X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=blobdiff_plain;f=etc%2Fdecoder.xml;fp=etc%2Fdecoder.xml;h=e4b0b984750a28772d8cd1adc2c84315c136ccd2;hp=669508edc65514e61f14c75783ff3fb719d75b11;hb=789cbc8e52da68eba3517b920ef22e000cf3c9fd;hpb=ef70704f0b31b59bb719b884d6a99cb9e3e2044a

diff --git a/etc/decoder.xml b/etc/decoder.xml
index 669508e..e4b0b98 100755
--- a/etc/decoder.xml
+++ b/etc/decoder.xml
@@ -464,7 +464,7 @@
 
 <decoder name="proftpd-ip">
   <parent>proftpd</parent>
-  <regex>^\S+ \(\S+[(\S+)]\)</regex>
+  <regex>^\S+ \(\S+[(\S+)]\)|^\S+ \(\S+[::ffff:(\S+)]\)</regex>
   <order>srcip</order>
 </decoder>
 
@@ -498,6 +498,19 @@
   <order>user,srcip</order>
 </decoder>  
 
+<!-- Pure-FTPd transfer log decoder
+  - Examples from ossec-list:
+  - example.com - user1 [11/Mar/2013:12:10:23 -0000] "PUT /ftpdrive/user1/FinalBackup.zip" 200 25268220
+  - example.com - user1 [11/Mar/2013:12:24:57 -0000] "GET /ftpdrive/user1/FinalBackup.zip" 200 25268220
+  -->
+
+<decoder name="pure-transfer">
+  <prematch>^\S+ - \S+ [\d\d/\S\S\S/\d\d\d\d:\d\d:\d\d:\d\d -\d\d\d\d] </prematch>
+  <regex>^(\S+) - (\S+) [\d\d/\S\S\S/\d\d\d\d:\d\d:\d\d:\d\d -\d\d\d\d] "(\S+) (\.+) (\d+) \d+$</regex>
+  <order>extra_data,dstuser,action,url,status</order>
+</decoder>
+
+
 
 
 <!-- vsftpd decoder.
@@ -703,7 +716,7 @@
   - Nov 24 18:18:28 gandalf pop3d: LOGIN FAILED, ip=[::ffff:1.2.3.4]
   -->
 <decoder name="courier">
-  <program_name>^pop3d|^courierpop3login|^imaplogin</program_name>
+  <program_name>^pop3d|^courierpop3login|^imaplogin|^courier-pop3|^courier-imap</program_name>
 </decoder>
 
 <decoder name="courier-login">
@@ -715,7 +728,7 @@
 
 <decoder name="courier-generic">
   <parent>courier</parent>
-  <regex>, ip=[(\S+\d)]$</regex>
+  <regex>, ip=[(\S+\d)]$|, ip=[::ffff:(\S+\d)]$</regex>
   <order>srcip</order>
 </decoder>
 
@@ -1613,6 +1626,27 @@
   <order>url, srcip, id</order>
 </decoder>
 
+<!-- Windows IIS decoder for default settings
+  -  Tested with IIS 7.5 and IIS 8.5 (Windows 2008R2 and Windows 2012R2)
+  -  Will extract URL, Source IP, and HTTP response code
+  -  Examples:
+  -  IIS 7.5
+  -  2015-07-28 15:07:26 1.2.3.4 GET /QOsa/Browser/Default.aspx UISessionId=SN1234123&DeviceId=SN12312232SHARP+MX-4111N 80 - 31.3.3.7 OpenSystems/1.0;+product-family="85";+product-version="123ER123" 302 0 0 624
+  -  IIS 8.5
+  -  2015-03-11 20:28:21 1.2.3.4 GET /certsrv/Default.asp - 80 - 31.3.3.7 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+WOW64;+Trident/7.0) - 401 2 5 0
+  -  2015-03-11 21:59:09 1.2.3.4 GET /console/faces/com_sun_web_ui/jsp/version/version_30.jsp - 80 - 31.3.3.7 Sun+Web+Console+Fingerprinter/7.15 - 404 0 2 0
+  -  2015-03-11 22:01:58 1.2.3.4 GET /IISADMPWD/aexp.htr - 80 - 31.3.3.7 - - 404 0 2 0
+-->
+
+<decoder name="web-accesslog-iis-default">
+  <parent>windows-date-format</parent>
+  <type>web-log</type>
+  <use_own_name>true</use_own_name>
+  <prematch offset="after_parent">^\d+.\d+.\d+.\d+ GET |^\d+.\d+.\d+.\d+ POST </prematch>
+  <regex offset="after_prematch">(\S+ \S*) \.* (\d+.\d+.\d+.\d+) \S*\.* (\d\d\d) \S+ \S+ \S+</regex>
+  <order>url,srcip,id</order>
+</decoder>
+
 
 <!-- IIS 5 W3C FTP log format.
   - Examples:
@@ -1707,10 +1741,11 @@
     Logon Type: 2       Logon Process:  User32          Authentication 
     Package: Negotiate       Workstation Name:   ad
   - WinEvtLog: Security: AUDIT_SUCCESS(538): Security: lac: OSSEC-HM: OSSEC-HM: User Logoff:        User Name:      lac     Domain:         OSSEC-HM        Logon ID:               (0x0,0x7C966E)          Logon Type:     2  
+  - 2013 Oct 09 17:09:04 WinEvtLog: Application: INFORMATION(1): My Script: (no user): no domain: demo1.foo.example.com: test
   -->
 <decoder name="windows">
   <type>windows</type>
-  <prematch>^WinEvtLog: </prematch>
+  <prematch>^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog: |^WinEvtLog: </prematch>
   <regex offset="after_prematch">^\.+: (\w+)\((\d+)\): (\.+): </regex>
   <regex>(\.+): \.+: (\S+): </regex>
   <order>status, id, extra_data, user, system_name</order>
@@ -1849,9 +1884,9 @@ Sat May  7 03:27:57 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh del
 -->
 
 <decoder name="ar_log"> 
-        <prematch>^Mon|^Tue|^Wed|^Thu|^Fri|^Sat|^Sun \S+\s+\d+ \d\d:\d\d:\d\d \S+ \d+ /\.+/active-response</prematch>
-        <regex offset="after_prematch">/bin/(\S+) (\S+) - (\S+) (\d+.\d+) (\d+)</regex> 
-        <order>action, status, srcip, id, extra_data</order> 
+  <prematch>^\w\w\w \w+\s+\d+ \d\d:\d\d:\d\d \w+ \d+ /\S+/active-response</prematch>
+  <regex offset="after_prematch">/bin/(\S+) (\S+) - (\S+) (\d+.\d+) (\d+)</regex> 
+  <order>action, status, srcip, id, extra_data</order> 
 </decoder>
 
 <!-- Zeus decoder.
@@ -2173,6 +2208,17 @@ in HTTP request too long; attack: Malformed HTTP; src: 10.10.10.4; dst:
   <order>dstip, extra_data</order>
 </decoder>
 
+<!-- OpenBSD deluser
+  -  2014-02-21T10:22:55.134355-05:00 arrakis userdel[23023]: user removed: name=dac
+-->
+
+<decoder name="open-userdel">
+  <program_name>userdel</program_name>
+  <regex>user removed: name=(\S+)$</regex>
+  <order>srcuser</order>
+</decoder>
+
+
 
 <!-- OpenBSD mountd decoder
 - Apr 11 20:01:02 ix mountd[11618]: Refused mount RPC from host 192.168.17.10 port 45659
@@ -2190,47 +2236,6 @@ in HTTP request too long; attack: Malformed HTTP; src: 10.10.10.4; dst:
 </decoder>
 
 
-<!-- bro-ids decoders
-  - Aug 25 08:52:10 junction bro: no=PortScanSummary na=NOTICE_ALARM_ALWAYS es=bro sa=192.168.17.8 num=988 msg=192.168.17.8\\\\ scanned\\\\ a\\\\ total\\\\ of\\\\ 988\\\\ ports tag=@ef-24ad-af
-  - Aug 26 12:34:27 junction bro: no=PortScan na=NOTICE_ALARM_ALWAYS es=bro sa=192.168.17.8 p=17/tcp num=250 msg=192.168.17.8\\ has\\ scanned\\ 250\\ ports\\ of\\ 192.168.17.17 tag=@11-68e9-5
-  - junction bro: Starting incremental serialization...
-  - junction bro: Finished incremental serialization.
-  - ix bro: no=NoticeTally na=NOTICE_ALARM_ALWAYS es=bro num=307 msg=AckAboveHole\\ (307\\ times) tag=@81-2fd-1f9
-  - ix bro: no=NoticeTally na=NOTICE_ALARM_ALWAYS es=bro num=7 msg=ContentGap\\ (7\\ times) tag=@81-2fd-1fa
-  - ix bro: no=ResourceSummary na=NOTICE_ALARM_ALWAYS es=bro msg=elapsed\\ time\\ \\=\\ 376.0\\ msecs\\ 174.0\\ usecs,\\ total\\ CPU\\ \\=\\ 390.0\\ msecs,\\ maximum\\ memory\\ \\=\\ 0\\ KB,\\ peak\\ connections\\ \\=\\ 0,\\ peak\\ timers\\ \\=\\ 84,\\ peak\\ fragments\\ \\=\\ 0 tag=@69-1f25-1
-  - junction bro: no=PortScanSummary na=NOTICE_ALARM_ALWAYS es=bro sa=192.168.17.8 num=988 msg=192.168.17.8\\\\ scanned\\\\ a\\\\ total\\\\ of\\\\ 988\\\\ ports tag=@ef-24ad-af
-  - junction bro: no=ZoneTransfer na=NOTICE_ALARM_ALWAYS es=bro sa=192.168.1.9 sp=4175/tcp da=192.168.1.17 dp=53/tcp p=53/tcp msg=transfer\\ of\\example.com\\ requested\\ by\\ 192.168.1.9 tag=@61-3a46-d
-  - ix bro: no=SensitivePortmapperAccess na=NOTICE_ALARM_ALWAYS es=bro sa=192.168.17.8 sp=2957/tcp da=192.168.17.9 dp=111/tcp p=111/tcp msg=rpc:\\ 192.168.17.8/2957\\ >\\ 192.168.17.9/portmap\\ pm_dump:\\ (done) tag=@46-764d-5d
-  - junction bro: no=PortScan na=NOTICE_ALARM_ALWAYS es=bro sa=192.168.17.8 p=17/tcp num=250 msg=192.168.17.8\\ has\\ scanned\\ 250\\ ports\\ of\\ 192.168.17.17 tag=@11-68e9-5
--->
-
-<decoder name="bro-ids">
-  <program_name>^bro</program_name>
-</decoder>
-
-<decoder name="bro-portscan">
-  <parent>bro-ids</parent>
-  <prematch>no=PortscanSummary</prematch>
-  <regex>sa=(\S+) num=(\d+) msg=</regex>
-  <order>srcip,extra_data</order>
-</decoder>
-
-<decoder name="bro-portscan2">
-  <parent>bro-ids</parent>
-  <prematch>no=PortScan </prematch>
-  <regex>sa=(\S+) p=(\d+)/(\S+) num=(\d+)</regex>
-  <order>srcip,srcport,protocol,extra_data</order>
-</decoder>
-
-<decoder name="bro-typical">
-  <parent>bro-ids</parent>
-  <prematch>na=NOTICE</prematch>
-  <regex>sa=(\S+) sp=(\d+)/(\S+) da=(\S+) dp=(\d+)/\S+</regex>
-  <order>srcip,srcport,protocol,dstip,dstport</order>
-</decoder>
-
-
-
 <!-- nss ldap decoders
 - Jun 26 08:19:25 servername sh: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...
 - Aug 16 10:58:12 client nscd: nss_ldap: failed to bind to LDAP server ldap://ldap.example.com: Can't contact LDAP server
@@ -2366,67 +2371,134 @@ type=PATH msg=audit(1273924468.947:179534): item=0 name=(null) inode=424783 dev=
 </decoder>
 
 <!-- SELinux -->
-  <decoder name="auditd-selinux">
-    <parent>auditd</parent>
-    <prematch offset="after_parent">^AVC </prematch>
-    <regex offset="after_parent">^(AVC) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): avc:  (\S+)  { \.+ } for  pid=\d+ comm="(\S+)" path="\S+" dev=\S+ ino=\d+ scontext=\S+ tcontext=\S+ tclass=\S+$</regex>
-    <order>action,id,status,extra_data</order>
-  </decoder>
+<decoder name="auditd-selinux">
+  <parent>auditd</parent>
+  <prematch offset="after_parent">^AVC </prematch>
+  <regex offset="after_parent">^(AVC) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): avc:  (\S+)  { \.+ } for  pid=\d+ comm="(\S+)" path="\S+" dev=\S+ ino=\d+ scontext=\S+ tcontext=\S+ tclass=\S+$</regex>
+  <order>action,id,status,extra_data</order>
+</decoder>
 
 <!-- syscall -->
-  <decoder name="auditd-syscall">
-    <parent>auditd</parent>
-    <prematch offset="after_parent">^SYSCALL </prematch>
-    <regex offset="after_parent">^(SYSCALL) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): arch=\w+ syscall=\d+ success=(\S+) exit=\S+ a0=\w+ a1=\w+ a2=\w+ a3=\w+ items=\d+ ppid=\d+ pid=\d+ auid=\d+ uid=\d+ gid=\d+ euid=\d+ suid=\d+ fsuid=\d+ egid=\d+ sgid=\d+ fsgid=\d+ tty=\S+ ses=\d+ comm="\S+" exe="(\.+)"</regex>
-    <order>action,id,status,extra_data</order>
-  </decoder>
+<decoder name="auditd-syscall">
+  <parent>auditd</parent>
+  <prematch offset="after_parent">^SYSCALL </prematch>
+  <regex offset="after_parent">^(SYSCALL) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): arch=\w+ syscall=\d+ success=(\S+) exit=\S+ a0=\w+ a1=\w+ a2=\w+ a3=\w+ items=\d+ ppid=\d+ pid=\d+ auid=\d+ uid=\d+ gid=\d+ euid=\d+ suid=\d+ fsuid=\d+ egid=\d+ sgid=\d+ fsgid=\d+ tty=\S+ ses=\d+ comm="\S+" exe="(\.+)"</regex>
+  <order>action,id,status,extra_data</order>
+</decoder>
 
 <!-- config -->
-  <decoder name="auditd-config">
-    <parent>auditd</parent>
-    <prematch offset="after_parent">^CONFIG_CHANGE </prematch>
-    <regex offset="after_parent">^(CONFIG_CHANGE) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): auid=\d+ ses=\d+ op="\.+" path="(\.+)" key="\S+" list=\d+ res=\d+$</regex>
-    <order>action,id,extra_data</order>
-  </decoder>
+<decoder name="auditd-config">
+  <parent>auditd</parent>
+  <prematch offset="after_parent">^CONFIG_CHANGE </prematch>
+  <regex offset="after_parent">^(CONFIG_CHANGE) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): auid=\d+ ses=\d+ op="\.+" path="(\.+)" key="\S+" list=\d+ res=\d+$</regex>
+  <order>action,id,extra_data</order>
+</decoder>
 
 <!-- path (will only decode if name is not null)-->
-  <decoder name="auditd-path">
-    <parent>auditd</parent>
-    <prematch offset="after_parent">^PATH </prematch>
-    <regex offset="after_parent">^(PATH) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): item=\d+ name="(\.+)" inode=\d+ dev=\S+ mode=\d+ ouid=\d+ ogid=\d+ rdev=\S+</regex>
-    <order>action,id,extra_data</order>
-  </decoder>
+<decoder name="auditd-path">
+  <parent>auditd</parent>
+  <prematch offset="after_parent">^PATH </prematch>
+  <regex offset="after_parent">^(PATH) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): item=\d+ name="(\.+)" inode=\d+ dev=\S+ mode=\d+ ouid=\d+ ogid=\d+ rdev=\S+</regex>
+  <order>action,id,extra_data</order>
+</decoder>
 
 <!-- user-related -->
-  <decoder name="auditd-user">
-    <parent>auditd</parent>
-    <regex offset="after_parent">^(USER_\S+) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): user pid=\d+ uid=\d+ auid=\d+|</regex>
-    <regex>^(CRED_\S+) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): user pid=\d+ uid=\d+ auid=\d+</regex>
-    <order>action,id</order>
-  </decoder>
-
-  <decoder name="auditd-user">
-    <parent>auditd</parent>
-    <regex offset="after_regex"> acct="(\.+)" : exe="(\.+)" \(hostname=\S+, addr=(\S+), terminal=\S+$</regex>
-    <order>user,extra_data,srcip</order>
-  </decoder>
-
-  <decoder name="auditd-user">
-    <parent>auditd</parent>
-    <regex offset="after_regex"> ses=\d+ subj=\S+ msg='\.+ acct="(\.+)" exe="(\.+)" hostname=\S+ addr=(\S+) terminal=\S+ res=(\S+)$</regex>
-    <order>user,extra_data,srcip,status</order>
-  </decoder>
-
-   <decoder name="auditd-user">
-    <parent>auditd</parent>
-    <regex offset="after_regex"> subj=\S+ msg='\.+ acct="(\.+)" \p*\s*exe="(\.+)" \(hostname=\S+, addr=(\S+), terminal=\S+ res=(\S+)\)'$</regex>
-    <order>user,extra_data,srcip,status</order>
-  </decoder>
-
-  <decoder name="auditd-user">
-    <parent>auditd</parent>
-    <regex offset="after_regex"> subj=\S+ msg='\.+ exe="(\.+)" \(hostname=\S+, addr=(\S+), terminal=\S+ res=(\S+)\)'$</regex>
-    <order>extra_data,srcip,status</order>
-  </decoder>
+<decoder name="auditd-user">
+  <parent>auditd</parent>
+  <regex offset="after_parent">^(USER_\S+) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): user pid=\d+ uid=\d+ auid=\d+|</regex>
+  <regex>^(CRED_\S+) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): user pid=\d+ uid=\d+ auid=\d+</regex>
+  <order>action,id</order>
+</decoder>
+
+<decoder name="auditd-user">
+  <parent>auditd</parent>
+  <regex offset="after_regex"> acct="(\.+)" : exe="(\.+)" \(hostname=\S+, addr=(\S+), terminal=\S+$</regex>
+  <order>user,extra_data,srcip</order>
+</decoder>
+
+<decoder name="auditd-user">
+  <parent>auditd</parent>
+  <regex offset="after_regex"> ses=\d+ subj=\S+ msg='\.+ acct="(\.+)" exe="(\.+)" hostname=\S+ addr=(\S+) terminal=\S+ res=(\S+)$</regex>
+  <order>user,extra_data,srcip,status</order>
+</decoder>
+
+<decoder name="auditd-user">
+  <parent>auditd</parent>
+  <regex offset="after_regex"> subj=\S+ msg='\.+ acct="(\.+)" \p*\s*exe="(\.+)" \(hostname=\S+, addr=(\S+), terminal=\S+ res=(\S+)\)'$</regex>
+  <order>user,extra_data,srcip,status</order>
+</decoder>
+
+<decoder name="auditd-user">
+  <parent>auditd</parent>
+  <regex offset="after_regex"> subj=\S+ msg='\.+ exe="(\.+)" \(hostname=\S+, addr=(\S+), terminal=\S+ res=(\S+)\)'$</regex>
+  <order>extra_data,srcip,status</order>
+</decoder>
+
+<!--
+mptscsih \ mptbase decoder
+
+Description: module for SCSI controllers.
+
+Examples:
+[ 5008.286061] mptscsih: ioc0: task abort: FAILED (rv=2003) (sc=ffff88007a8a9f00)
+
+[ 6498.769248] mptbase: ioc0: RAID STATUS CHANGE for PhysDisk 1 id=8
+[ 6498.769252] mptbase: ioc0:   PhysDisk is now failed, out of sync
+
+[ 6498.775783] mptbase: ioc0: RAID STATUS CHANGE for VolumeID 0
+[ 6498.775788] mptbase: ioc0:   volume is now degraded, enabled
+-->
+<decoder name="mptscsih-1">
+  <parent>iptables</parent>
+  <prematch>^[\s\d+.\d+] mptscsih: </prematch>
+  <regex>^[\s\d+.\d+] (\w+): (\w+): task abort: (\w+)</regex>
+  <order>id,data,status</order>
+</decoder>
+
+<decoder name="mptbase-1">
+  <parent>iptables</parent>
+  <prematch>^[\s\d+.\d+] mptbase: </prematch>
+  <regex>^[\s\d+.\d+] (\w+): (\w+):\s+\w+ is now (\w+)\p\s(\D+)$</regex>
+  <order>id,data,action,status</order>
+</decoder>
+
+<!-- Grandstream HT502 VoIP gateway decoder 
+Author and (c): Michael Starks, 2014 -->
+
+<!-- HT502: [00:0B:82:14:5B:94] Transport error (-1) for transaction 2677 -- >
+
+<decoder name="grandstream-ata">
+ <prematch>^HT286: [\w\w:\w\w:\w\w:\w\w:\w\w:\w\w]\p*\.+\p* |</prematch>
+ <prematch>^HT502: [\w\w:\w\w:\w\w:\w\w:\w\w:\w\w]\p*\.+\p* |</prematch>
+ <prematch>^HT503: [\w\w:\w\w:\w\w:\w\w:\w\w:\w\w]\p*\.+\p* </prematch>
+</decoder>
+
+<decoder name="grandstream-registration">
+ <parent>grandstream-ata</parent>
+ <prematch>Received </prematch>
+ <regex offset="after_prematch">^(\d+) response for transaction (\d+)\((\w+)\)$</regex>
+ <order>status, id, action</order>
+</decoder>
+
+<decoder name="grandstream-fts-registered">
+ <parent>grandstream-ata</parent>
+ <prematch>Account </prematch>
+ <regex offset="after_prematch">^(\d+) (registered), tried \d+; Next registration in \d+ seconds \(\d+/\d+\) on (\.+)$</regex>
+ <order>id, status, extra_data</order>
+ <fts>name, location, extra_data</fts>
+</decoder>
+
+<decoder name="grandstream-incoming-cid">
+ <parent>grandstream-ata</parent>
+ <prematch>Vinetic::</prematch>
+ <regex offset="after_prematch">^(startRing) with CID, Attempting to deliver CID (\d+) on port \d+$</regex>
+ <order>action, id</order>
+</decoder>
+
+<decoder name="grandstream-outgoing-call">
+ <parent>grandstream-ata</parent>
+ <regex offset="after_parent">^(Dialing) (\d+)$</regex>
+ <order>action, id</order>
+</decoder>
 
 <!-- EOF -->