Merge pull request #2 from atomicturtle/pcre2-update-01

Pcre2 update 01
ossec · Sep 18, 2020 · 387b66c · 387b66c
2 parents 1e144c8 + 15b7ad9
commit 387b66c
Show file tree

Hide file tree

Showing 213 changed files with 4,727 additions and 4,745 deletions.
diff --git a/decoders.d/00-crs-iptables_decoder.xml b/decoders.d/00-crs-iptables_decoder.xml
@@ -1,5 +1,5 @@
 <!-- Iptables decoder.
-  - Will extract the srcip, dstip, srcport, dstport, protocol
+       - Will extract the srcip, dstip, srcport, dstport, protocol
   - Examples:
   - kernel: FIREWALL_OUT IN= OUT=eth0
     SRC=192.168.6.57 DST=216.161.248.225 LEN=40 TOS=0x00 PREC=0x00 TTL=64
@@ -14,66 +14,68 @@
   - Aug 17 10:03:37 myhostname kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:08:02:da:c8:51:00:0f:f7:74:31:8a:08:00 SRC=1.2.3.36 DST=1.2.3.194 LEN=28 TOS=0x00 PREC=0x00 TTL=44 ID=60200 PROTO=ICMP TYPE=8 CODE=0 ID=10466 SEQ=21229
   -->
 <decoder name="iptables">
-   <program_name>^kernel</program_name>
+   <program_name_pcre2>^kernel</program_name_pcre2>
 </decoder>
 
 <decoder name="iptables-1">
    <parent>iptables</parent>
    <type>firewall</type>
-   <prematch>^[\d+.\d+] \S+ IN=</prematch>
+   <prematch_pcre2>^\[\d+\.\d+\] \S+ IN=</prematch_pcre2>
 
-   <regex>^[\d+.\d+] (\S+) \.+ SRC=(\S+) DST=(\S+)</regex>
-   <regex> \.+ PROTO=(\w+) </regex>
+   <pcre2>^\[\d+\.\d+\] (\S+) .+ SRC=(\S+) DST=(\S+)</pcre2>
+   <pcre2> .+ PROTO=(\w+) </pcre2>
    <order>action,srcip,dstip,protocol</order>
 </decoder>
 
 <decoder name="iptables-1">
    <parent>iptables</parent>
    <type>firewall</type>
-   <regex offset="after_regex">^SPT=(\d+) DPT=(\d+) </regex>
+   <pcre2 offset="after_regex">^SPT=(\d+) DPT=(\d+) </pcre2>
    <order>srcport,dstport</order>
 </decoder>
 
 <decoder name="iptables-2">
    <parent>iptables</parent>
    <type>firewall</type>
-   <prematch>^\S+ IN=</prematch>
+   <prematch_pcre2>^\S+ IN=</prematch_pcre2>
 
-   <regex>^(\S+) \.+ SRC=(\S+) DST=(\S+) \.+ </regex>
-   <regex>PROTO=(\w+) </regex>
+   <pcre2>^(\S+) .+ SRC=(\S+) DST=(\S+) .+ </pcre2>
+   <pcre2>PROTO=(\w+) </pcre2>
    <order>action,srcip,dstip,protocol</order>
 </decoder>
 
+
 <decoder name="iptables-2">
    <parent>iptables</parent>
    <type>firewall</type>
-   <regex offset="after_regex">^SPT=(\d+) DPT=(\d+) </regex>
+   <pcre2 offset="after_regex">^SPT=(\d+?) DPT=(\d+?) </pcre2>
    <order>srcport,dstport</order>
 </decoder>
 
 <decoder name="iptables-shorewall">
    <parent>iptables</parent>
    <type>firewall</type>
-   <prematch>^Shorewall:\S+:</prematch>
+   <prematch_pcre2>^Shorewall:\S+:</prematch_pcre2>
 
-   <regex offset="after_prematch">^(\S+):\.+ SRC=(\S+) DST=(\S+) \.+ </regex>
-   <regex>PROTO=(\w+) </regex>
+   <pcre2 offset="after_prematch">^(\S+):.+ SRC=(\S+) DST=(\S+) .+ </pcre2>
+   <pcre2>PROTO=(\w+) </pcre2>
    <order>action,srcip,dstip,protocol</order>
 </decoder>
 
 <decoder name="iptables-shorewall">
    <parent>iptables</parent>
    <type>firewall</type>
-   <regex offset="after_regex">^SPT=(\d+) DPT=(\d+) </regex>
+   <pcre2 offset="after_regex">^SPT=(\d+) DPT=(\d+) </pcre2>
    <order>srcport,dstport</order>
 </decoder>
 
 <decoder name="iptables-shorewall2">
   <parent>iptables</parent>
   <type>firewall</type>
-  <prematch>^\p\S+\p Shorewall:\S+:</prematch>
-  <regex offset="after_prematch">^(\S+):\.+ SRC=(\S+) DST=(\S+) \.+ </regex>
-  <regex>PROTO=(\w+) </regex>
+  <prematch_pcre2>^[()*+,.:;\<=>?\[\]!"'#%&$|{}-]\S+[()*+,.:;\<=>?\[\]!"'#%&$|{}-] Shorewall:\S+:</prematch_pcre2>
+  <pcre2 offset="after_prematch">^(\S+):.+ SRC=(\S+) DST=(\S+) .+ </pcre2>
+  <pcre2>PROTO=(\w+) </pcre2>
   <order>action,srcip,dstip,protocol</order>
 </decoder>
 
+
diff --git a/decoders.d/50-crs-pam_decoder.xml → decoders.d/00-crs-pam_decoder.xml b/decoders.d/50-crs-pam_decoder.xml → decoders.d/00-crs-pam_decoder.xml
@@ -18,55 +18,58 @@
   - Nov 11 22:46:29 localhost vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=1.2.3.4
   - Sep 28 15:28:58 server login: pam_unix(login:session): session opened for user carl by LOGIN(uid=0)
   - Sep 28 15:35:18 server sshd[123]: pam_unix(sshd:session): session opened for user carl by (uid=0)
+  - Mar 29 00:42:09 server saslauthd[1230]: pam_succeed_if(smtp:auth): error retrieving information about user demo
+
   -->
 <decoder name="pam">
-  <program_name>(pam_unix)$</program_name>
+  <program_name_pcre2>\(pam_unix\)$</program_name_pcre2>
 </decoder>
 
 <decoder name="pam">
-  <program_name></program_name>
-  <prematch>^pam_unix|^\(pam_unix\)</prematch>
+  <!-- allow any program name if the prematch_pcre2 regex matches -->
+  <program_name_pcre2>.*</program_name_pcre2>
+  <prematch_pcre2>^pam_unix|^\(pam_unix\)|^pam_succeed_if</prematch_pcre2>
 </decoder>
 
 <decoder name="pam-user">
   <parent>pam</parent>
-  <prematch>^session \w+ </prematch>
-  <regex offset="after_prematch">^for user (\S+)</regex>
+  <prematch_pcre2>^session \w+ </prematch_pcre2>
+  <pcre2 offset="after_prematch">^for user (\S+)</pcre2>
   <order>user</order>
 </decoder>
 
 <!--XXXX<decoder name="pam-user2">
-  <parent>pam</parent>
-  <prematch>^session \S+ </prematch>
-  <regex>for user (\S+)</regex>
+       <parent>pam</parent>
+  <prematch_pcre2>^session \S+ </prematch_pcre2>
+  <pcre2>for user (\S+)</pcre2>
   <order>user</order>
 </decoder>
 -->
 
 <decoder name="pam-host-user">
   <parent>pam</parent>
-  <prematch>rhost=\S+\s+user=\S+</prematch>
-  <regex>rhost=(\S+)\s+user=(\S+)</regex>
+  <prematch_pcre2>rhost=\S+[ ]+user=\S+</prematch_pcre2>
+  <pcre2>rhost=(\S+)[ ]+?user=(\S+)</pcre2>
   <order>srcip, user</order>
 </decoder>
 
 <decoder name="pam-ruser">
   <parent>pam</parent>
-  <prematch> ruser</prematch>
-  <regex offset="after_prematch">^=(\S+) </regex>
+  <prematch_pcre2> ruser</prematch_pcre2>
+  <pcre2 offset="after_prematch">^=(\S+) </pcre2>
   <order>user</order>
 </decoder>
 
 <decoder name="pam-ruser">
   <parent>pam</parent>
-  <regex> rhost=(\S+)$</regex>
+  <pcre2> rhost=(\S+)</pcre2>
   <order>srcip</order>
 </decoder>
 
 <decoder name="pam-host">
   <parent>pam</parent>
-  <prematch> rhost</prematch>
-  <regex offset="after_prematch">^=(\S+)</regex>
+  <prematch_pcre2> rhost</prematch_pcre2>
+  <pcre2 offset="after_prematch">^=(\S+)</pcre2>
   <order>srcip</order>
 </decoder>
 
diff --git a/decoders.d/00-crs-windows-date-format_decoder.xml b/decoders.d/00-crs-windows-date-format_decoder.xml
@@ -1,10 +1,13 @@
 <!-- Windows date format.
-  -  Pre match for windows date format. Used on Windows firewall,
+       -  Pre match for windows date format. Used on Windows firewall,
   -  IIS, etc.
   -  Examples:
   -  2006-07-23 04:40:02 xxx
   -->
 <decoder name="windows-date-format">
-  <prematch>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d </prematch>
+  <prematch_pcre2>^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} </prematch_pcre2>
 </decoder>
 
+
+
+
diff --git a/decoders.d/50-crs-aix-ipsec_decoder.xml b/decoders.d/50-crs-aix-ipsec_decoder.xml
@@ -0,0 +1,15 @@
+<!-- AIX IPSec decoder.
+       - Will extract the action,srcip,dstip,protocol,srcport,dstport
+  - Examples:
+  - ipsec_logd: #:3 R:p  I:10.0.0.99 S:10.0.0.82 D:10.0.0.99 P:tcp/ack SP:50349 DP:22 R:l I:en0 F:n T:0 L:88
+  - ipsec_logd: #:1 R:p  O:10.0.0.99. S:10.0.0.99 D:10.0.0.25 P:udp SP:2063 DP:53 R:l I:en0 F:n T:0 L:81
+ -->
+<decoder name="aix-ipsec">
+   <type>firewall</type>
+   <program_name_pcre2>^ipsec_logd</program_name_pcre2>
+   <pcre2> R:(\w)  \w:\S+ S:(\S+) </pcre2>
+   <pcre2>D:(\S+) P:(\S+) SP:(\d+) DP:(\d+) </pcre2>
+   <order>action,srcip,dstip,protocol,srcport,dstport</order>
+</decoder>
+
+
diff --git a/decoders.d/50-crs-apache_decoder.xml b/decoders.d/50-crs-apache_decoder.xml
@@ -1,5 +1,5 @@
 <!-- Apache decoder.
-  - Updated by [email protected]. 2016/02/17
+       - Updated by [email protected]. 2016/02/17
   - Will extract the srcip
   - Examples:
   - Without ID: Will extract the srcip and srcport (when it is available)
@@ -23,38 +23,40 @@
       - [Tue Sep 30 12:11:21.258612 2014] [ssl:error] [pid 30473] AH02032: Hostname www.example.com provided via SNI and hostname ssl://www.example.com provided via HTTP are different
 -->
 
+
 <decoder name="apache-errorlog">
-    <program_name>^httpd</program_name>
+    <program_name_pcre2>^httpd</program_name_pcre2>
 </decoder>
 
 <decoder name="apache-errorlog">
-    <prematch>^[warn] |^[notice] |^[error] </prematch>
+    <prematch_pcre2>^\[warn\] |^\[notice\] |^\[error\] </prematch_pcre2>
 </decoder>
 
 <decoder name="apache-errorlog">
-    <prematch>^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [\S+:warn] |^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [\S+:notice] |^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [\S*:error] |^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [\S+:info] </prematch>
+    <prematch_pcre2>^\[\w+ \w+ \d+ \d+:\d+:\d+\.\d+ \d+\] (?:\[\S+:warn\]|\[\S+:notice\]|\[\S*:error\]|\[\S+:info\]) </prematch_pcre2>
 </decoder>
 
-
 <decoder name="apache24-errorlog-ip-port">
     <parent>apache-errorlog</parent>
-    <prematch offset="after_parent">[client \S+:\d+] \S+:</prematch>
-    <regex offset="after_parent">[client (\S+):(\d+)] (\S+): </regex>
+    <prematch_pcre2 offset="after_parent">\[client \S+:\d+?\] \S+:</prematch_pcre2>
+    <pcre2 offset="after_parent">\[client (\S+):(\d+?)\] (\S+): </pcre2>
     <order>srcip,srcport,id</order>
 </decoder>
 
 <decoder name="apache24-errorlog-ip">
     <parent>apache-errorlog</parent>
-    <prematch offset="after_parent">[client \S+] \S+:</prematch>
-    <regex offset="after_parent">[client (\S+)] (\S+): </regex>
+    <prematch_pcre2 offset="after_parent">\[client \S+\] \S+:</prematch_pcre2>
+    <pcre2 offset="after_parent">\[client (\S+)\] (\S+): </pcre2>
     <order>srcip,id</order>
 </decoder>
 
 
 <decoder name="apache-errorlog-ip">
     <parent>apache-errorlog</parent>
-    <prematch offset="after_parent">[client</prematch>
-    <regex offset="after_prematch">^ (\S+):(\d+)] |^ (\S+)] </regex>
+    <prematch_pcre2 offset="after_parent">\[client</prematch_pcre2>
+    <pcre2 offset="after_prematch">^ (\S+):(\d+?)\] |^ (\S+)\] </pcre2>
     <order>srcip,srcport</order>
 </decoder>
 
+
+
diff --git a/decoders.d/50-crs-apparmor_decoder.xml b/decoders.d/50-crs-apparmor_decoder.xml
@@ -1,5 +1,5 @@
 <!-- apparmor
-  - Jun 24 10:35:29 hostname kernel: [49787.970285] audit: type=1400 audit(1403598929.839:88986): apparmor="ALLOWED" operation="getattr" profile="/usr/sbin/dovecot//null-1//null-2//null-4a6" name="/home/admin/mails/new/" pid=19973 comm="imap" requested_mask="r" denied_mask="r" fsuid=1003 ouid=1003
+       - Jun 24 10:35:29 hostname kernel: [49787.970285] audit: type=1400 audit(1403598929.839:88986): apparmor="ALLOWED" operation="getattr" profile="/usr/sbin/dovecot//null-1//null-2//null-4a6" name="/home/admin/mails/new/" pid=19973 comm="imap" requested_mask="r" denied_mask="r" fsuid=1003 ouid=1003
   - Jul 14 11:03:47 hostname kernel: [ 8665.951930] type=1400 audit(1405328627.702:54): apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/etc/xfce4/defaults.list" pid=16418 comm="evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
   - Jun 16 17:37:39 hostname kernel: [891880.587623] audit: type=1400 audit(1402933059.038:1681857): apparmor="ALLOWED" operation="exec" profile="/usr/sbin/dovecot//null-1fde//null-1fdf" name="/usr/lib/dovecot/pop3-login" pid=13903 comm="dovecot" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/sbin/dovecot//null-1fde//null-1fdf//null-6b18"
   - Jun 16 17:37:39 hostname kernel: [891880.587957] audit: type=1400 audit(1402933059.038:1681858): apparmor="ALLOWED" operation="open" profile="/usr/sbin/dovecot//null-1fde//null-1fdf//null-6b18" name="/usr/lib/dovecot/libdovecot-login.so.0.0.0" pid=13903 comm="pop3-login" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
@@ -12,8 +12,9 @@
 
 <decoder name="apparmor">
   <parent>iptables</parent>
-  <prematch> apparmor=</prematch>
-  <regex> apparmor="(\S+)" operation="(\S+)"</regex>
+  <prematch_pcre2> apparmor=</prematch_pcre2>
+  <pcre2> apparmor="(\S+)" operation="(\S+)"</pcre2>
   <order>status, extra_data</order>
 </decoder>
 
+
diff --git a/decoders.d/50-crs-arpwatch_decoder.xml b/decoders.d/50-crs-arpwatch_decoder.xml
@@ -1,5 +1,5 @@
 <!-- Arpwatch decoder.
-  - Will extract srcip/mac for "new station" messages.
+       - Will extract srcip/mac for "new station" messages.
   - Examples:
   - arpwatch: new station 192.168.1.103 0:11:43:5e:5d:80 eth0
   - arpwatch: bogon 172.16.150.149 0:2:b3:d6:e5:68 eth0
@@ -8,14 +8,16 @@
   - arpwatch: reused old ethernet address 192.168.17.248 0:e:3b:a:cb:67 (0:1e:8c:72:b0:d0)
   -->
 <decoder name="arpwatch">
-  <program_name>^arpwatch</program_name>
+  <program_name_pcre2>^arpwatch</program_name_pcre2>
 </decoder>
 
 <decoder name="arpwatch-new">
   <parent>arpwatch</parent>
-  <prematch>^new station |^bogon </prematch>
-  <regex offset="after_prematch">^(\S+) (\S+)</regex>
+  <prematch_pcre2>^new station |^bogon </prematch_pcre2>
+  <pcre2 offset="after_prematch">^(\S+) (\S+)</pcre2>
   <order>srcip, extra_data</order>
   <fts>name, srcip, extra_data</fts>
 </decoder>
 
+
+
diff --git a/decoders.d/50-crs-asterisk_decoder.xml b/decoders.d/50-crs-asterisk_decoder.xml
@@ -1,39 +1,47 @@
 <!-- Asterisk logs
-  - Examples:
+       - Examples:
   - Dec 16 18:02:04 asterisk1 asterisk[31774]: NOTICE[31787]:
   chan_sip.c:11242 in handle_request_register: Registration from
   '"503"<sip:[email protected]>' failed for '192.168.1.137' - Wrong
   password
   -->
 <decoder name="asterisk">
-  <program_name>^asterisk</program_name>
+  <program_name_pcre2>^asterisk</program_name_pcre2>
 </decoder>
 
 <decoder name="asterisk-hijacking">
   <parent>asterisk</parent>
-  <prematch>^WARNING[\d+]: \S+ in \S+: Don't know </prematch>
-  <regex offset="after_prematch">^\S+ how to respond via '(\w+/\d.\d/\w+)'</regex>
+  <prematch_pcre2>^WARNING\[\d+?\]: \S+ in \S+: Don't know </prematch_pcre2>
+  <pcre2 offset="after_prematch">^\S+ how to respond via '([A-Za-z0-9@_-]+/\d\.\d/[A-Za-z0-9@_-]+)'</pcre2>
   <order>user</order>
 </decoder>
 
 <decoder name="asterisk-denied">
   <parent>asterisk</parent>
-  <prematch>^NOTICE[\d+]: \S+ in \S+: Registration from </prematch>
-  <regex offset="after_prematch">^\S+ failed for '(\S+)'</regex>
-  <order>srcip</order>
+  <prematch_pcre2>^NOTICE\[\d+?\]: \S+ in \S+: Registration from </prematch_pcre2>
+  <pcre2 offset="after_prematch">^'.+' failed for '(\S+):(\d+?)'|^'.+' failed for '(\S+)'</pcre2>
+  <order>srcip,srcport</order>
 </decoder>
 
 <decoder name="asterisk-denied2">
   <parent>asterisk</parent>
-  <prematch>Registration from </prematch>
-  <regex offset="after_prematch">failed for '(\S+)'</regex>
-  <order>srcip</order>
+  <prematch_pcre2>Registration from </prematch_pcre2>
+  <pcre2 offset="after_prematch">failed for '(\S+):(\d+?)'|failed for '(\S+)'</pcre2>
+  <order>srcip,srcport</order>
+</decoder>
+
+<decoder name="asterisk-denied3">
+  <parent>asterisk</parent>
+  <prematch_pcre2>^NOTICE\[\d+?\]\[[A-Za-z0-9@_-]+?\]: \S+ in \S+: Call from </prematch_pcre2>
+  <pcre2 offset="after_prematch">^'\S*' \((\S+):(\d+?)\) to extension '(\S+)' rejected because extension not found in context '(\S+)'\.$</pcre2>
+  <order>srcip, srcport, extra_data, extra_data</order>
 </decoder>
 
 <decoder name="asterisk-iax-authentication-denied">
   <parent>asterisk</parent>
-  <prematch>^NOTICE[\d+]: \S+ in \S+: Host </prematch>
-  <regex offset="after_prematch">^(\S+) failed MD5 authentication for (\S+)</regex>
+  <prematch_pcre2>^NOTICE\[\d+\]: \S+ in \S+: Host </prematch_pcre2>
+  <pcre2 offset="after_prematch">^(\S+) failed MD5 authentication for (\S+)</pcre2>
   <order>srcip, user</order>
 </decoder>
 
+