X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=blobdiff_plain;f=etc%2Fdecoder.xml;h=cb07a9301bf4d675289fbaad0a0333a3c379bd44;hp=c809108565f180d0b87c71b69efa27a7b48bfea1;hb=301048b51990573e58a30dc4a5bb4ec285cad554;hpb=914feba5d54f979cd5d7e69c349c3d01f630042a

diff --git a/etc/decoder.xml b/etc/decoder.xml
index c809108..cb07a93 100755
--- a/etc/decoder.xml
+++ b/etc/decoder.xml
@@ -1,4 +1,4 @@
-<!-- @(#) $Id: decoder.xml,v 1.162 2009/11/09 20:32:29 dcid Exp $
+<!-- @(#) $Id$
   -  OSSEC log decoder.
   -  Author: Daniel B. Cid
   -  License: http://www.ossec.net/en/licensing.html
@@ -156,7 +156,7 @@
 <decoder name="ssh-reverse-mapping">
   <parent>sshd</parent>
   <prematch>^reverse mapping checking </prematch>
-  <regex offset="after_prematch">^\w+ for (\S+) </regex>
+  <regex offset="after_prematch">^\w+ for \S+ [(\S+)] |^\w+ for (\S+) </regex>
   <order>srcip</order>
 </decoder>       
 
@@ -181,6 +181,13 @@
   <order>srcip</order>
 </decoder>
 
+<decoder name="ssh-osx-refuse">
+  <parent>sshd</parent>
+  <prematch>^refused connect </prematch>
+  <regex offset="after_prematch">^from (\S+)$</regex>
+  <order>srcip</order>
+</decoder>
+
 
 
 <!--
@@ -208,6 +215,42 @@
 
 
 <!--
+ - rshd decoder
+ - Example message:
+ - Dec 17 10:49:23 hostname rshd[347339]: Connection from 10.217.223.31 on illegal port
+ -->
+<decoder name="rshd">
+  <program_name>^rshd$</program_name>
+</decoder>
+                          
+<decoder name="rshd-illegal-connection">
+  <parent>rshd</parent>
+  <regex>^Connection from (\S+) on illegal port$</regex>
+  <order>srcip</order>
+</decoder>
+
+
+
+<!--
+ - cimserver decoder
+ - Example messages:
+ - Dec 18 18:06:28 hostname cimserver[18575]: PGS17200: Authentication failed for user jones_b.
+ - Dec 18 18:06:29 hostname cimserver[18575]: PGS17200: Authentication failed for user domain\jones_b.
+ -->
+<decoder name="cimserver">
+  <program_name>^cimserver$</program_name>
+</decoder>
+
+<decoder name="cimserver-failed-authentication">
+  <parent>cimserver</parent>
+  <prematch>^\w+: Authentication failed for user </prematch>
+  <regex offset="after_prematch">^(\S+).$</regex>
+  <order>user</order>
+</decoder>
+
+
+
+<!--
  - Samba decoder.
  - Will extraxt the username/srcip
  - Examples:
@@ -389,6 +432,7 @@
   - ftpd[811166]: refused connect from 88.225.42.182
   - in.ftpd[18561]: [ID 484914 daemon.notice] gethostbyaddr: nameservices.net. != 216.117.134.168
   - ftpd[31918]: FTPD: EXPORT file local , remote
+  - Dec 21 12:21:20 hostname ftpd[323115]: login jones_b from client.example.org failed.
   -->
 <decoder name="ftpd">
   <program_name>^ftpd|^in.ftpd</program_name>
@@ -415,6 +459,13 @@
   <order>srcip</order>
 </decoder>
 
+<decoder name="ftpd-tru64">
+  <parent>ftpd</parent>
+  <prematch>^login \S+ from \S+ failed.</prematch>
+  <regex>^login (\S+) from (\S+) failed.$</regex>
+  <order>user, srcip</order>
+</decoder>
+
 
 
 <!-- Arpwatch decoder.
@@ -592,22 +643,29 @@
 <decoder name="dovecot-success">
   <parent>dovecot</parent>
   <prematch offset="after_parent">^\w\w\w\w-login: Login: </prematch>
-  <regex offset="after_prematch">^user=\p(\S+)\p, method=\S+, rip=(\S+), </regex>
-  <order>user, srcip</order>
+  <regex offset="after_prematch">^user=\p(\S+)\p, method=\S+, rip=\S*(\d+.\d+.\d+.\d+), lip=\S*(\d+.\d+.\d+.\d+), (\S*)$</regex>
+  <order>user, srcip, dstip, protocol</order>
 </decoder>
 
 <decoder name="dovecot-aborted">
   <parent>dovecot</parent>
   <prematch offset="after_parent">^\w\w\w\w-login: Aborted login</prematch>
-  <regex offset="after_prematch"> user=\p\S+>, method=\w+, rip=(\S+), lip=\S+</regex>
-  <order>srcip</order>
+  <regex offset="after_prematch">: user=\p(\S+)\p, method=\S+, rip=::ffff:(\d+.\d+.\d+.\d+), lip=::ffff:(\d+.\d+.\d+.\d+)$</regex>
+  <order>user, srcip, dstip</order>
+</decoder> 
+
+<decoder name="dovecot-fail">
+  <parent>dovecot</parent>
+  <prematch offset="after_parent">^auth\(default\)|auth-worker\(default\)</prematch>
+  <regex offset="after_prematch">^: \S+\((\S+),(\d+.\d+.\d+.\d+)\)</regex>
+  <order>user, srcip</order>
 </decoder>
 
 <decoder name="dovecot-disconnect">
   <parent>dovecot</parent>
   <prematch offset="after_parent">^\w\w\w\w-login: Disconnected: </prematch>
-  <regex offset="after_prematch">^rip=(\S+), </regex>
-  <order>srcip</order>
+  <regex offset="after_prematch">^rip=(\S+), lip=(\d+.\d+.\d+.\d+)</regex>
+  <order>srcip, dstip</order>
 </decoder>
 
 
@@ -1513,7 +1571,7 @@
   -->
 <decoder name="windows-snare">
   <type>windows</type>
-  <prematch>^MSWinEventLog\t\d\t\.+\t\d+\t\w\w\w \w\w\w \d\d \d\d</prematch>
+  <prematch>^MSWinEventLog\t\d\t\.+\t\d+\t\w\w\S+ \w\w\w \d\d \d\d</prematch>
   <regex offset="after_prematch">^:\d\d:\d\d \d\d\d\d\t(\d+)\t(\.+)</regex>
   <regex>\t(\.+)\t\.+\t(\.+)\t(\.+)\t</regex>
   <order>id, extra_data, user, status, system_name</order>