/decoders/50_trend_decoder.xml

https://bitbucket.org/oscarschneider/ossec-rules · XML · 17 lines · 5 code · 5 blank · 7 comment · 0 complexity · beaf831f2f631e467f7a356fb5d16eff MD5 · raw file 

    

  1. <!-- Trend Micro OSCE (Office Scan) decoder.
    2. 

  2.   - 20090716<;>948<;>TROJ_Generic.DIT<;>25<;>3<;>0<;>C:\Documents and Settings\Administrator\Desktop\HyperSnap 6.02.01_EN\HprSnap6Man.chm<;>
    3. 

  3.   - 20090716<;>950<;>WORM_DOWNAD.A<;>1<;>3<;>0<;>C:\Documents and Settings\DCS_VM-ICRC-WFBS6\Local Settings\Temporary Internet Files\Content.IE5\9JK3DN67\sitb[1].jpg<;>
    4. 

  4.   - 20090716<;>951<;>WORM_DOWNAD.A<;>1<;>3<;>0<;>C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\9JK3DN67\sitb[1].jpg<;>
    5. 

  5.   - Date<;>Time<;>Virus name<;>Scan result<;>Scan type<;>Seen<;>Filename<;>
    6. 

  6.   - We are only extracting the scan result right now.
    7. 

  7.   -->
    8. 

  8. <decoder name="trend-osce">
    9. 

  9.   <prematch>^20\d\d\d\d\d\d\<;></prematch>
    10. 

  10.   <regex offset="after_prematch">^\d+\<;>\S+\<;>(\d+)\<;</regex>
    11. 

  11.   <order>id</order>
    12. 

  12. </decoder>
    13.