
List:       os-sim-commits
Subject:    [Os-sim-commits] agent/etc/agent/plugins snare.cfg,1.2,1.3
From:       Dominique Karg <dkarg () users ! sourceforge ! net>
Date:       2008-01-07 10:02:11
Message-ID: E1JBoo8-0000eA-Au () mail ! sourceforge ! net

Update of /cvsroot/os-sim/agent/etc/agent/plugins
In directory sc8-pr-cvs3.sourceforge.net:/tmp/cvs-serv6246

Modified Files:
	snare.cfg 
Log Message:
Improve regexp


Index: snare.cfg
===================================================================
RCS file: /cvsroot/os-sim/agent/etc/agent/plugins/snare.cfg,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -d -r1.2 -r1.3
--- snare.cfg	25 Oct 2007 13:45:28 -0000	1.2
+++ snare.cfg	7 Jan 2008 10:02:09 -0000	1.3
@@ -35,7 +35,7 @@
 [snare-ossim-format-fallthrough]
 #Feb 20 14:16:57 10.186.64.58 ^A MSWinEventLog;1;Security;466;Tue Feb 20 14:17:17 \
2007;538;Security;Administrador;User;Success Audit;QUICKSILVER-0JM08ZRD;Inicio/cierre \
de sesióCierre de sesióe usuario:    ^INombre de usuario:^IAdministrador    \
^IDominio:^I^IQUICKSILVER-0JM08ZRD    ^IId. de inicio de sesióI^I(0x0,0x20E0FA)    \
^ITipo de inicio de sesióI7    ;61  event_type=event
-regexp="^(?P<date>\w+\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P<sensor>\S+)\s+.*MSWinEventLog; \
\d+;\w+;\d+;(?P<date2>\w+\s+\w+\s+\d{1,2}\s\d\d:\d\d:\d\d\s+\d+);(?P<plugin_sid>\d+);\w+;(?P<username>[^;]+);\w+;[^;]+;[^;]+;[^;]+;;"
 +regexp="^(?P<date>\w+\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P<sensor>\S+)\s+.*MSWinEventLog \
;\d+;\w+;\d+;(?P<date2>\w+\s+\w+\s+\d{1,2}\s\d\d:\d\d:\d\d\s+\d+);(?P<plugin_sid>\d+);[^;]+;(?P<username>[^;]+);[^;]+;[^;]+;[^;]+;[^;]+;;(?P<userdata1>.*)"
  date={normalize_date($date)}
 sensor={resolv($sensor)}
 src_ip={resolv($sensor)}
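Review bot: The new `(?P<userdata1>.*)` at the tail of the fallthrough regexp runs to end of line, so on the sample event quoted in the comment it captures not only the description but also the trailing `;61` record counter that Snare appends after the last field. If the counter is not meant to end up in userdata1, anchor the tail, e.g. `(?P<userdata1>.*);\d+\s*$`, or stop at the next delimiter with `(?P<userdata1>[^;]*)` if the description is known never to contain `;` (not verifiable from here). Either way userdata1 is free-form text copied from the Windows event (account names, logon types, workstation names supplied by the client), so downstream display and correlation should treat it as untrusted. The rest of this section (plugin_id, plugin_sid, username) lies outside the hunk.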
@@ -43,11 +43,12 @@
 plugin_id=1518
 plugin_sid={$plugin_sid}
 username={$username}
+userdata1={$userdata1}
 
 [snare-ossim-format-1]
 #Feb  8 16:48:22 10.186.64.58 ^A MSWinEventLog;0;Security;4;Thu Feb 08 16:48:25 \
2007;592;Security;Administrador;User;Success Audit;QUICKSILVER-0JM08ZRD;Seguimiento \
detallado;;Se ha creado un proceso:    ^IId. de proceso:^I^I^I980    ^INombre de \
archivo de imagen:^I\WINNT\system32\CMD.EXE    ^IId. de proceso creador:^I^I984 \
^INombre de usuario:^I^I^IAdministrador    ^IDominio:^I^I^I^IQUICKSILVER-0JM08ZRD \
^IId. de inicio de sesi\xf3n:^I^I(0x0,0xD237)    ;1  event_type=event
-regexp="^(?P<date>\w+\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P<sensor>\S+)\s+.*MSWinEventLog; \
\d+;\w+;\d+;(?P<date2>\w+\s+\w+\s+\d{1,2}\s\d\d:\d\d:\d\d\s+\d+);(?P<plugin_sid>\d+);\ \
w+;(?P<username>[^;]+);\w+;[^;]+;[^;]+;[^;]+;;[^:]+:\s{4}[^:]+:\D+(?P<pid>\d+)\s{4}[^: \
]+:(?P<process_name>[^\s{4}]+)\s{4}[^:]+:\D+(?P<ppid>\d+)\s{4}[^:]+:([^\s{4}]+)\s{4}(.*)$"
 +regexp="^(?P<date>\w+\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P<sensor>\S+)\s+.*MSWinEventLog \
;\d+;\w+;\d+;(?P<date2>\w+\s+\w+\s+\d{1,2}\s\d\d:\d\d:\d\d\s+\d+);(?P<plugin_sid>\d+); \
[^;]+;(?P<username>[^;]+);[^;]+;[^;]+;[^;]+;[^;]+;;[^:]+:\s{4}[^:]+:\D+(?P<pid>\d+)\s{ \
4}[^:]+:(?P<process_name>[^\s{4}]+)\s{4}[^:]+:\D+(?P<ppid>\d+)\s{4}[^:]+:([^\s{4}]+)\s{4}(.*)$"
  date={normalize_date($date)}
 sensor={resolv($sensor)}
 src_ip={resolv($sensor)}
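Review bot: `[^\s{4}]+`, used for `process_name` and again for the unnamed domain group in the added regexp, is a character class excluding whitespace and the literal characters `{`, `4` and `}`, not "anything up to a run of four spaces"; the class stops at the first `4` or single space in an image path (e.g. `C:\Program Files\App4\svc.exe`), the following `\s{4}` then fails to match, and the whole process-creation event falls back to whichever other section matches, with no pid or process_name at all. For a parser whose main value is the image path of a newly created process, silently dropping paths that contain a digit 4 or a space is a detection blind spot. If the intent is "up to the next four-space gap", use a lazy match instead: replace `(?P<process_name>[^\s{4}]+)\s{4}` with `(?P<process_name>.+?)\s{4}` and `([^\s{4}]+)\s{4}` with `(.+?)\s{4}`. The remaining lines of this section are outside the hunk.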
@@ -62,7 +63,7 @@
 [snare-ossim-format-2]
 #Feb 20 15:03:05 host_sample.int.whatever.corp.local \
host_samepl.int.whatever.corp.local MSWinEventLog;1;System;1997;Tue Feb 20 15:04:08 \
2007;10;Print;SYSTEM;User;Information;AMRERSFP01;None;;Document 241, Sample file.pdf \
owned by Kobi was printed on PRINTER1 via port JK82.  Size in bytes: 7597  pages \
printed: 0  ;146  event_type=event
-regexp="^(?P<date>\w+\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P<sensor>\S+)\s+.*MSWinEventLog; \
\d+;\w+;\d+;(?P<date2>\w+\s+\w+\s+\d{1,2}\s\d\d:\d\d:\d\d\s+\d+);(?P<plugin_sid>\d+);\ \
w+;(?P<username>[^;]+);\w+;[^;]+;[^;]+;[^;]+;;Document\s+(?P<doc_number>\d+),\s+(?P<filename>.*)\s+owned \
by\s+(?P<owner_name>\S+).*was printed on\s+(?P<printer_name>.*)\s+via port" \
+regexp="^(?P<date>\w+\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P<sensor>\S+)\s+.*MSWinEventLog; \
\d+;[^;]+;\d+;(?P<date2>\w+\s+\w+\s+\d{1,2}\s\d\d:\d\d:\d\d\s+\d+);(?P<plugin_sid>\d+) \
;[^;]+;(?P<username>[^;]+);[^;]+;[^;]+;[^;]+;[^;]+;;Document\s+(?P<doc_number>\d+),\s+(?P<filename>.*)\s+owned \
by\s+(?P<owner_name>\S+).*was printed on\s+(?P<printer_name>.*)\s+via port"  \
date={normalize_date($date)}  sensor={resolv($sensor)}
 src_ip={resolv($sensor)}
@@ -75,7 +76,7 @@
 [snare-ossim-format-3]
 #Feb 20 15:03:05 host_sample.int.whatever.corp.local \
host_samepl.int.whatever.corp.local MSWinEventLog;1;System;1997;Tue Feb 20 15:04:08 \
2007;10;Print;SYSTEM;User;Information;AMRERSFP01;None;;Document 241, Sample file.pdf \
owned by DK (192.1682.44.31) was printed on PRINTER1 via port JK82.  Size in bytes: \
7597  pages printed: 0  ;146  event_type=event
-regexp="^(?P<date>\w+\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P<sensor>\S+)\s+.*MSWinEventLog; \
\d+;\w+;\d+;(?P<date2>\w+\s+\w+\s+\d{1,2}\s\d\d:\d\d:\d\d\s+\d+);(?P<plugin_sid>\d+);\ \
w+;(?P<username>[^;]+);\w+;[^;]+;[^;]+;[^;]+;;Document\s+(?P<doc_number>\d+),\s+(?P<filename>.*)\s+owned \
by\s+(?P<owner_name>\S+)\s+(?P<owner_ip>\S+)\s+was printed \
on\s+(?P<printer_name>.*)\s+via port" \
+regexp="^(?P<date>\w+\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P<sensor>\S+)\s+.*MSWinEventLog; \
\d+;[^;]+;\d+;(?P<date2>\w+\s+\w+\s+\d{1,2}\s\d\d:\d\d:\d\d\s+\d+);(?P<plugin_sid>\d+) \
;[^;]+;(?P<username>[^;]+);[^;]+;[^;]+;[^;]+;[^;]+;;Document\s+(?P<doc_number>\d+),\s+(?P<filename>.*)\s+owned \
by\s+(?P<owner_name>\S+)\s+(?P<owner_ip>\S+)\s+was printed \
on\s+(?P<printer_name>.*)\s+via port"  date={normalize_date($date)}
 sensor={resolv($sensor)}
 src_ip={resolv($owner_ip)}
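Review bot: `(?P<owner_ip>\S+)` in the added regexp captures the whole token, which for the sample event in the comment is `(192.1682.44.31)` — parentheses included — and that string is exactly what `src_ip={resolv($owner_ip)}` is handed, so resolv() (presumably a name/address lookup) receives text that is neither a bare address nor a hostname. Constrain the capture to the address inside the parentheses and to a dotted quad, e.g. `\((?P<owner_ip>\d{1,3}(?:\.\d{1,3}){3})\)`, so that a non-address token taken from a print-job description cannot become the event's src_ip. The example address in the comment, `192.1682.44.31`, is also not a valid IPv4 address and is worth correcting so the sample actually exercises the pattern.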




