/decoders/50_telnet_decoder.xml

https://bitbucket.org/oscarschneider/ossec-rules · XML · 25 lines · 8 code · 5 blank · 12 comment · 0 complexity · 8af56850a03434a8cd7d75784a5add75 MD5

<!--
  - Telnet decoder
  - Extracts the srcip from telnetd messages that end in "from <IPv4 address>"
    (the parent decoder matches every telnetd/in.telnetd event; the child only
    fires when a dotted-quad follows "from").
  - Examples:
  - May 31 12:33:44 queen telnetd[9876]: warning: can't verify hostname: gethostbyname(131.1.satis-tl.ru) failed
  - May 29 21:12:18 queen telnetd[6474]: refused connect from 81.215.42.27
  - Jun 1 23:02:07 queen telnetd[62948]: connect from external.example.net
  - Jun 1 23:02:07 queen telnetd[62948]: ttloop: read: A connection with a remote socket was reset by that socket.
  - Jun 2 09:54:28 valhalla in.telnetd[19723]: [ID 927837 local2.info] connect from external.example.net
  - Jun 2 09:54:28 valhalla telnetd[19723]: [ID 485252 daemon.info] ttloop: peer died: Error 0
-->
<decoder name="telnetd">
  <program_name>^telnetd|^in.telnetd</program_name>
</decoder>

<decoder name="telnetd-ip">
  <parent>telnetd</parent>
  <regex>from (\d+.\d+.\d+.\d+)$</regex>
  <order>srcip</order>
</decoder>
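To see which of the example lines above actually yield a srcip, here is a small Python emulation of the two-stage matching these decoders describe (a parent decoder gated on program_name, then a child regex over the message). This is an added example, not OSSEC's own pre-decoder and not code from the ossec-rules repository; the syslog header parser, the `decode` function and the sample line list are assumptions constructed for the demo. The two regexes are the page's, and for these patterns OSSEC's regex dialect and Python's agree (`\d` digit, `.` any character, `^`/`$` anchors), which also means the capture is a loose dotted-quad shape rather than a validated address.

```python
import re

# Constructed syslog header parser: "Mon DD HH:MM:SS host program[pid]: message".
# OSSEC does this in its C pre-decoder; this regex is only a stand-in for the demo.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<program>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# The two decoders from the page, as Python regexes.
PROGRAM_NAME_RE = re.compile(r"^telnetd|^in.telnetd")   # parent: <program_name>
SRCIP_RE = re.compile(r"from (\d+.\d+.\d+.\d+)$")       # child:  <regex> with <order>srcip

# The page's example lines, copied here as constructed sample input.
SAMPLE_LOGS = [
    "May 31 12:33:44 queen telnetd[9876]: warning: can't verify hostname: gethostbyname(131.1.satis-tl.ru) failed",
    "May 29 21:12:18 queen telnetd[6474]: refused connect from 81.215.42.27",
    "Jun 1 23:02:07 queen telnetd[62948]: connect from external.example.net",
    "Jun 1 23:02:07 queen telnetd[62948]: ttloop: read: A connection with a remote socket was reset by that socket.",
    "Jun 2 09:54:28 valhalla in.telnetd[19723]: [ID 927837 local2.info] connect from external.example.net",
    "Jun 2 09:54:28 valhalla telnetd[19723]: [ID 485252 daemon.info] ttloop: peer died: Error 0",
]


def decode(line):
    """Return (decoder_name, fields) for one log line, or (None, {}) if no decoder matches.

    decoder_name is "telnetd-ip" when the child regex extracted a srcip,
    "telnetd" when only the parent matched, and None for non-telnet programs.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return None, {}
    program, msg = m.group("program"), m.group("msg")
    # Stage 1: the parent decoder only looks at the program name.
    if not PROGRAM_NAME_RE.search(program):
        return None, {}
    fields = {"program_name": program, "hostname": m.group("host")}
    # Stage 2: the child decoder runs its regex over the message body only.
    child = SRCIP_RE.search(msg)
    if child:
        fields["srcip"] = child.group(1)   # <order>srcip</order> names the capture
        return "telnetd-ip", fields
    return "telnetd", fields


def decode_all(lines):
    """Decode a batch of lines; handy for checking a decoder against sample logs."""
    return [decode(line) for line in lines]


if __name__ == "__main__":
    for line, (name, fields) in zip(SAMPLE_LOGS, decode_all(SAMPLE_LOGS)):
        print(f"{name!s:10} {fields.get('srcip', '-'):15} {line[:60]}")
```

Running it shows only the "refused connect from 81.215.42.27" line reaching the telnetd-ip decoder; the "connect from external.example.net" lines match the parent but carry no srcip, so a rule that keys on srcip will never see them unless hostnames are resolved or a second child regex is added.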