Merge pull request #2 from atomicturtle/pcre2-update-01
Pcre2 update 01
Showing
213 changed files
with
4,727 additions
and
4,745 deletions.
@@ -1,10 +1,13 @@ | ||
<!-- Windows date format. | ||
- Pre match for windows date format. Used on Windows firewall, | ||
- Pre match for windows date format. Used on Windows firewall, | ||
- IIS, etc. | ||
- Examples: | ||
- 2006-07-23 04:40:02 xxx | ||
--> | ||
<decoder name="windows-date-format"> | ||
<prematch>^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d </prematch> | ||
<prematch_pcre2>^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} </prematch_pcre2> | ||
</decoder> | ||
@@ -0,0 +1,15 @@ | ||
<!-- AIX IPSec decoder. | ||
- Will extract the action,srcip,dstip,protocol,srcport,dstport | ||
- Examples: | ||
- ipsec_logd: #:3 R:p I:10.0.0.99 S:10.0.0.82 D:10.0.0.99 P:tcp/ack SP:50349 DP:22 R:l I:en0 F:n T:0 L:88 | ||
- ipsec_logd: #:1 R:p O:10.0.0.99. S:10.0.0.99 D:10.0.0.25 P:udp SP:2063 DP:53 R:l I:en0 F:n T:0 L:81 | ||
--> | ||
<decoder name="aix-ipsec"> | ||
<type>firewall</type> | ||
<program_name_pcre2>^ipsec_logd</program_name_pcre2> | ||
<pcre2> R:(\w) \w:\S+ S:(\S+) </pcre2> | ||
<pcre2>D:(\S+) P:(\S+) SP:(\d+) DP:(\d+) </pcre2> | ||
<order>action,srcip,dstip,protocol,srcport,dstport</order> | ||
</decoder> | ||
@@ -1,5 +1,5 @@ | ||
<!-- Apache decoder. | ||
- Updated by [email protected]. 2016/02/17 | ||
- Updated by [email protected]. 2016/02/17 | ||
- Will extract the srcip | ||
- Examples: | ||
- Without ID: Will extract the srcip and srcport (when it is available) | ||
@@ -23,38 +23,40 @@ | |
- [Tue Sep 30 12:11:21.258612 2014] [ssl:error] [pid 30473] AH02032: Hostname www.example.com provided via SNI and hostname ssl://www.example.com provided via HTTP are different | ||
--> | ||
<decoder name="apache-errorlog"> | ||
<program_name>^httpd</program_name> | ||
<program_name_pcre2>^httpd</program_name_pcre2> | ||
</decoder> | ||
<decoder name="apache-errorlog"> | ||
<prematch>^[warn] |^[notice] |^[error] </prematch> | ||
<prematch_pcre2>^\[warn\] |^\[notice\] |^\[error\] </prematch_pcre2> | ||
</decoder> | ||
<decoder name="apache-errorlog"> | ||
<prematch>^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [\S+:warn] |^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [\S+:notice] |^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [\S*:error] |^[\w+ \w+ \d+ \d+:\d+:\d+.\d+ \d+] [\S+:info] </prematch> | ||
<prematch_pcre2>^\[\w+ \w+ \d+ \d+:\d+:\d+\.\d+ \d+\] (?:\[\S+:warn\]|\[\S+:notice\]|\[\S*:error\]|\[\S+:info\]) </prematch_pcre2> | ||
</decoder> | ||
<decoder name="apache24-errorlog-ip-port"> | ||
<parent>apache-errorlog</parent> | ||
<prematch offset="after_parent">[client \S+:\d+] \S+:</prematch> | ||
<regex offset="after_parent">[client (\S+):(\d+)] (\S+): </regex> | ||
<prematch_pcre2 offset="after_parent">\[client \S+:\d+?\] \S+:</prematch_pcre2> | ||
<pcre2 offset="after_parent">\[client (\S+):(\d+?)\] (\S+): </pcre2> | ||
<order>srcip,srcport,id</order> | ||
</decoder> | ||
<decoder name="apache24-errorlog-ip"> | ||
<parent>apache-errorlog</parent> | ||
<prematch offset="after_parent">[client \S+] \S+:</prematch> | ||
<regex offset="after_parent">[client (\S+)] (\S+): </regex> | ||
<prematch_pcre2 offset="after_parent">\[client \S+\] \S+:</prematch_pcre2> | ||
<pcre2 offset="after_parent">\[client (\S+)\] (\S+): </pcre2> | ||
<order>srcip,id</order> | ||
</decoder> | ||
<decoder name="apache-errorlog-ip"> | ||
<parent>apache-errorlog</parent> | ||
<prematch offset="after_parent">[client</prematch> | ||
<regex offset="after_prematch">^ (\S+):(\d+)] |^ (\S+)] </regex> | ||
<prematch_pcre2 offset="after_parent">\[client</prematch_pcre2> | ||
<pcre2 offset="after_prematch">^ (\S+):(\d+?)\] |^ (\S+)\] </pcre2> | ||
<order>srcip,srcport</order> | ||
</decoder> | ||
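Review bot: In apache-errorlog-ip the new `^ (\S+):(\d+?)\] |^ (\S+)\] ` pattern has three capture groups while `<order>srcip,srcport</order>` names two; PCRE2 numbers groups across both alternatives, so on a client line that carries no port the address lands in group 3 with groups 1 and 2 unset, unlike the OSSEC regex it replaces, where each alternative numbers its groups from 1. Unless this fork's matcher skips unset groups when walking the order list (that code is not visible here), such a line would leave srcip empty. A branch-reset group keeps per-alternative numbering: `<pcre2 offset="after_prematch">(?|^ (\S+):(\d+)\] |^ (\S+)\] )</pcre2>`. The same shape appears in the asterisk-denied and asterisk-denied2 pcre2 lines of the asterisk section. The lazy `\d+?` in front of `\]` here and in the two apache24 decoders matches the same strings as `\d+` and only adds backtracking.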
@@ -1,39 +1,47 @@ | ||
<!-- Asterisk logs | ||
- Examples: | ||
- Examples: | ||
- Dec 16 18:02:04 asterisk1 asterisk[31774]: NOTICE[31787]: | ||
chan_sip.c:11242 in handle_request_register: Registration from | ||
'"503"<sip:[email protected]>' failed for '192.168.1.137' - Wrong | ||
password | ||
--> | ||
<decoder name="asterisk"> | ||
<program_name>^asterisk</program_name> | ||
<program_name_pcre2>^asterisk</program_name_pcre2> | ||
</decoder> | ||
<decoder name="asterisk-hijacking"> | ||
<parent>asterisk</parent> | ||
<prematch>^WARNING[\d+]: \S+ in \S+: Don't know </prematch> | ||
<regex offset="after_prematch">^\S+ how to respond via '(\w+/\d.\d/\w+)'</regex> | ||
<prematch_pcre2>^WARNING\[\d+?\]: \S+ in \S+: Don't know </prematch_pcre2> | ||
<pcre2 offset="after_prematch">^\S+ how to respond via '([A-Za-z0-9@_-]+/\d\.\d/[A-Za-z0-9@_-]+)'</pcre2> | ||
<order>user</order> | ||
</decoder> | ||
<decoder name="asterisk-denied"> | ||
<parent>asterisk</parent> | ||
<prematch>^NOTICE[\d+]: \S+ in \S+: Registration from </prematch> | ||
<regex offset="after_prematch">^\S+ failed for '(\S+)'</regex> | ||
<order>srcip</order> | ||
<prematch_pcre2>^NOTICE\[\d+?\]: \S+ in \S+: Registration from </prematch_pcre2> | ||
<pcre2 offset="after_prematch">^'.+' failed for '(\S+):(\d+?)'|^'.+' failed for '(\S+)'</pcre2> | ||
<order>srcip,srcport</order> | ||
</decoder> | ||
<decoder name="asterisk-denied2"> | ||
<parent>asterisk</parent> | ||
<prematch>Registration from </prematch> | ||
<regex offset="after_prematch">failed for '(\S+)'</regex> | ||
<order>srcip</order> | ||
<prematch_pcre2>Registration from </prematch_pcre2> | ||
<pcre2 offset="after_prematch">failed for '(\S+):(\d+?)'|failed for '(\S+)'</pcre2> | ||
<order>srcip,srcport</order> | ||
</decoder> | ||
<decoder name="asterisk-denied3"> | ||
<parent>asterisk</parent> | ||
<prematch_pcre2>^NOTICE\[\d+?\]\[[A-Za-z0-9@_-]+?\]: \S+ in \S+: Call from </prematch_pcre2> | ||
<pcre2 offset="after_prematch">^'\S*' \((\S+):(\d+?)\) to extension '(\S+)' rejected because extension not found in context '(\S+)'\.$</pcre2> | ||
<order>srcip, srcport, extra_data, extra_data</order> | ||
</decoder> | ||
<decoder name="asterisk-iax-authentication-denied"> | ||
<parent>asterisk</parent> | ||
<prematch>^NOTICE[\d+]: \S+ in \S+: Host </prematch> | ||
<regex offset="after_prematch">^(\S+) failed MD5 authentication for (\S+)</regex> | ||
<prematch_pcre2>^NOTICE\[\d+\]: \S+ in \S+: Host </prematch_pcre2> | ||
<pcre2 offset="after_prematch">^(\S+) failed MD5 authentication for (\S+)</pcre2> | ||
<order>srcip, user</order> | ||
</decoder> | ||
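Review bot: asterisk-denied3 lists `extra_data` twice in `<order>srcip, srcport, extra_data, extra_data</order>` while its pcre2 captures both the dialled extension and the context; presumably the second assignment overwrites the first, so one of the two values is silently lost. If only the extension is wanted, stop capturing the context and drop the duplicate field: `<pcre2 offset="after_prematch">^'\S*' \((\S+):(\d+)\) to extension '(\S+)' rejected because extension not found in context '\S+'\.$</pcre2>` with `<order>srcip,srcport,extra_data</order>`. The spaces after the commas in that `<order>` and in asterisk-iax-authentication-denied also differ from the `srcip,srcport` form used by the other decoders in this hunk; worth confirming the order parser trims them.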