/decoders/50_telnet_decoder.xml

https://bitbucket.org/oscarschneider/ossec-rules · XML · 25 lines · 8 code · 5 blank · 12 comment · 0 complexity · 8af56850a03434a8cd7d75784a5add75 MD5 · raw file 

    

  1. <!--
    2. 

  2.  - Telnet decoder
    3. 

  3.  - Will extract the srcip
    4. 

  4.  - Examples:
    5. 

  5.  - May 31 12:33:44 queen telnetd[9876]: warning: can't verify hostname: 
    6. 

  6.    gethostbyname(131.1.satis-tl.ru) failed
    7. 

  7.  - May 29 21:12:18 queen telnetd[6474]: refused connect from 81.215.42.27
    8. 

  8.  - Jun  1 23:02:07 queen telnetd[62948]: connect from external.example.net
    9. 

  9.  - Jun  1 23:02:07 queen telnetd[62948]: ttloop:  read: A connection with a remote socket was reset by that socket.
    10. 

  10.  - Jun  2 09:54:28 valhalla in.telnetd[19723]: [ID 927837 local2.info] connect from external.example.net
    11. 

  11.  - Jun  2 09:54:28 valhalla telnetd[19723]: [ID 485252 daemon.info] ttloop:  peer died: Error 0
    12. 

  12.  -->
    13. 

  13. <decoder name="telnetd">
    14. 

  14.   <program_name>^telnetd|^in.telnetd</program_name>
    15. 

  15. </decoder>
    16. 

  16. 

  17. <decoder name="telnetd-ip">
    18. 

  18.   <parent>telnetd</parent>
    19. 

  19.   <regex>from (\d+.\d+.\d+.\d+)$</regex>
    20. 

  20.   <order>srcip</order>
    21. 

  21. </decoder>
    22.