Hello, my name is Christian and this is my first post here.

I looked at the tool MALTRAIL --> https://github.com/stamparm/maltrail and I am writing a custom decoder for the tool.

log:

"2016-01-15 13:49:47.570168" name.machine.666 185.94.111.1 60630 0.0.0.0 520 UDP IP 185.94.111.1 "bad reputation (malicious)" "alienvault.com (+dshield.org,greensnow.co)"
"2016-01-15 13:50:17.543332" name.machine.666 182.74.68.35 43124 0.0.0.0 22 TCP IP 182.74.68.35 attacker "badips.com (+blocklist.de,openbl.org)"
"2016-01-15 13:50:17.729366" name.machine.666 182.74.68.35 43124 0.0.0.0 22 TCP IP 182.74.68.35 attacker "badips.com (+blocklist.de,openbl.org)"

ossec.conf

  <localfile>
    <location>/var/log/maltrail/%Y-%m-%d.log</location>
    <log_format>syslog</log_format>
  </localfile>

decoder.xml

  <decoder name="maltrail">
    <prematch>^"\d+-\d+-\d+ \d+:\d+:\d+.\d+"</prematch>
  </decoder>

  <decoder name="maltrail-alert">
    <parent>maltrail</parent>
    <!-- After the quoted timestamp the fields are:
         sensor srcip srcport dstip dstport proto IP trail ...
         The captures follow that order so the regex matches the lines above. -->
    <regex offset="after_parent">^ \w+.\w+.\d+ (\d+.\d+.\d+.\d+) (\d+) (\d+.\d+.\d+.\d+) (\d+) (\w+) IP (\d+.\d+.\d+.\d+)</regex>
    <order>srcip, srcport, dstip, dstport, protocol, extra_data</order>
  </decoder>

local_rules.xml

  <group name="syslog,maltrail,">
    <rule id="110000" level="0">
      <decoded_as>maltrail</decoded_as>
      <description>MAILTRAIL KILLALL MDF app group.</description>
    </rule>
    <rule id="110001" level="7">
      <if_sid>110000</if_sid>
      <!-- 0.0.0.0 sits in the destination field of these lines, so it is
           the decoded dstip, not srcip. <match> is a substring test on the
           whole line, so "attack" also matches "attacker". -->
      <dstip>0.0.0.0</dstip>
      <match>attack</match>
      <description>Possible attack from fucking ips!?</description>
    </rule>
  </group>

Thanks for reading this shit! Some idea or some implementation? Sorry for my bad English!
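An added example (not part of the post, and not Maltrail's or OSSEC's own code) that checks the decoder logic offline before it goes into ossec.conf. It mirrors the two-level decoder (a parent prematch on the quoted timestamp, then a child regex on the remainder) and the pair of rules with Python regexes, on constructed sample lines in Maltrail's log layout. It assumes the field order `sensor srcip srcport dstip dstport proto IP trail` and a level-7 rule that needs dstip 0.0.0.0 plus the substring "attack" in the whole line; OSSEC's own `.` and `\w` semantics differ slightly from Python's, so the final check still belongs to `/var/ossec/bin/ossec-logtest`.

```python
import re

# Constructed sample lines in Maltrail's log layout (same shape as the ones
# quoted in the post); the third line is deliberately not a Maltrail line.
SAMPLE_LOG = """\
"2016-01-15 13:49:47.570168" name.machine.666 185.94.111.1 60630 0.0.0.0 520 UDP IP 185.94.111.1 "bad reputation (malicious)" "alienvault.com (+dshield.org,greensnow.co)"
"2016-01-15 13:50:17.543332" name.machine.666 182.74.68.35 43124 0.0.0.0 22 TCP IP 182.74.68.35 attacker "badips.com (+blocklist.de,openbl.org)"
Jan 15 13:51:00 host sshd[123]: Accepted publickey for user from 10.0.0.5
"""

# Python approximations of the OSSEC expressions (assumption: OSSEC's "."
# matches any character and its "\w" is roughly [A-Za-z0-9_@-], so this is
# close to, but not a byte-for-byte copy of, what ossec-logtest does).
PREMATCH = re.compile(r'^"\d+-\d+-\d+ \d+:\d+:\d+\.\d+"')
CHILD = re.compile(
    r"^ (?P<sensor>[\w.-]+) "
    r"(?P<srcip>\d+\.\d+\.\d+\.\d+) (?P<srcport>\d+) "
    r"(?P<dstip>\d+\.\d+\.\d+\.\d+) (?P<dstport>\d+) "
    r"(?P<protocol>\w+) IP (?P<extra_data>\d+\.\d+\.\d+\.\d+)"
)


def decode(line):
    """Mimic the two-level decoder: the parent prematch on the quoted
    timestamp, then the child regex on the remainder (offset="after_parent").
    Returns None when the parent does not apply at all."""
    parent = PREMATCH.match(line)
    if not parent:
        return None
    fields = {"decoder": "maltrail"}
    child = CHILD.match(line[parent.end():])
    if child:
        fields["decoder"] = "maltrail-alert"
        fields.update(child.groupdict())
    return fields


def rule_level(line, fields):
    """Evaluate the two rules: 110000 (level 0) for anything decoded as
    maltrail, 110001 (level 7) when dstip is 0.0.0.0 and the whole line
    contains "attack" (an OSSEC <match> is a substring test on the full
    log line, so "attacker" qualifies)."""
    if fields is None:
        return None
    if fields.get("dstip") == "0.0.0.0" and "attack" in line:
        return 7
    return 0


def process(log_text):
    """Run every line through decoder and rules; returns one
    (decoder_name, level, srcip) tuple per line."""
    results = []
    for line in log_text.splitlines():
        fields = decode(line)
        level = rule_level(line, fields)
        name = fields["decoder"] if fields else None
        srcip = fields.get("srcip") if fields else None
        results.append((name, level, srcip))
    return results


if __name__ == "__main__":
    for row in process(SAMPLE_LOG):
        print(row)
```

Running it prints one tuple per line: the "bad reputation" line decodes but stays at level 0, the "attacker" line reaches level 7 with srcip 182.74.68.35, and the sshd line is not decoded as maltrail at all. If a real log line falls out at the child stage (decoder stays "maltrail" with no fields), the field order in the regex is what to re-check first.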
