Hello, I'm pasting below the decoder and file stuff for a proxy called
pound. I hope it helps and that it could also be considered to be added in the next
release:

Sample Logs:

Feb 15 16:06:30 serverca16 pound: bad request "OPTIONS /docs/ HTTP/1.1" from 200.28.130.166
Feb 15 13:29:44 serverca16 pound: bad header from 200.128.58.131 (---------------: ------------)
Feb 15 14:30:27 serverca18 pound: bad request "PROPFIND /administra/grafico_barras.php?array1=a%3A11%3A%7Bi%3A0%3Bs%3A1%3A%220%22%3Bi%3A1%3Bs%3A4%3A%223986%22%3Bi%3A2%3Bs%3A4%3A%224615%22%3Bi%3A3%3Bs%3A4%3A%222318%22%3Bi%3A4%3Bs%3A4%3A%224256%22%3Bi%3A5%3Bs%3A4%3A%221454%22%3Bi%3A6%3Bs%3A4%3A%223704%22%3Bi%3A7%3Bs%3A4%3A%228934%22%3Bi%3A8%3Bs%3A5%3A%2216742%22%3Bi%3A9%3Bs%3A4%3A%227653%22%3Bi%3A10%3Bs%3A1%3A%220%22%3B%7D&array2=a%3A11%3A%7Bi%3A0%3Bs%3A1%3A%220%22%3Bi%3A1%3Bs%3A3%3A%22528%22%3Bi%3A2%3Bs%3A4%3A%221109%22%3Bi%3A3%3Bs%3A3%3A%22222%22%3Bi%3A4%3Bs%3A4%3A%221379%22%3Bi%3A5%3Bs%3A3%3A%22114%22%3Bi%3A6%3Bs%3A3%3A%22419%22%3Bi%3A7%3Bs%3A4%3A%223893%22%3Bi%3A8%3Bs%3A4%3A%221436%22%3Bi%3A9%3Bs%3A4%3A%224247%22%3Bi%3A10%3Bs%3A1%3A%220%22%3B%7D&titulo=Distribucion%20de%20Egresados%20de%20Pregrado%20y%20Postgrado%20por%20Unidades%20Academicas&ancho=800&alto=430 HTTP/1.0" from 190.65.107.169
Feb 15 14:41:16 serverca20 pound: bad request "PROPFIND /practicas HTTP/1.1" from 200.228.194.235

Decoder:

<decoder name="pound">
  <program_name>^pound</program_name>
</decoder>

<!-- "bad request" lines: method, path and source ip are captured together,
     so no rule depends on two separate child decoders both matching. -->
<decoder name="pound-request">
  <parent>pound</parent>
  <prematch>^bad request </prematch>
  <regex offset="after_prematch">^"(\w+) (\S+) HTTP\S+" from (\d+\.\d+\.\d+\.\d+)</regex>
  <order>action, url, srcip</order>
</decoder>

<!-- Everything else (e.g. "bad header"): only the source ip. No trailing $,
     because the ip is not always the last thing on the line. -->
<decoder name="pound-ip">
  <parent>pound</parent>
  <regex>from (\d+\.\d+\.\d+\.\d+)</regex>
  <order>srcip</order>
</decoder>

Rules:

<group name="pound">

 <rule id="100200" level="0">
   <decoded_as>pound</decoded_as>
   <description>Grouping of pound proxy rules</description>
 </rule>


 <rule id="100201" level="7">
   <if_sid>100200</if_sid>
   <match>^bad request</match>
   <description>bad request from pound proxy</description>
 </rule>

 <rule id="100202" level="7">
   <if_sid>100200</if_sid>
   <match>^bad header</match>
   <description>bad header request from pound proxy</description>
 </rule>

  <rule id="100203" level="10" frequency="10" timeframe="60">
    <if_matched_sid>100201</if_matched_sid>
    <same_source_ip />
    <description>Multiple bad requests from pound proxy, same source</description>
    <group>recon,</group>
  </rule>

  <rule id="100204" level="10" frequency="10" timeframe="60">
    <if_matched_sid>100202</if_matched_sid>
    <same_source_ip />
    <description>Multiple bad headers from pound proxy, same source</description>
    <group>recon,</group>
  </rule>

  <!-- child of 100201 so it takes over when the method is PUT; the method
       comes from the decoder's action field -->
  <rule id="100205" level="7">
    <if_sid>100201</if_sid>
    <action>PUT</action>
    <description>PUT request rejected by pound proxy</description>
  </rule>

</group>
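As an added illustration (not part of the original post and not OSSEC code), the following Python emulates what the decoder and rules above do to the sample lines: it extracts method, path and source ip, counts bad requests and bad headers per source, and fires the frequency rule once ten arrive from one ip within sixty seconds. The regexes are Python re translations of the OSSEC ones, the rule ids are those of the post, and the sample lines are constructed from the ones above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
# Python-re equivalents of the pound decoders (emulation; OSSEC has its own regex dialect).
SYSLOG = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) pound: (.*)$")
BAD_REQUEST = re.compile(r'^bad request "(?P<action>\w+) (?P<url>\S+) HTTP\S+" from (?P<srcip>\d+\.\d+\.\d+\.\d+)')
BAD_HEADER = re.compile(r"^bad header from (?P<srcip>\d+\.\d+\.\d+\.\d+)")

def decode(line):
    """Decode one syslog line into fields; None when it is not a pound line."""
    m = SYSLOG.match(line)
    if not m:
        return None
    fields = {"ts": datetime.strptime(m.group(1), "%b %d %H:%M:%S")}
    for kind, rx in (("bad request", BAD_REQUEST), ("bad header", BAD_HEADER)):
        r = rx.match(m.group(3))
        if r:
            fields.update(r.groupdict(), kind=kind)
            break
    return fields

class Correlator:
    """Emulates frequency/timeframe/same_source_ip: the level-10 rule fires once
    `frequency` events of one kind from one srcip fall within `timeframe` seconds."""
    def __init__(self, frequency=10, timeframe=60):
        self.frequency, self.timeframe = frequency, timeframe
        self.window = defaultdict(deque)  # (kind, srcip) -> recent timestamps

    def feed(self, line):
        """Return the id of the rule that fires for this line, or None."""
        f = decode(line)
        if not f or "kind" not in f:
            return None
        q = self.window[(f["kind"], f["srcip"])]
        q.append(f["ts"])
        while (f["ts"] - q[0]).total_seconds() > self.timeframe:
            q.popleft()
        if len(q) >= self.frequency:
            q.clear()  # counter resets after the composite rule fires
            return 100203 if f["kind"] == "bad request" else 100204
        if f.get("action") == "PUT":  # child rule 100205 takes over from 100201
            return 100205
        return 100201 if f["kind"] == "bad request" else 100202

# Constructed sample: ten bad requests from one host inside a minute, then a bad header.
SAMPLE = ['Feb 15 16:06:%02d serverca16 pound: bad request "OPTIONS /docs/ HTTP/1.1" from 200.28.130.166' % s
          for s in range(10)]
SAMPLE.append("Feb 15 13:29:44 serverca16 pound: bad header from 200.128.58.131 (---------------: ------------)")

def run_sample():
    c = Correlator()
    return [c.feed(line) for line in SAMPLE]
```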


