PageRenderTime 38ms CodeModel.GetById 10ms RepoModel.GetById 0ms app.codeStats 0ms

/decoders/50_vpopmail_decoder.xml

https://bitbucket.org/oscarschneider/ossec-rules
XML | 42 lines | 27 code | 7 blank | 8 comment | 0 complexity | 490e9bf77d62ed7716babdfb4fb0067e MD5 | raw file
  1. <!-- Vpopmail decoder. (by Ceg Ryan <cegryan ( at ) gmail.com>)
  2. - Examples:
  3. - vpopmail[32485]: vchkpw-pop3: password fail abc@xxx.com:x.x.x.x
  4. - vpopmail[32485]: vchkpw-2110 password fail abc@xxx.com:x.x.x.x
  5. - vchkpw-pop3: password fail (pass: 'test') user@my_domain:1.2.3.4
  6. - vpopmail[2100]: vchkpw-pop3: vpopmail user not found abc@xxx.com:x.x.x.x
  7. - vpopmail[4162]: vchkpw-pop3: vpopmail user not found support@:69.3.64.3
  8. -->
  9. <decoder name="vpopmail">
  10. <program_name>^vpopmail</program_name>
  11. </decoder>
  12. <decoder name="vpopmail-fail">
  13. <parent>vpopmail</parent>
  14. <prematch>^vchkpw-\S+: password fail</prematch>
  15. <regex offset="after_prematch"> (\S+)@\S+:(\d+.\d+.\d+.\d+)$</regex>
  16. <order>user, srcip</order>
  17. </decoder>
  18. <decoder name="vpopmail-notfound">
  19. <parent>vpopmail</parent>
  20. <prematch>^vchkpw-\S+: vpopmail user not </prematch>
  21. <regex offset="after_prematch">^found (\S+):(\d+.\d+.\d+.\d+)$</regex>
  22. <order>user, srcip</order>
  23. </decoder>
  24. <decoder name="vpopmail-empty">
  25. <parent>vpopmail</parent>
  26. <prematch>^vchkpw-\S+: null password </prematch>
  27. <regex offset="after_prematch">^given (\S+):(\d+.\d+.\d+.\d+)$</regex>
  28. <order>user, srcip</order>
  29. </decoder>
  30. <decoder name="vpopmail-success">
  31. <parent>vpopmail</parent>
  32. <prematch>^vchkpw-\S+: \(\S+\) login </prematch>
  33. <regex offset="after_prematch">^success (\S+):(\d+.\d+.\d+.\d+)$</regex>
  34. <order>user, srcip</order>
  35. </decoder>