Improved vsftpd decoder #654

omarix · 2015-08-18T14:24:49Z

OUTPUT

Sun Aug 16 15:47:34 2015 [pid 4864] CONNECT: Client "172.28.5.129"
Sun Aug 16 15:47:36 2015 [pid 4863] [ftpuser] FAIL LOGIN: Client "172.28.5.129"
Sun Aug 16 15:47:49 2015 [pid 4868] CONNECT: Client "172.28.5.129"
Sun Aug 16 15:47:50 2015 [pid 4867] [ftpuser] OK LOGIN: Client "172.28.5.129"
Sun Aug 16 15:47:50 2015 [pid 4872] [ftpuser] OK UPLOAD: Client "172.28.5.129", "/index.php", 8099 bytes, 1176.26Kbyte/sec
Sun Aug 16 15:48:02 2015 [pid 4832] [ftpuser] OK DELETE: Client "172.28.5.129", "/index.php"
Sun Aug 16 16:26:06 2015 [pid 4976] [ftpuser] OK CHMOD: Client "172.28.5.129", "/index.php 777"
Sun Aug 16 16:26:21 2015 [pid 4976] [ftpuser] OK RENAME: Client "172.28.5.129", "/index.php /4444index.php"

**Phase 1: Completed pre-decoding.
full event: 'Sun Aug 16 15:47:34 2015 [pid 4864] CONNECT: Client "172.28.5.129"'
hostname: 'ossec-server'
program_name: '(null)'
log: 'Sun Aug 16 15:47:34 2015 [pid 4864] CONNECT: Client "172.28.5.129"'

**Phase 2: Completed decoding.
decoder: 'vsftpd'
action: 'CONNECT'
srcip: '172.28.5.129'

*_Phase 3: Completed filtering (rules).
Rule id: '11401'
Level: '3'
Description: 'FTP session opened.'
*_Alert to be generated.

**Phase 1: Completed pre-decoding.
full event: 'Sun Aug 16 15:47:36 2015 [pid 4863] [ftpuser] FAIL LOGIN: Client "172.28.5.129"'
hostname: 'ossec-server'
program_name: '(null)'
log: 'Sun Aug 16 15:47:36 2015 [pid 4863] [ftpuser] FAIL LOGIN: Client "172.28.5.129"'

**Phase 2: Completed decoding.
decoder: 'vsftpd'
dstuser: 'ftpuser'
status: 'FAIL LOGIN'
srcip: '172.28.5.129'

*_Phase 3: Completed filtering (rules).
Rule id: '11403'
Level: '5'
Description: 'Login failed accessing the FTP server.'
*_Alert to be generated.

**Phase 1: Completed pre-decoding.
full event: 'Sun Aug 16 15:47:49 2015 [pid 4868] CONNECT: Client "172.28.5.129"'
hostname: 'ossec-server'
program_name: '(null)'
log: 'Sun Aug 16 15:47:49 2015 [pid 4868] CONNECT: Client "172.28.5.129"'

**Phase 2: Completed decoding.
decoder: 'vsftpd'
action: 'CONNECT'
srcip: '172.28.5.129'

*_Phase 3: Completed filtering (rules).
Rule id: '11401'
Level: '3'
Description: 'FTP session opened.'
*_Alert to be generated.

**Phase 1: Completed pre-decoding.
full event: 'Sun Aug 16 15:47:50 2015 [pid 4867] [ftpuser] OK LOGIN: Client "172.28.5.129"'
hostname: 'ossec-server'
program_name: '(null)'
log: 'Sun Aug 16 15:47:50 2015 [pid 4867] [ftpuser] OK LOGIN: Client "172.28.5.129"'

**Phase 2: Completed decoding.
decoder: 'vsftpd'
dstuser: 'ftpuser'
status: 'OK LOGIN'
srcip: '172.28.5.129'

*_Phase 3: Completed filtering (rules).
Rule id: '11402'
Level: '3'
Description: 'FTP Authentication success.'
*_Alert to be generated.

**Phase 1: Completed pre-decoding.
full event: 'Sun Aug 16 15:47:50 2015 [pid 4872] [ftpuser] OK UPLOAD: Client "172.28.5.129", "/index.php", 8099 bytes, 1176.26Kbyte/sec'
hostname: 'ossec-server'
program_name: '(null)'
log: 'Sun Aug 16 15:47:50 2015 [pid 4872] [ftpuser] OK UPLOAD: Client "172.28.5.129", "/index.php", 8099 bytes, 1176.26Kbyte/sec'

**Phase 2: Completed decoding.
decoder: 'vsftpd'
dstuser: 'ftpuser'
status: 'OK UPLOAD'
srcip: '172.28.5.129'
url: '/index.php'

**Phase 3: Completed filtering (rules).
Rule id: '11404'
Level: '0'
Description: 'FTP server file upload.'

**Phase 1: Completed pre-decoding.
full event: 'Sun Aug 16 15:48:02 2015 [pid 4832] [ftpuser] OK DELETE: Client "172.28.5.129", "/index.php"'
hostname: 'ossec-server'
program_name: '(null)'
log: 'Sun Aug 16 15:48:02 2015 [pid 4832] [ftpuser] OK DELETE: Client "172.28.5.129", "/index.php"'

**Phase 2: Completed decoding.
decoder: 'vsftpd'
dstuser: 'ftpuser'
status: 'OK DELETE'
srcip: '172.28.5.129'
url: '/index.php"'

**Phase 1: Completed pre-decoding.
full event: 'Sun Aug 16 16:26:06 2015 [pid 4976] [ftpuser] OK CHMOD: Client "172.28.5.129", "/index.php 777"'
hostname: 'ossec-server'
program_name: '(null)'
log: 'Sun Aug 16 16:26:06 2015 [pid 4976] [ftpuser] OK CHMOD: Client "172.28.5.129", "/index.php 777"'

**Phase 2: Completed decoding.
decoder: 'vsftpd'
dstuser: 'ftpuser'
status: 'OK CHMOD'
srcip: '172.28.5.129'
url: '/index.php 777"'

**Phase 1: Completed pre-decoding.
full event: 'Sun Aug 16 16:26:21 2015 [pid 4976] [ftpuser] OK RENAME: Client "172.28.5.129", "/index.php /4444index.php"'
hostname: 'ossec-server'
program_name: '(null)'
log: 'Sun Aug 16 16:26:21 2015 [pid 4976] [ftpuser] OK RENAME: Client "172.28.5.129", "/index.php /4444index.php"'

**Phase 2: Completed decoding.
decoder: 'vsftpd'
dstuser: 'ftpuser'
status: 'OK RENAME'
srcip: '172.28.5.129'
url: '/index.php /4444index.php"'

OUTPUT Sun Aug 16 15:47:34 2015 [pid 4864] CONNECT: Client "172.28.5.129" Sun Aug 16 15:47:36 2015 [pid 4863] [ftpuser] FAIL LOGIN: Client "172.28.5.129" Sun Aug 16 15:47:49 2015 [pid 4868] CONNECT: Client "172.28.5.129" Sun Aug 16 15:47:50 2015 [pid 4867] [ftpuser] OK LOGIN: Client "172.28.5.129" Sun Aug 16 15:47:50 2015 [pid 4872] [ftpuser] OK UPLOAD: Client "172.28.5.129", "/index.php", 8099 bytes, 1176.26Kbyte/sec Sun Aug 16 15:48:02 2015 [pid 4832] [ftpuser] OK DELETE: Client "172.28.5.129", "/index.php" Sun Aug 16 16:26:06 2015 [pid 4976] [ftpuser] OK CHMOD: Client "172.28.5.129", "/index.php 777" Sun Aug 16 16:26:21 2015 [pid 4976] [ftpuser] OK RENAME: Client "172.28.5.129", "/index.php /4444index.php" **Phase 1: Completed pre-decoding. full event: 'Sun Aug 16 15:47:34 2015 [pid 4864] CONNECT: Client "172.28.5.129"' hostname: 'ossec-server' program_name: '(null)' log: 'Sun Aug 16 15:47:34 2015 [pid 4864] CONNECT: Client "172.28.5.129"' **Phase 2: Completed decoding. decoder: 'vsftpd' action: 'CONNECT' srcip: '172.28.5.129' **Phase 3: Completed filtering (rules). Rule id: '11401' Level: '3' Description: 'FTP session opened.' **Alert to be generated. **Phase 1: Completed pre-decoding. full event: 'Sun Aug 16 15:47:36 2015 [pid 4863] [ftpuser] FAIL LOGIN: Client "172.28.5.129"' hostname: 'ossec-server' program_name: '(null)' log: 'Sun Aug 16 15:47:36 2015 [pid 4863] [ftpuser] FAIL LOGIN: Client "172.28.5.129"' **Phase 2: Completed decoding. decoder: 'vsftpd' dstuser: 'ftpuser' status: 'FAIL LOGIN' srcip: '172.28.5.129' **Phase 3: Completed filtering (rules). Rule id: '11403' Level: '5' Description: 'Login failed accessing the FTP server.' **Alert to be generated. **Phase 1: Completed pre-decoding. full event: 'Sun Aug 16 15:47:49 2015 [pid 4868] CONNECT: Client "172.28.5.129"' hostname: 'ossec-server' program_name: '(null)' log: 'Sun Aug 16 15:47:49 2015 [pid 4868] CONNECT: Client "172.28.5.129"' **Phase 2: Completed decoding. decoder: 'vsftpd' action: 'CONNECT' srcip: '172.28.5.129' **Phase 3: Completed filtering (rules). Rule id: '11401' Level: '3' Description: 'FTP session opened.' **Alert to be generated. **Phase 1: Completed pre-decoding. full event: 'Sun Aug 16 15:47:50 2015 [pid 4867] [ftpuser] OK LOGIN: Client "172.28.5.129"' hostname: 'ossec-server' program_name: '(null)' log: 'Sun Aug 16 15:47:50 2015 [pid 4867] [ftpuser] OK LOGIN: Client "172.28.5.129"' **Phase 2: Completed decoding. decoder: 'vsftpd' dstuser: 'ftpuser' status: 'OK LOGIN' srcip: '172.28.5.129' **Phase 3: Completed filtering (rules). Rule id: '11402' Level: '3' Description: 'FTP Authentication success.' **Alert to be generated. **Phase 1: Completed pre-decoding. full event: 'Sun Aug 16 15:47:50 2015 [pid 4872] [ftpuser] OK UPLOAD: Client "172.28.5.129", "/index.php", 8099 bytes, 1176.26Kbyte/sec' hostname: 'ossec-server' program_name: '(null)' log: 'Sun Aug 16 15:47:50 2015 [pid 4872] [ftpuser] OK UPLOAD: Client "172.28.5.129", "/index.php", 8099 bytes, 1176.26Kbyte/sec' **Phase 2: Completed decoding. decoder: 'vsftpd' dstuser: 'ftpuser' status: 'OK UPLOAD' srcip: '172.28.5.129' url: '/index.php' **Phase 3: Completed filtering (rules). Rule id: '11404' Level: '0' Description: 'FTP server file upload.' **Phase 1: Completed pre-decoding. full event: 'Sun Aug 16 15:48:02 2015 [pid 4832] [ftpuser] OK DELETE: Client "172.28.5.129", "/index.php"' hostname: 'ossec-server' program_name: '(null)' log: 'Sun Aug 16 15:48:02 2015 [pid 4832] [ftpuser] OK DELETE: Client "172.28.5.129", "/index.php"' **Phase 2: Completed decoding. decoder: 'vsftpd' dstuser: 'ftpuser' status: 'OK DELETE' srcip: '172.28.5.129' url: '/index.php"' **Phase 1: Completed pre-decoding. full event: 'Sun Aug 16 16:26:06 2015 [pid 4976] [ftpuser] OK CHMOD: Client "172.28.5.129", "/index.php 777"' hostname: 'ossec-server' program_name: '(null)' log: 'Sun Aug 16 16:26:06 2015 [pid 4976] [ftpuser] OK CHMOD: Client "172.28.5.129", "/index.php 777"' **Phase 2: Completed decoding. decoder: 'vsftpd' dstuser: 'ftpuser' status: 'OK CHMOD' srcip: '172.28.5.129' url: '/index.php 777"' **Phase 1: Completed pre-decoding. full event: 'Sun Aug 16 16:26:21 2015 [pid 4976] [ftpuser] OK RENAME: Client "172.28.5.129", "/index.php /4444index.php"' hostname: 'ossec-server' program_name: '(null)' log: 'Sun Aug 16 16:26:21 2015 [pid 4976] [ftpuser] OK RENAME: Client "172.28.5.129", "/index.php /4444index.php"' **Phase 2: Completed decoding. decoder: 'vsftpd' dstuser: 'ftpuser' status: 'OK RENAME' srcip: '172.28.5.129' url: '/index.php /4444index.php"'

ddpbsd · 2015-08-18T14:40:47Z

Awesome! Can you add tests to src/contrib/ossec-testing/tests for these log messages?

Improved vsftpd decoder

ddpbsd added a commit that referenced this pull request Aug 19, 2015

Merge pull request #654 from omarix/patch-1

5384936

Improved vsftpd decoder

ddpbsd merged commit 5384936 into ossec:master Aug 19, 2015

omarix deleted the patch-1 branch August 21, 2015 09:19

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Improved vsftpd decoder #654

Improved vsftpd decoder #654

omarix commented Aug 18, 2015

ddpbsd commented Aug 18, 2015

Improved vsftpd decoder #654

Improved vsftpd decoder #654

Conversation

omarix commented Aug 18, 2015

ddpbsd commented Aug 18, 2015