
/decoders/50_symantec_decoder.xml

https://bitbucket.org/oscarschneider/ossec-rules
<!-- Symantec AV decoder.
  - Source: http://www.ossec.net/wiki/index.php/Symantec_Antivirus
  - Examples:
  - 24090D00000A,4,3,7,ACMELABS-SRV2,SYSTEM,,,,,,,16777216,"Update to computer ACMELABS-LU2K3 of virus definition file 81011r succeeded.",0,,0,,,,,0,,,,,,,,,,,,,(IP)-192.168.49.66,ACMELABSav,ACMELABS,,8.1.825
  - 24090D00000F,4,3,7,ACMELABS-SRV2,SYSTEM,,,,,,,16777216,"Update to computer ACMELABS-APPS-BOX4 of virus definition file 81011r succeeded.",0,,0,,,,,0,,,,,,,,,,,,,(IP)-192.168.49.66,ACMELABSav,ACMELABS,,8.1.825
  - 240801012128,5,1,720997,RBLWAP,SYSTEM,Trojan.Zlob,C:\WINDOWS\system32\ld100.tmp,5,4,4,256,570441764,"",0,,0,,0,4254,0,0,0,0,0,0,20060830.022,58100,2,4,0,acme-AVSRV,{579642AA-5A5E-46E1-8613-2289349D1F27},,(IP)-192.168.100.237,acmeav,acme,,8.1.825
  -
  - Matching:
  - prematch: exactly twelve \w characters followed by a comma, i.e. the leading
    event id of the examples above (24090D00000A, 240801012128).
  - regex (applied to the text after the prematch): the first numeric field is
    captured, two further numeric fields are skipped, then a run of non-space
    characters and a run of arbitrary characters are captured, each terminated
    by a comma. <order> names the three captures id, system_name, extra_data.
  - NOTE(review): in OSSEC regex syntax \S matches anything but whitespace and
    \. matches any character, so neither (\S+) nor (\.+) stops at a comma by
    itself; how far each capture extends depends on the engine's matching
    order. TODO confirm with ossec-logtest against the examples above before
    relying on system_name or extra_data in rules.
  - All captured values originate from the monitored host's log line and
    should be treated as untrusted input by downstream rules and reports.
  -->
<decoder name="symantec-av">
  <!-- Event id: twelve word characters, then a comma. -->
  <prematch>^\w\w\w\w\w\w\w\w\w\w\w\w,</prematch>
  <!-- Three captures: digits, non-space run, any-character run; see <order>. -->
  <regex offset="after_prematch">^(\d+),\d+,\d+,(\S+),(\.+),</regex>
  <!-- Capture groups map positionally onto these field names. -->
  <order>id, system_name, extra_data</order>
  <!-- Fields that make up the first-time-seen (fts) key for this decoder. -->
  <fts>name, location, id, system_name, extra_data</fts>
</decoder>
<!-- Symantec Web Security.
  - Source: http://www.ossec.net/wiki/index.php/Symantec_Websecurity
  - Examples:
  - 20070717,30517,1=3,41=SWS-3.0.1.86/vendor-config,100=Version 3.0.6,3=7,2=29
  - 20070717,73556,1=5,100=Logoff due to timeout.,11=1.2.3.4,10=usera,3=1,2=2
  - 20070717,73559,1=5,11=2.3.4.5,10=userb,3=2,2=1
  -
  - Matching:
  - prematch: eight digits, a comma, three or more digits, a comma. Judging by
    the examples this is presumably a YYYYMMDD date followed by a time, but the
    pattern itself only checks digit counts.
  - No <regex>/<order> here: field extraction is delegated to the plugin decoder
    named below, so the field names this decoder produces are defined by that
    plugin, not by this file.
  -->
<decoder name="symantec-websecurity">
  <!-- Leading date and time fields of the example lines, digits only. -->
  <prematch>^\d\d\d\d\d\d\d\d,\d\d\d+,</prematch>
  <!-- Hands the line to the SymantecWS_Decoder plugin for field parsing. -->
  <plugin_decoder>SymantecWS_Decoder</plugin_decoder>
</decoder>