From 4d2d4eb23c4266d5941bbdbb955229246cc3db34 Mon Sep 17 00:00:00 2001 
From: 0xFFFFFF
Date: Tue, 18 Aug 2015 15:23:37 +0100
Subject: [PATCH] Improved vsftpd decoder

OUTPUT

Sun Aug 16 15:47:34 2015 [pid 4864] CONNECT: Client "172.28.5.129"
Sun Aug 16 15:47:36 2015 [pid 4863] [ftpuser] FAIL LOGIN: Client "172.28.5.129"
Sun Aug 16 15:47:49 2015 [pid 4868] CONNECT: Client "172.28.5.129"
Sun Aug 16 15:47:50 2015 [pid 4867] [ftpuser] OK LOGIN: Client "172.28.5.129"
Sun Aug 16 15:47:50 2015 [pid 4872] [ftpuser] OK UPLOAD: Client "172.28.5.129", "/index.php", 8099 bytes, 1176.26Kbyte/sec
Sun Aug 16 15:48:02 2015 [pid 4832] [ftpuser] OK DELETE: Client "172.28.5.129", "/index.php"
Sun Aug 16 16:26:06 2015 [pid 4976] [ftpuser] OK CHMOD: Client "172.28.5.129", "/index.php 777"
Sun Aug 16 16:26:21 2015 [pid 4976] [ftpuser] OK RENAME: Client "172.28.5.129", "/index.php /4444index.php"


**Phase 1: Completed pre-decoding.
       full event: 'Sun Aug 16 15:47:34 2015 [pid 4864] CONNECT: Client "172.28.5.129"'
       hostname: 'ossec-server'
       program_name: '(null)'
       log: 'Sun Aug 16 15:47:34 2015 [pid 4864] CONNECT: Client "172.28.5.129"'

**Phase 2: Completed decoding.
       decoder: 'vsftpd'
       action: 'CONNECT'
       srcip: '172.28.5.129'

**Phase 3: Completed filtering (rules).
       Rule id: '11401'
       Level: '3'
       Description: 'FTP session opened.'
**Alert to be generated.


**Phase 1: Completed pre-decoding.
       full event: 'Sun Aug 16 15:47:36 2015 [pid 4863] [ftpuser] FAIL LOGIN: Client "172.28.5.129"'
       hostname: 'ossec-server'
       program_name: '(null)'
       log: 'Sun Aug 16 15:47:36 2015 [pid 4863] [ftpuser] FAIL LOGIN: Client "172.28.5.129"'

**Phase 2: Completed decoding.
       decoder: 'vsftpd'
       dstuser: 'ftpuser'
       status: 'FAIL LOGIN'
       srcip: '172.28.5.129'

**Phase 3: Completed filtering (rules).
       Rule id: '11403'
       Level: '5'
       Description: 'Login failed accessing the FTP server.'
**Alert to be generated.


**Phase 1: Completed pre-decoding.
       full event: 'Sun Aug 16 15:47:49 2015 [pid 4868] CONNECT: Client "172.28.5.129"'
       hostname: 'ossec-server'
       program_name: '(null)'
       log: 'Sun Aug 16 15:47:49 2015 [pid 4868] CONNECT: Client "172.28.5.129"'

**Phase 2: Completed decoding.
       decoder: 'vsftpd'
       action: 'CONNECT'
       srcip: '172.28.5.129'

**Phase 3: Completed filtering (rules).
       Rule id: '11401'
       Level: '3'
       Description: 'FTP session opened.'
**Alert to be generated.


**Phase 1: Completed pre-decoding.
       full event: 'Sun Aug 16 15:47:50 2015 [pid 4867] [ftpuser] OK LOGIN: Client "172.28.5.129"'
       hostname: 'ossec-server'
       program_name: '(null)'
       log: 'Sun Aug 16 15:47:50 2015 [pid 4867] [ftpuser] OK LOGIN: Client "172.28.5.129"'

**Phase 2: Completed decoding.
       decoder: 'vsftpd'
       dstuser: 'ftpuser'
       status: 'OK LOGIN'
       srcip: '172.28.5.129'

**Phase 3: Completed filtering (rules).
       Rule id: '11402'
       Level: '3'
       Description: 'FTP Authentication success.'
**Alert to be generated.


**Phase 1: Completed pre-decoding.
       full event: 'Sun Aug 16 15:47:50 2015 [pid 4872] [ftpuser] OK UPLOAD: Client "172.28.5.129", "/index.php", 8099 bytes, 1176.26Kbyte/sec'
       hostname: 'ossec-server'
       program_name: '(null)'
       log: 'Sun Aug 16 15:47:50 2015 [pid 4872] [ftpuser] OK UPLOAD: Client "172.28.5.129", "/index.php", 8099 bytes, 1176.26Kbyte/sec'

**Phase 2: Completed decoding.
       decoder: 'vsftpd'
       dstuser: 'ftpuser'
       status: 'OK UPLOAD'
       srcip: '172.28.5.129'
       url: '/index.php'

**Phase 3: Completed filtering (rules).
       Rule id: '11404'
       Level: '0'
       Description: 'FTP server file upload.'


**Phase 1: Completed pre-decoding.
       full event: 'Sun Aug 16 15:48:02 2015 [pid 4832] [ftpuser] OK DELETE: Client "172.28.5.129", "/index.php"'
       hostname: 'ossec-server'
       program_name: '(null)'
       log: 'Sun Aug 16 15:48:02 2015 [pid 4832] [ftpuser] OK DELETE: Client "172.28.5.129", "/index.php"'

**Phase 2: Completed decoding.
       decoder: 'vsftpd'
       dstuser: 'ftpuser'
       status: 'OK DELETE'
       srcip: '172.28.5.129'
       url: '/index.php"'


**Phase 1: Completed pre-decoding.
       full event: 'Sun Aug 16 16:26:06 2015 [pid 4976] [ftpuser] OK CHMOD: Client "172.28.5.129", "/index.php 777"'
       hostname: 'ossec-server'
       program_name: '(null)'
       log: 'Sun Aug 16 16:26:06 2015 [pid 4976] [ftpuser] OK CHMOD: Client "172.28.5.129", "/index.php 777"'

**Phase 2: Completed decoding.
       decoder: 'vsftpd'
       dstuser: 'ftpuser'
       status: 'OK CHMOD'
       srcip: '172.28.5.129'
       url: '/index.php 777"'


**Phase 1: Completed pre-decoding.
       full event: 'Sun Aug 16 16:26:21 2015 [pid 4976] [ftpuser] OK RENAME: Client "172.28.5.129", "/index.php /4444index.php"'
       hostname: 'ossec-server'
       program_name: '(null)'
       log: 'Sun Aug 16 16:26:21 2015 [pid 4976] [ftpuser] OK RENAME: Client "172.28.5.129", "/index.php /4444index.php"'

**Phase 2: Completed decoding.
       decoder: 'vsftpd'
       dstuser: 'ftpuser'
       status: 'OK RENAME'
       srcip: '172.28.5.129'
       url: '/index.php /4444index.php"'

---
 etc/decoder.xml | 47 ++++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 44 insertions(+), 3 deletions(-)

diff --git a/etc/decoder.xml b/etc/decoder.xml
index 8ca3dc710..05f37f3ae 100755
--- a/etc/decoder.xml
+++ b/etc/decoder.xml
@@ -559,11 +559,13 @@ Jan 8 19:32:41 tp.lan dropbear[15165]: Pubkey auth succeeded for 'root' with ke - Sun Jun 4 22:08:39 2006 [pid 21611] [dcid] OK LOGIN: Client "192.168.2.10" - Sun Jun 4 22:09:22 2006 [pid 21622] CONNECT: Client "192.168.2.10" - Sun Jun 4 22:09:24 2006 [pid 21621] [lalal] FAIL LOGIN: Client "192.168.2.10" - - Sat Jun 3 07:51:42 2006 [pid 25073] [Administrator] FAIL LOGIN: Client - "211.100.27.101" + - Sat Jun 3 07:51:42 2006 [pid 25073] [Administrator] FAIL LOGIN: Client "211.100.27.101" - Sun Aug 27 16:28:20 2006 [pid 13962] [xx] OK UPLOAD: Client "1.2.3.4", "/a.php", 8338 bytes, 18.77Kbyte/sec - Jul 13 12:31:20 www vsftpd: Sun Jul 13 10:31:20 2008 [pid 27528] [anonymous] FAIL LOGIN: Client "84.140.234.76" - --> + - Sun Aug 16 15:48:02 2015 [pid 4832] [ftpuser] OK DELETE: Client "172.28.5.129", "/index.php" + - Sun Aug 16 16:26:06 2015 [pid 4976] [ftpuser] OK CHMOD: Client "172.28.5.129", "/index.php 777" + - Sun Aug 16 16:26:21 2015 [pid 4976] [ftpuser] OK RENAME: Client "172.28.5.129", "/index.php /4444index.php" + ^\w\w\w \w\w\w\s+\d+ \S+ \d+ [pid \d+] Client "(\d+.\d+.\d+.\d+)"$ @@ -576,7 +578,46 @@ Jan 8 19:32:41 tp.lan dropbear[15165]: Pubkey auth succeeded for 'root' with ke Client "(\d+.\d+.\d+.\d+)"$ srcip +--> + + + + ^\w\w\w \w\w\w\s+\d+ \S+ \d+ [pid \d+] + + + + ^vsftpd + ^\w\w\w \w\w\w\s+\d+ \S+ \d+ [pid \d+] + + + + vsftpd + LOGIN: + [(\S+)] (\S+ LOGIN): Client "(\d+.\d+.\d+.\d+)"$ + user,status,srcip + + + + vsftpd + ^CONNECT: + (CONNECT): Client "(\d+.\d+.\d+.\d+)"$ + action,srcip + + + + vsftpd + [(\S+)] (OK \S+): Client "(\d+.\d+.\d+.\d+)", "(\.+)"\.* + user,status,srcip,url + + + + vsftpd + Client "(\d+.\d+.\d+.\d+)"$ + srcip +
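Review bot: in the first hunk the `-->` that closed the sample-log comment is deleted (`- -->`), and the second hunk re-inserts it only after the old `srcip` decoder (`+-->`), so the previous vsftpd decoder definitions are left in the file commented out instead of removed. Commented-out XML inside decoder.xml is easy to mistake for live configuration and will drift from the real decoders; git history already preserves the old definitions, so drop them and keep only the new blocks after the comment. The extra sample lines added to the comment (`OK DELETE`, `OK CHMOD`, `OK RENAME`) are useful and should stay.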
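Review bot: the `[(\S+)] (OK \S+): Client "(\d+.\d+.\d+.\d+)", "(\.+)"\.*` regex in the second hunk captures the closing quote into `url` whenever the quoted argument ends the line. The logtest output in the commit message shows it: `url: '/index.php"'` for OK DELETE, `'/index.php 777"'` for OK CHMOD and `'/index.php /4444index.php"'` for OK RENAME, while only OK UPLOAD, where `", 8099 bytes, ...` follows the path, yields a clean `'/index.php'`. Anchor the single-argument form with `"(\.+)"$` and give UPLOAD its own pattern ending in `", \d+ bytes`, and consider separate decoders for CHMOD and RENAME so the mode and the destination path land in their own fields rather than being glued onto `url`; a rule that compares `url` against a path will never match the values this regex currently produces.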
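Review bot: the new `OK \S+` decoder produces `status` values that nothing alerts on. In the commit message's logtest run, OK DELETE, OK CHMOD and OK RENAME stop after Phase 2 with no Phase 3, and OK UPLOAD hits 11404 at level 0, so none of the file-modification events this patch decodes generate an alert; the diffstat shows only etc/decoder.xml changed. Please pair this with a rules change (a sibling of 11404 keyed on the new `status` values, at a level that actually alerts) or state in the commit message that rules follow separately. Also, every logtest event here has `program_name: '(null)'`, so the `^vsftpd` program_name variant added in the second hunk is untested; the `Jul 13 12:31:20 www vsftpd: Sun Jul 13 ...` sample already in the comment is the right input to exercise it.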