
  <!-- Symantec AV decoder.
  - Source: http://www.ossec.net/wiki/index.php/Symantec_Antivirus
  - Examples:
  - 24090D00000A,4,3,7,ACMELABS-SRV2,SYSTEM,,,,,,,16777216,"Update to computer ACMELABS-LU2K3 of virus definition file 81011r succeeded.",0,,0,,,,,0,,,,,,,,,,,,,(IP)-192.168.49.66,ACMELABSav,ACMELABS,,8.1.825
  - 24090D00000F,4,3,7,ACMELABS-SRV2,SYSTEM,,,,,,,16777216,"Update to computer ACMELABS-APPS-BOX4 of virus definition file 81011r succeeded.",0,,0,,,,,0,,,,,,,,,,,,,(IP)-192.168.49.66,ACMELABSav,ACMELABS,,8.1.825
  - 240801012128,5,1,720997,RBLWAP,SYSTEM,Trojan.Zlob,C:\WINDOWS\system32\ld100.tmp,5,4,4,256,570441764,"",0,,0,,0,4254,0,0,0,0,0,0,20060830.022,58100,2,4,0,acme-AVSRV,{579642AA-5A5E-46E1-8613-2289349D1F27},,(IP)-192.168.100.237,acmeav,acme,,8.1.825
  - Decoding: the prematch anchors on the 12-character event id (twelve \w)
  -   that starts every record, followed by a comma. The regex then runs on
  -   the text after that id (offset="after_prematch") and captures CSV
  -   fields 2, 5 and 6 as id, system_name and extra_data, in the order
  -   given by <order>. Fields 3 and 4 are matched but not kept, and nothing
  -   past the 6th field (virus name, file path, quoted message text) is
  -   decoded into a named field, so rules that need those values have to
  -   match against the full log line rather than a decoded field.
  - <fts> names the fields used for first time seen (fts) tracking; name and
  -   location are the decoder name and log source, the rest come from the
  -   captures above.
  -->
  <decoder name="symantec-av">
  <prematch>^\w\w\w\w\w\w\w\w\w\w\w\w,</prematch>
  <regex offset="after_prematch">^(\d+),\d+,\d+,(\S+),(\.+),</regex>
  <order>id, system_name, extra_data</order>
  <fts>name, location, id, system_name, extra_data</fts>
  </decoder>
  <!-- Symantec Web Security.
  - Source: http://www.ossec.net/wiki/index.php/Symantec_Websecurity
  - Examples:
  - 20070717,30517,1=3,41=SWS-3.0.1.86/vendor-config,100=Version 3.0.6,3=7,2=29
  - 20070717,73556,1=5,100=Logoff due to timeout.,11=1.2.3.4,10=usera,3=1,2=2
  - 20070717,73559,1=5,11=2.3.4.5,10=userb,3=2,2=1
  - Decoding: the prematch only checks the record shape, an 8-digit date and
  -   a time of 3 or more digits, each followed by a comma. There is no
  -   regex/order here; extraction of the numbered key=value pairs that
  -   follow is delegated to the built-in SymantecWS_Decoder plugin via
  -   <plugin_decoder>, so the fields available to rules are defined by that
  -   plugin rather than by this file.
  -->
  <decoder name="symantec-websecurity">
  <prematch>^\d\d\d\d\d\d\d\d,\d\d\d+,</prematch>
  <plugin_decoder>SymantecWS_Decoder</plugin_decoder>
  </decoder>