-
Notifications
You must be signed in to change notification settings - Fork 201
/
0190-openvpn_decoders.xml
93 lines (83 loc) · 3.54 KB
/
0190-openvpn_decoders.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
<!--
- OpenVPN decoders
- Author: Julio Camargo <julio.camargo@trustux.com.br>
- Updated by Wazuh, Inc.
- Copyright (C) 2015-2020, Wazuh Inc.
- This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2.
-->
<decoder name="openvpn">
<program_name>openvpn|ovpn-server</program_name>
</decoder>
<!--
Jul 22 13:10:29 fw01 openvpn[76395]: girafalez/202.202.202.202:1194 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jul 22 13:10:29 fw01 openvpn[76395]: girafalez/202.202.202.202:1194 TLS Error: TLS handshake failed
Jul 22 13:10:35 fw01 openvpn[76395]: girafalez/202.202.202.202:1194 Authenticate/Decrypt packet error: packet HMAC authentication failed
Jul 21 18:31:21 fw01 openvpn[76395]: chapolin/200.200.200.200:17777 send_push_reply(): safe_cap=940
-->
<decoder name="openvpn-user-ip">
<parent>openvpn</parent>
<prematch>^\S+/\S+:\d+</prematch>
<regex>^(\S+)/(\S+):(\d+)</regex>
<order>srcuser,srcip,srcport</order>
</decoder>
<!--
Jul 21 18:31:19 fw01 openvpn[76395]: 200.200.200.200:17777 [chapolin] Peer Connection Initiated with [AF_INET]200.200.200.200:17777
May 14 17:49:12 auth openvpn: Sun May 14 17:49:12 2017 200.200.200.200:17777 [chapolin] Peer Connection Initiated with [AF_INET]200.200.200.200:53230
-->
<decoder name="openvpn-ip-user">
<parent>openvpn</parent>
<prematch>\S+:\d+ [</prematch>
<regex>(\S+):(\d+) [(\S+)]</regex>
<order>srcip,srcport,srcuser</order>
</decoder>
<!--
Sep 24 10:39:30 foo ovpn-server[145]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET6]::ffff:192.168.178.1:50165
-->
<decoder name="openvpn-ip-port">
<parent>openvpn</parent>
<prematch> [AF_INET]| [AF_INET6]</prematch>
<regex>](\S+):(\d+)$</regex>
<order>srcip,srcport</order>
</decoder>
<!--
Aug 30 16:08:29 foo ovpn-server[107]: 192.168.178.1 [admin] Peer Connection Initiated with [AF_INET6]::ffff:192.168.178.1:44902
-->
<decoder name="openvpn-ip-user-port">
<parent>openvpn</parent>
<prematch>\S+ [</prematch>
<regex>(\S+) [(\S+)]\.+:(\d+)$</regex>
<order>srcip,srcuser,srcport</order>
</decoder>
<!--
Jul 21 18:32:24 fw01 openvpn: user 'chapolin' authenticated
-->
<decoder name="openvpn-user">
<parent>openvpn</parent>
<prematch>^user '</prematch>
<regex offset="after_prematch">^(\S+)'</regex>
<order>srcuser</order>
</decoder>
<!--
Author: Stuart Williams <stwilliams@workforcesoftware.com>
Date: 2019-01-29
Note: Enhanced decoder rules to handle LDAP integrated authentication
Comments: Not sure how useful the first entry is but will 'log' it - could be useful in auditing numbers etc
-->
<!--
Jan 28 14:25:49 VPN-SERVER-05892 openvpn: LDAP bind failed: Invalid credentials (80090308: LdapErr: DSID-55555555, comment: AcceptSecurityContext error, data 775, v3839)
-->
<decoder name="openvpn_ldap_bind_failed">
<parent>openvpn</parent>
<prematch>^LDAP bind failed: </prematch>
<regex offset="after_prematch">^(\.+) \((\d+): LdapErr: (\S+), comment: (\.+),</regex>
<order>ldap_data.error_message,ldap_data.code,ldap_data.ldaperr,ldap_data.comment</order>
</decoder>
<!--
Jan 28 14:25:49 VPN-SERVER-05892 openvpn: Incorrect password supplied for LDAP DN "CN=Harry T. Hacker,OU=business unit,OU=department,DC=domain,DC=com".
-->
<decoder name="openvpn_ldap_incorrect_password">
<parent>openvpn</parent>
<prematch>^Incorrect password supplied for LDAP DN </prematch>
<regex offset="after_prematch">^"CN=(\.+),OU=(\.+),(\.+)"</regex>
<order>ldap_data.Username,ldap_data.Department,ldap_data.SecurityGroup</order>
</decoder>