-<!-- @(#) $Id: decoder.xml,v 1.162 2009/11/09 20:32:29 dcid Exp $
+<!-- @(#) $Id$
- OSSEC log decoder.
- Author: Daniel B. Cid
- License: http://www.ossec.net/en/licensing.html
<decoder name="ssh-reverse-mapping">
<parent>sshd</parent>
<prematch>^reverse mapping checking </prematch>
- <regex offset="after_prematch">^\w+ for (\S+) </regex>
+ <regex offset="after_prematch">^\w+ for \S+ [(\S+)] |^\w+ for (\S+) </regex>
<order>srcip</order>
</decoder>
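Review bot: The second alternative at L10, `^\w+ for (\S+) `, still places the reverse-mapped hostname in srcip whenever sshd's line carries no bracketed address, and the new ftpd-tru64 decoder (L75–L76) does the same with `from (\S+)`, since the Tru64 message at L66 only carries a name. A name obtained from reverse DNS is chosen by whoever controls that PTR record, not an address, so rules and active responses that treat srcip as an IP should not assume either field holds one; a comment on both decoders, e.g. `<!-- srcip may be a hostname here, not an address -->`, would make that visible. The fallback itself is pre-existing behaviour, and the new first alternative rightly prefers the bracketed address when present (`[` and `]` being literal characters in OSSEC decoder syntax, as far as I recall).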
<order>srcip</order>
</decoder>
+<decoder name="ssh-osx-refuse">
+ <parent>sshd</parent>
+ <prematch>^refused connect </prematch>
+ <regex offset="after_prematch">^from (\S+)$</regex>
+ <order>srcip</order>
+</decoder>
+
<!--
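Review bot: Unlike the rshd and cimserver decoders added further down, which each carry an `Example message` comment, ssh-osx-refuse (L15–L20) records no sample line, and because its regex `^from (\S+)$` is anchored at both ends, any trailing text on the real OS X message (a parenthesised hostname, for instance) would silently prevent the match. Adding the source line above the decoder, e.g. `<!-- ssh-osx-refuse: Example message: <PLACEHOLDER: paste the OS X sshd "refused connect from ..." line> -->`, lets the next maintainer check that the `$` anchor is correct.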
<!--
+ - rshd decoder
+ - Example message:
+ - Dec 17 10:49:23 hostname rshd[347339]: Connection from 10.217.223.31 on illegal port
+ -->
+<decoder name="rshd">
+ <program_name>^rshd$</program_name>
+</decoder>
+
+<decoder name="rshd-illegal-connection">
+ <parent>rshd</parent>
+ <regex>^Connection from (\S+) on illegal port$</regex>
+ <order>srcip</order>
+</decoder>
+
+
+
+<!--
+ - cimserver decoder
+ - Example messages:
+ - Dec 18 18:06:28 hostname cimserver[18575]: PGS17200: Authentication failed for user jones_b.
+ - Dec 18 18:06:29 hostname cimserver[18575]: PGS17200: Authentication failed for user domain\jones_b.
+ -->
+<decoder name="cimserver">
+ <program_name>^cimserver$</program_name>
+</decoder>
+
+<decoder name="cimserver-failed-authentication">
+ <parent>cimserver</parent>
+ <prematch>^\w+: Authentication failed for user </prematch>
+ <regex offset="after_prematch">^(\S+).$</regex>
+ <order>user</order>
+</decoder>
+
+
+
+<!--
- Samba decoder.
- Will extraxt the username/srcip
- Examples:
- ftpd[811166]: refused connect from 88.225.42.182
- in.ftpd[18561]: [ID 484914 daemon.notice] gethostbyaddr: nameservices.net. != 216.117.134.168
- ftpd[31918]: FTPD: EXPORT file local , remote
+ - Dec 21 12:21:20 hostname ftpd[323115]: login jones_b from client.example.org failed.
-->
<decoder name="ftpd">
<program_name>^ftpd|^in.ftpd</program_name>
<order>srcip</order>
</decoder>
+<decoder name="ftpd-tru64">
+ <parent>ftpd</parent>
+ <prematch>^login \S+ from \S+ failed.</prematch>
+ <regex>^login (\S+) from (\S+) failed.$</regex>
+ <order>user, srcip</order>
+</decoder>
+
<!-- Arpwatch decoder.
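Review bot: The Tru64 example at L66 is added to a comment block whose heading still reads `- Samba decoder.` although every example in it and the decoders that follow concern ftpd; since this change already edits the block, changing the heading to ` - ftpd decoder.` (and `extraxt` to `extract`) would stop it pointing readers at the wrong service. Separately, the cimserver regex at L53, `^(\S+).$`, ends in a bare `.`, which in OSSEC decoder syntax is a literal period rather than the any-character `\.` used at L116–L117; a one-line comment such as `<!-- trailing "." is a literal period: the message ends "user NAME." -->` would spare a reader used to PCRE a misreading. The ftpd parent decoder at L68–L71 appears to be shown with some of its lines elided, so I have not reviewed it.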
<decoder name="dovecot-success">
<parent>dovecot</parent>
<prematch offset="after_parent">^\w\w\w\w-login: Login: </prematch>
- <regex offset="after_prematch">^user=\p(\S+)\p, method=\S+, rip=(\S+), </regex>
- <order>user, srcip</order>
+ <regex offset="after_prematch">^user=\p(\S+)\p, method=\S+, rip=\S*(\d+.\d+.\d+.\d+), lip=\S*(\d+.\d+.\d+.\d+), (\S*)$</regex>
+ <order>user, srcip, dstip, protocol</order>
</decoder>
<decoder name="dovecot-aborted">
<parent>dovecot</parent>
<prematch offset="after_parent">^\w\w\w\w-login: Aborted login</prematch>
- <regex offset="after_prematch"> user=\p\S+>, method=\w+, rip=(\S+), lip=\S+</regex>
- <order>srcip</order>
+ <regex offset="after_prematch">: user=\p(\S+)\p, method=\S+, rip=::ffff:(\d+.\d+.\d+.\d+), lip=::ffff:(\d+.\d+.\d+.\d+)$</regex>
+ <order>user, srcip, dstip</order>
+</decoder>
+
+<decoder name="dovecot-fail">
+ <parent>dovecot</parent>
+ <prematch offset="after_parent">^auth\(default\)|auth-worker\(default\)</prematch>
+ <regex offset="after_prematch">^: \S+\((\S+),(\d+.\d+.\d+.\d+)\)</regex>
+ <order>user, srcip</order>
</decoder>
<decoder name="dovecot-disconnect">
<parent>dovecot</parent>
<prematch offset="after_parent">^\w\w\w\w-login: Disconnected: </prematch>
- <regex offset="after_prematch">^rip=(\S+), </regex>
- <order>srcip</order>
+ <regex offset="after_prematch">^rip=(\S+), lip=(\d+.\d+.\d+.\d+)</regex>
+ <order>srcip, dstip</order>
</decoder>
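Review bot: The dovecot regexes disagree on how an IPv4-mapped address is written, so on one and the same server at least one of them will not fire: dovecot-aborted (L93) requires the literal `rip=::ffff:` and `lip=::ffff:` prefixes, dovecot-disconnect (L108) requires `lip=` followed directly by a dotted quad, and dovecot-success (L85) accepts either through `\S*`. Assuming both events come from sockets of the same family, either aborted logins or disconnects will decode no srcip/dstip at all, and for disconnects that is a regression from the old `^rip=(\S+), `, which matched any form. Using the success form in both, `rip=\S*(\d+.\d+.\d+.\d+), lip=\S*(\d+.\d+.\d+.\d+)`, gives all three the same semantics and also keeps the `::ffff:` prefix out of srcip, which the disconnect `(\S+)` capture currently retains and which IP-based rule matching presumably will not handle; dovecot-fail at L100 already expects the bare dotted-quad form.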
-->
<decoder name="windows-snare">
<type>windows</type>
- <prematch>^MSWinEventLog\t\d\t\.+\t\d+\t\w\w\w \w\w\w \d\d \d\d</prematch>
+ <prematch>^MSWinEventLog\t\d\t\.+\t\d+\t\w\w\S+ \w\w\w \d\d \d\d</prematch>
<regex offset="after_prematch">^:\d\d:\d\d \d\d\d\d\t(\d+)\t(\.+)</regex>
<regex>\t(\.+)\t\.+\t(\.+)\t(\.+)\t</regex>
<order>id, extra_data, user, status, system_name</order>