izmjene licence
[ossec-hids.git] / etc / decoder.xml
index c809108..e4b0b98 100755 (executable)
@@ -1,4 +1,4 @@
-<!-- @(#) $Id: decoder.xml,v 1.162 2009/11/09 20:32:29 dcid Exp $
+<!-- @(#) $Id: decoder.xml,v 1.166 2010/06/15 12:52:01 dcid Exp $
   -  OSSEC log decoder.
   -  Author: Daniel B. Cid
   -  License: http://www.ossec.net/en/licensing.html
   <order>user</order>
 </decoder>  
 
+<!--XXXX<decoder name="pam-user2">
+  <parent>pam</parent>
+  <prematch>^session \S+ </prematch>
+  <regex>for user (\S+)</regex>
+  <order>user</order>
+</decoder>
+-->
+
 <decoder name="pam-host-user">
   <parent>pam</parent>
   <prematch>rhost=\S+\s+user=\S+</prematch>
@@ -75,7 +83,6 @@
   <order>srcip</order>
 </decoder>
 
-
   
 <!-- SSH decoder.
   -  Will extract username and srcip from the logs.
   -  Apr 23 07:03:53 machinename sshd[29961]: User root from 12.3.4.5
   not allowed because not listed in AllowUsers
   -  sshd[9815]: scanned from 127.0.0.1 with SSH-1.99-AKASSH_Version_Mapper1.  Don't panic.
+  -  Sep  4 23:58:33 junction sshd[9351]: fatal: Write failed: Broken pipe
+  -  Sep 18 14:58:47 ix sshd[11816]: error: Could not load host key: /etc/ssh/ssh_host_ecdsa_key
+  -  Sep 23 10:32:25 server sshd[25209]: pam_ldap: error trying to bind as user "uid=user123,ou=People,dc=domain,dc=com" (Invalid credentials)
+  -  Aug 10 08:38:40 junction sshd[20013]: error: connect_to 192.168.179 port 8080: failed
+  -  Jun  9 00:00:01 ix sshd[9815]: scanned from 127.0.0.1 with SSH-1.99-AKASSH_Version_Mapper1.  Don't panic.
+  -  Jan 26 11:57:26 ix sshd[14879]: error: connect to ix.example.com port 7777 failed: Connection refused
+  -  Oct  8 10:07:27 y sshd[7644]: debug1: attempt 2 failures 2
+  -  Oct  8 08:58:37 y sshd[6956]: fatal: PAM: pam_setcred(): Authentication service cannot retrieve user credentials
+  -  Oct  8 08:48:33 y sshd[6856]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
+  -  Oct  8 11:18:26 172.16.51.132 sshd[7618]: error: PAM: Module is unknown for ddp from 172.16.51.1
+  -  Jun 19 20:56:00 tiny sshd[11605]: fatal: Write failed: Host is down
+  -  Jun 11 06:32:17 gorilla sshd[28293]: fatal: buffer_get_bignum2: buffer error
+  -  Jun 11 06:32:17 gorilla sshd[28293]: error: buffer_get_bignum2_ret: negative numbers not supported
+  -  Apr 14 19:28:21 gorilla sshd[31274]: Connection closed by 192.168.1.33
+  -  Jun 22 12:01:13 junction sshd[11283]: Received disconnect from 212.14.228.46: 11: Bye Bye
+  -  Nov  9 07:40:25 ginaz sshd[5973]: error: setsockopt SO_KEEPALIVE: Connection reset by peer
+  -  Nov  2 12:08:27 192.168.17.7 sshd[9665]: fatal: Cannot bind any address.
+  -  Nov  2 12:11:40 192.168.17.7 sshd[9814]: pam_loginuid(sshd:session): set_loginuid failed opening loginuid
+  -  Nov  6 09:53:38 hagal sshd[697]: error: accept: Software caused connection abort
+  -  Nov  9 11:36:55 ecaz sshd[26967]: pam_succeed_if(sshd:auth): error retrieving information about user _z9xxbBW
   -->
 
 <decoder name="sshd">
 <decoder name="ssh-reverse-mapping">
   <parent>sshd</parent>
   <prematch>^reverse mapping checking </prematch>
-  <regex offset="after_prematch">^\w+ for (\S+) </regex>
+  <regex offset="after_prematch">^\w+ for \S+ [(\S+)] |^\w+ for (\S+) </regex>
   <order>srcip</order>
 </decoder>       
 
   <order>srcip</order>
 </decoder>
 
+<decoder name="ssh-osx-refuse">
+  <parent>sshd</parent>
+  <prematch>^refused connect </prematch>
+  <regex offset="after_prematch">^from (\S+)$</regex>
+  <order>srcip</order>
+</decoder>
+
+<decoder name="ssh-closed">
+  <parent>sshd</parent>
+  <prematch>^Connection closed </prematch>
+  <regex offset="after_prematch">^by (\S+)$</regex>
+  <order>srcip</order>
+</decoder>
+
+<decoder name="ssh-disconnect">
+  <parent>sshd</parent>
+  <prematch>^Received disconnect </prematch>
+  <regex offset="after_prematch">^from (\S+):</regex>
+  <order>srcip</order>
+</decoder>
+
+<!--XXX
+<decoder name="ssh-pam">
+  <parent>sshd</parent>
+  <prematch>PAM: Module</prematch>
+  <regex>for (\S+) from (\S+)$</regex>
+  <order>user, srcip</order>
+</decoder>
+
+<decoder name="ssh-connect-to">
+  <parent>sshd</parent>
+  <prematch>connect_to</prematch>
+  <regex>connect_to: (\S+) port (\d+):</regex>
+  <order>dstip,dstport</order>
+</decoder>
+-->
+
+<decoder name="sshd-ldap">
+  <parent>sshd</parent>
+  <prematch>^pam_ldap: </prematch>
+  <regex>user "uid=(\S+),ou=\w+,dc=\w+,dc=\w+"</regex>
+  <order>user</order>
+</decoder>
+
+
+<!-- Dropbear rules -->
+<decoder name="dropbear">
+  <program_name>^dropbear</program_name>
+</decoder>
+
+<decoder name="dropbear-from">
+  <parent>dropbear</parent>
+  <regex>for '(\S+)' from (\S+):\d+$</regex>
+  <order>dstuser,srcip</order>
+</decoder>
+
 
 
 <!--
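Review bot: The `sshd-ldap` regex on L109 pins the bind DN to exactly two `dc=` components, so a deeper suffix (`dc=corp,dc=example,dc=com`) or an `ou` containing a hyphen never yields a `user` field, and those failed LDAP binds over SSH only reach the generic sshd rules. The `su-ldap` decoder added in this same patch simply stops at the first comma; `<regex>user "uid=(\S+),</regex>` matches the L37 sample and any deeper DN alike. The `<!-- Dropbear rules -->` block on L114 carries no sample line, so the `for '(\S+)' from (\S+):\d+$` shape assumed on L121 cannot be regression-tested from this file — a real dropbear line above the decoder would pin down the `dstuser`/`srcip` split.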
 
 
 <!--
+ - rshd decoder
+ - Example message:
+ - Dec 17 10:49:23 hostname rshd[347339]: Connection from 10.217.223.31 on illegal port
+ -->
+<decoder name="rshd">
+  <program_name>^rshd$</program_name>
+</decoder>
+                          
+<decoder name="rshd-illegal-connection">
+  <parent>rshd</parent>
+  <regex>^Connection from (\S+) on illegal port$</regex>
+  <order>srcip</order>
+</decoder>
+
+
+
+<!--
+ - cimserver decoder
+ - Example messages:
+ - Dec 18 18:06:28 hostname cimserver[18575]: PGS17200: Authentication failed for user jones_b.
+ - Dec 18 18:06:29 hostname cimserver[18575]: PGS17200: Authentication failed for user domain\jones_b.
+ -->
+<decoder name="cimserver">
+  <program_name>^cimserver$</program_name>
+</decoder>
+
+<decoder name="cimserver-failed-authentication">
+  <parent>cimserver</parent>
+  <prematch>^\w+: Authentication failed for user </prematch>
+  <regex offset="after_prematch">^(\S+).$</regex>
+  <order>user</order>
+</decoder>
+
+
+
+<!--
  - Samba decoder.
  - Will extraxt the username/srcip
  - Examples:
   <order>srcip</order>
 </decoder>
 
+<decoder name="smbd-from">
+  <parent>smbd</parent>
+  <prematch> from (\S+)$</prematch>
+  <regex> from (\S+)$</regex>
+  <order>srcip</order>
+</decoder>
+
+<decoder name="smbd-client">
+  <parent>smbd</parent>
+  <prematch>to client \S+.</prematch>
+  <regex>to client (\S+). </regex>
+  <order>srcip</order>
+</decoder>
+
+<decoder name="nmbd">
+  <program_name>^nmbd</program_name>
+</decoder>
 
 
 <!-- Sudo decoder.
   <fts>name, srcuser, location</fts>
 </decoder>
 
+<decoder name="su-ldap">
+  <parent>su</parent>
+  <prematch>pam_ldap</prematch>                                                                                                                                        
+  <regex>user "uid=(\S+),</regex>
+  <order>user</order>
+</decoder>
+
 <decoder name="su-detail2">
   <parent>su</parent>  
   <regex>^BAD SU (\S+) to (\S+) on|</regex>
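Review bot: L198 ends in a long run of trailing spaces after `</prematch>`, which every later diff of this block will drag along; trim it to `<prematch>pam_ldap</prematch>`. The prematch is also unanchored while the neighbouring `su-detail2` anchors with `^`; that is harmless here because the regex only fills `user` when `user "uid=` is present, but a one-line comment saying the decoder deliberately matches anywhere in the message would stop the next reader from "fixing" it.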
 
 <decoder name="proftpd-ip">
   <parent>proftpd</parent>
-  <regex>^\S+ \(\S+[(\S+)]\)</regex>
+  <regex>^\S+ \(\S+[(\S+)]\)|^\S+ \(\S+[::ffff:(\S+)]\)</regex>
   <order>srcip</order>
 </decoder>
 
   <order>user,srcip</order>
 </decoder>  
 
+<!-- Pure-FTPd transfer log decoder
+  - Examples from ossec-list:
+  - example.com - user1 [11/Mar/2013:12:10:23 -0000] "PUT /ftpdrive/user1/FinalBackup.zip" 200 25268220
+  - example.com - user1 [11/Mar/2013:12:24:57 -0000] "GET /ftpdrive/user1/FinalBackup.zip" 200 25268220
+  -->
+
+<decoder name="pure-transfer">
+  <prematch>^\S+ - \S+ [\d\d/\S\S\S/\d\d\d\d:\d\d:\d\d:\d\d -\d\d\d\d] </prematch>
+  <regex>^(\S+) - (\S+) [\d\d/\S\S\S/\d\d\d\d:\d\d:\d\d:\d\d -\d\d\d\d] "(\S+) (\.+) (\d+) \d+$</regex>
+  <order>extra_data,dstuser,action,url,status</order>
+</decoder>
+
+
 
 
 <!-- vsftpd decoder.
   - ftpd[811166]: refused connect from 88.225.42.182
   - in.ftpd[18561]: [ID 484914 daemon.notice] gethostbyaddr: nameservices.net. != 216.117.134.168
   - ftpd[31918]: FTPD: EXPORT file local , remote
+  - Dec 21 12:21:20 hostname ftpd[323115]: login jones_b from client.example.org failed.
   -->
 <decoder name="ftpd">
   <program_name>^ftpd|^in.ftpd</program_name>
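Review bot: `pure-transfer` (L223-L227) has no `<program_name>` and its prematch is just `host - user [date] `, which an NCSA/Apache access-log line in a negative-UTC-offset zone also satisfies — the file's own sample `1.1.1.1 - username [18/Jan/2006:13:10:06 -0500] "GET /xxx.html HTTP/1.1"` matches it. The decoder sits earlier in the file than `web-accesslog` (L452) and, as I read DecodeEvent, OSSEC commits to the first top-level prematch hit, so such lines would be tagged `pure-transfer` without `<type>web-log</type>` and the web attack rules would go quiet on them. At minimum move this block below `web-accesslog`; for hostname-leading Apache lines the only visible discriminator is the third `HTTP/x` token inside the quotes, which `<regex>^(\S+) - (\S+) [\d\d/\S\S\S/\d\d\d\d:\d\d:\d\d:\d\d \p\d\d\d\d] "(\w+) (\S+)" (\d+) \d+$</regex>` excludes at the cost of FTP paths containing spaces, a trade-off the comment block should record. Note that FTP lines whose first field is an address rather than a name would then be claimed by `web-accesslog` instead, so the regression check needs both shapes, and `\p\d\d\d\d` in place of `-\d\d\d\d` additionally accepts `+hhmm` zones.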
   <parent>ftpd</parent>
   <prematch>^Failed authentication from: \S+ |</prematch>
   <prematch>^repeated login failures from </prematch>
-  <regex offset="after_prematch">[(\d+.\d+.\d+.\d+)]$</regex>
+  <!--<regex offset="after_prematch">(\S+)</regex>-->
+  <regex offset="after_prematch">^\S+ [(\d+.\d+.\d+.\d+)]$|^(\S+)</regex>
   <order>srcip</order>
 </decoder>
 
   <order>srcip</order>
 </decoder>
 
+<decoder name="ftpd-tru64">
+  <parent>ftpd</parent>
+  <prematch>^login \S+ from \S+ failed.</prematch>
+  <regex>^login (\S+) from (\S+) failed.$</regex>
+  <order>user, srcip</order>
+</decoder>
+
 
 
 <!-- Arpwatch decoder.
   - arpwatch: new station 192.168.1.103 0:11:43:5e:5d:80 eth0
   - arpwatch: bogon 172.16.150.149 0:2:b3:d6:e5:68 eth0
   - arpwatch: new station 192.168.2.10 0:c0:4f:78:32:be
+  - arpwatch: pcap open re0: /dev/bpf0: Permission denied
+  - arpwatch: reused old ethernet address 192.168.17.248 0:e:3b:a:cb:67 (0:1e:8c:72:b0:d0)
   -->
 <decoder name="arpwatch">
   <program_name>^arpwatch</program_name>
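Review bot: `ftpd-tru64` on L255 copies the `from` token straight into `srcip`, and the L236 sample shows that token is a hostname (`client.example.org`), not an address; `<srcip>` CIDR matching and `same_source_ip` compare addresses, and OSSEC passes this field to active-response scripts as the thing to block, so a hostname there means missed correlation at best. If that daemon always logs the resolved name, say so above the decoder — e.g. `<!-- "from" is a hostname on Tru64: srcip-based CIDR rules and active response will not see an address -->` — or map it to `system_name`/`extra_data` and let a rule decide.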
   - Nov 24 18:18:28 gandalf pop3d: LOGIN FAILED, ip=[::ffff:1.2.3.4]
   -->
 <decoder name="courier">
-  <program_name>^pop3d|^courierpop3login|^imaplogin</program_name>
+  <program_name>^pop3d|^courierpop3login|^imaplogin|^courier-pop3|^courier-imap</program_name>
 </decoder>
 
 <decoder name="courier-login">
 
 <decoder name="courier-generic">
   <parent>courier</parent>
-  <regex>, ip=[(\S+\d)]$</regex>
+  <regex>, ip=[(\S+\d)]$|, ip=[::ffff:(\S+\d)]$</regex>
   <order>srcip</order>
 </decoder>
 
 <decoder name="dovecot-success">
   <parent>dovecot</parent>
   <prematch offset="after_parent">^\w\w\w\w-login: Login: </prematch>
-  <regex offset="after_prematch">^user=\p(\S+)\p, method=\S+, rip=(\S+), </regex>
-  <order>user, srcip</order>
+  <regex offset="after_prematch">^user=\p(\S+)\p, method=\S+, rip=\S*(\d+.\d+.\d+.\d+), lip=\S*(\d+.\d+.\d+.\d+), (\S*)$</regex>
+  <order>user, srcip, dstip, protocol</order>
 </decoder>
 
 <decoder name="dovecot-aborted">
   <parent>dovecot</parent>
   <prematch offset="after_parent">^\w\w\w\w-login: Aborted login</prematch>
-  <regex offset="after_prematch"> user=\p\S+>, method=\w+, rip=(\S+), lip=\S+</regex>
-  <order>srcip</order>
+  <regex offset="after_prematch">: user=\p(\S+)\p, method=\S+, rip=::ffff:(\d+.\d+.\d+.\d+), lip=::ffff:(\d+.\d+.\d+.\d+)$</regex>
+  <order>user, srcip, dstip</order>
+</decoder> 
+
+<decoder name="dovecot-fail">
+  <parent>dovecot</parent>
+  <prematch offset="after_parent">^auth\(default\)|auth-worker\(default\)</prematch>
+  <regex offset="after_prematch">^: \S+\((\S+),(\d+.\d+.\d+.\d+)\)</regex>
+  <order>user, srcip</order>
 </decoder>
 
 <decoder name="dovecot-disconnect">
   <parent>dovecot</parent>
   <prematch offset="after_parent">^\w\w\w\w-login: Disconnected: </prematch>
-  <regex offset="after_prematch">^rip=(\S+), </regex>
-  <order>srcip</order>
+  <regex offset="after_prematch">^rip=(\S+), lip=(\d+.\d+.\d+.\d+)</regex>
+  <order>srcip, dstip</order>
 </decoder>
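Review bot: The rewritten `dovecot-aborted` regex on L300 hard-codes `::ffff:` before both `rip=` and `lip=` and anchors with `$`, whereas the removed L298 accepted any `rip=` value; many Dovecot installs log plain `rip=1.2.3.4`, and those aborted logins — the brute-force signal — would then decode with no `srcip`. The `dovecot-success` regex on L291 already handles both forms with `\S*(\d+.\d+.\d+.\d+)`; using the same here, `<regex offset="after_prematch">: user=\p(\S+)\p, method=\S+, rip=\S*(\d+.\d+.\d+.\d+), lip=\S*(\d+.\d+.\d+.\d+)</regex>`, also tolerates trailing fields. `dovecot-disconnect` on L316 keeps `rip=(\S+)`, so its `srcip` retains the `::ffff:` prefix while the other two strip it, and the same client will not correlate across the three decoders under `same_source_ip`.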
 
 
   - Examples:
   -  valhalla named[7885]: client 192.168.1.231#1142: update 'hayaletgemi.edu/IN' denied
   - named[12637]: client 1.2.3.4#32769: query (cache) 'somedomain.com/MX/IN' denied
+  -  Oct 22 10:12:33 junction named[31687]: /etc/blocked.slave:9892: syntax error near ';'
+  -  Oct 22 10:12:33 junction named[31687]: reloading configuration failed: unexpected token
  -->           
 <decoder name="named">
   <program_name>^named</program_name>
 </decoder>
 
+<decoder name="named-query">
+  <parent>named</parent>
+  <prematch>: query: </prematch>
+  <regex>client (\S+)#\d+: query: (\S+) IN </regex>
+  <order>srcip,url</order>
+</decoder>
+
+
 <decoder name="named_client">
   <parent>named</parent>  
   <prematch>^client </prematch>
   <order>srcip</order>
 </decoder>
 
+<decoder name="named-master">
+  <parent>named</parent>
+  <prematch> for master</prematch>
+  <regex>for master (\d+.\d+.\d+.\d+):(\d+) \S+ \(source (\d+.\d+.\d+.\d+)#d+\)$</regex>
+  <order>dstip,dstport,srcip</order>
+</decoder>
 
 
 <!-- Postfix  decoder.
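Review bot: `#d+` at the end of the `named-master` regex on L348 is missing its backslash, so it demands a literal `#` followed by one or more `d` characters and the decoder can never match a real `(source 10.0.0.1#53)` suffix. The intended line is `<regex>for master (\d+.\d+.\d+.\d+):(\d+) \S+ \(source (\d+.\d+.\d+.\d+)#\d+\)$</regex>`. A sample `for master` line belongs in the named examples block (L322-L325); that is what would have caught this.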
 </decoder>
 
 
+<!-- OpenBSD smtpd decoders -->
+
+<decoder name="smtpd">
+  <program_name>smtpd</program_name>
+</decoder>
+
+<decoder name="smtpd-client">
+  <parent>smtpd</parent>
+  <prematch offset="after_parent">^client</prematch>
+  <regex>^client (\S+) </regex>
+  <order>srcip</order>
+</decoder>
+
+<decoder name="smtpd-relay">
+  <parent>smtpd</parent>
+  <prematch>relay=</prematch>
+  <regex>relay=\S+ [(\S+)], </regex>
+  <order>srcip</order>
+</decoder>
+
+
+
 <!-- Iptables decoder.
   - Will extract the srcip, dstip, srcport, dstport, protocol
   - Examples:
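Review bot: `<program_name>smtpd</program_name>` on L360 is unanchored, unlike `^ntpd`, `^rshd$` and the other program names in this patch, so it also matches `postfix/smtpd`; today the Postfix decoder above wins by file order, but that is a fragile dependency for a decoder that fills `srcip`, and `<program_name>^smtpd$</program_name>` states the intent. The `smtpd-relay` regex on L373 captures the address in `relay=host [addr]`, which in a delivery line is the next hop the MTA connected to, so `dstip` rather than `srcip` looks like the right field — confirm against OpenSMTPD output. A sample line for each decoder under the `<!-- OpenBSD smtpd decoders -->` heading would let this section be regression-tested like the others.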
    <order>srcport,dstport</order>
 </decoder>   
 
+<decoder name="iptables-shorewall2">
+  <parent>iptables</parent>
+  <type>firewall</type>
+  <prematch>^\p\S+\p Shorewall:\S+:</prematch>
+  <regex offset="after_prematch">^(\S+):\.+ SRC=(\S+) DST=(\S+) \.+ </regex>
+  <regex>PROTO=(\w+) </regex>
+  <order>action,srcip,dstip,protocol</order>
+</decoder>
 
 
 <!-- Solaris IPFilter decoder.
   <order>id, action, protocol, srcip, srcport, dstip, dstport</order>
 </decoder>
 
+<decoder name="pix-url-success">
+  <parent>pix</parent>
+  <prematch offset="after_parent">^5-304001: </prematch>
+  <regex offset="after_parent">^(\S+): (\d+.\d+.\d+.\d+) Accessed URL </regex>
+  <regex>(\d+.\d+.\d+.\d+):(http\w*://\.+)|</regex>
+  <regex>^(\S+): (\d+.\d+.\d+.\d+) Accessed URL (\d+.\d+.\d+.\d+):</regex>
+  <order>id, srcip, dstip, url</order>
+</decoder>
+
+<decoder name="pix-url-deny">
+  <parent>pix</parent>
+  <prematch offset="after_parent">^5-304002: </prematch>
+  <regex offset="after_parent">^(\S+): Access (denied) URL (http\w*://\.+) </regex>
+  <regex>SRC (\d+.\d+.\d+.\d+) DEST (\d+.\d+.\d+.\d+) on interface</regex>  
+  <order>id, action, url, srcip, dstip</order>
+</decoder>
+
 <decoder name="pix-attacks">
   <parent>pix</parent>
   <prematch offset="after_parent">^2-106012: |^2-106017: |</prematch>
 
 
 
+<!-- OpenBSD isakmpd decoders -->
+
+<decoder name="isakmpd">
+  <program_name>^isakmpd</program_name>
+</decoder>
+
+<decoder name="isakmpd-from">
+  <parent>isakmpd</parent>
+  <prematch>message from </prematch>
+  <regex>from (\S+) port (\d+)</regex>
+  <order>srcip,srcport</order>
+</decoder>
+
+<decoder name="isakmpd-peer">
+  <parent>isakmpd</parent>
+  <prematch>from peer</prematch>
+  <regex>from peer (\S+):(\d+)$</regex>
+  <order>srcip,srcport</order>
+</decoder>
+
+
+
 <!-- Suhosin decoder.
   - Will extract the attack name and srcip.
   - Examples:
      200 1732
   -  1.1.1.1 - username [18/Jan/2006:13:10:06 -0500] "GET /xxx.html HTTP/1.1"   
   -  123.4.5.6 aa.xx.com - [05/Nov/2006:00:46:56 -0500] "GET / HTTP/1.1" 302 -
+  - ::ffff:202.194.15.192 190.7.138.180 - [18/Oct/2010:10:48:55 -0500] "GET //php-my-admin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 345 "-"  "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
   -->
 <decoder name="web-accesslog">
   <type>web-log</type>
-  <prematch>^\d+.\d+.\d+.\d+ </prematch>
+  <prematch>^\d+.\d+.\d+.\d+ |^::ffff:\d+.\d+.\d+.\d+ </prematch>
   <regex>^(\d+.\d+.\d+.\d+) \S+ \S+ [\S+ \S\d+] </regex>
   <regex>"\w+ (\S+) HTTP\S+ (\d+) </regex>
   <order>srcip, url, id</order>
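Review bot: L455 adds `^::ffff:\d+.\d+.\d+.\d+ ` to the prematch but the regex on L456 still starts `^(\d+.\d+.\d+.\d+) `, so an IPv4-mapped line such as the new L450 sample selects the decoder and then fails the regex, leaving `srcip`, `url` and `id` empty for the very attack sample being added. The `dovecot-success` decoder in this same patch already uses a `\S*` prefix for this case; `<regex>^\S*(\d+.\d+.\d+.\d+) \S+ \S+ [\S+ \S\d+] </regex>` covers both the prefixed and the plain address.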
   <order>url, srcip, id</order>
 </decoder>
 
+<!-- Windows IIS decoder for default settings
+  -  Tested with IIS 7.5 and IIS 8.5 (Windows 2008R2 and Windows 2012R2)
+  -  Will extract URL, Source IP, and HTTP response code
+  -  Examples:
+  -  IIS 7.5
+  -  2015-07-28 15:07:26 1.2.3.4 GET /QOsa/Browser/Default.aspx UISessionId=SN1234123&DeviceId=SN12312232SHARP+MX-4111N 80 - 31.3.3.7 OpenSystems/1.0;+product-family="85";+product-version="123ER123" 302 0 0 624
+  -  IIS 8.5
+  -  2015-03-11 20:28:21 1.2.3.4 GET /certsrv/Default.asp - 80 - 31.3.3.7 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/7.0) - 401 2 5 0
+  -  2015-03-11 21:59:09 1.2.3.4 GET /console/faces/com_sun_web_ui/jsp/version/version_30.jsp - 80 - 31.3.3.7 Sun+Web+Console+Fingerprinter/7.15 - 404 0 2 0
+  -  2015-03-11 22:01:58 1.2.3.4 GET /IISADMPWD/aexp.htr - 80 - 31.3.3.7 - - 404 0 2 0
+-->
+
+<decoder name="web-accesslog-iis-default">
+  <parent>windows-date-format</parent>
+  <type>web-log</type>
+  <use_own_name>true</use_own_name>
+  <prematch offset="after_parent">^\d+.\d+.\d+.\d+ GET |^\d+.\d+.\d+.\d+ POST </prematch>
+  <regex offset="after_prematch">(\S+ \S*) \.* (\d+.\d+.\d+.\d+) \S*\.* (\d\d\d) \S+ \S+ \S+</regex>
+  <order>url,srcip,id</order>
+</decoder>
+
 
 <!-- IIS 5 W3C FTP log format.
   - Examples:
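Review bot: The IIS prematch on L478 only admits `GET` and `POST`, so `HEAD`, `OPTIONS`, `PROPFIND`, `TRACE` and `PUT` requests — exactly what scanners and WebDAV probes send — fall through undecoded and never reach the web-log rules; `<prematch offset="after_parent">^\d+.\d+.\d+.\d+ \w+ </prematch>` keeps the shape while accepting any method token. Note also that the `url` capture `(\S+ \S*)` on L479 always appends the `cs-uri-query` column, so a request without a query string yields `/certsrv/Default.asp -` with a trailing ` -`, which matters for rules that anchor a URL with `$` or compare it exactly; record that in the comment block or add an alternative that drops the `-`.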
     Logon Type: 2       Logon Process:  User32          Authentication 
     Package: Negotiate       Workstation Name:   ad
   - WinEvtLog: Security: AUDIT_SUCCESS(538): Security: lac: OSSEC-HM: OSSEC-HM: User Logoff:        User Name:      lac     Domain:         OSSEC-HM        Logon ID:               (0x0,0x7C966E)          Logon Type:     2  
+  - 2013 Oct 09 17:09:04 WinEvtLog: Application: INFORMATION(1): My Script: (no user): no domain: demo1.foo.example.com: test
   -->
 <decoder name="windows">
   <type>windows</type>
-  <prematch>^WinEvtLog: </prematch>
+  <prematch>^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog: |^WinEvtLog: </prematch>
   <regex offset="after_prematch">^\.+: (\w+)\((\d+)\): (\.+): </regex>
   <regex>(\.+): \.+: (\S+): </regex>
   <order>status, id, extra_data, user, system_name</order>
   -->
 <decoder name="windows-snare">
   <type>windows</type>
-  <prematch>^MSWinEventLog\t\d\t\.+\t\d+\t\w\w\w \w\w\w \d\d \d\d</prematch>
+  <prematch>^MSWinEventLog\t\d\t\.+\t\d+\t\w\w\S+ \w\w\w \d\d \d\d</prematch>
   <regex offset="after_prematch">^:\d\d:\d\d \d\d\d\d\t(\d+)\t(\.+)</regex>
   <regex>\t(\.+)\t\.+\t(\.+)\t(\.+)\t</regex>
   <order>id, extra_data, user, status, system_name</order>
   <fts>name, location, extra_data</fts>
 </decoder>
 
+<decoder name="ossec-alert1">
+   <parent>ossec</parent>
+   <prematch>^ossec: Alert Level:</prematch>
+   <plugin_decoder>OSSECAlert_Decoder</plugin_decoder>
+</decoder>
+
 <decoder name="ossec-alert">
   <program_name>^ossec$</program_name>
   <plugin_decoder>OSSECAlert_Decoder</plugin_decoder>
 </decoder>  
 
+<!-- decoder for active responses as logged by an OSSEC agent or server 
+- Examples
+Sat May  7 03:17:27 CDT 2011 /var/ossec/active-response/bin/host-deny.sh add - 172.16.0.1 1304756247.60385 31151
+Sat May  7 03:17:27 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh add - 172.16.0.1 1304756247.60385 31151
+Sat May  7 03:27:57 CDT 2011 /var/ossec/active-response/bin/host-deny.sh delete - 172.16.0.1 1304756247.60385 31151
+Sat May  7 03:27:57 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh delete - 172.16.0.1 1304756247.60385 31151
+-->
 
+<decoder name="ar_log"> 
+  <prematch>^\w\w\w \w+\s+\d+ \d\d:\d\d:\d\d \w+ \d+ /\S+/active-response</prematch>
+  <regex offset="after_prematch">/bin/(\S+) (\S+) - (\S+) (\d+.\d+) (\d+)</regex> 
+  <order>action, status, srcip, id, extra_data</order> 
+</decoder>
 
 <!-- Zeus decoder.
   - Will extract the severity and the srcip/username when available.
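Review bot: `ossec-alert1` on L509-L513 declares `<parent>ossec</parent>`, but the only decoder in view for that program is named `ossec-alert` (L515), so unless a decoder literally named `ossec` exists outside this diff the child has nothing to attach to and its `^ossec: Alert Level:` prematch never runs. If the intent is to route alert lines to the plugin through the existing decoder, `<parent>ossec-alert</parent>` is the fix; either way a sample `ossec: Alert Level:` line above it would document which input it serves. The `ar_log` decoder maps the blocked address to `srcip`, so any rule written on it should be careful not to itself trigger active response, or the log of a block becomes the trigger for the next one.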
   <program_name>^asterisk</program_name>
 </decoder>
 
+<decoder name="asterisk-hijacking">
+  <parent>asterisk</parent>
+  <prematch>^WARNING[\d+]: \S+ in \S+: Don't know </prematch>
+  <regex offset="after_prematch">^\S+ how to respond via '(\w+/\d.\d/\w+)'</regex>
+  <order>user</order>
+</decoder>
+
 <decoder name="asterisk-denied">
   <parent>asterisk</parent>
   <prematch>^NOTICE[\d+]: \S+ in \S+: Registration from </prematch>
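Review bot: `asterisk-hijacking` on L542 stores the transport token it captures (`SIP/2.0/UDP` from `how to respond via '…'`) in `user`, so `same_user`/`<user>` rules would correlate on a protocol string that is identical for every caller. `protocol` or `extra_data` describes that value; `<order>protocol</order>` unless a rule outside this diff already depends on the `user` placement. A sample line above the decoder would settle what the token actually is.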
   <order>srcip</order>
 </decoder>
 
+<decoder name="asterisk-denied2">
+  <parent>asterisk</parent>
+  <prematch>Registration from </prematch>
+  <regex offset="after_prematch">failed for '(\d+.\d+.\d+.\d+)'</regex>
+  <order>srcip</order>
+</decoder>
 
+<decoder name="asterisk-iax-authentication-denied">
+  <parent>asterisk</parent>
+  <prematch>^NOTICE[\d+]: \S+ in \S+: Host </prematch>
+  <regex offset="after_prematch">^(\d+.\d+.\d+.\d+) failed MD5 authentication for (\S+)</regex>
+  <order>srcip, user</order>
+</decoder>
 
 <!-- Cisco IOS
   - Group for Cisco IOS messages.
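Review bot: `asterisk-denied2` on L552-L557 shares its `Registration from ` trigger with `asterisk-denied` directly above (L548 anchors the same text after `NOTICE[…]`), and as far as I can tell OSSEC only falls through between same-named siblings, so which lines this new decoder ever sees depends on that ordering — a comment above it should say which message form it is meant to catch. If that form is the `failed for '1.2.3.4:5060' - Wrong password` variant that includes a port, the closing quote in L555 has to go: `<regex offset="after_prematch">failed for '(\d+.\d+.\d+.\d+)</regex>`.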
@@ -1860,16 +2179,16 @@ in HTTP request too long; attack: Malformed HTTP; src: 10.10.10.4; dst:
 -->
 
 <decoder name="ms-dhcp-ipv4">
-  <prematch>^\d\d,\d+/\d+/\d\d\d\d,\d+:\d+:\d+,</prematch>
-  <regex>^(\d\d),</regex>
-  <order>id</order>
+  <prematch>^\d\d,\d+/\d+/\d\d\d\d,\d+:\d+:\d+,|</prematch>
+  <prematch>^\d\d,\d+/\d+/\d\d,\d+:\d+:\d+,</prematch>
+  <regex>^(\d\d),\d+/\d+/\d\d\d*,\d+:\d+:\d+,(\w+),(\d+.\d+.\d+.\d+)</regex>
+  <order>id,extra_data,srcip</order>
 </decoder>
 
 <!--
   -  Server 2008 DHCP IPv6 Decoder (must go second)
   -  ID,Date,Time,Description,IPV6 Address,Host Name,Error Code, Duid Length, Duid Bytes(Hex),User Name.
 -->
-11020,05/05/09,00:00:38,DHCPV6
 <decoder name="ms-dhcp-ipv6">
   <prematch>^\d\d\d\d\d,\d\d/\d\d/\d\d,\d\d:\d\d:\d\d,</prematch>
   <regex>^(\d\d\d\d\d),</regex>
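Review bot: The new `ms-dhcp-ipv4` regex on L577 requires the description column to be a single `\w+` token, but as I recall the Microsoft DHCP audit log uses descriptions with spaces (`DNS Update Request`, `Database Cleanup Begin`) and some rows carry an empty address column, so those rows now select the decoder and then decode nothing — previously L573 at least yielded `id`. `<regex>^(\d\d),\d+/\d+/\d\d\d*,\d+:\d+:\d+,(\.+),(\d+.\d+.\d+.\d+)|^(\d\d),</regex>` keeps `id` for every row and captures the address when there is one. A few sample rows in the comment block (the stray one removed at L585 was the only one) would keep this verifiable.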
@@ -1877,5 +2196,309 @@ in HTTP request too long; attack: Malformed HTTP; src: 10.10.10.4; dst:
 </decoder>
 
 
+<!-- OpenBSD kernel messages -->
+<decoder name="bsd_kernel">
+  <program_name>^/bsd</program_name>
+</decoder>
+
+<decoder name="bsd_arp">
+  <parent>bsd_kernel</parent>
+  <prematch offset="after_parent">^arp </prematch>
+  <regex offset="after_prematch"> for (\S+) by (\S+) on \S+</regex>
+  <order>dstip, extra_data</order>
+</decoder>
+
+<!-- OpenBSD deluser
+  -  2014-02-21T10:22:55.134355-05:00 arrakis userdel[23023]: user removed: name=dac
+-->
+
+<decoder name="open-userdel">
+  <program_name>userdel</program_name>
+  <regex>user removed: name=(\S+)$</regex>
+  <order>srcuser</order>
+</decoder>
+
+
+
+<!-- OpenBSD mountd decoder
+- Apr 11 20:01:02 ix mountd[11618]: Refused mount RPC from host 192.168.17.10 port 45659
+-->
+
+<decoder name="mountd">
+  <program_name>^mountd</program_name>
+</decoder>
+
+<decoder name="mountd-host">
+  <parent>mountd</parent>
+  <prematch>from host </prematch>
+  <regex offset="after_prematch">(\S+) port \d+$</regex>
+  <order>srcip</order>
+</decoder>
+
+
+<!-- nss ldap decoders
+- Jun 26 08:19:25 servername sh: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...
+- Aug 16 10:58:12 client nscd: nss_ldap: failed to bind to LDAP server ldap://ldap.example.com: Can't contact LDAP server
+-->
+<!--
+<decoder name="nss-ldap">
+  <program_name>^sh$|^nscd$</program_name>
+  <prematch>^nss_ldap</prematch>
+</decoder>
+
+<decoder name="ldap-server">
+  <parent>nss-ldap</parent>
+  <prematch> server </prematch>
+  <regex offset="after_prematch">ldap://(\S+):</regex>
+  <order>system_name</order>
+</decoder>
+-->
+
+
+
+<!-- OpenBSD groupdel
+  - May 28 09:15:43 ix groupdel[25984]: group deleted: name=_dbus
+-->
+<decoder name="groupdel">
+  <program_name>groupdel</program_name>
+  <regex>^group deleted: name=(\S+)$</regex>
+  <order>extra_data</order>
+</decoder>
+
+
+<!-- Portsentry -->
+<decoder name="portsentry">
+  <program_name>^portsentry</program_name>
+</decoder>
+
+<decoder name="portsentry-attackalert">
+  <parent>portsentry</parent>
+  <prematch>attackalert: Connect from host: </prematch>
+  <regex offset="after_prematch">(\S+)/\S+ to (\S+) port: (\d+)$</regex>
+  <order>srcip,protocol,dstport</order>
+</decoder>
+
+<decoder name="portsentry-blocked">
+  <parent>portsentry</parent>
+  <prematch>is already blocked. Ignoring$</prematch>
+  <regex>Host: (\S+) is</regex>
+  <order>srcip</order>
+</decoder>
+
+
+<!-- Clamav and Freshclam decoder
+  -  Nov  5 22:59:19 ix freshclam[32349]: Incremental update failed, trying to download daily.cvd
+-->
+<decoder name="clamd">
+  <program_name>^clamd</program_name>
+</decoder>
+
+<decoder name="freshclam">
+  <program_name>^freshclam</program_name>
+</decoder>
+
+
+<!-- OpenLDAP decoder.
+  - Jan 11 09:26:57 hostname slapd2.4[20872]: conn=999999 fd=64 ACCEPT from IP=10.10.248.27:33957 (IP=10.10.241.77:389)
+  -->
+<decoder name="openldap">
+   <program_name>^slapd</program_name>
+   <regex>^conn=(\d+) </regex>
+   <order>id</order>
+</decoder>
+
+
+
+<!-- NTP decoder 
+  - gorilla ntpd[27379]: bad sensor nmea0
+  - tiny ntpd[25875]: bad peer 192.168.1.233 (192.168.1.233)
+  - gorilla ntpd[29719]: bind on 192.168.1.233 failed, skipping: Can't assign requested address
+  - ix ntpd[8392]: bind on 192.168.17.9 failed, skipping: Address already in use
+  - ix ntpd[11685]: bad peer from pool pool.ntp.org (64.73.32.135)
+  - richese ntpd[3465]: bad peer ix (192.168.17.9)
+  - ix ntpd[11685]: bad peer from pool pool.ntp.org (69.50.219.51)
+  - ix ntpd[7045]: recvmsg 192.168.17.17: Connection refused
+  - ix ntpd[29411]: 2 out of 3 peers valid
+  - bridge ntpd[5877]: logconfig: illegal argument  - ignored
+  - bridge ntpd[5902]: offset 0.000000 sec freq 0.000 ppm error 0.000011 poll 6
+-->
+<decoder name="ntpd">
+  <program_name>^ntpd</program_name>
+</decoder>
+
+<decoder name="ntpd-bad-peer">
+  <parent>ntpd</parent>
+  <prematch offset="after_parent">^bad peer </prematch>
+  <regex>^bad peer \S+ \p(\S+)\p$|^bad peer from pool \S+ \p(\S+)\p$</regex>
+  <order>srcip</order>
+</decoder>
+
+
+<!-- Auditd
+163
+164   - Will extract action, id, status, extra_data, srcip
+165   - Author and (c): Michael Starks, 2011
+166   - Future enhancements should ensure that all log samples regress properly due to the complexity of these decoders
+167   - Examples: 
+
+<!-- CentOS 5.5 -->
+type=USER_ACCT msg=audit(1310592861.936:1222): user pid=24675 uid=0 auid=501 ses=188 subj=system_u:system_r:unconfined_t:s0 msg='op=PAM:accounting acct="username" exe="/usr/bin/sudo" (hostname=?, addr=?, terminal=pts/5 res=success)'
+type=CRED_ACQ msg=audit(1305666154.831:51859): user pid=21250 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: setcred acct="username" : exe="/usr/sbin/sshd" (hostname=lala.example.com, addr=172.16.0.1, terminal=ssh res=success)'
+type=CRED_ACQ msg=audit(1273182001.226:148635): user pid=29770 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron
+type=USER_AUTH msg=audit(1305666163.690:51871): user pid=21269 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='PAM: authentication acct="root" : exe="/bin/su" (hostname=?, addr=?, terminal=pts/0 res=success)'
+type=USER_ACCT msg=audit(1306939201.750:67934): user pid=4401 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
+type=CRED_ACQ msg=audit(1306939201.751:67935): user pid=4401 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
+type=USER_START msg=audit(1306939201.756:67937): user pid=4401 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
+type=USER_CHAUTHTOK msg=audit(1304523288.952:37394): user pid=7258 uid=0 auid=500 subj=user_u:system_r:unconfined_t:s0 msg='op=change password id=505 exe="/usr/bin/passwd" (hostname=?, addr=?, terminal=pts/1 res=success)'
+
+<!-- Unknown source -->
+type=USER_ACCT msg=audit(1310592861.936:1222): user pid=24675 uid=0 auid=501 ses=188 subj=system_u:system_r:unconfined_t:s0 msg='op=PAM:accounting acct="username" exe="/usr/bin/sudo" (hostname=?, addr=?, terminal=pts/5 res=success)'
+
+<!-- Ubuntu 10.04 LTS -->
+type=SYSCALL msg=audit(1307045440.943:148): arch=c000003e syscall=59 success=yes exit=0 a0=de1fa8 a1=de23a8 a2=dc3008 a3=7fff1db3cc60 items=2 ppid=11719 pid=12140 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts8 ses=4294967295 comm="wget" exe="/tmp/wget" key="webserver-watch-tmp"
+type=SYSCALL msg=audit(1307045820.403:151): arch=c000003e syscall=59 success=no exit=-13 a0=de24c8 a1=de2408 a2=dc3008 a3=7fff1db3cc60 items=1 ppid=11719 pid=12347 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts8 ses=4294967295 comm="bash" exe="/bin/bash" key=(null)
+type=SYSCALL msg=audit(1306939143.715:67933): arch=40000003 syscall=94 success=yes exit=0 a0=5 a1=180 a2=8ebd360 a3=8ec4978 items=1 ppid=4383 pid=4388 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8038 comm="less" exe="/usr/bin/less" subj=user_u:system_r:unconfined_t:s0 key="perm_mod"
+type=USER_ROLE_CHANGE msg=audit(1280266360.845:51): user pid=1978 uid=0 auid=500 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='pam: default-context=user_u:system_r:unconfined_t:s0 selected-context=user_u:system_r:unconfined_t:s0: exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
+type=PATH msg=audit(1306967989.163:119): item=0 name="./ls" inode=261813 dev=fb:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
+
+<!-- Will not decode due to null name, that's OK -->
+type=PATH msg=audit(1273924468.947:179534): item=0 name=(null) inode=424783 dev=fd:07 mode=0100640 ouid=0 ogid=502 rdev=00:00 obj=user_u:object_r:file_t:s0
+
+-->
+
+<decoder name="auditd">
+  <prematch>^type=</prematch>
+</decoder>
+
+<!-- SELinux -->
+<decoder name="auditd-selinux">
+  <parent>auditd</parent>
+  <prematch offset="after_parent">^AVC </prematch>
+  <regex offset="after_parent">^(AVC) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): avc:  (\S+)  { \.+ } for  pid=\d+ comm="(\S+)" path="\S+" dev=\S+ ino=\d+ scontext=\S+ tcontext=\S+ tclass=\S+$</regex>
+  <order>action,id,status,extra_data</order>
+</decoder>
+
+<!-- syscall -->
+<decoder name="auditd-syscall">
+  <parent>auditd</parent>
+  <prematch offset="after_parent">^SYSCALL </prematch>
+  <regex offset="after_parent">^(SYSCALL) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): arch=\w+ syscall=\d+ success=(\S+) exit=\S+ a0=\w+ a1=\w+ a2=\w+ a3=\w+ items=\d+ ppid=\d+ pid=\d+ auid=\d+ uid=\d+ gid=\d+ euid=\d+ suid=\d+ fsuid=\d+ egid=\d+ sgid=\d+ fsgid=\d+ tty=\S+ ses=\d+ comm="\S+" exe="(\.+)"</regex>
+  <order>action,id,status,extra_data</order>
+</decoder>
+
+<!-- config -->
+<decoder name="auditd-config">
+  <parent>auditd</parent>
+  <prematch offset="after_parent">^CONFIG_CHANGE </prematch>
+  <regex offset="after_parent">^(CONFIG_CHANGE) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): auid=\d+ ses=\d+ op="\.+" path="(\.+)" key="\S+" list=\d+ res=\d+$</regex>
+  <order>action,id,extra_data</order>
+</decoder>
+
+<!-- path (will only decode if name is not null)-->
+<decoder name="auditd-path">
+  <parent>auditd</parent>
+  <prematch offset="after_parent">^PATH </prematch>
+  <regex offset="after_parent">^(PATH) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): item=\d+ name="(\.+)" inode=\d+ dev=\S+ mode=\d+ ouid=\d+ ogid=\d+ rdev=\S+</regex>
+  <order>action,id,extra_data</order>
+</decoder>
+
+<!-- user-related -->
+<decoder name="auditd-user">
+  <parent>auditd</parent>
+  <regex offset="after_parent">^(USER_\S+) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): user pid=\d+ uid=\d+ auid=\d+|</regex>
+  <regex>^(CRED_\S+) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): user pid=\d+ uid=\d+ auid=\d+</regex>
+  <order>action,id</order>
+</decoder>
+
+<decoder name="auditd-user">
+  <parent>auditd</parent>
+  <regex offset="after_regex"> acct="(\.+)" : exe="(\.+)" \(hostname=\S+, addr=(\S+), terminal=\S+$</regex>
+  <order>user,extra_data,srcip</order>
+</decoder>
+
+<decoder name="auditd-user">
+  <parent>auditd</parent>
+  <regex offset="after_regex"> ses=\d+ subj=\S+ msg='\.+ acct="(\.+)" exe="(\.+)" hostname=\S+ addr=(\S+) terminal=\S+ res=(\S+)$</regex>
+  <order>user,extra_data,srcip,status</order>
+</decoder>
+
+<decoder name="auditd-user">
+  <parent>auditd</parent>
+  <regex offset="after_regex"> subj=\S+ msg='\.+ acct="(\.+)" \p*\s*exe="(\.+)" \(hostname=\S+, addr=(\S+), terminal=\S+ res=(\S+)\)'$</regex>
+  <order>user,extra_data,srcip,status</order>
+</decoder>
+
+<decoder name="auditd-user">
+  <parent>auditd</parent>
+  <regex offset="after_regex"> subj=\S+ msg='\.+ exe="(\.+)" \(hostname=\S+, addr=(\S+), terminal=\S+ res=(\S+)\)'$</regex>
+  <order>extra_data,srcip,status</order>
+</decoder>
+
+<!--
+mptscsih \ mptbase decoder
+
+Description: module for SCSI controllers.
+
+Examples:
+[ 5008.286061] mptscsih: ioc0: task abort: FAILED (rv=2003) (sc=ffff88007a8a9f00)
+
+[ 6498.769248] mptbase: ioc0: RAID STATUS CHANGE for PhysDisk 1 id=8
+[ 6498.769252] mptbase: ioc0:   PhysDisk is now failed, out of sync
+
+[ 6498.775783] mptbase: ioc0: RAID STATUS CHANGE for VolumeID 0
+[ 6498.775788] mptbase: ioc0:   volume is now degraded, enabled
+-->
+<decoder name="mptscsih-1">
+  <parent>iptables</parent>
+  <prematch>^[\s\d+.\d+] mptscsih: </prematch>
+  <regex>^[\s\d+.\d+] (\w+): (\w+): task abort: (\w+)</regex>
+  <order>id,data,status</order>
+</decoder>
+
+<decoder name="mptbase-1">
+  <parent>iptables</parent>
+  <prematch>^[\s\d+.\d+] mptbase: </prematch>
+  <regex>^[\s\d+.\d+] (\w+): (\w+):\s+\w+ is now (\w+)\p\s(\D+)$</regex>
+  <order>id,data,action,status</order>
+</decoder>
+
+<!-- Grandstream HT502 VoIP gateway decoder 
+Author and (c): Michael Starks, 2014 -->
+
+<!-- HT502: [00:0B:82:14:5B:94] Transport error (-1) for transaction 2677 -- >
+
+<decoder name="grandstream-ata">
+ <prematch>^HT286: [\w\w:\w\w:\w\w:\w\w:\w\w:\w\w]\p*\.+\p* |</prematch>
+ <prematch>^HT502: [\w\w:\w\w:\w\w:\w\w:\w\w:\w\w]\p*\.+\p* |</prematch>
+ <prematch>^HT503: [\w\w:\w\w:\w\w:\w\w:\w\w:\w\w]\p*\.+\p* </prematch>
+</decoder>
+
+<decoder name="grandstream-registration">
+ <parent>grandstream-ata</parent>
+ <prematch>Received </prematch>
+ <regex offset="after_prematch">^(\d+) response for transaction (\d+)\((\w+)\)$</regex>
+ <order>status, id, action</order>
+</decoder>
+
+<decoder name="grandstream-fts-registered">
+ <parent>grandstream-ata</parent>
+ <prematch>Account </prematch>
+ <regex offset="after_prematch">^(\d+) (registered), tried \d+; Next registration in \d+ seconds \(\d+/\d+\) on (\.+)$</regex>
+ <order>id, status, extra_data</order>
+ <fts>name, location, extra_data</fts>
+</decoder>
+
+<decoder name="grandstream-incoming-cid">
+ <parent>grandstream-ata</parent>
+ <prematch>Vinetic::</prematch>
+ <regex offset="after_prematch">^(startRing) with CID, Attempting to deliver CID (\d+) on port \d+$</regex>
+ <order>action, id</order>
+</decoder>
+
+<decoder name="grandstream-outgoing-call">
+ <parent>grandstream-ata</parent>
+ <regex offset="after_parent">^(Dialing) (\d+)$</regex>
+ <order>action, id</order>
+</decoder>
 
 <!-- EOF -->
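Review bot: The comment on L862 is never closed — it ends in `-- >` with a space, not `-->` — so the parser keeps reading until the next `-->`, which is the `<!-- EOF -->` on L898, and the four grandstream decoders on L864-L896 are silently never loaded; end L862 with `-->`. In the auditd block, L731 opens a comment that then contains `<!-- CentOS 5.5 -->`, `<!-- Unknown source -->` and `<!-- Ubuntu 10.04 LTS -->`; a standard XML parser closes the outer comment at the first `-->` and rejects `--` inside comments, so whether the sample lines stay commented out depends on OSSEC's own parser — safer to make the inner markers plain text (`-- CentOS 5.5:`) and to strip the `163`-`167` line-number residue on L732-L736. The `portsentry-attackalert` regex on L671 captures the token before the `/` and discards the one after it; if portsentry's `Connect from host: name/addr` order holds, the address is the half that should land in `srcip`, i.e. `<regex offset="after_prematch">\S+/(\S+) to (\S+) port: (\d+)$</regex>`. `open-userdel` (L612) puts the deleted account in `srcuser` and `groupdel` (L659) puts the deleted group in `extra_data`; the account is the object of the action, which is what `dstuser` denotes elsewhere in this patch (`dropbear-from`, L122).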