/decoders/50_telnet_decoder.xml
https://bitbucket.org/oscarschneider/ossec-rules · XML · 25 lines · 8 code · 5 blank · 12 comment · 0 complexity · 8af56850a03434a8cd7d75784a5add75 MD5 · raw file
- <!--
- - Telnet decoder
- - Will extract the srcip
- - Examples:
- - May 31 12:33:44 queen telnetd[9876]: warning: can't verify hostname:
- gethostbyname(131.1.satis-tl.ru) failed
- - May 29 21:12:18 queen telnetd[6474]: refused connect from 81.215.42.27
- - Jun 1 23:02:07 queen telnetd[62948]: connect from external.example.net
- - Jun 1 23:02:07 queen telnetd[62948]: ttloop: read: A connection with a remote socket was reset by that socket.
- - Jun 2 09:54:28 valhalla in.telnetd[19723]: [ID 927837 local2.info] connect from external.example.net
- - Jun 2 09:54:28 valhalla telnetd[19723]: [ID 485252 daemon.info] ttloop: peer died: Error 0
- -->
- <decoder name="telnetd">
- <program_name>^telnetd|^in.telnetd</program_name>
- </decoder>
- <decoder name="telnetd-ip">
- <parent>telnetd</parent>
- <regex>from (\d+.\d+.\d+.\d+)$</regex>
- <order>srcip</order>
- </decoder>