-
Notifications
You must be signed in to change notification settings - Fork 201
/
0185-openldap_decoders.xml
62 lines (55 loc) · 2.23 KB
/
0185-openldap_decoders.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
<!--
- OpenLDAP decoders
- Author: Daniel Cid.
- Updated by Wazuh, Inc.
- Copyright (C) 2015-2020, Wazuh Inc.
- Copyright (C) 2009 Trend Micro Inc.
- This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2.
-->
<!--
- Jan 11 09:26:57 hostname slapd[20872]: conn=999999 fd=64 ACCEPT from IP=10.10.248.27:33957 (IP=10.10.241.77:389)
- Jan 11 09:26:57 hostname slapd[20872]: conn=999999 op=0 BIND dn="uid=example,ou=People,dc=example,dc=com" method=128
- Jan 11 09:26:57 hostname slapd[20872]: conn=999999 op=0 RESULT tag=97 err=49 text=
^- Login Failed
- Jan 11 09:26:57 hostname slapd[20872]: conn=999999 op=1 BIND dn="uid=example,ou=People,dc=example,dc=com" method=128
^- Login Retried
- Jan 11 09:26:57 hostname slapd[20872]: conn=999999 op=1 RESULT tag=97 err=0 text=
^- Login Successful
- Jan 11 09:26:57 hostname slapd[20872]: conn=999999 op=2 UNBIND
- Jan 11 09:26:57 hostname slapd[20872]: conn=999999 fd=64
^- Connection closed
- Oct 2 19:51:22 example slapd[30864]: conn=1068 fd=19 ACCEPT from IP=192.168.0.2:59800 (IP=0.0.0.0:636)
- Feb 11 20:12:27 ldap slapd[13129]: conn=15098 fd=23 ACCEPT from IP=[fda2:3ab6:adf4:aa2a::0]:45242 (IP=[::]:389)
-->
<decoder name="openldap">
<program_name>^slapd</program_name>
<accumulate/>
</decoder>
<decoder name="openldap-connect_ipv6">
<parent>openldap</parent>
<prematch>ACCEPT from IP=[</prematch>
<regex>^conn=(\d+) fd=\d+ ACCEPT from IP=[(\S+)]:\d+ \(IP=[(\S+)]:</regex>
<order>id, srcip, dstip</order>
<accumulate/>
</decoder>
<decoder name="openldap-connect_ipv4">
<parent>openldap</parent>
<prematch>ACCEPT from IP=</prematch>
<regex>^conn=(\d+) fd=\d+ ACCEPT from IP=(\S+):\d+ \(IP=(\S+):</regex>
<order>id, srcip, dstip</order>
<accumulate/>
</decoder>
<decoder name="openldap-bind">
<parent>openldap</parent>
<prematch>BIND </prematch>
<regex>^conn=(\d+) op=\d+ BIND dn="\w+=(\w+),</regex>
<order>id, dstuser</order>
<accumulate/>
</decoder>
<decoder name="openldap-result">
<accumulate/>
<parent>openldap</parent>
<prematch> RESULT </prematch>
<regex>^conn=(\d+) op=\d+ RESULT </regex>
<order>id</order>
</decoder>