

Improved vsftpd decoder
OUTPUT

Sun Aug 16 15:47:34 2015 [pid 4864] CONNECT: Client "172.28.5.129"
Sun Aug 16 15:47:36 2015 [pid 4863] [ftpuser] FAIL LOGIN: Client "172.28.5.129"
Sun Aug 16 15:47:49 2015 [pid 4868] CONNECT: Client "172.28.5.129"
Sun Aug 16 15:47:50 2015 [pid 4867] [ftpuser] OK LOGIN: Client "172.28.5.129"
Sun Aug 16 15:47:50 2015 [pid 4872] [ftpuser] OK UPLOAD: Client "172.28.5.129", "/index.php", 8099 bytes, 1176.26Kbyte/sec
Sun Aug 16 15:48:02 2015 [pid 4832] [ftpuser] OK DELETE: Client "172.28.5.129", "/index.php"
Sun Aug 16 16:26:06 2015 [pid 4976] [ftpuser] OK CHMOD: Client "172.28.5.129", "/index.php 777"
Sun Aug 16 16:26:21 2015 [pid 4976] [ftpuser] OK RENAME: Client "172.28.5.129", "/index.php /4444index.php"

**Phase 1: Completed pre-decoding.
       full event: 'Sun Aug 16 15:47:34 2015 [pid 4864] CONNECT: Client "172.28.5.129"'
       hostname: 'ossec-server'
       program_name: '(null)'
       log: 'Sun Aug 16 15:47:34 2015 [pid 4864] CONNECT: Client "172.28.5.129"'

**Phase 2: Completed decoding.
       decoder: 'vsftpd'
       action: 'CONNECT'
       srcip: '172.28.5.129'

**Phase 3: Completed filtering (rules).
       Rule id: '11401'
       Level: '3'
       Description: 'FTP session opened.'
**Alert to be generated.




**Phase 1: Completed pre-decoding.
       full event: 'Sun Aug 16 15:47:36 2015 [pid 4863] [ftpuser] FAIL LOGIN: Client "172.28.5.129"'
       hostname: 'ossec-server'
       program_name: '(null)'
       log: 'Sun Aug 16 15:47:36 2015 [pid 4863] [ftpuser] FAIL LOGIN: Client "172.28.5.129"'

**Phase 2: Completed decoding.
       decoder: 'vsftpd'
       dstuser: 'ftpuser'
       status: 'FAIL LOGIN'
       srcip: '172.28.5.129'

**Phase 3: Completed filtering (rules).
       Rule id: '11403'
       Level: '5'
       Description: 'Login failed accessing the FTP server.'
**Alert to be generated.




**Phase 1: Completed pre-decoding.
       full event: 'Sun Aug 16 15:47:49 2015 [pid 4868] CONNECT: Client "172.28.5.129"'
       hostname: 'ossec-server'
       program_name: '(null)'
       log: 'Sun Aug 16 15:47:49 2015 [pid 4868] CONNECT: Client "172.28.5.129"'

**Phase 2: Completed decoding.
       decoder: 'vsftpd'
       action: 'CONNECT'
       srcip: '172.28.5.129'

**Phase 3: Completed filtering (rules).
       Rule id: '11401'
       Level: '3'
       Description: 'FTP session opened.'
**Alert to be generated.




**Phase 1: Completed pre-decoding.
       full event: 'Sun Aug 16 15:47:50 2015 [pid 4867] [ftpuser] OK LOGIN: Client "172.28.5.129"'
       hostname: 'ossec-server'
       program_name: '(null)'
       log: 'Sun Aug 16 15:47:50 2015 [pid 4867] [ftpuser] OK LOGIN: Client "172.28.5.129"'

**Phase 2: Completed decoding.
       decoder: 'vsftpd'
       dstuser: 'ftpuser'
       status: 'OK LOGIN'
       srcip: '172.28.5.129'

**Phase 3: Completed filtering (rules).
       Rule id: '11402'
       Level: '3'
       Description: 'FTP Authentication success.'
**Alert to be generated.




**Phase 1: Completed pre-decoding.
       full event: 'Sun Aug 16 15:47:50 2015 [pid 4872] [ftpuser] OK UPLOAD: Client "172.28.5.129", "/index.php", 8099 bytes, 1176.26Kbyte/sec'
       hostname: 'ossec-server'
       program_name: '(null)'
       log: 'Sun Aug 16 15:47:50 2015 [pid 4872] [ftpuser] OK UPLOAD: Client "172.28.5.129", "/index.php", 8099 bytes, 1176.26Kbyte/sec'

**Phase 2: Completed decoding.
       decoder: 'vsftpd'
       dstuser: 'ftpuser'
       status: 'OK UPLOAD'
       srcip: '172.28.5.129'
       url: '/index.php'

**Phase 3: Completed filtering (rules).
       Rule id: '11404'
       Level: '0'
       Description: 'FTP server file upload.'


**Phase 1: Completed pre-decoding.
       full event: 'Sun Aug 16 15:48:02 2015 [pid 4832] [ftpuser] OK DELETE: Client "172.28.5.129", "/index.php"'
       hostname: 'ossec-server'
       program_name: '(null)'
       log: 'Sun Aug 16 15:48:02 2015 [pid 4832] [ftpuser] OK DELETE: Client "172.28.5.129", "/index.php"'

**Phase 2: Completed decoding.
       decoder: 'vsftpd'
       dstuser: 'ftpuser'
       status: 'OK DELETE'
       srcip: '172.28.5.129'
       url: '/index.php"'


**Phase 1: Completed pre-decoding.
       full event: 'Sun Aug 16 16:26:06 2015 [pid 4976] [ftpuser] OK CHMOD: Client "172.28.5.129", "/index.php 777"'
       hostname: 'ossec-server'
       program_name: '(null)'
       log: 'Sun Aug 16 16:26:06 2015 [pid 4976] [ftpuser] OK CHMOD: Client "172.28.5.129", "/index.php 777"'

**Phase 2: Completed decoding.
       decoder: 'vsftpd'
       dstuser: 'ftpuser'
       status: 'OK CHMOD'
       srcip: '172.28.5.129'
       url: '/index.php 777"'



**Phase 1: Completed pre-decoding.
       full event: 'Sun Aug 16 16:26:21 2015 [pid 4976] [ftpuser] OK RENAME: Client "172.28.5.129", "/index.php /4444index.php"'
       hostname: 'ossec-server'
       program_name: '(null)'
       log: 'Sun Aug 16 16:26:21 2015 [pid 4976] [ftpuser] OK RENAME: Client "172.28.5.129", "/index.php /4444index.php"'

**Phase 2: Completed decoding.
       decoder: 'vsftpd'
       dstuser: 'ftpuser'
       status: 'OK RENAME'
       srcip: '172.28.5.129'
       url: '/index.php /4444index.php"'
omarix committed Aug 18, 2015
1 parent fac271e commit 4d2d4eb
Showing 1 changed file with 44 additions and 3 deletions.
47 changes: 44 additions & 3 deletions etc/decoder.xml
Expand Up @@ -559,11 +559,13 @@ Jan 8 19:32:41 tp.lan dropbear[15165]: Pubkey auth succeeded for 'root' with ke
- Sun Jun 4 22:08:39 2006 [pid 21611] [dcid] OK LOGIN: Client "192.168.2.10"
- Sun Jun 4 22:09:22 2006 [pid 21622] CONNECT: Client "192.168.2.10"
- Sun Jun 4 22:09:24 2006 [pid 21621] [lalal] FAIL LOGIN: Client "192.168.2.10"
- Sat Jun 3 07:51:42 2006 [pid 25073] [Administrator] FAIL LOGIN: Client
"211.100.27.101"
- Sat Jun 3 07:51:42 2006 [pid 25073] [Administrator] FAIL LOGIN: Client "211.100.27.101"
- Sun Aug 27 16:28:20 2006 [pid 13962] [xx] OK UPLOAD: Client "1.2.3.4", "/a.php", 8338 bytes, 18.77Kbyte/sec
- Jul 13 12:31:20 www vsftpd: Sun Jul 13 10:31:20 2008 [pid 27528] [anonymous] FAIL LOGIN: Client "84.140.234.76"
-->
- Sun Aug 16 15:48:02 2015 [pid 4832] [ftpuser] OK DELETE: Client "172.28.5.129", "/index.php"
- Sun Aug 16 16:26:06 2015 [pid 4976] [ftpuser] OK CHMOD: Client "172.28.5.129", "/index.php 777"
- Sun Aug 16 16:26:21 2015 [pid 4976] [ftpuser] OK RENAME: Client "172.28.5.129", "/index.php /4444index.php"
<decoder name="vsftpd">
<prematch>^\w\w\w \w\w\w\s+\d+ \S+ \d+ [pid \d+] </prematch>
<regex offset="after_prematch">Client "(\d+.\d+.\d+.\d+)"$</regex>
Expand All @@ -576,7 +578,46 @@ Jan 8 19:32:41 tp.lan dropbear[15165]: Pubkey auth succeeded for 'root' with ke
<regex offset="after_prematch">Client "(\d+.\d+.\d+.\d+)"$</regex>
<order>srcip</order>
</decoder>
-->

<!-- #####################################################
Add by Omar MEZRAG - 0xFFFFFF
##################################################### -->

<decoder name="vsftpd">
<prematch>^\w\w\w \w\w\w\s+\d+ \S+ \d+ [pid \d+] </prematch>
</decoder>

<decoder name="vsftpd">
<program_name>^vsftpd</program_name>
<prematch>^\w\w\w \w\w\w\s+\d+ \S+ \d+ [pid \d+] </prematch>
</decoder>

<decoder name="vsftpd_login">
<parent>vsftpd</parent>
<prematch offset="after_parent"> LOGIN:</prematch>
<regex offset="after_parent">[(\S+)] (\S+ LOGIN): Client "(\d+.\d+.\d+.\d+)"$</regex>
<order>user,status,srcip</order>
</decoder>

<decoder name="vsftpd_connect">
<parent>vsftpd</parent>
<prematch offset="after_parent">^CONNECT:</prematch>
<regex offset="after_parent">(CONNECT): Client "(\d+.\d+.\d+.\d+)"$</regex>
<order>action,srcip</order>
</decoder>

<decoder name="vsftpd_cmd">
<parent>vsftpd</parent>
<regex offset="after_parent">[(\S+)] (OK \S+): Client "(\d+.\d+.\d+.\d+)", "(\.+)"\.*</regex>
<order>user,status,srcip,url</order>
</decoder>

<decoder name="vsftpd_default">
<parent>vsftpd</parent>
<regex offset="after_parent">Client "(\d+.\d+.\d+.\d+)"$</regex>
<order>srcip</order>
</decoder>


<!-- FTPD decoder - Solaris, MacOS and Wu-ftpd).
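Review bot: The `vsftpd_cmd` regex `"(\.+)"\.*` leaves the closing quote inside the captured `url` field, which the commit's own OUTPUT confirms (`url: '/index.php"'` for DELETE, `'/index.php 777"'` for CHMOD, `'/index.php /4444index.php"'` for RENAME), while only the UPLOAD line, where text follows the quote, decodes cleanly. Any rule or active response keyed on `url` will therefore see a different value for the same path depending on the command, and the trailing `"` also defeats exact-match lists. Since the other three OK lines end at the closing quote, the cleaner shape is to anchor that case with `$` (the file already relies on `$` in `vsftpd_login`) and give UPLOAD its own child decoder that stops at `", \d+ bytes`; this presumes OSSEC's matcher honours the anchor the same way here, so re-run the samples in the description through ossec-logtest after the change. Separately, the first parent `<decoder name="vsftpd">` carries no `<program_name>`, so any log whose line starts with a timestamp followed by `[pid N]` is claimed as vsftpd; that block is unchanged context, but it is worth a comment such as `<!-- catch-all for vsftpd_log without syslog prefix; keep after the program_name variant -->` so the next editor knows why two identical parents exist.

```xml
<decoder name="vsftpd_upload">
<parent>vsftpd</parent>
<prematch offset="after_parent"> UPLOAD:</prematch>
<regex offset="after_parent">[(\S+)] (OK \S+): Client "(\d+.\d+.\d+.\d+)", "(\.+)", \d+ bytes</regex>
<order>user,status,srcip,url</order>
</decoder>

<decoder name="vsftpd_cmd">
<parent>vsftpd</parent>
<regex offset="after_parent">[(\S+)] (OK \S+): Client "(\d+.\d+.\d+.\d+)", "(\.+)"$</regex>
<order>user,status,srcip,url</order>
</decoder>
```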
