pcowrie.sessions\p, \papp\p: \pcowrie\p, \psrc_ip\p: "(\S+)", \pdest_port\p: (\d+), \psignature\p: \p(\.+)\p, \pssh_version\p: \.+, \psrc_port\p: (\d+), \pdest_ip\p: "(\S+)", \psensor\p: \S+, \ptransport\p: \p\S+\p, \pseverity\p: \p\S+\p}
+ protocol, extra_data, srcip, dstport, action, srcport, dstip
+
+
+
+ cowrie
+ "command attempted on cowrie honeypot
+ ^{\pdirection\p: \p\S+\p, \pprotocol\p: \p(\S+)\p, \pids_type\p: \p(\S+)\p, \ptimestamp\p: \p\d\d\d\d-\d\d-\d\d\w\d\d:\d\d:\d\d.\d+\p, \papp\p: \pcowrie\p, \ptransport\p: \p\S+\p, \pdest_port\p: (\d+), \psrc_port\p: (\d+), \pseverity\p: \p\S+\p, \pvendor_product\p: \pCowrie\p, \psensor\p: \S+, \psrc_ip\p: "(\S+)", \pcommand\p: \p\S+\p, \psignature\p: \p(\.+)\p, \pssh_version\p: \.+, \ptype\p: \pcowrie.sessions\p, \pdest_ip\p: "(\S+)"}
+ protocol, extra_data, dstport, srcport, srcip, action, dstip
+
+