/decoders/50_symantec_decoder.xml'
https://bitbucket.org/oscarschneider/ossec-rules · Unknown · 28 lines · 24 code · 4 blank · 0 comment · 0 complexity · 6b1ab0074189b89accd559961a7d0bdf MD5 · raw file
- <!-- Symantec AV decoder.
- - Source: http://www.ossec.net/wiki/index.php/Symantec_Antivirus
- - Examples:
- - 24090D00000A,4,3,7,ACMELABS-SRV2,SYSTEM,,,,,,,16777216,"Update to computer ACMELABS-LU2K3 of virus definition file 81011r succeeded.",0,,0,,,,,0,,,,,,,,,,,,,(IP)-192.168.49.66,ACMELABSav,ACMELABS,,8.1.825
- - 24090D00000F,4,3,7,ACMELABS-SRV2,SYSTEM,,,,,,,16777216,"Update to computer ACMELABS-APPS-BOX4 of virus definition file 81011r succeeded.",0,,0,,,,,0,,,,,,,,,,,,,(IP)-192.168.49.66,ACMELABSav,ACMELABS,,8.1.825
- - 240801012128,5,1,720997,RBLWAP,SYSTEM,Trojan.Zlob,C:\WINDOWS\system32\ld100.tmp,5,4,4,256,570441764,"",0,,0,,0,4254,0,0,0,0,0,0,20060830.022,58100,2,4,0,acme-AVSRV,{579642AA-5A5E-46E1-8613-2289349D1F27},,(IP)-192.168.100.237,acmeav,acme,,8.1.825
- -->
- <decoder name="symantec-av">
- <prematch>^\w\w\w\w\w\w\w\w\w\w\w\w,</prematch>
- <regex offset="after_prematch">^(\d+),\d+,\d+,(\S+),(\.+),</regex>
- <order>id, system_name, extra_data</order>
- <fts>name, location, id, system_name, extra_data</fts>
- </decoder>
- <!-- Symantec Web Security.
- - Source: http://www.ossec.net/wiki/index.php/Symantec_Websecurity
- - Examples:
- - 20070717,30517,1=3,41=SWS-3.0.1.86/vendor-config,100=Version 3.0.6,3=7,2=29
- - 20070717,73556,1=5,100=Logoff due to timeout.,11=1.2.3.4,10=usera,3=1,2=2
- 20070717,73559,1=5,11=2.3.4.5,10=userb,3=2,2=1
- -->
- <decoder name="symantec-websecurity">
- <prematch>^\d\d\d\d\d\d\d\d,\d\d\d+,</prematch>
- <plugin_decoder>SymantecWS_Decoder</plugin_decoder>
- </decoder>