
[ossec-cvs] ossec-hids: decoder.xml (HEAD) [dcid]



Module name:	ossec-hids
Changes by:	dcid	07/08/21 21:39:31

Modified files:
	decoder.xml

Log message:
Description: Fixing netscreen decoder, the database daemon and adding a few more entries to the policy checks/ rootkit list...
Reviewed by: dcid
Bug:

Index: decoder.xml
===================================================================
RCS file: /usr/cvsroot/ossec-hids/etc/decoder.xml,v
diff -u -r1.120 -r1.121
--- decoder.xml	16 Aug 2007 00:24:22 -0000	1.120
+++ decoder.xml	22 Aug 2007 00:39:31 -0000	1.121
@@ -721,13 +721,15 @@
 <!-- Netscreen Firewall decoder.
   - Will extract the action,srcip,dstip,protocol,srcport,dstport
   - Examples:
-  - Jan  1 10:02:11 [11.210.1.193.1.132] ns5gt: NetScreen device_id=ns5gt  [No Name]system-notification-00257(traffic): start_time="2006-01-01 10:09:38" duration=0 policy_id=310101 service=tcp/port:1526 proto=6 src zone=Null dst zone=self action=Deny sent=0 rcvd=38 src=10.1.2.3 dst=10.1.1.1 src_port=51350 dst_port=1426
+  - Jan  1 10:02:11 xx ns5gt: NetScreen device_id=ns5gt  [No Name]system-notification-00257(traffic): start_time="2006-01-01 10:09:38" duration=0 policy_id=310101 service=tcp/port:1526 proto=6 src zone=Null dst zone=self action=Deny sent=0 rcvd=38 src=10.1.2.3 dst=10.1.1.1 src_port=51350 dst_port=1426
   - <13>Mar 16 15:27:56 192.168.2.1 ns5gt: NetScreen device_id=ns5gt  [No Name]system-notification-00257(traffic): start_time=\"2004-03-16 16:31:22\" duration=0 policy_id=310001 service=tcp/port:120 proto=6 src zone=Null dst zone=self action=Deny sent=0 rcvd=60 src=10.1.1.1 dst=10.1.2.1 src_port=32047 dst_port=22
   - Jun  2 11:24:16 fire00 sav00: NetScreen device_id=sav00  [Root]system-critical-00436: Large ICMP packet! From 210.232.20.7 to 148.100.114.126, proto 1 (zone Untrust, int ethernet1/2). Occurred 1 times. (2006-06-02 11:24:16)
   -  NetScreen device_id=ns5gt [Root]system-critical-00027: Multiple login failures occurred for user netscreen from IP address 1.2.3.4:1567 (2004-10-07)
+  - 
+  - ** Program name for netscreen is empty, since it is the hostname.
   -->
 <decoder name="netscreenfw">
-  <program_name>^sav00|^ns5gt</program_name>
+  <program_name />
   <prematch>^NetScreen device_id</prematch>
 </decoder>  
 
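Review bot: the added `+  - ` line is an empty example bullet left behind in the decoder comment; drop it or fold the "Program name for netscreen is empty" note into the preceding bullet. It would also help to state in that comment what the empty `<program_name />` implies: matching now rests entirely on the `^NetScreen device_id` prematch, so any log line beginning that way is handed to this decoder regardless of which program the syslog header names.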
@@ -754,7 +756,7 @@
 
 <decoder name="netscreenfw-admin">
   <parent>netscreenfw</parent>
-  <regex offset="after_parent">]system-(\w+)-(\d+):</regex>
+  <regex offset="after_parent">system-(\w+)-(\d+):</regex>
   <order>action, id</order>  
 </decoder>
 
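Review bot: the log message does not say why the leading `]` is dropped from `]system-(\w+)-(\d+):`, and both example lines in the file comment still show `]` immediately before `system-`, so a short note on which log variant lacks the bracket would help the next reader. Without that anchor the regex matches the first `system-` occurrence anywhere after the parent prematch, so verify that the `action` and `id` fields are still taken from the header token (e.g. `system-critical-00436:`) and not from a later `system-` string in the message body.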




OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.