X-Git-Url: http://ftp.carnet.hr/pub/carnet-debian/scm?a=blobdiff_plain;f=etc%2Fdecoder.xml;fp=etc%2Fdecoder.xml;h=e4b0b984750a28772d8cd1adc2c84315c136ccd2;hb=789cbc8e52da68eba3517b920ef22e000cf3c9fd;hp=669508edc65514e61f14c75783ff3fb719d75b11;hpb=ef70704f0b31b59bb719b884d6a99cb9e3e2044a;p=ossec-hids.git
diff --git a/etc/decoder.xml b/etc/decoder.xml
index 669508e..e4b0b98 100755
--- a/etc/decoder.xml
+++ b/etc/decoder.xml
@@ -464,7 +464,7 @@
proftpd
- ^\S+ \(\S+[(\S+)]\)
+ ^\S+ \(\S+[(\S+)]\)|^\S+ \(\S+[::ffff:(\S+)]\)
srcip
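Review bot: The new `::ffff:` alternative on the `+` line is probably never reached, because the first alternative `^\S+ \(\S+[(\S+)]\)` already matches `[::ffff:1.2.3.4]` with `\S+` capturing the whole bracket content, and as far as I know OSSEC's `|` takes the first alternative that matches — worth confirming against os_regex. If so, srcip becomes `::ffff:1.2.3.4` rather than `1.2.3.4`, and an active-response script such as firewall-drop would hand that string to the firewall unchanged. Putting the more specific form first, `^\S+ \(\S+[::ffff:(\S+)]\)|^\S+ \(\S+[(\S+)]\)`, gives the IPv4-mapped form precedence. The courier `ip=` change in the hunk at `@@ -715` has the same ordering problem and would read `, ip=[::ffff:(\S+\d)]$|, ip=[(\S+\d)]$`.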
@@ -498,6 +498,19 @@
user,srcip
+
+
+
+ ^\S+ - \S+ [\d\d/\S\S\S/\d\d\d\d:\d\d:\d\d:\d\d -\d\d\d\d]
+ ^(\S+) - (\S+) [\d\d/\S\S\S/\d\d\d\d:\d\d:\d\d:\d\d -\d\d\d\d] "(\S+) (\.+) (\d+) \d+$
+ extra_data,dstuser,action,url,status
+
+
+
- ^pop3d|^courierpop3login|^imaplogin
+ ^pop3d|^courierpop3login|^imaplogin|^courier-pop3|^courier-imap
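Review bot: The new regex on the `+ ^(\S+) - (\S+) [...` line ends in `(\d+) \d+$`, so any line whose last field is not a number is left undecoded; in Common Log Format the response size is written as `-` when no body was sent (e.g. 304 responses), and those events would then carry no url/status fields and stay invisible to rules keyed on them. If this decoder is meant for such access logs, ending the regex with `(\d+) \S+$` instead keeps the same captures while accepting that case. The decoder's name and parent element are not visible on this page, so I cannot tell which log source it actually targets; please check the sample lines it was written against.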
@@ -715,7 +728,7 @@
courier
- , ip=[(\S+\d)]$
+ , ip=[(\S+\d)]$|, ip=[::ffff:(\S+\d)]$
srcip
@@ -1613,6 +1626,27 @@
url, srcip, id
+
+
+
+ windows-date-format
+ web-log
+ true
+ ^\d+.\d+.\d+.\d+ GET |^\d+.\d+.\d+.\d+ POST
+ (\S+ \S*) \.* (\d+.\d+.\d+.\d+) \S*\.* (\d\d\d) \S+ \S+ \S+
+ url,srcip,id
+
+
windows
- ^WinEvtLog:
+ ^\d\d\d\d \w\w\w \d\d \d\d:\d\d:\d\d WinEvtLog: |^WinEvtLog:
^\.+: (\w+)\((\d+)\): (\.+):
(\.+): \.+: (\S+):
status, id, extra_data, user, system_name
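Review bot: The prematch on the new web-log decoder, `^\d+.\d+.\d+.\d+ GET |^\d+.\d+.\d+.\d+ POST`, only admits GET and POST, so requests using HEAD, OPTIONS, PUT, DELETE or PROPFIND are never decoded and the rules that depend on url/srcip/id never see them — which is a coverage gap for exactly the unusual-method traffic a web-log rule set is meant to surface. Extending the alternation in the same style, e.g. `|^\d+.\d+.\d+.\d+ HEAD |^\d+.\d+.\d+.\d+ OPTIONS `, keeps the regex and field order unchanged. The `windows-date-format` / `web-log` / `true` lines read as parent, type and use_own_name with the tags stripped, but the page does not show the element names, so that is an inference.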
@@ -1849,9 +1884,9 @@ Sat May 7 03:27:57 CDT 2011 /var/ossec/active-response/bin/firewall-drop.sh del
-->
- ^Mon|^Tue|^Wed|^Thu|^Fri|^Sat|^Sun \S+\s+\d+ \d\d:\d\d:\d\d \S+ \d+ /\.+/active-response
- /bin/(\S+) (\S+) - (\S+) (\d+.\d+) (\d+)
- action, status, srcip, id, extra_data
+ ^\w\w\w \w+\s+\d+ \d\d:\d\d:\d\d \w+ \d+ /\S+/active-response
+ /bin/(\S+) (\S+) - (\S+) (\d+.\d+) (\d+)
+ action, status, srcip, id, extra_data
+
+
+ userdel
+ user removed: name=(\S+)$
+ srcuser
+
+
+
-
-
- ^bro
-
-
-
- bro-ids
- no=PortscanSummary
- sa=(\S+) num=(\d+) msg=
- srcip,extra_data
-
-
-
- bro-ids
- no=PortScan
- sa=(\S+) p=(\d+)/(\S+) num=(\d+)
- srcip,srcport,protocol,extra_data
-
-
-
- bro-ids
- na=NOTICE
- sa=(\S+) sp=(\d+)/(\S+) da=(\S+) dp=(\d+)/\S+
- srcip,srcport,protocol,dstip,dstport
-
-
-
-
-
- auditd
- ^AVC
- ^(AVC) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): avc: (\S+) { \.+ } for pid=\d+ comm="(\S+)" path="\S+" dev=\S+ ino=\d+ scontext=\S+ tcontext=\S+ tclass=\S+$
- action,id,status,extra_data
-
+
+ auditd
+ ^AVC
+ ^(AVC) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): avc: (\S+) { \.+ } for pid=\d+ comm="(\S+)" path="\S+" dev=\S+ ino=\d+ scontext=\S+ tcontext=\S+ tclass=\S+$
+ action,id,status,extra_data
+
-
- auditd
- ^SYSCALL
- ^(SYSCALL) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): arch=\w+ syscall=\d+ success=(\S+) exit=\S+ a0=\w+ a1=\w+ a2=\w+ a3=\w+ items=\d+ ppid=\d+ pid=\d+ auid=\d+ uid=\d+ gid=\d+ euid=\d+ suid=\d+ fsuid=\d+ egid=\d+ sgid=\d+ fsgid=\d+ tty=\S+ ses=\d+ comm="\S+" exe="(\.+)"
- action,id,status,extra_data
-
+
+ auditd
+ ^SYSCALL
+ ^(SYSCALL) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): arch=\w+ syscall=\d+ success=(\S+) exit=\S+ a0=\w+ a1=\w+ a2=\w+ a3=\w+ items=\d+ ppid=\d+ pid=\d+ auid=\d+ uid=\d+ gid=\d+ euid=\d+ suid=\d+ fsuid=\d+ egid=\d+ sgid=\d+ fsgid=\d+ tty=\S+ ses=\d+ comm="\S+" exe="(\.+)"
+ action,id,status,extra_data
+
-
- auditd
- ^CONFIG_CHANGE
- ^(CONFIG_CHANGE) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): auid=\d+ ses=\d+ op="\.+" path="(\.+)" key="\S+" list=\d+ res=\d+$
- action,id,extra_data
-
+
+ auditd
+ ^CONFIG_CHANGE
+ ^(CONFIG_CHANGE) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): auid=\d+ ses=\d+ op="\.+" path="(\.+)" key="\S+" list=\d+ res=\d+$
+ action,id,extra_data
+
-
- auditd
- ^PATH
- ^(PATH) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): item=\d+ name="(\.+)" inode=\d+ dev=\S+ mode=\d+ ouid=\d+ ogid=\d+ rdev=\S+
- action,id,extra_data
-
+
+ auditd
+ ^PATH
+ ^(PATH) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): item=\d+ name="(\.+)" inode=\d+ dev=\S+ mode=\d+ ouid=\d+ ogid=\d+ rdev=\S+
+ action,id,extra_data
+
-
- auditd
- ^(USER_\S+) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): user pid=\d+ uid=\d+ auid=\d+|
- ^(CRED_\S+) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): user pid=\d+ uid=\d+ auid=\d+
- action,id
-
-
-
- auditd
- acct="(\.+)" : exe="(\.+)" \(hostname=\S+, addr=(\S+), terminal=\S+$
- user,extra_data,srcip
-
-
-
- auditd
- ses=\d+ subj=\S+ msg='\.+ acct="(\.+)" exe="(\.+)" hostname=\S+ addr=(\S+) terminal=\S+ res=(\S+)$
- user,extra_data,srcip,status
-
-
-
- auditd
- subj=\S+ msg='\.+ acct="(\.+)" \p*\s*exe="(\.+)" \(hostname=\S+, addr=(\S+), terminal=\S+ res=(\S+)\)'$
- user,extra_data,srcip,status
-
-
-
- auditd
- subj=\S+ msg='\.+ exe="(\.+)" \(hostname=\S+, addr=(\S+), terminal=\S+ res=(\S+)\)'$
- extra_data,srcip,status
-
+
+ auditd
+ ^(USER_\S+) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): user pid=\d+ uid=\d+ auid=\d+|
+ ^(CRED_\S+) msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): user pid=\d+ uid=\d+ auid=\d+
+ action,id
+
+
+
+ auditd
+ acct="(\.+)" : exe="(\.+)" \(hostname=\S+, addr=(\S+), terminal=\S+$
+ user,extra_data,srcip
+
+
+
+ auditd
+ ses=\d+ subj=\S+ msg='\.+ acct="(\.+)" exe="(\.+)" hostname=\S+ addr=(\S+) terminal=\S+ res=(\S+)$
+ user,extra_data,srcip,status
+
+
+
+ auditd
+ subj=\S+ msg='\.+ acct="(\.+)" \p*\s*exe="(\.+)" \(hostname=\S+, addr=(\S+), terminal=\S+ res=(\S+)\)'$
+ user,extra_data,srcip,status
+
+
+
+ auditd
+ subj=\S+ msg='\.+ exe="(\.+)" \(hostname=\S+, addr=(\S+), terminal=\S+ res=(\S+)\)'$
+ extra_data,srcip,status
+
+
+
+
+ iptables
+ ^[\s\d+.\d+] mptscsih:
+ ^[\s\d+.\d+] (\w+): (\w+): task abort: (\w+)
+ id,data,status
+
+
+
+ iptables
+ ^[\s\d+.\d+] mptbase:
+ ^[\s\d+.\d+] (\w+): (\w+):\s+\w+ is now (\w+)\p\s(\D+)$
+ id,data,action,status
+
+
+
+
+