/decoders/50_vpopmail_decoder.xml
https://bitbucket.org/oscarschneider/ossec-rules · XML · 42 lines · 27 code · 7 blank · 8 comment · 0 complexity · 490e9bf77d62ed7716babdfb4fb0067e MD5 · raw file
- <!-- Vpopmail decoder. (by Ceg Ryan <cegryan ( at ) gmail.com>)
- - Examples:
- - vpopmail[32485]: vchkpw-pop3: password fail abc@xxx.com:x.x.x.x
- - vpopmail[32485]: vchkpw-2110 password fail abc@xxx.com:x.x.x.x
- - vchkpw-pop3: password fail (pass: 'test') user@my_domain:1.2.3.4
- - vpopmail[2100]: vchkpw-pop3: vpopmail user not found abc@xxx.com:x.x.x.x
- - vpopmail[4162]: vchkpw-pop3: vpopmail user not found support@:69.3.64.3
- -->
- <decoder name="vpopmail">
- <program_name>^vpopmail</program_name>
- </decoder>
- <decoder name="vpopmail-fail">
- <parent>vpopmail</parent>
- <prematch>^vchkpw-\S+: password fail</prematch>
- <regex offset="after_prematch"> (\S+)@\S+:(\d+.\d+.\d+.\d+)$</regex>
- <order>user, srcip</order>
- </decoder>
- <decoder name="vpopmail-notfound">
- <parent>vpopmail</parent>
- <prematch>^vchkpw-\S+: vpopmail user not </prematch>
- <regex offset="after_prematch">^found (\S+):(\d+.\d+.\d+.\d+)$</regex>
- <order>user, srcip</order>
- </decoder>
- <decoder name="vpopmail-empty">
- <parent>vpopmail</parent>
- <prematch>^vchkpw-\S+: null password </prematch>
- <regex offset="after_prematch">^given (\S+):(\d+.\d+.\d+.\d+)$</regex>
- <order>user, srcip</order>
- </decoder>
- <decoder name="vpopmail-success">
- <parent>vpopmail</parent>
- <prematch>^vchkpw-\S+: \(\S+\) login </prematch>
- <regex offset="after_prematch">^success (\S+):(\d+.\d+.\d+.\d+)$</regex>
- <order>user, srcip</order>
- </decoder>