3 - Author: Daniel B. Cid
4 - License: http://www.ossec.net/en/licensing.html
10 - location - where the log came from (only on FTS)
11 - srcuser - extracts the source username
12 - dstuser - extracts the destination (target) username
13 - user - an alias to dstuser (only one of the two can be used)
16 - srcport - source port
17 - dstport - destination port
20 - url - url of the event
21 - action - event action (deny, drop, accept, etc)
22 - status - event status (success, failure, etc)
23 - extra_data - Any extra data
28 - Will extract username and srcip whenever is possible.
30 - su(pam_unix)[23164]: authentication failure; logname= uid=1342 euid=0 tty= ruser=dcid rhost= user=osaudit
31 - su(pam_unix)[2298]: authentication failure; logname= uid=1342 euid=0 tty= ruser=dcid rhost= user=root
32 - vsftpd(pam_unix)[25073]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=211.100.27.101
33 - vsftpd(pam_unix)[25073]: check pass; user unknown
34 - sshd(pam_unix)[16660]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=202.110.184.100 user=root
35 - su(pam_unix)[14592]: session opened for user news by (uid=0)
36 - su(pam_unix)[14592]: session closed for user news
37 - sshd(pam_unix)[13025]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=210.70.129.207 user=nobody
38 - sshd(pam_unix)[18987]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=languedoc-2-81-56-82-49.fbx.proxad.net user=root
39 - sshd(pam_unix)[17365]: session opened for user test by (uid=508)
40 - sshd(pam_unix)[1345]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=222.237.79.237 user=root
41 - sshd(pam_unix)[15794]: 2 more authentication failures; logname= uid=0
42 euid=0 tty=ssh ruser= rhost=10.0.3.1 user=root
43 - Nov 17 21:41:22 localhost su[8060]: (pam_unix) session opened for user root by (uid=0)
44 - Nov 11 22:46:29 localhost vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=1.2.3.4
45 - Sep 28 15:28:58 server login: pam_unix(login:session): session opened for user carl by LOGIN(uid=0)
46 - Sep 28 15:35:18 server sshd[123]: pam_unix(sshd:session): session opened for user carl by (uid=0)
49 <program_name>(pam_unix)$</program_name>
53 <program_name></program_name>
54 <prematch>^pam_unix|^\(pam_unix\)</prematch>
57 <decoder name="pam-user">
59 <prematch>^session \w+ </prematch>
60 <regex offset="after_prematch">^for user (\S+)</regex>
64 <decoder name="pam-host-user">
66 <prematch>rhost=\S+\s+user=\S+</prematch>
67 <regex>rhost=(\S+)\s+user=(\S+)</regex>
68 <order>srcip, user</order>
71 <decoder name="pam-host">
73 <prematch> rhost</prematch>
74 <regex offset="after_prematch">^=(\S+)</regex>
81 - Will extract username and srcip from the logs.
82 - Only add to the FTS if the login was successful
83 - If the login failed, just extract the username/srcip for correlation
85 - sshd[8813]: Accepted password for root from 192.168.10.1 port 1066 ssh2
86 - sshd[2404]: Accepted password for root from 192.168.11.1 port 2011 ssh2
87 - sshd[21405]: Accepted password for root from 192.1.1.1 port 6023 ssh2
88 - sshd[21487]: Failed password for root from 192.168.1.1 port 1045 ssh2
89 - sshd[8813]: Failed none for root from 192.168.10.161 port 1066 ssh2
90 - sshd[12675]: Failed password for invalid user lala11 from x.x.x.x ..
91 - sshd[12914]: Failed password for invalid user lala6 from ...
92 - sshd[8267]: Failed password for illegal user test from 62.67.45.4 port 39141 ssh2
93 - sshd[11259]: Invalid user abc from 127.0.0.1
94 - "" Failed keyboard-interactive for root from 192.1.1.1 port 1066 ssh2
95 - sshd[23857]: [ID 702911 auth.notice] User xxx, coming from zzzz,
97 - sshd[23578]: reverse mapping checking getaddrinfo for pib4.catv-bauer.at failed - POSSIBLE BREAKIN ATTEMPT!
98 - sshd[61834]: reverse mapping checking getaddrinfo for sv.tvcm.ch
99 - failed - POSSIBLE BREAKIN ATTEMPT!
100 - sshd[3251]: User root not allowed because listed in DenyUsers
101 - [Time 2006.12.28 15:53:55 UTC] [Facility auth] [Sender sshd] [PID 483] [Message error: PAM: Authentication failure for username from 192.168.0.2] [Level 3] [UID -2] [GID -2] [Host Hostname]
102 - [Time 2006.11.02 11:41:44 UTC] [Facility auth] [Sender sshd] [PID 800] [Message refused connect from 51.124.44.34] [Level 4] [UID -2] [GID -2] [Host test2-emac]
103 - Apr 23 07:03:53 machinename sshd[29961]: User root from 12.3.4.5
104 not allowed because not listed in AllowUsers
105 - sshd[9815]: scanned from 127.0.0.1 with SSH-1.99-AKASSH_Version_Mapper1. Don't panic.
108 <decoder name="sshd">
109 <program_name>^sshd</program_name>
112 <decoder name="sshd-success">
113 <parent>sshd</parent>
114 <prematch>^Accepted</prematch>
115 <regex offset="after_prematch">^ \S+ for (\S+) from (\S+) port </regex>
116 <order>user, srcip</order>
117 <fts>name, user, location</fts>
120 <decoder name="ssh-denied">
121 <parent>sshd</parent>
122 <prematch>^User \S+ from </prematch>
123 <regex offset="after_parent">^User (\S+) from (\S+) </regex>
124 <order>user, srcip</order>
127 <decoder name="sshd-success-solaris">
128 <parent>sshd</parent>
129 <prematch>^User </prematch>
130 <regex offset="after_prematch">^(\S+), coming from (\S+), </regex>
131 <order>user, srcip</order>
132 <fts>name, user, location</fts>
135 <decoder name="ssh-invfailed">
136 <parent>sshd</parent>
137 <prematch>^Failed \S+ for invalid user|^Failed \S+ for illegal user</prematch>
138 <regex offset="after_prematch">from (\S+) port \d+ \w+$</regex>
142 <decoder name="ssh-failed">
143 <parent>sshd</parent>
144 <prematch>^Failed \S+ </prematch>
145 <regex offset="after_prematch">^for (\S+) from (\S+) port \d+ \w+$</regex>
146 <order>user, srcip</order>
149 <decoder name="ssh-error">
150 <parent>sshd</parent>
151 <prematch>^error: PAM: Authentication \w+ </prematch>
152 <regex offset="after_prematch">^for (\S+) from (\S+)$</regex>
153 <order>user, srcip</order>
156 <decoder name="ssh-reverse-mapping">
157 <parent>sshd</parent>
158 <prematch>^reverse mapping checking </prematch>
159 <regex offset="after_prematch">^\w+ for \S+ [(\S+)] |^\w+ for (\S+) </regex>
163 <decoder name="ssh-invalid-user">
164 <parent>sshd</parent>
165 <prematch>^Invalid user|^Illegal user</prematch>
166 <regex offset="after_prematch"> from (\S+)$</regex>
170 <decoder name="ssh-scan">
171 <parent>sshd</parent>
172 <prematch>^scanned from</prematch>
173 <regex offset="after_prematch"> (\S+) </regex>
177 <decoder name="ssh-scan2">
178 <parent>sshd</parent>
179 <prematch>^Did not receive identification|^Bad protocol version</prematch>
180 <regex offset="after_prematch"> from (\S+)$</regex>
184 <decoder name="ssh-osx-refuse">
185 <parent>sshd</parent>
186 <prematch>^refused connect </prematch>
187 <regex offset="after_prematch">^from (\S+)$</regex>
195 - Will extract the srcip
197 - May 31 12:33:44 queen telnetd[9876]: warning: can't verify hostname:
198 gethostbyname(131.1.satis-tl.ru) failed
199 - May 29 21:12:18 queen telnetd[6474]: refused connect from 81.215.42.27
200 - Jun 1 23:02:07 queen telnetd[62948]: connect from external.example.net
201 - Jun 1 23:02:07 queen telnetd[62948]: ttloop: read: A connection with a remote socket was reset by that socket.
202 - Jun 2 09:54:28 valhalla in.telnetd[19723]: [ID 927837 local2.info] connect from external.example.net
203 - Jun 2 09:54:28 valhalla telnetd[19723]: [ID 485252 daemon.info] ttloop: peer died: Error 0
205 <decoder name="telnetd">
206 <program_name>^telnetd|^in.telnetd</program_name>
209 <decoder name="telnetd-ip">
210 <parent>telnetd</parent>
211 <regex>from (\d+.\d+.\d+.\d+)$</regex>
220 - Dec 17 10:49:23 hostname rshd[347339]: Connection from 10.217.223.31 on illegal port
222 <decoder name="rshd">
223 <program_name>^rshd$</program_name>
226 <decoder name="rshd-illegal-connection">
227 <parent>rshd</parent>
228 <regex>^Connection from (\S+) on illegal port$</regex>
237 - Dec 18 18:06:28 hostname cimserver[18575]: PGS17200: Authentication failed for user jones_b.
238 - Dec 18 18:06:29 hostname cimserver[18575]: PGS17200: Authentication failed for user domain\jones_b.
240 <decoder name="cimserver">
241 <program_name>^cimserver$</program_name>
244 <decoder name="cimserver-failed-authentication">
245 <parent>cimserver</parent>
246 <prematch>^\w+: Authentication failed for user </prematch>
247 <regex offset="after_prematch">^(\S+).$</regex>
255 - Will extraxt the username/srcip
257 - smbd[832]: Denied connection from (192.168.3.23)
258 - smbd[832]: Connection denied from 0.0.0.0
259 - smbd[17535]: Permission denied\-\- user not allowed to delete,
260 pause, or resume print job. User name: ahmet. Printer name: prnq1.
263 <decoder name="smbd">
264 <program_name>^smbd</program_name>
267 <decoder name="smbd-user">
268 <parent>smbd</parent>
269 <prematch>User name:</prematch>
270 <regex offset="after_prematch">^ (\S+).</regex>
274 <decoder name="smbd-ip">
275 <parent>smbd</parent>
276 <regex> from \((\d+.\d+.\d+.\d+)\)</regex>
283 - Will extract the username
285 - Apr 27 15:22:23 niban sudo: dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/usr/bin/tail /var/log/snort/alert.fast
286 - Apr 27 15:25:08 niban sudo: dcid : TTY=pts/4 ; PWD=/home/dcid ; USER=root ; COMMAND=/usr/bin/tail /var/log/snort/alert.fast
287 - Apr 14 10:59:01 enigma sudo: dcid : TTY=ttyp3 ; PWD=/home/dcid/ossec-hids.0.1a/src/analysisd ; USER=root ; COMMAND=/bin/cp -pr ../../bin/addagent ../../bin/osaudit-logaudit ../../bin/ossec-execd ../../bin/ossec-logcollector ../../bin/ossec-maild ../../bin/ossec-remoted /var/ossec/bin
288 - Apr 19 14:52:02 enigma sudo: dcid : TTY=ttyp3 ; PWD=/var/www/alex ; USER=root ; COMMAND=/sbin/chown dcid.dcid .
290 <decoder name="sudo">
291 <program_name>^sudo</program_name>
292 <regex>^\s+(\S+)\s:</regex>
294 <fts>name,user,location</fts>
295 <ftscomment>First time user executed the sudo command</ftscomment>
300 - Will extract the username.
302 - su[2921936]: failed: ttyq4 changing from ldap to root
303 - su[234]: BAD SU ger to fwmaster on /dev/ttyp0
304 - su(pam_unix)[23164]: authentication failure; logname= uid=1342 euid=0 tty= ruser=dcid rhost= user=osaudit
305 - su(pam_unix)[2298]: authentication failure; logname= uid=1342 euid=0 tty= ruser=dcid rhost= user=root
306 - Jul 5 12:17:38 lili su[2702]: - pts/5 ab-dc-root
307 - Jul 5 12:13:15 lili su[2614]: - pts/6 dcid-root
308 - su[29149]: + pts/5 dcid:root
309 - SU 07/23 01:24 + pts/4 lcid-root
310 - Apr 22 17:51:51 enigma su: dcid to root on /dev/ttyp1
311 - 'su root' failed for chapman on /dev/pts/1
314 <program_name>^su$</program_name>
317 <decoder name="su-detail">
319 <prematch>^'su </prematch>
320 <regex>^'su (\S+)' \S+ for (\S+) on \S+$</regex>
321 <order>dstuser, srcuser</order>
322 <fts>name, srcuser, location</fts>
325 <decoder name="su-detail2">
327 <regex>^BAD SU (\S+) to (\S+) on|</regex>
328 <regex>^failed: \S+ changing from (\S+) to (\S+)|</regex>
329 <regex>^\S \S+ (\S+)\p(\S+)$|^(\S+) to (\S+) on </regex>
330 <order>srcuser, dstuser</order>
331 <fts>name, srcuser, location</fts>
335 <prematch>^SU \S+ \S+ </prematch>
336 <regex offset="after_prematch">^\S \S+ (\S+)-(\S+)$</regex>
337 <order>srcuser, dstuser</order>
338 <fts>name, srcuser, location</fts>
343 <!-- ProFTPD decoder.
344 - Will extract the username/srcip
346 - proftpd[26916]: hayaletgemi (85.101.218.135[85.101.218.135]) - ANON anonymous: Login successful.
347 - proftpd[12564]: juf01 (pD9EE35B1.dip.t-dialin.net[217.238.53.177]) - USER jufu: Login successful
348 - proftpd[30362] xx.yy.zz (aa.bb.cc[aa.bb.vv.dd]): USER backup: Login successful.
349 - proftpd[2344]: refused connect from 192.168.1.2 (192.168.1.2)
350 - proftpd[15181]: valhalla (crawl-66-249-66-80.googlebot.com[66.249.66.80]) - Connection from crawl-66-249-66-80.googlebot.com [66.249.66.80] denied.
352 <decoder name="proftpd">
353 <program_name>^proftpd</program_name>
356 <decoder name="proftpd-success">
357 <parent>proftpd</parent>
358 <prematch>: Login successful</prematch>
359 <regex>^\S+ \(\S+[(\S+)]\)\s*\S \w+ (\S+): </regex>
360 <regex>Login successful</regex>
361 <order>srcip, user</order>
362 <fts>name, user, srcip, location</fts>
365 <decoder name="proftpd-ip">
366 <parent>proftpd</parent>
367 <regex>^\S+ \(\S+[(\S+)]\)</regex>
373 <!-- Pure-FTPd decoder.
374 - Will extract the username/srcip whenever possible.
375 - Samples by Peter Ahlert <peter@ifup.de> (thanks!)
377 - pure-ftpd-wrapper[926]: connect from 1.1.0.1 (1.1.0.1)
378 - pure-ftpd: (?@1.1.0.1) [INFO] New connection from 1.1.0.1
379 - pure-ftpd: (abcde@1.1.0.1) [INFO] Can't change directory to /.test: Permission denied
380 - pure-ftpd: (abcde@1.1.0.1) [INFO] Logout.
381 - pure-ftpd: (?@59.150.14.54) [WARNING] Authentication failed for user [newuser]
383 <decoder name="pure-ftpd">
384 <program_name>^pure-ftpd</program_name>
387 <decoder name="pure-ftpd-login">
388 <parent>pure-ftpd</parent>
389 <prematch>^\S+ [INFO] \S+ is now logged in</prematch>
390 <regex>^\(?@(\S+)\) [INFO] (\S+) is now logged in</regex>
391 <order>srcip, user</order>
392 <fts>name, user, srcip, location</fts>
395 <decoder name="pure-ftpd-generic">
396 <parent>pure-ftpd</parent>
397 <regex>^\((\S+)@(\S+)\) [</regex>
398 <order>user,srcip</order>
404 - Will extract the srcip.
406 - Sun Jun 4 22:08:04 2006 [pid 21612] CONNECT: Client "192.168.2.10"
407 - Sun Jun 4 22:08:39 2006 [pid 21611] [dcid] OK LOGIN: Client "192.168.2.10"
408 - Sun Jun 4 22:09:22 2006 [pid 21622] CONNECT: Client "192.168.2.10"
409 - Sun Jun 4 22:09:24 2006 [pid 21621] [lalal] FAIL LOGIN: Client "192.168.2.10"
410 - Sat Jun 3 07:51:42 2006 [pid 25073] [Administrator] FAIL LOGIN: Client
412 - Sun Aug 27 16:28:20 2006 [pid 13962] [xx] OK UPLOAD: Client "1.2.3.4", "/a.php", 8338 bytes, 18.77Kbyte/sec
413 - Jul 13 12:31:20 www vsftpd: Sun Jul 13 10:31:20 2008 [pid 27528] [anonymous] FAIL LOGIN: Client "84.140.234.76"
415 <decoder name="vsftpd">
416 <prematch>^\w\w\w \w\w\w\s+\d+ \S+ \d+ [pid \d+] </prematch>
417 <regex offset="after_prematch">Client "(\d+.\d+.\d+.\d+)"$</regex>
421 <decoder name="vsftpd">
422 <program_name>^vsftpd</program_name>
423 <prematch>^\w\w\w \w\w\w\s+\d+ \S+ \d+ [pid \d+] </prematch>
424 <regex offset="after_prematch">Client "(\d+.\d+.\d+.\d+)"$</regex>
430 <!-- FTPD decoder - Solaris, MacOS and Wu-ftpd).
432 - ftpd[811166]: refused connect from 88.225.42.182
433 - in.ftpd[18561]: [ID 484914 daemon.notice] gethostbyaddr: nameservices.net. != 216.117.134.168
434 - ftpd[31918]: FTPD: EXPORT file local , remote
435 - Dec 21 12:21:20 hostname ftpd[323115]: login jones_b from client.example.org failed.
437 <decoder name="ftpd">
438 <program_name>^ftpd|^in.ftpd</program_name>
441 <decoder name="ftpd-mac-failure">
442 <parent>ftpd</parent>
443 <prematch>^Failed authentication from: \S+ |</prematch>
444 <prematch>^repeated login failures from </prematch>
445 <regex offset="after_prematch">[(\d+.\d+.\d+.\d+)]$</regex>
449 <decoder name="ftpd-refused">
450 <parent>ftpd</parent>
451 <prematch>^FTP LOGIN REFUSED </prematch>
452 <regex offset="after_prematch">[(\d+.\d+.\d+.\d+)]$</regex>
456 <decoder name="ftpd-ip">
457 <parent>ftpd</parent>
458 <regex>from (\d+.\d+.\d+.\d+)$</regex>
462 <decoder name="ftpd-tru64">
463 <parent>ftpd</parent>
464 <prematch>^login \S+ from \S+ failed.</prematch>
465 <regex>^login (\S+) from (\S+) failed.$</regex>
466 <order>user, srcip</order>
471 <!-- Arpwatch decoder.
472 - Will extract srcip/mac for "new station" messages.
474 - arpwatch: new station 192.168.1.103 0:11:43:5e:5d:80 eth0
475 - arpwatch: bogon 172.16.150.149 0:2:b3:d6:e5:68 eth0
476 - arpwatch: new station 192.168.2.10 0:c0:4f:78:32:be
478 <decoder name="arpwatch">
479 <program_name>^arpwatch</program_name>
482 <decoder name="arpwatch-new">
483 <parent>arpwatch</parent>
484 <prematch>^new station |^bogon </prematch>
485 <regex offset="after_prematch">^(\d+.\d+.\d+.\d+) (\S+)</regex>
486 <order>srcip, extra_data</order>
487 <fts>name, srcip, extra_data</fts>
494 - MySQL log: 060516 22:38:46 mysqld started
495 - MySQL log: 060516 22:38:46 mysqld ended
496 - MySQL log: 070823 21:23:08 2 Query INSERT INTO signature(id, rule_id, level, description) VALUES (NULL, '18103','5','Windows error event.') ON DUPLICATE KEY UPDATE level='5'
497 - 070824 11:33:51 6 Connect Access denied for user 'roota'@'localhost' (using password: YES)
499 <decoder name="mysql_log">
500 <prematch>^MySQL log:</prematch>
505 <!-- PostgreSQL decoder.
507 - [2007-08-31 18:37:09.454 ADT] 192.168.2.99: LOG: connection authorized: user=ossec_user database=ossecdb
508 - [2007-08-31 18:37:15.525 ADT] 192.168.2.99: ERROR: relation "alert2" does not exist
510 <decoder name="postgresql_log">
511 <prematch>^[\d\d\d\d-\d\d-\d\d \S+ \w+] </prematch>
512 <regex offset="after_prematch">^\S+ (\w+): </regex>
513 <order>status</order>
519 - Will extract the username/srcip
521 - imapd[26888]: Login failed user=babadosfashion auth=babadosfashion host=bahiana.resenet.com.br [200.255.5.8]
522 - imapd[21040]: Login failed user=root domain=(null) auth=root host=host29-141.poo
523 l8249.interbusiness.it [82.49.141.29]
524 - imapd[27113]: Authenticated user=badyy host=a.resenet.com.br [1.2.3.4]
525 - imapd[27113]: Logout user=badyy host=a.resenet.com.br [1.2.3.4]
527 <decoder name="imapd">
528 <program_name>^imapd</program_name>
529 <regex offset="after_prematch">user=(\S+) \.+ [(\d+.\d+.\d+.\d+)]$</regex>
530 <order>user,srcip</order>
535 <!-- Vpopmail decoder. (by Ceg Ryan <cegryan ( at ) gmail.com>)
537 - vpopmail[32485]: vchkpw-pop3: password fail abc@xxx.com:x.x.x.x
538 - vpopmail[32485]: vchkpw-2110 password fail abc@xxx.com:x.x.x.x
539 - vchkpw-pop3: password fail (pass: 'test') user@my_domain:1.2.3.4
540 - vpopmail[2100]: vchkpw-pop3: vpopmail user not found abc@xxx.com:x.x.x.x
541 - vpopmail[4162]: vchkpw-pop3: vpopmail user not found support@:69.3.64.3
543 <decoder name="vpopmail">
544 <program_name>^vpopmail</program_name>
547 <decoder name="vpopmail-fail">
548 <parent>vpopmail</parent>
549 <prematch>^vchkpw-\S+: password fail</prematch>
550 <regex offset="after_prematch"> (\S+)@\S+:(\d+.\d+.\d+.\d+)$</regex>
551 <order>user, srcip</order>
554 <decoder name="vpopmail-notfound">
555 <parent>vpopmail</parent>
556 <prematch>^vchkpw-\S+: vpopmail user not </prematch>
557 <regex offset="after_prematch">^found (\S+):(\d+.\d+.\d+.\d+)$</regex>
558 <order>user, srcip</order>
561 <decoder name="vpopmail-empty">
562 <parent>vpopmail</parent>
563 <prematch>^vchkpw-\S+: null password </prematch>
564 <regex offset="after_prematch">^given (\S+):(\d+.\d+.\d+.\d+)$</regex>
565 <order>user, srcip</order>
568 <decoder name="vpopmail-success">
569 <parent>vpopmail</parent>
570 <prematch>^vchkpw-\S+: \(\S+\) login </prematch>
571 <regex offset="after_prematch">^success (\S+):(\d+.\d+.\d+.\d+)$</regex>
572 <order>user, srcip</order>
577 <!-- VM-POP3 - Virtual Mail Pop3
580 <decoder name="vm-pop3d">
581 <program_name>^vm-pop3d</program_name>
584 <decoder name="vm-pop3d-fail">
585 <parent>vm-pop3d</parent>
586 <prematch>^User '</prematch>
587 <regex offset="after_prematch">^(\S+)' - \w+ auth, </regex>
588 <regex>from=(\d+.\d+.\d+.\d+)$</regex>
589 <order>user, srcip</order>
596 - pop3d-ssl: LOGIN FAILED, ip=[::ffff:192.168.0.200]
597 - courierpop3login: LOGIN, user=web10_mauricio, ip=[::ffff:192.168.0.100]
598 - courierpop3login: LOGIN FAILED, ip=[::ffff:192.168.0.188]
599 - imaplogin: DISCONNECTED, ip=[::ffff:127.0.0.1], time=0
600 - Nov 24 18:18:28 gandalf pop3d: LOGIN FAILED, ip=[::ffff:1.2.3.4]
602 <decoder name="courier">
603 <program_name>^pop3d|^courierpop3login|^imaplogin</program_name>
606 <decoder name="courier-login">
607 <parent>courier</parent>
608 <prematch>^LOGIN, </prematch>
609 <regex offset="after_prematch">^user=(\S+), ip=[(\S+\d)]$</regex>
610 <order>user, srcip</order>
613 <decoder name="courier-generic">
614 <parent>courier</parent>
615 <regex>, ip=[(\S+\d)]$</regex>
622 - Will extract username, srcip and dstip when available.
623 - Jun 17 10:15:24 hostname dovecot: Dovecot v1.2.rc3 starting up (core dumps disabled)
624 - Jun 17 10:15:24 hostname dovecot: Fatal: auth(default): Support not compiled in for passdb driver 'ldap'
625 - Jun 17 10:15:24 hostname dovecot: Fatal: Auth process died too early - shutting down
626 - dovecot: Jun 23 15:04:05 Info: imap-login: Login: user=<username>, method=PLAIN, rip=1.2.3.4, lip=1.2.3.5 Authentication Failure:
627 - Jan 11 03:42:09 hostname dovecot: auth-worker(default): sql(user@example.com,1.2.3.4): Password mismatch
628 - dovecot: Jan 07 14:46:28 Warn: auth(default): userdb(username,::ffff:127.0.0.1): user not found from userdb
629 - dovecot: Mar 13 15:25:07 Info: auth(default): pam(user@example.com,::ffff:1.2.3.4): pam_authenticate() failed: User not known to the underlying authentication module
630 - dovecot: Mar 13 15:25:07 Info: auth(default): passwd-file(user@example.com,::ffff:1.2.3.4): unknown user
631 - Jan 11 03:45:09 hostname dovecot: auth-worker(default): sql(username,1.2.3.4): unknown user
632 - Jan 11 03:42:09 hostname dovecot: auth(default): pam(user@example.com,1.2.3.4): pam_authenticate() failed: User not known to the underlying authentication module
633 - Jul 4 17:30:51 hostname dovecot[2992]: pop3-login: Disconnected: rip=1.2.3.4, lip=1.2.3.5
634 - dovecot: Jun 23 15:04:06 Info: IMAP(username): Disconnected: Logged out bytes=59/566
635 - dovecot: May 31 09:43:57 Info: pop3-login: Aborted login (1 authentication attempts): user=<username>, method=PLAIN, rip=::ffff:1.2.3.4, lip=::ffff:1.2.3.5, secured
636 - Jan 30 09:37:55 hostname dovecot: pop3-login: Aborted login: user=<username>, method=PLAIN, rip=::ffff:1.2.3.4, lip=::ffff:1.2.3.5
639 <decoder name="dovecot">
640 <program_name>^dovecot</program_name>
643 <decoder name="dovecot-success">
644 <parent>dovecot</parent>
645 <prematch offset="after_parent">^\w\w\w\w-login: Login: </prematch>
646 <regex offset="after_prematch">^user=\p(\S+)\p, method=\S+, rip=\S*(\d+.\d+.\d+.\d+), lip=\S*(\d+.\d+.\d+.\d+), (\S*)$</regex>
647 <order>user, srcip, dstip, protocol</order>
650 <decoder name="dovecot-aborted">
651 <parent>dovecot</parent>
652 <prematch offset="after_parent">^\w\w\w\w-login: Aborted login</prematch>
653 <regex offset="after_prematch">: user=\p(\S+)\p, method=\S+, rip=::ffff:(\d+.\d+.\d+.\d+), lip=::ffff:(\d+.\d+.\d+.\d+)$</regex>
654 <order>user, srcip, dstip</order>
657 <decoder name="dovecot-fail">
658 <parent>dovecot</parent>
659 <prematch offset="after_parent">^auth\(default\)|auth-worker\(default\)</prematch>
660 <regex offset="after_prematch">^: \S+\((\S+),(\d+.\d+.\d+.\d+)\)</regex>
661 <order>user, srcip</order>
664 <decoder name="dovecot-disconnect">
665 <parent>dovecot</parent>
666 <prematch offset="after_parent">^\w\w\w\w-login: Disconnected: </prematch>
667 <regex offset="after_prematch">^rip=(\S+), lip=(\d+.\d+.\d+.\d+)</regex>
668 <order>srcip, dstip</order>
674 - Will extract the srcip
676 - valhalla named[7885]: client 192.168.1.231#1142: update 'hayaletgemi.edu/IN' denied
677 - named[12637]: client 1.2.3.4#32769: query (cache) 'somedomain.com/MX/IN' denied
679 <decoder name="named">
680 <program_name>^named</program_name>
683 <decoder name="named_client">
684 <parent>named</parent>
685 <prematch>^client </prematch>
686 <regex offset="after_prematch">^(\d+.\d+.\d+.\d+)#</regex>
690 <decoder name="named_from">
691 <parent>named</parent>
692 <regex offset="after_parent"> from [(\d+.\d+.\d+.\d+)]</regex>
698 <!-- Postfix decoder.
699 - Will extract the srcip
701 - postfix/smtpd[32297]: NOQUEUE: reject: RCPT from unknown[213.255.237.245]: 554
702 <ce101@ce.metu.edu.tr>: Relay access denied; from=<kryonomm@yahoo.com>
703 to=<e10445@jubiipost.dk> proto=SMTP helo=<SM01.net>
704 - postfix/smtpd[27712]: NOQUEUE: reject: MAIL from localhost[127.0.0.1]: 452 Insufficient system storage
707 <decoder name="postfix">
708 <program_name>^postfix</program_name>
711 <decoder name="postfix-reject">
712 <use_own_name>true</use_own_name>
713 <parent>postfix</parent>
714 <prematch>^NOQUEUE: reject: \w\w\w\w from </prematch>
715 <regex offset="after_prematch">[(\d+.\d+.\d+.\d+)]: (\d+) </regex>
716 <order>srcip,id</order>
719 <decoder name="postfix-sasl">
720 <parent>postfix</parent>
721 <prematch>^warning: \S+: SASL </prematch>
722 <regex>^warning: \S+[(\d+.\d+.\d+.\d+)]:</regex>
727 <!-- Sendmail decoder.
728 - Will extract the srcip
730 - sendmail[15806618]: k1SN9pkK15806618: ruleset=check_mail, arg1=<rtreter@qffff.com>,
731 - relay=dsl.static81215198185.ttnet.net.tr [81.215.198.185] (may be forged), reject=553 5.1.8
732 - <rtreter@qffff.com>... Domain of sender address rtreter@qffff.com does not exist
733 - sm-msp-queue[13484]: k5TKj6L5012934: to=root, ctladdr=root (0/0), delay=00:04:00, xdelay=00:00:00, mailer=relay, pri=120112, relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
734 - sendmail[7735]: [ID 801593 mail.notice] k856Hah0007735: ruleset=check_rcpt, arg1=<sc@sd.com>, relay=[216.22.33.7], reject=553 5.3.0 <sc@sd.com>... Spammer 216.22.33.7 usergl@displaytoward.net rejected by RBL:http://www.spamhaus.org/
735 - sm-mta[23868]: k9BEQK0c023868: rejecting commands
736 from [200.121.73.169] [200.121.73.169] due to pre-greeting traffic
737 - sendmail[7818]: j6KKHo2d007818: rejecting commands from sv.e103gng.com [66.62.19.10] due to pre-greeting traffic
739 <decoder name="sendmail-reject">
740 <program_name>^sendmail|^sm-mta|^sm-msp-queue</program_name>
743 <decoder name="sendmail-pre-greeting">
744 <parent>sendmail-reject</parent>
745 <prematch>^\S+: rejecting commands from</prematch>
746 <regex offset="after_prematch">^ \S+ [(\d+.\d+.\d+.\d+)]</regex>
750 <decoder name="sendmail-reject-nodns">
751 <parent>sendmail-reject</parent>
752 <prematch>relay=[</prematch>
753 <regex offset="after_prematch">^(\d+.\d+.\d+.\d+)]</regex>
757 <decoder name="sendmail-reject-dns">
758 <parent>sendmail-reject</parent>
759 <prematch>relay=\S+ [</prematch>
760 <regex offset="after_prematch">^(\d+.\d+.\d+.\d+)]</regex>
767 <!-- SMF-SAV Sendmail Milter decoder.
768 - Will extract the srcip
770 - smf-sav[513]: [ID 987462 mail.notice] sender check failed: <xkyjywqvophshu@mypersonalemail.com>, 125.133.22.112, [125.133.22.112], [00:00:01]
771 - smf-sav[513]: [ID 407019 mail.info] sender check succeeded (cached): <asterisk-users-bounces@lists.digium.com>, 216.207.245.17, lists.digium.com
772 - smf-sav[513]: [ID 987894 mail.notice] sender check tempfailed: <31363****-org@targetedpages.com>, 69.8.190.101, smtp101.tramailer.info, [00:00:05]
773 - smf-sav[1883]: sender check tempfailed (cached): <k@vooC7b>, 87.103.236.97, [87.103.236.97]
774 - smf-sav[1883]: sender check failed (cached): <clahaiclahai@email.iis.com.br
775 >, 91.146.176.140, pool176-140.cable.tolna.net
777 <decoder name="smf-sav-reject">
778 <program_name>^smf-sav</program_name>
779 <prematch>^sender check failed|</prematch>
780 <prematch>^sender check tempfailed</prematch>
781 <regex offset="after_prematch">^ \(cached\): \S+, (\d+.\d+.\d+.\d+),|</regex>
782 <regex>^: \S+, (\d+.\d+.\d+.\d+),</regex>
789 - Will extract the srcip/action
791 - MailScanner[24112]: Message k7B9Mc6b015925 from
792 68.171.145.34 (nilsenator@hotmail.com) to yyyyy.no is spam, SpamAssassin
793 - May 3 16:28:40 jarjar MailScanner[4732]: Message k436SX2M005191 from
794 111.222.111.222 (david@our.domain.org) to our.domain.org is spam
796 - MailScanner[5317]: Message k436dCIW005370 from
797 111.222.111.222 (david@our.domain.org) to another.domain.org is not s
799 - MailScanner[29107]: Message j0EMandY027564 from xxx.xxx.xxx.xxx(xxxxx@xxxxx.ie) to xxxxx.ie is not spam
801 <decoder name="mailscanner">
802 <program_name>^MailScanner</program_name>
805 <decoder name="mailscanner-ip">
806 <parent>mailscanner</parent>
807 <prematch>^Message \S+ from </prematch>
808 <regex offset="after_prematch">^(\d+.\d+.\d+.\d+) \S+ to \S+ is (\w+)</regex>
809 <order>srcip, action</order>
813 <!-- Iptables decoder.
814 - Will extract the srcip, dstip, srcport, dstport, protocol
816 - kernel: FIREWALL_OUT IN= OUT=eth0
817 SRC=192.168.6.57 DST=216.161.248.225 LEN=40 TOS=0x00 PREC=0x00 TTL=64
818 ID=18547 DF PROTO=TCP SPT=46388 DPT=37628 WINDOW=6930 RES=0x00 ACK RST
820 - kernel: IPTABLE IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:03:93:db:2e:b4:08:00
821 SRC=10.4.11.40 DST=255.255.255.255 LEN=180 TOS=0x00 PREC=0x00 TTL=64
822 ID=4753 PROTO=UDP SPT=49320 DPT=2222 LEN=160
823 - kernel: [4475569.016000] IN= OUT=lo SRC=192.168.2.11 DST=192.168.2.11
824 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=49546 DF PROTO=TCP SPT=43068
825 DPT=22 WINDOW=8192 RES=0x00 ACK URGP=0
826 - Aug 17 10:03:37 myhostname kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:08:02:da:c8:51:00:0f:f7:74:31:8a:08:00 SRC=1.2.3.36 DST=1.2.3.194 LEN=28 TOS=0x00 PREC=0x00 TTL=44 ID=60200 PROTO=ICMP TYPE=8 CODE=0 ID=10466 SEQ=21229
828 <decoder name="iptables">
829 <program_name>^kernel</program_name>
832 <decoder name="iptables-1">
833 <parent>iptables</parent>
834 <type>firewall</type>
835 <prematch>^[\d+.\d+] \S+ IN=</prematch>
837 <regex>^[\d+.\d+] (\S+) \.+ SRC=(\S+) DST=(\S+)</regex>
838 <regex> \.+ PROTO=(\w+) </regex>
839 <order>action,srcip,dstip,protocol</order>
842 <decoder name="iptables-1">
843 <parent>iptables</parent>
844 <type>firewall</type>
845 <regex offset="after_regex">^SPT=(\d+) DPT=(\d+) </regex>
846 <order>srcport,dstport</order>
849 <decoder name="iptables-2">
850 <parent>iptables</parent>
851 <type>firewall</type>
852 <prematch>^\S+ IN=</prematch>
854 <regex>^(\S+) \.+ SRC=(\S+) DST=(\S+) \.+ </regex>
855 <regex>PROTO=(\w+) </regex>
856 <order>action,srcip,dstip,protocol</order>
859 <decoder name="iptables-2">
860 <parent>iptables</parent>
861 <type>firewall</type>
862 <regex offset="after_regex">^SPT=(\d+) DPT=(\d+) </regex>
863 <order>srcport,dstport</order>
866 <decoder name="iptables-shorewall">
867 <parent>iptables</parent>
868 <type>firewall</type>
869 <prematch>^Shorewall:\S+:</prematch>
871 <regex offset="after_prematch">^(\S+):\.+ SRC=(\S+) DST=(\S+) \.+ </regex>
872 <regex>PROTO=(\w+) </regex>
873 <order>action,srcip,dstip,protocol</order>
876 <decoder name="iptables-shorewall">
877 <parent>iptables</parent>
878 <type>firewall</type>
879 <regex offset="after_regex">^SPT=(\d+) DPT=(\d+) </regex>
880 <order>srcport,dstport</order>
885 <!-- Solaris IPFilter decoder.
886 - Will extract the action, srcip, srcport, dstip, dstport
888 - ipmon[11523]: [ID 702911 local0.warning] 09:30:39.300795 3x ce0 @0:1
889 b 10.4.0.25,43873 -> 10.4.122.243,22 PR tcp len 20 100 -AP IN
890 - ipmon[11523]: [ID 702911 local0.warning] 09:31:53.285032 hme0 @0:1
891 b 10.4.122.243,138 -> 255.255.255.255,138 PR udp len 20 229 IN mbcast
892 - ipmon[11523]: [ID 702911 local0.notice] 09:30:40.398290 ce0 @0:14
893 p 10.4.122.243,123 -> 10.4.122.16,123 PR udp len 20 76 K-S OUT
895 <decoder name="ipfilter">
896 <type>firewall</type>
897 <program_name>^ipmon</program_name>
898 <regex> (\w) (\d+.\d+.\d+.\d+),(\d+) -> </regex>
899 <regex>(\d+.\d+.\d+.\d+),(\d+) PR (\w+) </regex>
900 <order>action,srcip,srcport,dstip,dstport,protocol</order>
904 <!-- AIX IPSec decoder.
905 - Will extract the action,srcip,dstip,protocol,srcport,dstport
907 - ipsec_logd: #:3 R:p I:10.0.0.99 S:10.0.0.82 D:10.0.0.99
908 P:tcp/ack SP:50349 DP:22 R:l I:en0 F:n T:0 L:88
909 - ipsec_logd: #:1 R:p O:10.0.0.99. S:10.0.0.99 D:10.0.0.25
910 P:udp SP:2063 DP:53 R:l I:en0 F:n T:0 L:81
912 <decoder name="aix-ipsec">
913 <type>firewall</type>
914 <program_name>^ipsec_logd</program_name>
915 <regex> R:(\w) \w:\S+ S:(\d+.\d+.\d+.\d+) </regex>
916 <regex>D:(\d+.\d+.\d+.\d+) P:(\S+) SP:(\d+) DP:(\d+) </regex>
917 <order>action,srcip,dstip,protocol,srcport,dstport</order>
922 <!-- OpenBSD pf decoder (as a plugin - compiled).
923 - Will extract the action,srcip,dstip,protocol,srcport,dstport
925 - Mar 30 15:33:26 enigma pf: Mar 30 15:32:33.483712 rule 2/(match) pass in on xl0: 140.211.166.3.6667 > 192.168.2.10.16290: P 7408:7677(269) ack 1773 win 2520 <nop,nop,timestamp 3960674784 2860123562> (DF)
926 - Mar 30 15:47:05.522341 rule 4/(match) block in on lo0: 127.0.0.1.48784 > 127.0.0.1.23: S 1381529123:1381529123(0) win 16384 <mss 33184,nop,nop,sackOK,nop,wscale 0,[|tcp]> (DF) [tos 0x10]
927 - Mar 30 15:54:22.171929 rule 3/(match) pass out on xl0: 192.168.2.10.1514 > 192.168.2.190.1030: udp 73
928 - Mar 30 15:54:22.174412 rule 3/(match) pass out on xl0: 192.168.2.10.1514 > 192.168.2.190.1030: udp 89
932 <type>firewall</type>
933 <program_name>^pf$</program_name>
934 <plugin_decoder>PF_Decoder</plugin_decoder>
939 <!-- SonicWall decoder.
940 - Will extract action, srcip, dstip, protocol, srcport and dstport
942 - Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:06" fw=1.1.1.1 pri=6 c=262144 m=98 msg="Connection Opened" n=23419 src=2.2.2.2:36701:WAN dst=1.1.1.1:50000:WAN proto=tcp/50000
943 - Jan 3 13:45:36 192.168.5.1 id=firewall sn=000SERIAL time="2007-01-03 14:48:07" fw=1.1.1.1 pri=1 c=32 m=30 msg="Administrator login denied due to bad credentials" n=7 src=2.2.2.2:36701:WAN dst=1.1.1.1:50000:WAN
944 - id=firewall sn=00301E0526B1 time="2004-04-01 10:39:35"
945 fw=67.32.44.2 pri=5 c=64 m=36 msg="TCP connection dropped" n=2686 src=67.101.200.27:4507:WAN dst=67.32.44.2:445:LAN rule=0
947 <decoder name="sonicwall">
948 <type>firewall</type>
949 <prematch>^id=\w+ sn=\w+ time=\S+ \S+ fw=\S+ pri=\d </prematch>
950 <plugin_decoder>SonicWall_Decoder</plugin_decoder>
955 <!-- Netscreen Firewall decoder.
956 - Will extract the action,srcip,dstip,protocol,srcport,dstport
958 - Jan 1 10:02:11 xx ns5gt: NetScreen device_id=ns5gt [No Name]system-notification-00257(traffic): start_time="2006-01-01 10:09:38" duration=0 policy_id=310101 service=tcp/port:1526 proto=6 src zone=Null dst zone=self action=Deny sent=0 rcvd=38 src=10.1.2.3 dst=10.1.1.1 src_port=51350 dst_port=1426
959 - <13>Mar 16 15:27:56 192.168.2.1 ns5gt: NetScreen device_id=ns5gt [No Name]system-notification-00257(traffic): start_time=\"2004-03-16 16:31:22\" duration=0 policy_id=310001 service=tcp/port:120 proto=6 src zone=Null dst zone=self action=Deny sent=0 rcvd=60 src=10.1.1.1 dst=10.1.2.1 src_port=32047 dst_port=22
960 - Jun 2 11:24:16 fire00 sav00: NetScreen device_id=sav00 [Root]system-critical-00436: Large ICMP packet! From 210.232.20.7 to 148.100.114.126, proto 1 (zone Untrust, int ethernet1/2). Occurred 1 times. (2006-06-02 11:24:16)
961 - NetScreen device_id=ns5gt [Root]system-critical-00027: Multiple login failures occurred for user netscreen from IP address 1.2.3.4:1567 (2004-10-07)
963 - ** Program name for netscreen is empty, since it is the hostname.
965 <decoder name="netscreenfw">
967 <prematch>^NetScreen device_id</prematch>
970 <decoder name="netscreenfw-traffic">
971 <parent>netscreenfw</parent>
972 <type>firewall</type>
974 <prematch offset="after_parent">system-notification-00257</prematch>
975 <prematch>\(traffic\): </prematch>
977 <regex offset="after_prematch"> proto=(\w+) \.+action=(\w+) </regex>
978 <regex>\.+src=(\S+) dst=(\S+) src_port=(\d+) dst_port=(\d+)</regex>
979 <order>protocol, action, srcip, dstip, srcport, dstport</order>
982 <decoder name="netscreenfw-critical">
983 <parent>netscreenfw</parent>
984 <prematch offset="after_parent">system-critical-\.+ from |</prematch>
985 <prematch>system-alert-\.+ from </prematch>
987 <regex offset="after_parent">system-(\w+)-(\d+): \.+ </regex>
988 <regex>from\.+(\d+.\d+.\d+.\d+)</regex>
989 <order>action, id, srcip</order>
992 <decoder name="netscreenfw-admin">
993 <parent>netscreenfw</parent>
994 <regex offset="after_parent">system-(\w+)-(\d+):</regex>
995 <order>action, id</order>
1000 - Will extract the srcip, srcport, dstip and dstport whenever possible.
1002 - %PIX-6-106015: Deny TCP (no connection) from 161.58.238.151/110 to a.b.c.d/3782 flags RST ACK
1003 - %PIX-2-106001: Inbound TCP connection denied from 165.139.46.7/3854 to 165.189.27.70/139 flags
1004 - %PIX-3-106010: Deny inbound tcp src outside:213.98.79.233/2620 dst dmz:213.98.254.145/135
1005 - %PIX-3-106011: Deny inbound (No xlate) udp src outside:192.168.2.1/137
1006 dst outside:192.168.2.14/137
1007 - %PIX-3-106011: Deny inbound (No xlate) tcp src inside:10.100.7.43/80 dst
1008 inside:10.100.4.71/2285
1009 - %PIX-3-710003: TCP access denied by ACL from 216.39.220.130/54065 to outside:62.192.113.98/ssh
1010 - %PIX-7-710001: TCP access requested from X.X.X.X/1292 to outside:Y.Y.Y.Y/ssh
1011 - %PIX-7-710002: UDP access permitted from 33.33.33.4/943 to inside:33.33.33.15/snmp
1012 - %PIX-7-710005: UDP request discarded from <public IP of 525>/4500 to outside:192.168.69.137/4500
1013 - %PIX-2-106002 protocol Connection denied by outbound list acl_ID src inside_address dest outside_address
1014 - %PIX-2-106002: udp connection denied by outbound list 30 src 216.53.120.62 138 dest 169.132.10.82 138
1015 - %PIX-4-106023: Deny tcp src inside:111.11.11.1/2143 dst YYY:172.11.1.11/139 by access-group "inside_inbound"
1016 - %PIX-4-400013 IDS:2003 ICMP redirect from 10.4.1.2 to 10.2.1.1 on interface dmz
1017 - %PIX-2-106006: Deny inbound UDP from ***/20031 to ***/20031 on
1019 - %PIX-7-710002: TCP access permitted from 10.0.0.1/60749 to db:10.0.0.2/ssh
1020 - %PIX-6-305012: Teardown dynamic UDP translation from inside:1.1.1.1/12 to outside:1.2.1.2/11 duration 0:00:11.
1021 - %PIX-3-305005: No translation group found for icmp src outside:x.x.x.x dst inside:x.x.x.x (type 3, code 0)
1022 - %ASA-2-106001: Inbound TCP connection denied from 1.2.3.4/1234 to 213.207.99.248/445 flags SYN on interface outside (Message repeated 2 times)
1023 - %PIX-6-605005: Login permitted from 192.168.1.2/2953 to inside:192.168.1.1/telnet for user ""
1024 - %PIX-6-605004: Login denied from 192.168.2.10/32597 to outside:192.168.2.14/ssh for user "root"
1025 - %PIX-6-305011: Built dynamic UDP translation from inside:192.168.1.2/1026 to outside:192.168.2.14/1163
1026 - %PIX-6-305011: Built dynamic TCP translation from inside:192.168.1.3/54946 to outside:192.168.2.14/1033
1027 - %PIX-6-302015: Built outbound UDP connection 156 for outside:192.168.2.10/1514 (192.168.2.10/1514) to inside:192.168.1.2/1026 (192.168.2.14/1163)
1029 <decoder name="pix">
1030 <prematch>^%PIX-|^\w\w\w \d\d \d\d\d\d \d\d:\d\d:\d\d: %PIX-|</prematch>
1031 <prematch>^%ASA-|^\w\w\w \d\d \d\d\d\d \d\d:\d\d:\d\d: %ASA-|</prematch>
1032 <prematch>^%FWSM-|^\w\w\w \d\d \d\d\d\d \d\d:\d\d:\d\d: %FWSM-</prematch>
1035 <decoder name="pix-fw1">
1036 <parent>pix</parent>
1037 <type>firewall</type>
1038 <prematch offset="after_parent">^2-106001</prematch>
1039 <regex offset="after_parent">^(\S+): \w+ (\w+) \S+ (\S+) from </regex>
1040 <regex>(\S+)/(\S+) to (\S+)/(\S+)</regex>
1041 <order>id, protocol, action, srcip, srcport, dstip, dstport</order>
1044 <decoder name="pix-fw2">
1045 <parent>pix</parent>
1046 <type>firewall</type>
1047 <prematch offset="after_parent">^3-710003|^7-710002|^7-710005</prematch>
1048 <regex offset="after_parent">^(\S+): (\S+) \w+ (\w+)\.+from </regex>
1049 <regex>(\S+)/(\S+) to \w+:(\S+)/(\S+)</regex>
1050 <order>id, protocol, action, srcip, srcport, dstip, dstport</order>
1053 <decoder name="pix-fw3">
1054 <parent>pix</parent>
1055 <type>firewall</type>
1056 <prematch offset="after_parent">^4-106023</prematch>
1057 <regex offset="after_parent">^(\S+): (\w+) (\w+) src \w+:</regex>
1058 <regex>(\S+)/(\S+) dst \w+:(\S+)/(\S+)</regex>
1059 <order>id, action, protocol, srcip, srcport, dstip, dstport</order>
1062 <decoder name="pix-fw4">
1063 <parent>pix</parent>
1064 <type>firewall</type>
1065 <prematch offset="after_parent">^4-106019</prematch>
1066 <regex offset="after_parent">^(\S+): IP packet from (\S+) to </regex>
1067 <regex>(\S+), protocol (\w+) (\w+) </regex>
1068 <order>id, srcip, dstip, protocol, action</order>
1071 <decoder name="pix-fw5">
1072 <parent>pix</parent>
1073 <type>firewall</type>
1074 <prematch offset="after_parent">^2-106006|^2-106007</prematch>
1075 <regex offset="after_parent">^(\S+): (\w+) \S+ (\w+) from </regex>
1076 <regex>(\d+.\d+.\d+.\d+)/(\d+) to (\d+.\d+.\d+.\d+)/(\d+) </regex>
1077 <order>id, action, protocol, srcip, srcport, dstip, dstport</order>
1080 <decoder name="pix-fw6">
1081 <parent>pix</parent>
1082 <type>firewall</type>
1083 <prematch offset="after_parent">^6-106015</prematch>
1084 <regex offset="after_parent">^(\S+): (\w+) (\w+) \S+ \S+ (\S+) from </regex>
1085 <regex>(\S+)/(\S+) to (\S+)/(\S+)</regex>
1086 <order>id, action, protocol, srcip, srcport, dstip, dstport</order>
1089 <decoder name="pix-fw7">
1090 <parent>pix</parent>
1091 <type>firewall</type>
1092 <prematch offset="after_parent">^6-305012</prematch>
1093 <regex offset="after_parent">^(\S+): (\w+) \w+ (\w+) translation </regex>
1094 <regex>from \w+:(\S+)/(\d+) to \w+:(\S+)/(\d+) </regex>
1095 <order>id, action, protocol, srcip, srcport, dstip, dstport</order>
1098 <decoder name="pix-fw8">
1099 <parent>pix</parent>
1100 <type>firewall</type>
1101 <prematch offset="after_parent">^3-106011|^3-106010</prematch>
1102 <regex offset="after_parent">^(\S+): (\w+) \.+ (\w+) src </regex>
1103 <regex>\w+:(\S+)/(\d+) dst \w+:(\S+)/(\d+)</regex>
1104 <order>id, action, protocol, srcip, srcport, dstip, dstport</order>
1107 <decoder name="pix-attacks">
1108 <parent>pix</parent>
1109 <prematch offset="after_parent">^2-106012: |^2-106017: |</prematch>
1110 <prematch>^2-106020|^1-106021|^1-106022|</prematch>
1111 <prematch>^4-4000</prematch>
1112 <regex offset="after_parent">^(\S+): \.+ from (\d+.\d+.\d+.\d+) </regex>
1113 <order>id, srcip</order>
1116 <decoder name="pix-srcip">
1117 <parent>pix</parent>
1118 <prematch offset="after_parent">^6-605004|^6-308001|^6-605005</prematch>
1119 <regex offset="after_parent">^(\S+): \.+ (\d+.\d+.\d+.\d+)</regex>
1120 <order>id, srcip</order>
1123 <decoder name="pix-generic">
1124 <parent>pix</parent>
1125 <regex offset="after_parent">^(\S+): </regex>
1131 <!-- Cisco VPN Concentrator
1132 - Will exatract srcip and username.
1135 - Jan 8 09:10:37 vpn.example.com 11504 01/08/2007 09:10:37.780 SEV=3 AUTH/5 RPT=124 192.168.0.1 Authentication rejected: Reason = Unspecified handle = 805, server = auth.example.com, user = testuser, domain = <not specified>
1136 11504 01/08/2007 09:10:37.780 SEV=3
1138 <decoder name="cisco-vpn-concentrator">
1139 <prematch>^\d+ \d\d/\d\d/\d\d\d\d \S+ SEV=\d </prematch>
1140 <regex offset="after_prematch">^(\S+) RPT=\d+ (\d+.\d+.\d+.\d+) </regex>
1141 <order>id, srcip</order>
1147 - Will extract the id, srcip and dstip
1149 - snort: [1:469:3] ICMP PING NMAP [Classification: Attempted Information
1150 Leak] [Priority: 2]: {ICMP} 10.4.12.26 -> 10.4.10.231
1151 - snort: [1:1420:11] SNMP trap tcp [Classification: Attempted Information
1152 Leak] [Priority: 2]: {TCP} 10.4.12.26:37020 -> 10.4.10.231:162
1153 - [**] [1:1054:7] WEB-MISC weblogic/tomcat .jsp view source attempt [**]
1154 [Classification: Web Application Attack]
1155 [Priority: 1] 10.4.12.26:34041 -> 66.179.53.37:80
1156 - [**] [1:1421:11] SNMP AgentX/tcp request [**]
1157 [Classification: Attempted Information Leak] [Priority: 2]
1158 10.4.3.20:626 -> 10.4.10.161:705
1159 - [**] [1:1882:10] ATTACK-RESPONSES id check returned userid [**]
1160 [Classification: Potentially Bad Traffic] [Priority: 2]
1161 {UDP} 192.168.20.32 -> 192.168.20.2
1164 <decoder name="snort">
1165 <program_name>^snort</program_name>
1168 <decoder name="snort">
1170 <prematch>^[**] [\d+:\d+:\d+] </prematch>
1173 <decoder name="snort2">
1174 <parent>snort</parent>
1176 <prematch>^[**] |^[\d+:\d+:\d+] </prematch>
1177 <regex>^[**] [(\d+:\d+:\d+)] \.+ (\d+.\d+.\d+.\d+)\p*\d* -> </regex>
1178 <regex>(\d+.\d+.\d+.\d+)|^[(\d+:\d+:\d+)] \.+ </regex>
1179 <regex>(\d+.\d+.\d+.\d+)\p*\d* -> (\d+.\d+.\d+.\d+)</regex>
1180 <order>id,srcip,dstip</order>
1181 <fts>name,id,srcip,dstip</fts>
1186 <!-- Suhosin decoder.
1187 - Will extract the attack name and srcip.
1189 - suhosin[76366]: ALERT - canary mismatch on efree() - heap overflow detected (attacker '200.139.164.149', file 'xyz')
1190 - suhosin[24239]: ALERT - configured request variable value length limit exceeded - dropped variable 'introtext' (attacker '192.168.1.2', file '/var/www/site/administrator/index2.php')
1191 - suhosin[32150]: ALERT - configured POST variable limit exceeded - dropped variable 'setting[sg_allow_delete_empty_group]' (attacker '32.104.x.y', file '/home/htdocs/admincp/options.php')
1193 <decoder name="suhosin">
1194 <program_name>^suhosin</program_name>
1196 <regex>^ALERT - (\.+) \(attacker '(\d+.\d+.\d+.\d+)', </regex>
1197 <order>id, srcip</order>
1198 <fts>name, location, id</fts>
1204 - Will extract srcip, dstip and id
1206 - 2007-02-24 00:07:30|xx-ids|MS:MDTC-DOS|1.2.3.4|5.6.7.8|123|456|I||6|tcp,xx
1209 <decoder name="dragon-nids">
1211 <prematch>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d\|</prematch>
1212 <regex offset="after_prematch">^\S+\|(\S+)\|</regex>
1213 <regex>(\d+.\d+.\d+.\d+)\|(\d+.\d+.\d+.\d+)\|</regex>
1214 <order>id, srcip, dstip</order>
1215 <fts>name, id, srcip, dstip</fts>
1221 - Will extract: username and srcip.
1223 - [notice] [imp] Login success for raphaelv@xx [100.121.170.41] to {a.b.c:143} [on line 92 of "/home/webmail/horde/imp/redirect.php"]
1224 - [error] [imp] FAILED LOGIN 210.179.154.213 to xxx:143[imap] as mala1
1226 <decoder name="horde_imp">
1227 <prematch>^[\w+] [imp] |^[\w+] [horde] </prematch>
1230 <decoder name="horde_imp_success">
1231 <parent>horde_imp</parent>
1232 <prematch offset="after_parent">^Login success </prematch>
1233 <regex offset="after_prematch">^for (\S+) [(\d+.\d+.\d+.\d+)] </regex>
1234 <order>user, srcip</order>
1237 <decoder name="horde_imp_failed">
1238 <parent>horde_imp</parent>
1239 <prematch offset="after_parent">^FAILED LOGIN</prematch>
1240 <regex offset="after_prematch">^ (\d+.\d+.\d+.\d+) to \S+ as (\S+) </regex>
1241 <order>srcip, user</order>
1246 <!-- Wordpress decoder.
1247 - It needs the WPsyslog2 plugin.
1249 - WPsyslog[14382]: [127.0.0.1 na] Info: User authentication failed. User name: lala
1250 - WPsyslog[14382]: [127.0.0.1 na] Info: User logged in. User name: admin (admin).
1252 <decoder name="wordpress">
1253 <program_name>^WPsyslog</program_name>
1254 <prematch>^[</prematch>
1255 <regex offset="after_prematch">^(\d+.\d+.\d+.\d+) </regex>
1256 <order>srcip</order>
1261 <!-- Roundcube decoder
1262 - Will extract username and src IP from the logs, when available.
1264 - Apr 10 22:45:20 hostname roundcube: [10-Apr-2009 22:45:20 -0500] IMAP
1265 Error: Authentication for username failed (LOGIN): "a001 NO Authentication
1266 failed." (POST /roundcube/?_task=&_action=login)
1267 - Apr 10 23:01:23 hostname roundcube: [10-Apr-2009 23:01:23 -0500]:
1268 Successful login for username (id 1) from 127.0.0.1
1270 <decoder name="roundcube">
1271 <program_name>^roundcube</program_name>
1272 <prematch>^[\d\d-\w\w\w-\d\d\d\d \d\d:\d\d:\d\d \S+]</prematch>
1275 <decoder name="roundcube-success">
1276 <parent>roundcube</parent>
1277 <prematch>^: Successful login for </prematch>
1278 <regex offset="after_prematch">^(\S+) \(id \d+\) from (\d+.\d+.\d+.\d+)$</regex>
1279 <order>user, srcip</order>
1282 <decoder name="roundcube-denied">
1283 <parent>roundcube</parent>
1284 <prematch>^ \w+ Error: Authentication </prematch>
1285 <regex offset="after_prematch">^for (\.+) failed</regex>
1291 <!-- Apache decoder.
1292 - Will extract the srcip
1294 - [error] [client 80.230.208.105] Directory index forbidden by rule: /home/
1295 - [error] [client 64.94.163.159] Client sent malformed Host header
1296 - [error] [client 66.31.142.16] File does not exist: /var/www/html/default.ida
1297 - [notice] Apache configured
1298 - httpd[18660]: [error] [client 12.34.56.78] File does not exist: /usr/local/htdocs/cache
1299 - httpd[23745]: [error] [client 12.34.56.78] PHP Notice:
1301 <decoder name="apache-errorlog">
1302 <program_name>^httpd</program_name>
1305 <decoder name="apache-errorlog">
1306 <prematch>^[warn] |^[notice] |^[error] </prematch>
1309 <decoder name="apache-errorlog-ip">
1310 <parent>apache-errorlog</parent>
1312 <prematch offset="after_parent">^[client</prematch>
1313 <regex offset="after_prematch">^ (\d+.\d+.\d+.\d+)] </regex>
1314 <order>srcip</order>
1320 <!-- Nginx error log decoder.
1321 - Will extract the srcip.
1323 - 2009/09/15 20:55:40 [error] 63858#0: *3663 open() "/srv/www/ossec.net/robots.txt" failed (2: No such file or directory), client: 1.2.3.4, server: ossec.net, request: "GET /robots.txt HTTP/1.1", host: "www.ossec.net"
1324 - 2009/09/15 19:51:07 [error] 37992#0: accept() failed (53: Software caused connection abort)
1326 <decoder name="nginx-errorlog">
1327 <prematch>^20\d\d/\d\d/\d\d \d\d:\d\d:\d\d [</prematch>
1330 <decoder name="nginx-errorlog-ip">
1331 <parent>nginx-errorlog</parent>
1332 <prematch offset="after_parent">, client: \S+, server: \S+, request: "\S+ </prematch>
1333 <regex offset="after_parent">, client: (\d+.\d+.\d+.\d+), </regex>
1334 <order>srcip</order>
1340 <!-- NCSA common log decoder (used by apache, Lotus Domino and IIS NCSA).
1341 - Will extract the srcip, url and id.
1342 - Every web access log must use "web-log" as their
1343 - type if they want to be matched against the web rules.
1345 - 63.91.167.39 - - [03/Aug/2001:21:56:18 -0700] "GET /default.ida?NNNN
1346 - 206.78.62.16 - - [06/Aug/2001:08:57:08 -0700] "GET /default.ida?XX
1347 - 5.211.112.6 - - [04/Feb/2003:16:17:30 -0500] "GET /mod_ssl:error:
1348 - 192.168.2.190 - - [18/Jan/2006:13:10:06 -0500] "GET /xxx.html HTTP/1.1"
1350 - 1.1.1.1 - username [18/Jan/2006:13:10:06 -0500] "GET /xxx.html HTTP/1.1"
1351 - 123.4.5.6 aa.xx.com - [05/Nov/2006:00:46:56 -0500] "GET / HTTP/1.1" 302 -
1353 <decoder name="web-accesslog">
1354 <type>web-log</type>
1355 <prematch>^\d+.\d+.\d+.\d+ </prematch>
1356 <regex>^(\d+.\d+.\d+.\d+) \S+ \S+ [\S+ \S\d+] </regex>
1357 <regex>"\w+ (\S+) HTTP\S+ (\d+) </regex>
1358 <order>srcip, url, id</order>
1362 <!-- Windows date format.
1363 - Pre match for windows date format. Used on Windows firewall,
1366 - 2006-07-23 04:40:02 xxx
1368 <decoder name="windows-date-format">
1369 <prematch>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d </prematch>
1374 <!-- Windows firewall decoder.
1375 - Will extract action, protocol, srcip, dstip, srcport and dstport.
1377 - 2006-09-18 22:25:30 OPEN TCP 11.12.72.10 12.252.71.6 3311 445 - - - - - - - - -
1378 - 2006-09-18 22:26:23 DROP UDP 11.152.183.14 239.255.255.250 65299 1900 310 - - - - - - - RECEIVE
1379 - 2006-09-18 22:26:23 DROP UDP 11.152.183.14 239.255.255.250 65299 1900 310 - - - - - - - RECEIVE
1380 - 2006-09-18 22:26:23 DROP UDP 11.152.183.14 239.255.255.250 65298 1900 319 - - - - - - - RECEIVE
1382 <decoder name="windows-firewall">
1383 <parent>windows-date-format</parent>
1384 <type>firewall</type>
1385 <use_own_name>true</use_own_name>
1386 <prematch offset="after_parent">^OPEN|^CLOSE|^DROP</prematch>
1387 <regex offset="after_parent">^(\w+) (\w+) </regex>
1388 <regex>(\S+) (\S+) (\d+) (\d+) </regex>
1389 <order>action, protocol, srcip, dstip, srcport, dstport</order>
1393 <!-- IIS 5 WWW W3C log format.
1394 - #Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs-host cs(User-Agent) cs(Referer)
1396 - 2006-07-23 04:40:02 1.2.3.4 - W3SVC3 CIN1WEB03 1.2.3.4 443 GET /Default.asp - 200 hiden.com Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+Avant+Browser;+Avant+Browser;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727) -
1398 <decoder name="web-accesslog-iis5">
1399 <parent>windows-date-format</parent>
1400 <type>web-log</type>
1401 <use_own_name>true</use_own_name>
1402 <prematch offset="after_parent">^\d+.\d+.\d+.\d+ \S+ W3SVC</prematch>
1403 <regex offset="after_parent">^(\d+.\d+.\d+.\d+) \S+ \S+ \S+ \S+ </regex>
1404 <regex>\d+ \S+ (\S+ \S+) (\d+) </regex>
1405 <order>srcip,url,id</order>
1409 <!-- IIS6 WWW W3C log format.
1410 - #Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem
1411 cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent)
1412 cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status
1413 sc-bytes cs-bytes time-taken
1415 - 2007-01-22 05:00:11 W3SVC1 HOSTNAME 1.1.1.1 POST /SimpleAuthWebService/SimpleAuth.asmx - 80 - 2.2.2.2 HTTP/1.1 Windows-Update-Agent - - hostname 200 0 0 1467 841 31
1417 <decoder name="web-accesslog-iis6">
1418 <parent>windows-date-format</parent>
1419 <type>web-log</type>
1420 <use_own_name>true</use_own_name>
1421 <prematch offset="after_parent">^W3SVC\d+ \S+ \S+ \S+ </prematch>
1422 <regex offset="after_prematch">^(\S+ \S+) \d+ \S+ (\d+.\d+.\d+.\d+) </regex>
1423 <regex>\S+ \S+ \S+ \S+ \S+ (\d+) </regex>
1424 <order>url, srcip, id</order>
1428 <!-- IIS 5 W3C FTP log format.
1430 - #Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
1431 - 2006-07-23 17:57:59 192.168.3.64 Administrator MSFTPSVC1 HAIJO2 192.168.1.12 21 [144]USER Administrator - 331 0 0 0 0 FTP - - - -
1432 - 2006-07-23 17:57:59 192.168.3.64 Administrator MSFTPSVC1 HAIJO2 192.168.1.12 21 [144]PASS - - 230 0 0 0 16 FTP - - - -
1434 <decoder name="msftp">
1435 <parent>windows-date-format</parent>
1436 <use_own_name>true</use_own_name>
1437 <prematch offset="after_parent">^\d+.\d+.\d+.\d+ \S+ MSFTPSVC</prematch>
1438 <regex offset="after_parent">^(\d+.\d+.\d+.\d+) (\S+) \S+ \S+ \S+ </regex>
1439 <regex>\d+ [\d+](\S+) \S+ \S+ (\d+) </regex>
1440 <order>srcip,user,action,id</order>
1445 <!-- IIS 5 W3C SMTP log format (Exchange).
1447 - #Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
1448 - 2006-10-09 14:04:46 69.217.186.117 - SMTPSVC1 MEE-PDC 192.168.X.X 0 xxxx -
1449 > +hupylaw.hupy.local 500 0 32 23 0 SMTP - - - -
1451 <decoder name="msexchange">
1452 <parent>windows-date-format</parent>
1453 <use_own_name>true</use_own_name>
1454 <prematch offset="after_parent">^\d+.\d+.\d+.\d+ \S+ SMTPSVC</prematch>
1455 <regex offset="after_parent">^(\d+.\d+.\d+.\d+) \S+ \S+ \S+ \S+ </regex>
1456 <regex>\d+ (\S+) \S+ \S+ (\d+) </regex>
1457 <order>srcip, action, id</order>
1463 - Extract id (error or info) and ip address whenever possible.
1464 - 2006-08-08 01:42:09: ERROR: couldn't find the pskey for 222.155.15.88.
1467 <decoder name="racoon">
1468 <prematch>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d: </prematch>
1471 <decoder name="racoon-failed">
1472 <parent>racoon</parent>
1473 <use_own_name>true</use_own_name>
1475 <prematch offset="after_parent">^ERROR: couldn't find the pskey </prematch>
1476 <regex offset="after_prematch">^for (\d+.\d+.\d+.\d+)</regex>
1477 <order>srcip</order>
1480 <decoder name="racoon-action">
1481 <parent>racoon</parent>
1482 <regex offset="after_parent">^(\w+): </regex>
1483 <order>action</order>
1488 <!-- Squid access log decoder.
1489 - Will extract the srcip.
1490 - Author: Ahmet Ozturk
1492 - 1140701044.525 1231 192.168.1.201 TCP_DENIED/400 1536
1493 GET ahmet - NONE/- text/html
1494 - 1140701230.827 781 192.168.1.210 TCP_DENIED/407 1785
1495 GET http://www.ossec.net oahmet NONE/- text/html
1497 <decoder name="squid-accesslog">
1499 <prematch>^\d+ \d+.\d+.\d+.\d+ </prematch>
1500 <regex>^\d+ (\d+.\d+.\d+.\d+) (\w+)/(\d+) \d+ \w+ (\S+) </regex>
1501 <order>srcip,action,id,url</order>
1505 <!-- Windows decoder
1506 - Will extract extra_data (as win source),action (as win category), id,
1507 - username and computer name (as system_name).
1509 - WinEvtLog: Application: INFORMATION(0x00000064): ESENT:
1510 (no user)(no domain):
1511 - WinEvtLog: Security: AUDIT_FAILURE(0x000002A9): Security:
1512 SYSTEM: NT AUTHORITY: The logon to account: xyz by:
1513 MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: la failed.
1514 The error code was: 3221225572
1515 - WinEvtLog: Security: AUDIT_FAILURE(0x00000211): Security:
1516 SYSTEM: NT AUTHORITY: Logon Failure: Reason: Unknown user
1517 name or bad password User Name: ab Domain: cd
1518 Logon Type: 2 Logon Process: User32 Authentication
1519 Package: Negotiate Workstation Name: ad
1520 - WinEvtLog: Security: AUDIT_SUCCESS(538): Security: lac: OSSEC-HM: OSSEC-HM: User Logoff: User Name: lac Domain: OSSEC-HM Logon ID: (0x0,0x7C966E) Logon Type: 2
1522 <decoder name="windows">
1523 <type>windows</type>
1524 <prematch>^WinEvtLog: </prematch>
1525 <regex offset="after_prematch">^\.+: (\w+)\((\d+)\): (\.+): </regex>
1526 <regex>(\.+): \.+: (\S+): </regex>
1527 <order>status, id, extra_data, user, system_name</order>
1528 <fts>name, location, user, system_name</fts>
1532 <!-- Windows decoder -NTsyslog format
1533 - Will extract extra_data (as win source),action (as win category), id,
1534 - username and computer name (as url).
1536 - security[failure] 577 IBM17M\Jeremy Lee Privileged Service Called: Server:Security Service:- Primary User Name:IBM17M$ Primary Domain:LEETHERNET Primary Logon ID:(0x0,0x3E7) Client User Name:Jeremy Lee Client Domain:IBM17M Client Logon ID:(0x0,0x1447F) Privileges:SeSecurityPrivilege
1537 - security[success] 528 IBM17M\Jeremy Lee Successful Logon: User Name:Jeremy Lee Domain:IBM17M Logon ID:(0x0,0x3A2E471) Logon Type:2 Logon Process:User32 Authentication Package:Negotiate Workstation Name:IBM17M Logon GUID: {00000000-0000-0000-0000-000000000000}
1539 <decoder name="windows-ntsyslog">
1540 <type>windows</type>
1541 <prematch>^security[\w+] \d+ </prematch>
1542 <regex>^(\w+)[(\w+)] (\d+) </regex>
1543 <order>extra_data, status, id</order>
1547 <!-- Windows decoder - Snare format.
1548 - Will extract extra_data (as win source), action (as category), id,
1549 - username and computer name (as system_name).
1551 - These logs must be tab-separated (as specified in the Snare format)
1554 - Aug 11 11:11:11 xx.org MSWinEventLog 1 System 59221 Thu Aug 11 01:11:11 2006 17 Windows Update Agent Unknown User
1555 - Jan 16 05:52:15 hostname.xx.org MSWinEventLog 1
1556 Security 13049 Tue Jan 16 05:52:15 2007 680 Security
1557 SYSTEM User Success Audit ACTUATE Account Logon
1558 Account Used for Logon by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
1559 Account Name: IUSR_HOSTNAME Workstation: ACTUATE
1561 - Jan 16 13:02:24 hostname.yy.org MSWinEventLog 1
1562 Application 14539 Tue Jan 16 13:02:24 2007 1704 SceCli
1563 Unknown User N/A Information ACTUATE None Security
1564 policy in the Group policy objects are applied successfully. 67
1565 - Jan 16 15:41:37 hostname.zz.org MSWinEventLog 1 System
1566 15059 Tue Jan 16 15:41:37 2007 10 Print username User
1567 Information HOSTNAME None Document 76,
1568 /directory/directory/directory/directory/directory/date/Afilename owned
1569 by username was printed on hostname_duplex via port hostname_duplex.
1570 Size in bytes: 19543296; pages printed: 162 361
1572 <decoder name="windows-snare">
1573 <type>windows</type>
1574 <prematch>^MSWinEventLog\t\d\t\.+\t\d+\t\w\w\S+ \w\w\w \d\d \d\d</prematch>
1575 <regex offset="after_prematch">^:\d\d:\d\d \d\d\d\d\t(\d+)\t(\.+)</regex>
1576 <regex>\t(\.+)\t\.+\t(\.+)\t(\.+)\t</regex>
1577 <order>id, extra_data, user, status, system_name</order>
1578 <fts>name, id, location, user, system_name</fts>
1582 <!-- Symantec AV decoder.
1583 - Source: http://www.ossec.net/wiki/index.php/Symantec_Antivirus
1585 - 24090D00000A,4,3,7,ACMELABS-SRV2,SYSTEM,,,,,,,16777216,"Update to computer ACMELABS-LU2K3 of virus definition file 81011r succeeded.",0,,0,,,,,0,,,,,,,,,,,,,(IP)-192.168.49.66,ACMELABSav,ACMELABS,,8.1.825
1586 - 24090D00000F,4,3,7,ACMELABS-SRV2,SYSTEM,,,,,,,16777216,"Update to computer ACMELABS-APPS-BOX4 of virus definition file 81011r succeeded.",0,,0,,,,,0,,,,,,,,,,,,,(IP)-192.168.49.66,ACMELABSav,ACMELABS,,8.1.825
1587 - 240801012128,5,1,720997,RBLWAP,SYSTEM,Trojan.Zlob,C:\WINDOWS\system32\ld100.tmp,5,4,4,256,570441764,"",0,,0,,0,4254,0,0,0,0,0,0,20060830.022,58100,2,4,0,acme-AVSRV,{579642AA-5A5E-46E1-8613-2289349D1F27},,(IP)-192.168.100.237,acmeav,acme,,8.1.825
1589 <decoder name="symantec-av">
1590 <prematch>^\w\w\w\w\w\w\w\w\w\w\w\w,</prematch>
1591 <regex offset="after_prematch">^(\d+),\d+,\d+,(\S+),(\.+),</regex>
1592 <order>id, system_name, extra_data</order>
1593 <fts>name, location, id, system_name, extra_data</fts>
1597 <!-- Symantec Web Security.
1598 - Source: http://www.ossec.net/wiki/index.php/Symantec_Websecurity
1600 - 20070717,30517,1=3,41=SWS-3.0.1.86/vendor-config,100=Version 3.0.6,3=7,2=29
1601 - 20070717,73556,1=5,100=Logoff due to timeout.,11=1.2.3.4,10=usera,3=1,2=2
1602 20070717,73559,1=5,11=2.3.4.5,10=userb,3=2,2=1
1604 <decoder name="symantec-websecurity">
1605 <prematch>^\d\d\d\d\d\d\d\d,\d\d\d+,</prematch>
1606 <plugin_decoder>SymantecWS_Decoder</plugin_decoder>
1611 <!-- Trend Micro OSCE (Office Scan) decoder.
1612 - 20090716<;>948<;>TROJ_Generic.DIT<;>25<;>3<;>0<;>C:\Documents and Settings\Administrator\Desktop\HyperSnap 6.02.01_EN\HprSnap6Man.chm<;>
1613 - 20090716<;>950<;>WORM_DOWNAD.A<;>1<;>3<;>0<;>C:\Documents and Settings\DCS_VM-ICRC-WFBS6\Local Settings\Temporary Internet Files\Content.IE5\9JK3DN67\sitb[1].jpg<;>
1614 - 20090716<;>951<;>WORM_DOWNAD.A<;>1<;>3<;>0<;>C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\9JK3DN67\sitb[1].jpg<;>
1615 - Date<;>Time<;>Virus name<;>Scan result<;>Scan type<;>Seen<;>Filename<;>
1616 - We are only extracting the scan result right now.
1618 <decoder name="trend-osce">
1619 <prematch>^20\d\d\d\d\d\d\<;></prematch>
1620 <regex offset="after_prematch">^\d+\<;>\S+\<;>(\d+)\<;</regex>
1627 - Deals with ossec internal messages.
1629 <decoder name="ossec">
1630 <prematch>^ossec: </prematch>
1634 <decoder name="ossec-agent">
1635 <parent>ossec</parent>
1637 <prematch offset="after_parent">^Agent started:</prematch>
1638 <regex offset="after_prematch">^ '(\S+)'</regex>
1639 <order>extra_data</order>
1640 <fts>name, location, extra_data</fts>
1643 <decoder name="ossec-alert">
1644 <program_name>^ossec$</program_name>
1645 <plugin_decoder>OSSECAlert_Decoder</plugin_decoder>
1651 - Will extract the severity and the srcip/username when available.
1653 - [08/Aug/2006:22:32:12 +0100] WARN:admin:Authentication failure, url=/index.cgi, host=xx.yy.com, user=admin
1654 - [10/Dec/2006:16:59:26 +0000] INFO:Zeus Admin Server running
1656 <decoder name="zeus">
1657 <prematch>^[\d\d/\w\w\w/\d\d\d\d:\d\d:\d\d:\d\d \S+] </prematch>
1658 <regex offset="after_prematch"> host=(\S+), </regex>
1659 <order>srcip</order>
1664 <!-- Vmware ESX logs.
1665 - Will extract the severity and username/ip when availavle.
1667 - [2008-03-09 22:43:35.924 'ha-eventmgr' 84503472 info] Event 2053 : User root@127.0.0.1 logged in
1668 - [2008-02-05 02:13:18.112 'ha-eventmgr' 95833272 info] Event xyz : User m@1.2.3.4 logged in
1669 - [2008-08-26 11:06:16.359 'ha-eventmgr' 20532144 info] Event 285 : Failed login attempt for root@127.0.0.1
1670 - Aug 25 06:01:10 hostname vmware-hostd[1863]: Accepted password for user root from 127.0.0.1
1671 - Aug 7 11:05:34 localhost vmware-authd[9709]: login from 172.16.129.78 as 523b717c-4542-f5fc-c006-1644eb8f4330
1672 - Aug 26 11:42:29 localhost vmware-hostd[1863]: Rejected password for user blablabla from 127.0.0.1
1674 <decoder name="vmware">
1675 <prematch>^[\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d.\d\d\d '\S+' \d+ </prematch>
1678 <decoder name="vmware-extra">
1679 <parent>vmware</parent>
1680 <regex offset="after_parent">^(\w+)] \S+ \S+ </regex>
1681 <order>status</order>
1684 <decoder name="vmware-extra">
1685 <parent>vmware</parent>
1686 <regex offset="after_regex">^: User (\w+)@(\d+.\d+.\d+.\d+)</regex>
1687 <regex> logged |^: Failed login \w+ for (\w+)@(\d+.\d+.\d+.\d+)</regex>
1688 <order>user, srcip</order>
1691 <decoder name="vmware-syslog">
1692 <program_name>vmware</program_name>
1695 <decoder name="vmware-success">
1696 <parent>vmware-syslog</parent>
1697 <prematch>^Accepted|^Rejected</prematch>
1698 <regex offset="after_prematch">^ \S+ for user (\S+) from (\S+)$</regex>
1699 <order>user, srcip</order>
1702 <decoder name="vmware-login">
1703 <parent>vmware-syslog</parent>
1704 <prematch>^login from </prematch>
1705 <regex offset="after_prematch">^(\S+) as</regex>
1706 <order>srcip</order>
1713 - Nov 21 15:12:56 unknown audit: [ID 905220 audit.notice] system booted
1715 - Nov 21 15:16:22 unknown audit: [ID 984917 audit.notice] login - telnet
1716 failed session 2740580090 by root as root:root from 1.254.168.192
1717 - failed session 2740580090 by root as root:root from 1.254.168.192
1718 - ok session 347344759 by 500959152 as root:root from 3.11.8.4 obj
1720 <decoder name="solaris_bsm">
1721 <program_name>^audit$</program_name>
1724 <decoder name="solaris_bsm_session">
1725 <parent>solaris_bsm</parent>
1726 <prematch> \w+ session \d+ by </prematch>
1727 <regex> (\w+) session \d+ by</regex>
1728 <order>status</order>
1731 <decoder name="solaris_bsm_session">
1732 <parent>solaris_bsm</parent>
1733 <regex offset="after_regex">^ \S+ as \S+:\S+ from (\S+)</regex>
1734 <order>srcip</order>
1741 - Dec 16 18:02:04 asterisk1 asterisk[31774]: NOTICE[31787]:
1742 chan_sip.c:11242 in handle_request_register: Registration from
1743 '"503"<sip:503@192.168.1.107>' failed for '192.168.1.137' - Wrong
1746 <decoder name="asterisk">
1747 <program_name>^asterisk</program_name>
1750 <decoder name="asterisk-denied">
1751 <parent>asterisk</parent>
1752 <prematch>^NOTICE[\d+]: \S+ in \S+: Registration from </prematch>
1753 <regex offset="after_prematch">^\S+ failed for '(\d+.\d+.\d+.\d+)'</regex>
1754 <order>srcip</order>
1760 - Group for Cisco IOS messages.
1761 - We would need to support multiple formats, but currently we require
1762 - no service time stamp and no sequence-numbers.
1764 - Aug 17 17:41:26 xyz.com 681: Aug 17 17:41:24.776 AEST: %SEC-6-IPACCESSLOGS: list 30 denied 124.254.75.141 1 packet
1765 - Aug 20 11:33:41 RouterName 696: %SYS-5-CONFIG_I: Configured from
1766 console by admin on vty0 (210.x.x.12)
1767 - 681: Aug 17 17:41:24.776 AEST: %SEC-6-IPACCESSLOGS:
1768 - 1348: .Jun 12 18:22:22 UTC: %SYS-5-CONFIG_I:
1769 - 1348: *Jun 12 18:22:22 UTC: %SYS-5-CONFIG_I:
1770 - 23: May 3 05:15:25.217 UTC: %SEC-6-IPACCESSLOGP:
1772 "^%\w+-\d-\w+: |^\S\w\w+ \.\d \d\d:\S+ \w+: %\w+-\d-\w+:"
1774 <decoder name="cisco-ios">
1775 <prematch>^%\w+-\d-\w+: </prematch>
1778 <decoder name="cisco-ios">
1780 <prematch>^%\w+-\d-\w+: </prematch>
1785 - Will extract the action, srcip, srcport, dstip and dstport
1788 - %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.0.6.56(3067) -> 172.36.4.7(139), 1 packet
1789 - %SEC-6-IPACCESSLOGP: list 199 denied tcp 10.0.61.108(1477) -> 10.0.127.20(445), 1 packet
1791 <decoder name="cisco-ios-acl">
1792 <parent>cisco-ios</parent>
1793 <type>firewall</type>
1794 <prematch>^%SEC-6-IPACCESSLOGP: </prematch>
1795 <regex offset="after_prematch">^list \S+ (\w+) (\w+) </regex>
1796 <regex>(\S+)\((\d+)\) -> (\S+)\((\d+)\),</regex>
1797 <order>action, protocol, srcip, srcport, dstip, dstport</order>
1801 <!-- Cisco IOS IDS/IPS module
1802 - Will extract the id, srcip, srcport, dstip and dstport
1803 - Sep 1 10:25:29 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.11:51654 -> 10.10.10.10:4444]
1804 - Sep 1 10:25:29 10.10.10.1 %IPS-4-SIGNATURE: Sig:3051 Subsig:1 Sev:4 TCP Connection Window Size DoS [192.168.100.11:60797 -> 10.10.10.10:80]
1805 - Sep 1 10:25:29 10.10.10.1 %IPS-4-SIGNATURE: Sig:5123 Subsig:2 Sev:5 WWW IIS Internet Printing Overflow [192.168.100.11:60797 -> 10.10.10.10:80]
1807 <decoder name="cisco-ios-ids">
1808 <parent>cisco-ios</parent>
1810 <prematch>^%IPS-4-SIGNATURE: </prematch>
1811 <regex offset="after_prematch">^Sig:(\d+) \.+[(\S+):(\d+) -> </regex>
1812 <regex>(\S+):(\d+)]</regex>
1813 <order>id, srcip, srcport, dstip, dstport</order>
1814 <fts>name, id, srcip, dstip</fts>
1815 <ftscomment>First time Cisco IOS IDS/IPS module rule fired.</ftscomment>
1820 - Extracts the ID of cisco ios messages.
1822 <decoder name="cisco-ios-generic">
1823 <parent>cisco-ios</parent>
1824 <regex>^(%\w+-\d-\w+): </regex>
1830 <!-- Checkpoint via syslog decoder.
1831 - Does not currently handle all types of Checkpoint events.
1832 - Checkpoint NG(X)/FW-1 logs via (Linux) syslog
1833 - Ex. fw log -ftnp fw.log | logger -t Checkpoint
1836 - -f select current log file
1838 - -n use ip instead of name
1839 - -p use port number instead of name
1841 - -l add date before timestamp
1842 - Use of -l changes log format slightly
1844 - -g without : and ; delimiters
1845 - use of -g significantly changes log format
1846 - this decoder is incompatible with -g
1849 - -t <tag> prepends "tag: " to log entry
1850 - the tag here must match "program name" in the decoder
1854 - Checkpoint: 21Aug2007 12:00:00 accept 10.10.10.2 >eth0 rule: 100; rule_uid:
1855 {00000000-0000-0000-0000-000000000000}; service_id: nbdatagram; src:
1856 10.10.10.3; dst: 10.10.10.255; proto: udp; product: VPN-1 & FireWall-1;
1857 service: 138; s_port: 138;
1859 - Checkpoint: 13:00:00 accept 10.10.10.2 >eth0 rule: 101; rule_uid:
1860 {00000000-0000-0000-0000-000000000000}; service_id: http; src: 10.10.10.3; dst:
1861 10.1.2.3; proto: tcp; product: VPN-1 & FireWall-1; service: 80; s_port: 1111;
1863 - Checkpoint: 21Aug2007 14:49:26 drop 10.10.10.1 >eth4 rule: 102; rule_uid:
1864 {00000000-0000-0000-0000-000000000000}; ICMP: Echo Request; src: 10.10.10.2;
1865 dst: 10.10.10.3; proto: icmp; ICMP Type: 8; ICMP Code: 0; product: VPN-1 &
1868 - Checkpoint: 3Apr2008 15:02:15 monitor 10.10.10.3 >eth2 Attack Info: Line
1869 in HTTP request too long; attack: Malformed HTTP; src: 10.10.10.4; dst:
1870 10.10.10.5; proto: tcp; product: SmartDefense; service: 111; s_port: 222;
1873 <!-- \s+\S+ \d\d:\d\d:\d\d (\w+) \d+.\d+.\d+.\d+ \p\S+ rule: -->
1874 <decoder name="checkpoint-syslog">
1875 <program_name>^Checkpoint</program_name>
1876 <prematch>^\s+\S+ \d\d:\d\d:\d\d </prematch>
1879 <decoder name="checkpoint-syslog-fw">
1880 <parent>checkpoint-syslog</parent>
1881 <type>firewall</type>
1882 <prematch offset="after_parent">^drop|^accept|^reject</prematch>
1883 <regex offset="after_parent">^(\w+)\s+\S+ \p\S+ rule:\.+</regex>
1884 <regex>src: (\d+.\d+.\d+.\d+); dst: (\d+.\d+.\d+.\d+); proto: (\S+);</regex>
1885 <order>action,srcip,dstip,protocol</order>
1888 <decoder name="checkpoint-syslog-fw">
1889 <parent>checkpoint-syslog</parent>
1890 <type>firewall</type>
1891 <regex offset="after_regex">service: (\d+); s_port: (\d+);</regex>
1892 <order>dstport,srcport</order>
1895 <decoder name="checkpoint-syslog-ids">
1896 <parent>checkpoint-syslog</parent>
1898 <prematch offset="after_parent">^monitor|^drop</prematch>
1899 <regex offset="after_prematch">attack: (\.+); </regex>
1900 <regex>src: (\d+.\d+.\d+.\d+); dst: (\d+.\d+.\d+.\d+); </regex>
1901 <regex>proto: (\S+);</regex>
1902 <order>extra_data, srcip, dstip, protocol</order>
1903 <fts>name, extra_data, srcip, dstip</fts>
1904 <ftscomment>First time Checkpoint rule fired.</ftscomment>
1909 <!-- Microsoft Windows 2003 ipv4, 2008 ipv4/ipv6 DHCP decoder for OSSEC
1910 - Author: phishphreek@gmail.com
1914 - Server 2008 DHCP IPv4 Decoder (must go first)
1915 - ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name, TransactionID, QResult,Probationtime, CorrelationID.
1916 - 24,3/10/2009,0:00:46,Database Cleanup Begin,,,,
1917 - 0,3/10/2009,0:00:46,DNS Update Request,201.10.168.192,OPS03W034.,,
1920 <decoder name="ms-dhcp-ipv4">
1921 <prematch>^\d\d,\d+/\d+/\d\d\d\d,\d+:\d+:\d+,</prematch>
1922 <regex>^(\d\d),</regex>
1927 - Server 2008 DHCP IPv6 Decoder (must go second)
1928 - ID,Date,Time,Description,IPV6 Address,Host Name,Error Code, Duid Length, Duid Bytes(Hex),User Name.
1930 11020,05/05/09,00:00:38,DHCPV6
1931 <decoder name="ms-dhcp-ipv6">
1932 <prematch>^\d\d\d\d\d,\d\d/\d\d/\d\d,\d\d:\d\d:\d\d,</prematch>
1933 <regex>^(\d\d\d\d\d),</regex>