
/decoders/50_telnet_decoder.xml

https://bitbucket.org/oscarschneider/ossec-rules
 4<!--
 - Telnet decoder
 - Extracts srcip only when a message ends in "from <dotted-quad IPv4>"
   (the "refused connect from ..." form below); messages that end in a
   hostname ("connect from external.example.net") are not decoded further.
 - Examples:
 - May 31 12:33:44 queen telnetd[9876]: warning: can't verify hostname: gethostbyname(131.1.satis-tl.ru) failed
10 - May 29 21:12:18 queen telnetd[6474]: refused connect from 81.215.42.27
11 - Jun  1 23:02:07 queen telnetd[62948]: connect from external.example.net
12 - Jun  1 23:02:07 queen telnetd[62948]: ttloop:  read: A connection with a remote socket was reset by that socket.
13 - Jun  2 09:54:28 valhalla in.telnetd[19723]: [ID 927837 local2.info] connect from external.example.net
14 - Jun  2 09:54:28 valhalla telnetd[19723]: [ID 485252 daemon.info] ttloop:  peer died: Error 0
15 -->
<!-- Parent decoder: claims syslog lines whose program name is "telnetd" or
     "in.telnetd" (both forms appear in the examples above). NOTE(review):
     program_name is an OSSEC "sregex" pattern, where "." is a literal
     character rather than a wildcard, so "in.telnetd" matches only that
     exact program name and needs no escaping - confirm against the OSSEC
     decoder documentation before changing it. -->
<decoder name="telnetd">
  <program_name>^telnetd|^in.telnetd</program_name>
</decoder>
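<!-- Child decoder: sets srcip from messages of the form "... from <addr>"
     that end in a dotted-quad IPv4 address, e.g.
     "refused connect from 81.215.42.27".
     The dots are escaped because in an OSSEC <regex> an unescaped "." is a
     wildcard for any character: the previous pattern
     "\d+.\d+.\d+.\d+" also accepted tokens such as "1-2-3-4" and would
     have stored them as srcip. The host part of these messages appears to
     come from the peer's reverse DNS (see the gethostbyname example
     above), so only a genuine dotted quad should be accepted as an IP.
     Messages ending in a hostname ("connect from external.example.net")
     are deliberately left undecoded; srcip is never set to a hostname. -->
<decoder name="telnetd-ip">
  <parent>telnetd</parent>
  <regex>from (\d+\.\d+\.\d+\.\d+)$</regex>
  <order>srcip</order>
</decoder>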