On 2014-05-26 18:03, Antonio Querubin wrote:
Wondering if anyone has some decoder rules that work with Barracuda
logs. I recently enabled syslogging of a Barracuda Spam/Virus Email
Firewall device to an OSSEC server. The server is now sending alert
level 2 email notifications complaining of an 'unknown' problem for
email that fails the Barracuda's spam/virus detection tests:
I have one. Seems to work OK. I was waiting to write some rules and do
some QA before I submitted it. Let me know how it works for you:
<!-- Barracuda S&VF Email Logs -->
<decoder name="barracuda-svf-email">
  <program_name>^inbound/pass|^scan|^outbound/smtp</program_name>
</decoder>

<decoder name="barracuda-svf1">
  <parent>barracuda-svf-email</parent>
  <prematch>^\S+[\d+.\d+.\d+.\d+]|</prematch>
  <prematch>^\d+.\d+.\d+.\d+</prematch>
  <regex>^\S+[(\d+.\d+.\d+.\d+)] (\d+-\w+-\w+) \d+ \d+ |</regex>
  <regex>^(\d+.\d+.\d+.\d+) (\d+-\w+-\w+) \d+ \d+ </regex>
  <order>srcip, id</order>
</decoder>

<!-- Info section - SCAN -->
<decoder name="barracuda-svf1">
  <parent>barracuda-svf-email</parent>
  <regex offset="after_regex">(SCAN) (\S+ \S+ \S+ \S+ \d+ \d+ \.+ SUBJ:\.+)$</regex>
  <order>action, extra_data</order>
</decoder>

<!-- Info section - RECV -->
<decoder name="barracuda-svf1">
  <parent>barracuda-svf-email</parent>
  <regex offset="after_regex">(RECV) (\S+ \S+ \d+ \d+ \.+)$</regex>
  <order>action, extra_data</order>
</decoder>

<!-- Info section - SEND -->
<decoder name="barracuda-svf1">
  <parent>barracuda-svf-email</parent>
  <regex offset="after_regex">(SEND) (\S+ \d+ \S+ \.+)$</regex>
  <order>action, extra_data</order>
</decoder>

<!-- Barracuda S&VF Administration -->
<decoder name="barracuda-svf-admin">
  <program_name>^web</program_name>
</decoder>

<decoder name="barracuda-svf-admin-change">
  <parent>barracuda-svf-admin</parent>
  <prematch>^[\d+.\d+.\d+.\d+] global[] CHANGE</prematch>
  <regex offset="after_parent">^[(\d+.\d+.\d+.\d+)] global[] (CHANGE) (\S+ \(\S*)\)$</regex>
  <order>srcip,action,extra_data</order>
</decoder>

<decoder name="barracuda-svf-admin-auth">
  <parent>barracuda-svf-admin</parent>
  <prematch>^[\d+.\d+.\d+.\d+] LOGIN|</prematch>
  <prematch>^[\d+.\d+.\d+.\d+] FAILED_LOGIN|</prematch>
  <prematch>^[\d+.\d+.\d+.\d+] LOGOUT</prematch>
  <regex offset="after_parent">^[(\d+.\d+.\d+.\d+)] (\S+) \((\S+)\)\p*$</regex>
  <order>srcip,action,user</order>
</decoder>
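To see which fields the e-mail decoder chain above actually extracts, here is an added Python emulation (not part of the original post and not OSSEC code): it translates the subset of OSSEC's regex dialect these decoders use into Python re, runs the barracuda-svf1 parent regex and then the offset="after_regex" children, and maps the captured groups onto the <order> fields. The sample messages are constructed to fit the regexes and are not real Barracuda output; only the tokens present in the e-mail decoders are translated.

```python
import re

# Translate the OSSEC os_regex tokens the e-mail decoders use into Python re:
# in OSSEC '\.' is any character; '.', '[' and ']' are literals; \S \d \w
# + * ^ $ | ( ) \( \) mean the same in both dialects and pass through.
OSSEC_TOKENS = {r"\.": ".", ".": r"\.", "[": r"\[", "]": r"\]"}

def ossec_to_python(pattern):
    out, i = [], 0
    while i < len(pattern):
        tok = pattern[i:i + 2] if pattern[i] == "\\" else pattern[i]
        out.append(OSSEC_TOKENS.get(tok, tok))
        i += len(tok)
    return "".join(out)

# barracuda-svf1 parent: its two <regex> lines are alternatives (trailing '|').
PARENT = (r"^\S+[(\d+.\d+.\d+.\d+)] (\d+-\w+-\w+) \d+ \d+ |"
          r"^(\d+.\d+.\d+.\d+) (\d+-\w+-\w+) \d+ \d+ ")
PARENT_ORDER = ("srcip", "id")
CHILDREN = [  # offset="after_regex" decoders, tried in the order they appear
    (r"(SCAN) (\S+ \S+ \S+ \S+ \d+ \d+ \.+ SUBJ:\.+)$", ("action", "extra_data")),
    (r"(RECV) (\S+ \S+ \d+ \d+ \.+)$", ("action", "extra_data")),
    (r"(SEND) (\S+ \d+ \S+ \.+)$", ("action", "extra_data")),
]

def decode(message):
    """Return the decoded fields for one message body, or None if no match."""
    m = re.match(ossec_to_python(PARENT), message)
    if not m:
        return None
    # Only the alternative that matched fills its groups; skip the None ones.
    fields = dict(zip(PARENT_ORDER, (g for g in m.groups() if g is not None)))
    rest = message[m.end():]  # after_regex: child matching starts here
    for regex, order in CHILDREN:
        c = re.search(ossec_to_python(regex), rest)
        if c:
            fields.update(zip(order, c.groups()))
            break
    return fields

# Constructed samples shaped to the regexes (program_name already stripped by
# the syslog pre-decoder); not real Barracuda output.
SAMPLES = [
    "mx1[192.0.2.10] 1401212345-8f3a2b1c-9d4e5f60 1401212345 1401212347 "
    "RECV sender@example.org user@example.com 1 0 250 2.0.0 Ok",
    "192.0.2.10 1401212345-8f3a2b1c-9d4e5f60 1401212345 1401212347 "
    "SEND mx.example.net 1 250 2.0.0 Ok",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(decode(s))
```

Running it shows that a message which matches the parent but none of the three children still yields srcip and id only, which is the case where OSSEC's generic rules for this program_name would fire on otherwise undecoded events.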