
[ossec-dev] ossec-hids: decoder.xml (HEAD) [dcid]



Module name:	ossec-hids
Changes by:	dcid	06/09/05 22:57:15

Modified files:
	decoder.xml

Log message:
Description: Fixing sendmail decoder (patch by Marco).
Reviewed by: dcid
Bug: http://www.ossec.net/bugs/show_bug.cgi?id=22

Index: decoder.xml
===================================================================
RCS file: /usr/cvsroot/ossec-hids/etc/decoder.xml,v
diff -u -r1.67 -r1.68
--- decoder.xml	29 Aug 2006 19:35:40 -0000	1.67
+++ decoder.xml	6 Sep 2006 01:57:15 -0000	1.68
@@ -408,6 +408,7 @@
   - relay=dsl.static81215198185.ttnet.net.tr [81.215.198.185] (may be forged), reject=553 5.1.8 
   - <rtreter@xxxxxxxxx>... Domain of sender address rtreter@xxxxxxxxx does not exist
   - sm-msp-queue[13484]: k5TKj6L5012934: to=root, ctladdr=root (0/0), delay=00:04:00, xdelay=00:00:00, mailer=relay, pri=120112, relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: Connection refused by [127.0.0.1]
+  - sendmail[7735]: [ID 801593 mail.notice] k856Hah0007735: ruleset=check_rcpt, arg1=<sc@xxxxxx>, relay=[216.22.33.7], reject=553 5.3.0 <sc@xxxxxx>... Spammer 216.22.33.7 usergl@xxxxxxxxxxxxxxxxx rejected by RBL:http://www.spamhaus.org/
  -->
 <decoder name="sendmail-reject">
   <prematch>^sendmail[\d+]: |^sm-mta[\d+]: |^sm-msp-queue[\d+]: </prematch>
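Review bot: the new example line in the comment block is not tied to the decoder it exercises; the comment lists sample messages but does not say that this one is the "relay=[ip]" form (bracketed address with no hostname in front), as opposed to the "relay=hostname [ip] (may be forged)" form shown a few lines above. A short annotation next to the example, such as "relay without reverse DNS name", would make it clear why both variants are listed.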
@@ -415,7 +416,21 @@
   <order>srcip</order>
 </decoder>  
 
+<decoder name="sendmail-reject-nodns">
+  <parent>sendmail-reject</parent>
+  <prematch offset="after_parent">relay=[</prematch>
+  <regex offset="after_prematch">^(\d+.\d+.\d+.\d+)]</regex>
+  <order>srcip</order>
+</decoder>
+
+<decoder name="sendmail-reject-dns">
+  <parent>sendmail-reject</parent>
+  <prematch  offset="after_parent">relay=\S+ [</prematch>
+  <regex offset="after_prematch">^(\d+.\d+.\d+.\d+)]</regex>
+  <order>srcip</order>
+</decoder>
 
+         
 <!-- Mail scanner
   - Will extract the srcip/action
   - Examples:
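Review bot: the dots in the two new `<regex>` lines are unescaped; in OSSEC regex syntax `.` matches any character, so `^(\d+.\d+.\d+.\d+)]` also accepts separators other than dots in the captured srcip. Use `^(\d+\.\d+\.\d+\.\d+)]` in both `sendmail-reject-nodns` and `sendmail-reject-dns`. Two style points in the same hunk: `<prematch  offset="after_parent">` in `sendmail-reject-dns` has a double space, and the hunk adds a whitespace-only line (`+         `) after the closing `</decoder>`; both should be cleaned up before commit.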




OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.