novi upstream verzije 2.8.3
[ossec-hids.git] / etc / decoder.xml
index 669508e..e4b0b98 100755 (executable)
 
 <decoder name="proftpd-ip">
   <parent>proftpd</parent>
-  <regex>^\S+ \(\S+[(\S+)]\)</regex>
+  <regex>^\S+ \(\S+[(\S+)]\)|^\S+ \(\S+[::ffff:(\S+)]\)</regex>
   <order>srcip</order>
 </decoder>
 
   <order>user,srcip</order>
 </decoder>  
 
+<!-- Pure-FTPd transfer log decoder
+  - Examples from ossec-list:
+  - example.com - user1 [11/Mar/2013:12:10:23 -0000] "PUT /ftpdrive/user1/FinalBackup.zip" 200 25268220
+  - example.com - user1 [11/Mar/2013:12:24:57 -0000] "GET /ftpdrive/user1/FinalBackup.zip" 200 25268220
+  -->
+
+<decoder name="pure-transfer">
+  <prematch>^\S+ - \S+ [\d\d/\S\S\S/\d\d\d\d:\d\d:\d\d:\d\d -\d\d\d\d] </prematch>
+  <regex>^(\S+) - (\S+) [\d\d/\S\S\S/\d\d\d\d:\d\d:\d\d:\d\d -\d\d\d\d] "(\S+) (\.+) (\d+) \d+$</regex>
+  <order>extra_data,dstuser,action,url,status</order>
+</decoder>
+
+
 
 
 <!-- vsftpd decoder.
   - Nov 24 18:18:28 gandalf pop3d: LOGIN FAILED, ip=[::ffff:1.2.3.4]
   -->
 <decoder name="courier">
-  <program_name>^pop3d|^courierpop3login|^imaplogin</program_name>
+  <program_name>^pop3d|^courierpop3login|^imaplogin|^courier-pop3|^courier-imap</program_name>
 </decoder>
 
 <decoder name="courier-login">
 
 <decoder name="courier-generic">
   <parent>courier</parent>
-  <regex>, ip=[(\S+\d)]$</regex>
+  <regex>, ip=[(\S+\d)]$|, ip=[::ffff:(\S+\d)]$</regex>
   <order>srcip</order>
 </decoder>
 
   <order>url, srcip, id</order>
 </decoder>
 
+<!-- Windows IIS decoder for default settings
+  -  Tested with IIS 7.5 and IIS 8.5 (Windows 2008R2 and Windows 2012R2)
+  -  Will extract URL, Source IP, and HTTP response code
+  -  Examples:
+  -  IIS 7.5
+  -  2015-07-28 15:07:26 1.2.3.4 GET /QOsa/Browser/Default.aspx UISessionId=SN1234123&DeviceId=SN12312232SHARP+MX-4111N 80 - 31.3.3.7 OpenSystems/1.0;+product-family="85";+product-version="123ER123" 302 0 0 624
+  -  IIS 8.5
+  -  2015-03-11 20:28:21 1.2.3.4 GET /certsrv/Default.asp - 80 - 31.3.3.7 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/7.0) - 401 2 5 0
+  -  2015-03-11 21:59:09 1.2.3.4 GET /console/faces/com_sun_web_ui/jsp/version/version_30.jsp - 80 - 31.3.3.7 Sun+Web+Console+Fingerprinter/7.15 - 404 0 2 0
+  -  2015-03-11 22:01:58 1.2.3.4 GET /IISADMPWD/aexp.htr - 80 - 31.3.3.7 - - 404 0 2 0
+-->
+
+<decoder name="web-accesslog-iis-default">
+  <parent>windows-date-format</parent>
+  <type>web-log</type>
+  <use_own_name>true</use_own_name>
+  <prematch offset="after_parent">^\d+.\d+.\d+.\d+ GET |^\d+.\d+.\d+.\d+ POST </prematch>
+  <regex offset="after_prematch">(\S+ \S*) \.* (\d+.\d+.\d+.\d+) \S*\.* (\d\d\d) \S+ \S+ \S+</regex>
+  <order>url,srcip,id</order>
+</decoder>
+
 
 <!-- IIS 5 W3C FTP log format.
   - Examples:
     Logon Type: 2       Logon Process:  User32          Authentication 
     Package: Negotiate       Workstation Name:   ad
   - WinEvtLog: Security: AUDIT_SUCCESS(538): Security: lac: OSSEC-HM: OSSEC-HM: User Logoff:        User Name:      lac     Domain:         OSSEC-HM        Logon ID:               (0x0,0x7C966E)          Logon Type:     2  
+  - 2013 Oct 09 17:09:04 WinEvtLog: Application: INFORMATION(1): My Script: (no user): no domain: demo1.foo.example.com: test
   -->
 <decoder name="windows">
   <type>windows</type>
-  <prematch>^WinEvtLog: </prematch>
+  <prematch>^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog: |^WinEvtLog: </prematch>
   <regex offset="after_prematch">^\.+: (\w+)\((\d+)\): (\.+): </regex>
   <regex>(\.+): \.+: (\S+): </regex>
   <order>status, id, extra_data, user, system_name</order>
@@ -1849,9 +1884,9 @@ Sat May  7 03:27:57 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh del
 -->
 
 <decoder name="ar_log"> 
-        <prematch>^Mon|^Tue|^Wed|^Thu|^Fri|^Sat|^Sun \S+\s+\d+ \d\d:\d\d:\d\d \S+ \d+ /\.+/active-response</prematch>
-        <regex offset="after_prematch">/bin/(\S+) (\S+) - (\S+) (\d+.\d+) (\d+)</regex> 
-        <order>action, status, srcip, id, extra_data</order> 
+  <prematch>^\w\w\w \w+\s+\d+ \d\d:\d\d:\d\d \w+ \d+ /\S+/active-response</prematch>
+  <regex offset="after_prematch">/bin/(\S+) (\S+) - (\S+) (\d+.\d+) (\d+)</regex> 
+  <order>action, status, srcip, id, extra_data</order> 
 </decoder>
 
 <!-- Zeus decoder.
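Review bot: The rewritten prematch ends in `/\S+/active-response`, and since `\S+` also consumes `/` characters it is not obvious from the hunk that the engine stops after `/var/ossec` rather than running to the end of the path, so the new pattern should be confirmed with ossec-logtest against the sample line quoted in the comment above the hunk (`Sat May  7 03:27:57 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh del`). The leading `\w\w\w \w+\s+\d+` part does fix the old alternation, where only the `^Sun` branch carried the date and path requirements. The new `<regex>` and `<order>` lines keep a trailing space after `</regex>` and `</order>` that the surrounding decoders do not have; dropping it keeps the re-indentation clean. The `\w+` standing for the timezone presumably matches names such as `CDT` only, which is fine if that is the only form the active-response log emits.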
@@ -2173,6 +2208,17 @@ in HTTP request too long; attack: Malformed HTTP; src: 10.10.10.4; dst:
   <order>dstip, extra_data</order>
 </decoder>
 
+<!-- OpenBSD deluser
+  -  2014-02-21T10:22:55.134355-05:00 arrakis userdel[23023]: user removed: name=dac
+-->
+
+<decoder name="open-userdel">
+  <program_name>userdel</program_name>
+  <regex>user removed: name=(\S+)$</regex>
+  <order>srcuser</order>
+</decoder>
+
+
 
 <!-- OpenBSD mountd decoder
 - Apr 11 20:01:02 ix mountd[11618]: Refused mount RPC from host 192.168.17.10 port 45659
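Review bot: The new header comment says `OpenBSD deluser`, but the decoder's `<program_name>` and the quoted example both name `userdel`; the comment should read `<!-- OpenBSD userdel` so a reader searching the file finds it. The removed account is placed in `srcuser` by `<order>srcuser</order>`; since that name is the account acted on rather than the actor, `dstuser` may be the intended field, which is worth checking against whatever rules consume this decoder before settling on it. The three blank lines left between this decoder and the mountd comment are one more than the file uses elsewhere.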
@@ -2190,47 +2236,6 @@ in HTTP request too long; attack: Malformed HTTP; src: 10.10.10.4; dst:
 </decoder>
 
 
-<!-- bro-ids decoders
-  - Aug 25 08:52:10 junction bro: no=PortScanSummary na=NOTICE_ALARM_ALWAYS es=bro sa=192.168.17.8 num=988 msg=192.168.17.8\\\\ scanned\\\\ a\\\\ total\\\\ of\\\\ 988\\\\ ports tag=@ef-24ad-af
-  - Aug 26 12:34:27 junction bro: no=PortScan na=NOTICE_ALARM_ALWAYS es=bro sa=192.168.17.8 p=17/tcp num=250 msg=192.168.17.8\\ has\\ scanned\\ 250\\ ports\\ of\\ 192.168.17.17 tag=@11-68e9-5
-  - junction bro: Starting incremental serialization...
-  - junction bro: Finished incremental serialization.
-  - ix bro: no=NoticeTally na=NOTICE_ALARM_ALWAYS es=bro num=307 msg=AckAboveHole\\ (307\\ times) tag=@81-2fd-1f9
-  - ix bro: no=NoticeTally na=NOTICE_ALARM_ALWAYS es=bro num=7 msg=ContentGap\\ (7\\ times) tag=@81-2fd-1fa
-  - ix bro: no=ResourceSummary na=NOTICE_ALARM_ALWAYS es=bro msg=elapsed\\ time\\ \\=\\ 376.0\\ msecs\\ 174.0\\ usecs,\\ total\\ CPU\\ \\=\\ 390.0\\ msecs,\\ maximum\\ memory\\ \\=\\ 0\\ KB,\\ peak\\ connections\\ \\=\\ 0,\\ peak\\ timers\\ \\=\\ 84,\\ peak\\ fragments\\ \\=\\ 0 tag=@69-1f25-1
-  - junction bro: no=PortScanSummary na=NOTICE_ALARM_ALWAYS es=bro sa=192.168.17.8 num=988 msg=192.168.17.8\\\\ scanned\\\\ a\\\\ total\\\\ of\\\\ 988\\\\ ports tag=@ef-24ad-af
-  - junction bro: no=ZoneTransfer na=NOTICE_ALARM_ALWAYS es=bro sa=192.168.1.9 sp=4175/tcp da=192.168.1.17 dp=53/tcp p=53/tcp msg=transfer\\ of\\example.com\\ requested\\ by\\ 192.168.1.9 tag=@61-3a46-d
-  - ix bro: no=SensitivePortmapperAccess na=NOTICE_ALARM_ALWAYS es=bro sa=192.168.17.8 sp=2957/tcp da=192.168.17.9 dp=111/tcp p=111/tcp msg=rpc:\\ 192.168.17.8/2957\\ >\\ 192.168.17.9/portmap\\ pm_dump:\\ (done) tag=@46-764d-5d
-  - junction bro: no=PortScan na=NOTICE_ALARM_ALWAYS es=bro sa=192.168.17.8 p=17/tcp num=250 msg=192.168.17.8\\ has\\ scanned\\ 250\\ ports\\ of\\ 192.168.17.17 tag=@11-68e9-5
--->
-
-<decoder name="bro-ids">
-  <program_name>^bro</program_name>
-</decoder>
-
-<decoder name="bro-portscan">
-  <parent>bro-ids</parent>
-  <prematch>no=PortscanSummary</prematch>
-  <regex>sa=(\S+) num=(\d+) msg=</regex>
-  <order>srcip,extra_data</order>
-</decoder>
-
-<decoder name="bro-portscan2">
-  <parent>bro-ids</parent>
-  <prematch>no=PortScan </prematch>
-  <regex>sa=(\S+) p=(\d+)/(\S+) num=(\d+)</regex>
-  <order>srcip,srcport,protocol,extra_data</order>
-</decoder>
-
-<decoder name="bro-typical">
-  <parent>bro-ids</parent>
-  <prematch>na=NOTICE</prematch>
-  <regex>sa=(\S+) sp=(\d+)/(\S+) da=(\S+) dp=(\d+)/\S+</regex>
-  <order>srcip,srcport,protocol,dstip,dstport</order>
-</decoder>
-
-
-
 <!-- nss ldap decoders
 - Jun 26 08:19:25 servername sh: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...
 - Aug 16 10:58:12 client nscd: nss_ldap: failed to bind to LDAP server ldap://ldap.example.com: Can't contact LDAP server
@@ -2366,67 +2371,134 @@ type=PATH msg=audit(1273924468.947:179534): item=0 name=(null) inode=424783 dev=
 </decoder>
 
 <!-- SELinux -->
-  <decoder name="auditd-selinux">
-    <parent>auditd</parent>
-    <prematch offset="after_parent">^AVC </prematch>
-    <regex offset="after_parent">^(AVC) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): avc:  (\S+)  { \.+ } for  pid=\d+ comm="(\S+)" path="\S+" dev=\S+ ino=\d+ scontext=\S+ tcontext=\S+ tclass=\S+$</regex>
-    <order>action,id,status,extra_data</order>
-  </decoder>
+<decoder name="auditd-selinux">
+  <parent>auditd</parent>
+  <prematch offset="after_parent">^AVC </prematch>
+  <regex offset="after_parent">^(AVC) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): avc:  (\S+)  { \.+ } for  pid=\d+ comm="(\S+)" path="\S+" dev=\S+ ino=\d+ scontext=\S+ tcontext=\S+ tclass=\S+$</regex>
+  <order>action,id,status,extra_data</order>
+</decoder>
 
 <!-- syscall -->
-  <decoder name="auditd-syscall">
-    <parent>auditd</parent>
-    <prematch offset="after_parent">^SYSCALL </prematch>
-    <regex offset="after_parent">^(SYSCALL) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): arch=\w+ syscall=\d+ success=(\S+) exit=\S+ a0=\w+ a1=\w+ a2=\w+ a3=\w+ items=\d+ ppid=\d+ pid=\d+ auid=\d+ uid=\d+ gid=\d+ euid=\d+ suid=\d+ fsuid=\d+ egid=\d+ sgid=\d+ fsgid=\d+ tty=\S+ ses=\d+ comm="\S+" exe="(\.+)"</regex>
-    <order>action,id,status,extra_data</order>
-  </decoder>
+<decoder name="auditd-syscall">
+  <parent>auditd</parent>
+  <prematch offset="after_parent">^SYSCALL </prematch>
+  <regex offset="after_parent">^(SYSCALL) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): arch=\w+ syscall=\d+ success=(\S+) exit=\S+ a0=\w+ a1=\w+ a2=\w+ a3=\w+ items=\d+ ppid=\d+ pid=\d+ auid=\d+ uid=\d+ gid=\d+ euid=\d+ suid=\d+ fsuid=\d+ egid=\d+ sgid=\d+ fsgid=\d+ tty=\S+ ses=\d+ comm="\S+" exe="(\.+)"</regex>
+  <order>action,id,status,extra_data</order>
+</decoder>
 
 <!-- config -->
-  <decoder name="auditd-config">
-    <parent>auditd</parent>
-    <prematch offset="after_parent">^CONFIG_CHANGE </prematch>
-    <regex offset="after_parent">^(CONFIG_CHANGE) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): auid=\d+ ses=\d+ op="\.+" path="(\.+)" key="\S+" list=\d+ res=\d+$</regex>
-    <order>action,id,extra_data</order>
-  </decoder>
+<decoder name="auditd-config">
+  <parent>auditd</parent>
+  <prematch offset="after_parent">^CONFIG_CHANGE </prematch>
+  <regex offset="after_parent">^(CONFIG_CHANGE) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): auid=\d+ ses=\d+ op="\.+" path="(\.+)" key="\S+" list=\d+ res=\d+$</regex>
+  <order>action,id,extra_data</order>
+</decoder>
 
 <!-- path (will only decode if name is not null)-->
-  <decoder name="auditd-path">
-    <parent>auditd</parent>
-    <prematch offset="after_parent">^PATH </prematch>
-    <regex offset="after_parent">^(PATH) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): item=\d+ name="(\.+)" inode=\d+ dev=\S+ mode=\d+ ouid=\d+ ogid=\d+ rdev=\S+</regex>
-    <order>action,id,extra_data</order>
-  </decoder>
+<decoder name="auditd-path">
+  <parent>auditd</parent>
+  <prematch offset="after_parent">^PATH </prematch>
+  <regex offset="after_parent">^(PATH) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): item=\d+ name="(\.+)" inode=\d+ dev=\S+ mode=\d+ ouid=\d+ ogid=\d+ rdev=\S+</regex>
+  <order>action,id,extra_data</order>
+</decoder>
 
 <!-- user-related -->
-  <decoder name="auditd-user">
-    <parent>auditd</parent>
-    <regex offset="after_parent">^(USER_\S+) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): user pid=\d+ uid=\d+ auid=\d+|</regex>
-    <regex>^(CRED_\S+) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): user pid=\d+ uid=\d+ auid=\d+</regex>
-    <order>action,id</order>
-  </decoder>
-
-  <decoder name="auditd-user">
-    <parent>auditd</parent>
-    <regex offset="after_regex"> acct="(\.+)" : exe="(\.+)" \(hostname=\S+, addr=(\S+), terminal=\S+$</regex>
-    <order>user,extra_data,srcip</order>
-  </decoder>
-
-  <decoder name="auditd-user">
-    <parent>auditd</parent>
-    <regex offset="after_regex"> ses=\d+ subj=\S+ msg='\.+ acct="(\.+)" exe="(\.+)" hostname=\S+ addr=(\S+) terminal=\S+ res=(\S+)$</regex>
-    <order>user,extra_data,srcip,status</order>
-  </decoder>
-
-   <decoder name="auditd-user">
-    <parent>auditd</parent>
-    <regex offset="after_regex"> subj=\S+ msg='\.+ acct="(\.+)" \p*\s*exe="(\.+)" \(hostname=\S+, addr=(\S+), terminal=\S+ res=(\S+)\)'$</regex>
-    <order>user,extra_data,srcip,status</order>
-  </decoder>
-
-  <decoder name="auditd-user">
-    <parent>auditd</parent>
-    <regex offset="after_regex"> subj=\S+ msg='\.+ exe="(\.+)" \(hostname=\S+, addr=(\S+), terminal=\S+ res=(\S+)\)'$</regex>
-    <order>extra_data,srcip,status</order>
-  </decoder>
+<decoder name="auditd-user">
+  <parent>auditd</parent>
+  <regex offset="after_parent">^(USER_\S+) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): user pid=\d+ uid=\d+ auid=\d+|</regex>
+  <regex>^(CRED_\S+) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): user pid=\d+ uid=\d+ auid=\d+</regex>
+  <order>action,id</order>
+</decoder>
+
+<decoder name="auditd-user">
+  <parent>auditd</parent>
+  <regex offset="after_regex"> acct="(\.+)" : exe="(\.+)" \(hostname=\S+, addr=(\S+), terminal=\S+$</regex>
+  <order>user,extra_data,srcip</order>
+</decoder>
+
+<decoder name="auditd-user">
+  <parent>auditd</parent>
+  <regex offset="after_regex"> ses=\d+ subj=\S+ msg='\.+ acct="(\.+)" exe="(\.+)" hostname=\S+ addr=(\S+) terminal=\S+ res=(\S+)$</regex>
+  <order>user,extra_data,srcip,status</order>
+</decoder>
+
+<decoder name="auditd-user">
+  <parent>auditd</parent>
+  <regex offset="after_regex"> subj=\S+ msg='\.+ acct="(\.+)" \p*\s*exe="(\.+)" \(hostname=\S+, addr=(\S+), terminal=\S+ res=(\S+)\)'$</regex>
+  <order>user,extra_data,srcip,status</order>
+</decoder>
+
+<decoder name="auditd-user">
+  <parent>auditd</parent>
+  <regex offset="after_regex"> subj=\S+ msg='\.+ exe="(\.+)" \(hostname=\S+, addr=(\S+), terminal=\S+ res=(\S+)\)'$</regex>
+  <order>extra_data,srcip,status</order>
+</decoder>
+
+<!--
+mptscsih \ mptbase decoder
+
+Description: module for SCSI controllers.
+
+Examples:
+[ 5008.286061] mptscsih: ioc0: task abort: FAILED (rv=2003) (sc=ffff88007a8a9f00)
+
+[ 6498.769248] mptbase: ioc0: RAID STATUS CHANGE for PhysDisk 1 id=8
+[ 6498.769252] mptbase: ioc0:   PhysDisk is now failed, out of sync
+
+[ 6498.775783] mptbase: ioc0: RAID STATUS CHANGE for VolumeID 0
+[ 6498.775788] mptbase: ioc0:   volume is now degraded, enabled
+-->
+<decoder name="mptscsih-1">
+  <parent>iptables</parent>
+  <prematch>^[\s\d+.\d+] mptscsih: </prematch>
+  <regex>^[\s\d+.\d+] (\w+): (\w+): task abort: (\w+)</regex>
+  <order>id,data,status</order>
+</decoder>
+
+<decoder name="mptbase-1">
+  <parent>iptables</parent>
+  <prematch>^[\s\d+.\d+] mptbase: </prematch>
+  <regex>^[\s\d+.\d+] (\w+): (\w+):\s+\w+ is now (\w+)\p\s(\D+)$</regex>
+  <order>id,data,action,status</order>
+</decoder>
+
+<!-- Grandstream HT502 VoIP gateway decoder 
+Author and (c): Michael Starks, 2014 -->
+
+<!-- HT502: [00:0B:82:14:5B:94] Transport error (-1) for transaction 2677 -- >
+
+<decoder name="grandstream-ata">
+ <prematch>^HT286: [\w\w:\w\w:\w\w:\w\w:\w\w:\w\w]\p*\.+\p* |</prematch>
+ <prematch>^HT502: [\w\w:\w\w:\w\w:\w\w:\w\w:\w\w]\p*\.+\p* |</prematch>
+ <prematch>^HT503: [\w\w:\w\w:\w\w:\w\w:\w\w:\w\w]\p*\.+\p* </prematch>
+</decoder>
+
+<decoder name="grandstream-registration">
+ <parent>grandstream-ata</parent>
+ <prematch>Received </prematch>
+ <regex offset="after_prematch">^(\d+) response for transaction (\d+)\((\w+)\)$</regex>
+ <order>status, id, action</order>
+</decoder>
+
+<decoder name="grandstream-fts-registered">
+ <parent>grandstream-ata</parent>
+ <prematch>Account </prematch>
+ <regex offset="after_prematch">^(\d+) (registered), tried \d+; Next registration in \d+ seconds \(\d+/\d+\) on (\.+)$</regex>
+ <order>id, status, extra_data</order>
+ <fts>name, location, extra_data</fts>
+</decoder>
+
+<decoder name="grandstream-incoming-cid">
+ <parent>grandstream-ata</parent>
+ <prematch>Vinetic::</prematch>
+ <regex offset="after_prematch">^(startRing) with CID, Attempting to deliver CID (\d+) on port \d+$</regex>
+ <order>action, id</order>
+</decoder>
+
+<decoder name="grandstream-outgoing-call">
+ <parent>grandstream-ata</parent>
+ <regex offset="after_parent">^(Dialing) (\d+)$</regex>
+ <order>action, id</order>
+</decoder>
 
 <!-- EOF -->
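Review bot: The Grandstream sample comment `<!-- HT502: [00:0B:82:14:5B:94] Transport error (-1) for transaction 2677 -- >` is never closed: in XML `--` may not appear inside a comment and `-- >` is not a terminator, so a conforming parser treats everything up to the next `-->`, which is the `<!-- EOF -->` line at the end of this hunk, as comment text and all five `grandstream-*` decoders are silently dropped; unless the OSSEC parser is known to be more lenient here, the line should end with `-->`. The `mptscsih-1` and `mptbase-1` decoders declare `<parent>iptables</parent>`, which is surprising for SCSI-controller kernel messages; a one-line comment such as `<!-- parented on iptables because that decoder already matches kernel: messages -->` would spare the next reader a search, if that is indeed the reason. The `mptscsih \ mptbase` header reads better with a `/` than a backslash, and the grandstream decoders use one-space indentation where the rest of the file, including the auditd blocks re-indented in this same hunk, uses two.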