I have been working on a decoder for the Juniper SA2000 SSLVPN. The
recent upgrade fixed the Debian errors I was having, so I can now put
this in place. I thought I would share this with the list. So far, this
catches the Administrator logins and the system-related events.
<decoder name="SSLVPN">
<program_name />
<prematch> - ive - </prematch>
</decoder>
<decoder name="SSLVPN-Admin">
<parent>SSLVPN</parent>
<prematch offset="after_parent">[.Administrators]</prematch>
<regex offset="after_parent">[(\d+.\d+.\d+.\d+)] (\w+)\(Admin Users\)[.Administrators] - </regex>
<order>srcip, user</order>
</decoder>
<decoder name="SSLVPN-system">
<parent>SSLVPN</parent>
<prematch offset="after_parent">System\(\)[] - </prematch>
<regex offset="after_parent">[(\d+.\d+.\d+.\d+)] System\(\)[] - </regex>
<order>srcip</order>
</decoder>
The only rule I have so far is for successful admin logins.
<!-- SSLVPN alerts -->
<group name="sslvpn">
<rule id="140000" level="0" noalert="1">
<decoded_as>SSLVPN</decoded_as>
<description>SSLVPN messages grouped.</description>
</rule>
<rule id="140001" level="8">
<if_sid>140000</if_sid>
<regex>Login succeeded for \w+/Admin Users</regex>
<description>Successful Admin login</description>
</rule>
</group>
The default OSSEC rules catch multiple failed logins and system errors.
The only rules I am still writing deal with Host Checker failures. Let
me know if anyone is interested in those and if someone sees some
possible improvements to this decoder.
-Reggie
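A small harness for checking the decoder chain and the admin-login rule from the post against constructed log lines. This is an added example, not part of Reggie's post or of OSSEC itself; it translates the OSSEC regex subset used above into Python's re module (an approximation, since OSSEC's matcher is not PCRE) and assumes the Juniper IVE message layout implied by the prematch strings.

```python
import re
# Constructed Juniper IVE syslog lines in the "- ive - [ip] user(realm)[role] - msg" shape
# the decoder expects (made up for this example, not captured from a real SA2000).
SAMPLE_ADMIN = ("May  1 10:00:00 sa2000 - ive - [192.0.2.10] admin(Admin Users)[.Administrators] - "
                "Login succeeded for admin/Admin Users from 192.0.2.10.")
SAMPLE_SYSTEM = "May  1 10:00:05 sa2000 - ive - [127.0.0.1] System()[] - System started up successfully."

def ossec_to_python(pattern):
    """Translate the OSSEC regex subset used above into Python re syntax: \\d \\w \\s and the
    ( ) + * . ^ $ | metacharacters keep their meaning, everything else (including [ ]) is
    literal. Approximation only: OSSEC's matcher is not PCRE, so greediness can differ."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):   # escape: class shorthand or literal metachar
            n = pattern[i + 1]
            out.append({"d": r"\d", "w": r"[A-Za-z0-9@_\-]", "s": r"\s"}.get(n, re.escape(n)))
            i += 2
        else:
            out.append(c if c in "()+*.^$|" else re.escape(c))
            i += 1
    return "".join(out)

PARENT_PREMATCH = " - ive - "
CHILDREN = {  # name: (prematch, regex, order), copied from the decoders posted above
    "SSLVPN-Admin": (r"[.Administrators]",
                     r"[(\d+.\d+.\d+.\d+)] (\w+)\(Admin Users\)[.Administrators] - ", ["srcip", "user"]),
    "SSLVPN-system": (r"System\(\)[] - ", r"[(\d+.\d+.\d+.\d+)] System\(\)[] - ", ["srcip"]),
}

def decode(line):
    """Mimic the parent/child chain: return (decoder name, fields), or None if the parent
    prematch fails. offset="after_parent" means the child patterns only see the text that
    follows the parent's prematch, so the syslog header can never satisfy them."""
    m = re.search(ossec_to_python(PARENT_PREMATCH), line)
    if not m:
        return None
    rest = line[m.end():]
    for name, (prematch, regex, order) in CHILDREN.items():
        if re.search(ossec_to_python(prematch), rest):
            r = re.search(ossec_to_python(regex), rest)
            if r:
                return name, dict(zip(order, r.groups()))
    return "SSLVPN", {}  # parent matched but no child did

ADMIN_LOGIN_REGEX = r"Login succeeded for \w+/Admin Users"
def match_rule(line):
    """Rule 140000 groups every SSLVPN line (noalert); 140001 fires on a successful admin login."""
    if decode(line) is None:
        return None
    return 140001 if re.search(ossec_to_python(ADMIN_LOGIN_REGEX), line) else 140000
```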