
/decoders/50_vpopmail_decoder.xml

https://bitbucket.org/oscarschneider/ossec-rules
<!-- Vpopmail decoder. (by Ceg Ryan <cegryan ( at ) gmail.com>)
  - Examples:
  - vpopmail[32485]: vchkpw-pop3: password fail abc@xxx.com:x.x.x.x
  - vpopmail[32485]: vchkpw-2110 password fail abc@xxx.com:x.x.x.x
  -                  vchkpw-pop3: password fail (pass: 'test') user@my_domain:1.2.3.4
  - vpopmail[2100]: vchkpw-pop3: vpopmail user not found abc@xxx.com:x.x.x.x
  - vpopmail[4162]: vchkpw-pop3: vpopmail user not found support@:69.3.64.3
  -->
<!-- Parent decoder for vpopmail events.
  - Selects any event whose program name starts with "vpopmail"; the pattern
  - is anchored at the start only, so it is a prefix match. The vpopmail-*
  - decoders attach to this one through their <parent> element.
  -->
<decoder name="vpopmail">
    <program_name>^vpopmail</program_name>
</decoder>
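<!-- Failed password check reported by vchkpw.
  - Prematch: accepts the service tag with or without a trailing colon
  -   ("vchkpw-pop3: password fail" and "vchkpw-2110 password fail"). The
  -   earlier pattern required ": " after the tag, so the colon-less sample
  -   from this file's header was never decoded and yielded no user/srcip.
  - Regex: not anchored at the start, which lets it skip an optional
  -   "(pass: '...')" segment and match the trailing "user@domain:ip".
  -   Only the part before "@" is stored as user.
  - srcip: four dot-separated digit groups (IPv4 form only, no range check);
  -   in OSSEC regex syntax an unescaped "." is a literal dot.
  - NOTE(review): lines of this kind can carry the attempted password in
  -   clear text. It is not extracted here, but the raw log line still
  -   contains it, so treat that log as sensitive.
  -->
<decoder name="vpopmail-fail">
    <parent>vpopmail</parent>
    <prematch>^vchkpw-\S+ password fail</prematch>
    <regex offset="after_prematch"> (\S+)@\S+:(\d+.\d+.\d+.\d+)$</regex>
    <order>user, srcip</order>
</decoder>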
<!-- Login attempt for an account vpopmail does not know
  - ("vchkpw-<tag>: vpopmail user not found <address>:<ip>").
  - The phrase is split across the two patterns: the prematch ends at "not "
  - and the regex resumes at "found ".
  - user:  the whole token in front of ":<ip>". The pattern has no "@" split,
  -        so unlike vpopmail-fail the domain part stays in the field
  -        (the header sample "support@:69.3.64.3" would give "support@").
  - srcip: four dot-separated digit groups (IPv4 form only, no range check).
  -->
<decoder name="vpopmail-notfound">
    <parent>vpopmail</parent>
    <prematch>^vchkpw-\S+: vpopmail user not </prematch>
    <regex offset="after_prematch">^found (\S+):(\d+.\d+.\d+.\d+)$</regex>
    <order>user, srcip</order>
</decoder>
<!-- Login attempt made with an empty password
  - ("vchkpw-<tag>: null password given <address>:<ip>").
  - The prematch ends at "null password " and the regex resumes at "given ".
  - user:  the whole token in front of ":<ip>"; the pattern does not split
  -        on "@", so any domain part is kept in the field.
  - srcip: four dot-separated digit groups (IPv4 form only, no range check).
  -->
<decoder name="vpopmail-empty">
    <parent>vpopmail</parent>
    <prematch>^vchkpw-\S+: null password </prematch>
    <regex offset="after_prematch">^given (\S+):(\d+.\d+.\d+.\d+)$</regex>
    <order>user, srcip</order>
</decoder>
<!-- Successful login
  - ("vchkpw-<tag>: (<token>) login success <address>:<ip>").
  - The prematch requires one parenthesised, space-free token after the tag
  - and ends at "login "; the regex resumes at "success ".
  - user:  the whole token in front of ":<ip>"; the pattern does not split
  -        on "@", so any domain part is kept in the field.
  - srcip: four dot-separated digit groups (IPv4 form only, no range check).
  - NOTE(review): vpopmail-fail stores only the local part as user, so a rule
  -   that compares user across failure and success events would see
  -   different values for the same mailbox. Confirm against the rules that
  -   consume these fields.
  -->
<decoder name="vpopmail-success">
    <parent>vpopmail</parent>
    <prematch>^vchkpw-\S+: \(\S+\) login </prematch>
    <regex offset="after_prematch">^success (\S+):(\d+.\d+.\d+.\d+)$</regex>
    <order>user, srcip</order>
</decoder>