/decoders/50_trend_decoder.xml

https://bitbucket.org/oscarschneider/ossec-rules · XML · 17 lines · 5 code · 5 blank · 7 comment · 0 complexity · beaf831f2f631e467f7a356fb5d16eff MD5 · raw file

<!-- Trend Micro OSCE (Office Scan) decoder.
- 20090716<;>948<;>TROJ_Generic.DIT<;>25<;>3<;>0<;>C:\Documents and Settings\Administrator\Desktop\HyperSnap 6.02.01_EN\HprSnap6Man.chm<;>
- 20090716<;>950<;>WORM_DOWNAD.A<;>1<;>3<;>0<;>C:\Documents and Settings\DCS_VM-ICRC-WFBS6\Local Settings\Temporary Internet Files\Content.IE5\9JK3DN67\sitb[1].jpg<;>
- 20090716<;>951<;>WORM_DOWNAD.A<;>1<;>3<;>0<;>C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\9JK3DN67\sitb[1].jpg<;>
- Date<;>Time<;>Virus name<;>Scan result<;>Scan type<;>Seen<;>Filename<;>
- We are only extracting the scan result right now.
-->
<decoder name="trend-osce">
  <!-- An OSCE record starts with an 8-digit date (20YYMMDD) followed by the "<;>" field separator. -->
  <prematch>^20\d\d\d\d\d\d\<;></prematch>
  <!-- After the date: time, virus name, then the scan result, which is captured into the "id" field. -->
  <regex offset="after_prematch">^\d+\<;>\S+\<;>(\d+)\<;</regex>
  <order>id</order>
</decoder>
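An added Python example (not part of this repository) that shows what the decoder above extracts from an OSCE record and how the full `<;>`-separated record splits into the seven columns listed in the header comment. The sample lines are constructed after the ones quoted in the comment; the field names and the translation of the decoder's patterns into Python regexes are assumptions made here, not something OSSEC provides.

```python
import re
from typing import Dict, List, Optional

# Field order taken from the header comment of the decoder:
# Date<;>Time<;>Virus name<;>Scan result<;>Scan type<;>Seen<;>Filename<;>
SEP = "<;>"
FIELDS = ["date", "time", "virus_name", "scan_result", "scan_type", "seen", "filename"]

# Python equivalent of the decoder's prematch (^20\d\d\d\d\d\d\<;>): an 8-digit
# date beginning with "20", followed by the first separator.
PREMATCH = re.compile(r"^20\d{6}<;>")
# The decoder's \S+ for the virus name is translated as "anything up to the next
# separator": <;> contains no whitespace, so in Python's backtracking engine a
# plain \S+ could run past it. (Assumption: virus names never contain "<;>".)
AFTER_PREMATCH = re.compile(r"^\d+<;>(?:(?!<;>).)+<;>(\d+)<;>")

def decode_scan_result(line: str) -> Optional[str]:
    """What the trend-osce decoder extracts today: the 'Scan result' column,
    stored by OSSEC under the field 'id'. Returns None for non-OSCE lines."""
    pre = PREMATCH.match(line)
    if pre is None:
        return None
    m = AFTER_PREMATCH.match(line[pre.end():])
    return m.group(1) if m else None

def parse_osce(line: str) -> Optional[Dict[str, str]]:
    """Split the whole record on the separator into the seven documented columns."""
    # The filename may contain spaces, backslashes and brackets; splitting on the
    # separator handles that where a non-space character class would not.
    if PREMATCH.match(line) is None or not line.endswith(SEP):
        return None
    parts = line[:-len(SEP)].split(SEP)
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

# Constructed sample input modelled on the lines quoted in the decoder's comment,
# plus one unrelated syslog line that the prematch must reject.
SAMPLE_LINES: List[str] = [
    r"20090716<;>948<;>TROJ_Generic.DIT<;>25<;>3<;>0<;>C:\Documents and Settings\Administrator\Desktop\HprSnap6Man.chm<;>",
    r"20090716<;>950<;>WORM_DOWNAD.A<;>1<;>3<;>0<;>C:\Documents and Settings\Default User\Temporary Internet Files\sitb[1].jpg<;>",
    "Jul 16 09:50:01 host cron[123]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(decode_scan_result(line), parse_osce(line))
```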