Merge pull request #654 from omarix/patch-1

Improved vsftpd decoder
ossec · Aug 19, 2015 · 5384936 · 5384936
2 parents fac271e + 4d2d4eb
commit 5384936
Showing 1 changed file with 44 additions and 3 deletions.
diff --git a/etc/decoder.xml b/etc/decoder.xml
@@ -559,11 +559,13 @@ Jan  8 19:32:41 tp.lan dropbear[15165]: Pubkey auth succeeded for 'root' with ke
   - Sun Jun  4 22:08:39 2006 [pid 21611] [dcid] OK LOGIN: Client "192.168.2.10"
   - Sun Jun  4 22:09:22 2006 [pid 21622] CONNECT: Client "192.168.2.10"
   - Sun Jun  4 22:09:24 2006 [pid 21621] [lalal] FAIL LOGIN: Client "192.168.2.10"
-  - Sat Jun  3 07:51:42 2006 [pid 25073] [Administrator] FAIL LOGIN: Client
-  "211.100.27.101"
+  - Sat Jun  3 07:51:42 2006 [pid 25073] [Administrator] FAIL LOGIN: Client "211.100.27.101"
   - Sun Aug 27 16:28:20 2006 [pid 13962] [xx] OK UPLOAD: Client "1.2.3.4", "/a.php", 8338 bytes, 18.77Kbyte/sec
   - Jul 13 12:31:20 www vsftpd: Sun Jul 13 10:31:20 2008 [pid 27528] [anonymous] FAIL LOGIN: Client "84.140.234.76"
-  -->
+  - Sun Aug 16 15:48:02 2015 [pid 4832] [ftpuser] OK DELETE: Client "172.28.5.129", "/index.php"
+  - Sun Aug 16 16:26:06 2015 [pid 4976] [ftpuser] OK CHMOD: Client "172.28.5.129", "/index.php 777"
+  - Sun Aug 16 16:26:21 2015 [pid 4976] [ftpuser] OK RENAME: Client "172.28.5.129", "/index.php /4444index.php"
+  
 <decoder name="vsftpd">
   <prematch>^\w\w\w \w\w\w\s+\d+ \S+ \d+ [pid \d+] </prematch>
   <regex offset="after_prematch">Client "(\d+.\d+.\d+.\d+)"$</regex>
@@ -576,7 +578,46 @@ Jan  8 19:32:41 tp.lan dropbear[15165]: Pubkey auth succeeded for 'root' with ke
   <regex offset="after_prematch">Client "(\d+.\d+.\d+.\d+)"$</regex>
   <order>srcip</order>
 </decoder>
+-->
 
+<!-- #####################################################
+     Add by Omar MEZRAG - 0xFFFFFF
+     ##################################################### -->
+
+<decoder name="vsftpd">
+  <prematch>^\w\w\w \w\w\w\s+\d+ \S+ \d+ [pid \d+] </prematch>
+</decoder>
+
+<decoder name="vsftpd">
+  <program_name>^vsftpd</program_name>
+  <prematch>^\w\w\w \w\w\w\s+\d+ \S+ \d+ [pid \d+] </prematch>
+</decoder>
+
+<decoder name="vsftpd_login">
+  <parent>vsftpd</parent>
+  <prematch offset="after_parent"> LOGIN:</prematch>
+  <regex offset="after_parent">[(\S+)] (\S+ LOGIN): Client "(\d+.\d+.\d+.\d+)"$</regex>
+  <order>user,status,srcip</order>
+</decoder>
+
+<decoder name="vsftpd_connect">
+  <parent>vsftpd</parent>
+  <prematch offset="after_parent">^CONNECT:</prematch>
+  <regex offset="after_parent">(CONNECT): Client "(\d+.\d+.\d+.\d+)"$</regex>
+  <order>action,srcip</order>
+</decoder>
+
+<decoder name="vsftpd_cmd">
+  <parent>vsftpd</parent>
+  <regex offset="after_parent">[(\S+)] (OK \S+): Client "(\d+.\d+.\d+.\d+)", "(\.+)"\.*</regex>
+  <order>user,status,srcip,url</order>
+</decoder>
+
+<decoder name="vsftpd_default">
+  <parent>vsftpd</parent>
+  <regex offset="after_parent">Client "(\d+.\d+.\d+.\d+)"$</regex>
+  <order>srcip</order>
+</decoder>
 
 
 <!-- FTPD decoder - Solaris, MacOS and Wu-ftpd).