-
Notifications
You must be signed in to change notification settings - Fork 201
/
0080-courier_decoders.xml
34 lines (30 loc) · 1.06 KB
/
0080-courier_decoders.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
<!--
- Courier decoders
- Author: Daniel Cid.
- Updated by Wazuh, Inc.
- Copyright (C) 2015-2020, Wazuh Inc.
- Copyright (C) 2009 Trend Micro Inc.
- This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2.
-->
<!--
- Examples:
- pop3d-ssl: LOGIN FAILED, ip=[::ffff:192.168.0.200]
- courierpop3login: LOGIN, user=web10_mauricio, ip=[::ffff:192.168.0.100]
- courierpop3login: LOGIN FAILED, ip=[::ffff:192.168.0.188]
- imaplogin: DISCONNECTED, ip=[::ffff:127.0.0.1], time=0
- Nov 24 18:18:28 gandalf pop3d: LOGIN FAILED, ip=[::ffff:1.2.3.4]
-->
<decoder name="courier">
<program_name>^pop3d|^courierpop3login|^imaplogin|^courier-pop3|^courier-imap</program_name>
</decoder>
<decoder name="courier-login">
<parent>courier</parent>
<prematch>^LOGIN, </prematch>
<regex offset="after_prematch">^user=(\S+), ip=[(\S+)]$</regex>
<order>user, srcip</order>
</decoder>
<decoder name="courier-generic">
<parent>courier</parent>
<regex>, ip=[(\S+)]$|, ip=[(\S+)]$</regex>
<order>srcip</order>
</decoder>