
[ossec-dev] ossec-hids: decoder.xml (HEAD) [dcid]



Module name:	ossec-hids
Changes by:	dcid	06/09/07 20:19:03

Modified files:
	decoder.xml

Log message:
Description: Multiple windows fixes. Porting the agent/server changes to windows.
Reviewed by: dcid
Bug:

Index: decoder.xml
===================================================================
RCS file: /usr/cvsroot/ossec-hids/etc/decoder.xml,v
diff -u -r1.70 -r1.71
--- decoder.xml	7 Sep 2006 17:21:23 -0000	1.70
+++ decoder.xml	7 Sep 2006 23:19:03 -0000	1.71
@@ -601,6 +601,8 @@
   - %PIX-2-106002: udp connection denied by outbound list 30 src 216.53.120.62 138 dest 169.132.10.82 138
   -  %PIX-4-106023: Deny tcp src inside:111.11.11.1/2143 dst YYY:172.11.1.11/139 by access-group "inside_inbound"
   - %PIX-4-400013 IDS:2003 ICMP redirect from 10.4.1.2 to 10.2.1.1 on interface dmz
+  - %PIX-2-106006: Deny inbound UDP from ***/20031 to ***/20031 on  
+  interface vpn
   -->
 <decoder name="pix">
   <prematch>^%PIX-|^\w\w\w \d\d \d\d\d\d \d\d:\d\d:\d\d: %PIX-</prematch>
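Review bot: The new example at L28-29 shows masked addresses (`***/20031`), which the `pix-fw5` decoder added later in this change cannot match, since its IP captures are `\d+.\d+.\d+.\d+`; as written the example does not illustrate a line the file can decode. Use sample addresses the way the neighbouring examples do, e.g. `- %PIX-2-106006: Deny inbound UDP from 10.4.1.2/20031 to 10.2.1.1/20031 on interface vpn`. The wrap after `on` and the doubled space before it look like mail-client line wrapping rather than part of the change, but the example should be one line in the file so it can be pasted into a test.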
@@ -642,6 +644,15 @@
   <order>id, srcip, dstip, protocol, action</order>
 </decoder>
 
+<decoder name="pix-fw5">
+  <parent>pix</parent>
+  <type>firewall</type>
+  <prematch offset="after_parent">^2-106006|^2-106007</prematch>
+  <regex offset="after_parent">^(\S+): (\w+) \S+ (\w+) from </regex>
+  <regex>(\d+.\d+.\d+.\d+)/(\d+) to (\d+.\d+.\d+.\d+)/(\d+) </regex>
+  <order>id, action, protocol, srcip, srcport, dstip, dstport</order>
+</decoder>
+
 <decoder name="pix-attacks">
   <parent>pix</parent>
   <prematch offset="after_parent">^2-106012: |^2-106017: |</prematch>
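Review bot: The srcip/dstip captures on the second regex line of `pix-fw5` use an unescaped `.` between the octets; in the OSSEC regex dialect `.` is the any-character wildcard (if that holds here, `\.` is the literal dot), so `(\d+.\d+.\d+.\d+)` also accepts separators other than a dot and the fields feeding firewall rules are looser than they look. If that is not intended, `(\d+\.\d+\.\d+\.\d+)/(\d+) to (\d+\.\d+\.\d+\.\d+)/(\d+) ` pins a real dotted quad. Note also that the trailing space after the last port group requires the message to continue past the destination port; the 106006 and 106007 formats visible in this change do (`on interface ...`), so this only matters if a variant ends at the port.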
@@ -850,7 +861,8 @@
 
 
 <!-- Windows decoder
-  - Will extract url (as win source),action (as win category) and id.
+  - Will extract data (as win source),action (as win category), id,
+  - username and computer name (as url).
   - Examples:
   - WinEvtLog: Application: INFORMATION(0x00000064): ESENT: 
     (no user)(no domain): 
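Review bot: The updated header comment says the computer name is extracted "(as url)", but the decoder's `<order>` in the following hunk labels that capture `system_name`; unless `system_name` is an alias for `url` in this decoder engine, the comment will mislead rule authors about which field to reference. Suggest `- username and computer name (as system_name).`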
@@ -863,12 +875,14 @@
     name or bad password       User Name:  ab      Domain:     cd      
     Logon Type: 2       Logon Process:  User32          Authentication 
     Package: Negotiate       Workstation Name:   ad
+  - WinEvtLog: Security: AUDIT_SUCCESS(538): Security: lac: OSSEC-HM: OSSEC-HM: User Logoff:        User Name:      lac     Domain:         OSSEC-HM        Logon ID:               (0x0,0x7C966E)          Logon Type:     2  
   -->
 <decoder name="windows">
   <type>windows</type>
   <prematch>^WinEvtLog: </prematch>
-  <regex>^WinEvtLog: (\w+): (\w+)\((\d+)\): \w+: (\w+):</regex>
-  <order>data,action,id,user</order>
+  <regex>^WinEvtLog: (\w+): (\w+)\((\d+)\): \w+: (\w+): \S+ (\S+):</regex>
+  <order>data, action, id, user, system_name</order>
+  <fts>name, location, user, system_name</fts>
 </decoder>    
 
 
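Review bot: The new regex makes the whole decode depend on the `user: domain: computer:` triple matching `(\w+): \S+ (\S+):`, so an event whose user field does not fit `\w+` — the `(no user)(no domain)` form in the decoder's own first example, or, if `\w` excludes `$` and `.` in this regex dialect, machine accounts such as `HOST$` — fails the regex entirely and loses `data`, `action` and `id` too, not just the user. The old regex also ended in `(\w+):`, so this is not a regression, but the newly added `<fts>` on user/system_name means first-seen logic never sees those accounts either. Consider a second `windows` decoder with the shorter regex `^WinEvtLog: (\w+): (\w+)\((\d+)\): ` and `<order>data, action, id</order>` as a fallback so the event ID and audit result still reach rules, and state in the header comment that user/system_name are only populated when the user field is a single `\w+` token.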

