-
Notifications
You must be signed in to change notification settings - Fork 201
/
0255-roundcube_decoders.xml
56 lines (46 loc) · 2.98 KB
/
0255-roundcube_decoders.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
<!--
- Roundcube decoders
- Author: Daniel Cid.
- Updated by Wazuh, Inc.
- Copyright (C) 2015-2020, Wazuh Inc.
- Copyright (C) 2009 Trend Micro Inc.
- This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2.
-->
<!--
- Will extract username and src IP from the logs, when available.
Examples syslog: (older and newer versions of roundcube)
- Apr 10 22:45:20 hostname roundcube: [10-Apr-2009 22:45:20 -0500] IMAP Error: Authentication for username failed (LOGIN): "a001 NO Authentication failed." (POST /roundcube/?_task=&_action=login)
- Apr 10 23:01:23 hostname roundcube: [10-Apr-2009 23:01:23 -0500]: Successful login for username (id 1) from 127.0.0.1
- Oct 28 19:31:08 hostname roundcube: <isj89gtf> IMAP Error: Login failed for username from 127.0.0.1. AUTHENTICATE PLAIN: Authentication failed. in /var/www/html/roundcube/program/lib/Roundcube/rcube_imap.php on line 193 (POST /roundcube/?_task=login&_action=login)
Example from roundcube internal logfile in versions < 1.4 (/path/to/roundcube/logs/errors):
- [04-Oct-2017 17:03:30 +0200]: <jkgnfe79> IMAP Error: Login failed for username from 127.0.0.1. AUTHENTICATE PLAIN: Authentication failed. in /var/www/html/roundcube/program/lib/Roundcube/rcube_imap.php on line 193 (POST /roundcube/?_task=login&_action=login)
Example from roundcube internal logfile in versions >= 1.4 (/path/to/roundcube/logs/errors.log):
- [04-Oct-2017 17:03:30 +0200]: <jkgnfe79> IMAP Error: Login failed for username against mailhost.example.com from 127.0.0.1. AUTHENTICATE PLAIN: Authentication failed. in /var/www/html/roundcube/program/lib/Roundcube/rcube_imap.php on line 200 (POST /roundcube/?_task=login&_action=login)
Examples if log_logins is enabled (/path/to/roundcube/logs/userlogins):
- [04-Oct-2017 16:08:01 +0200]: <lrpo6s0r> Failed login for test from 127.0.0.1 in session abcdefg (error: 0)
- [04-Oct-2017 16:09:17 +0200]: <4bd4jqqc> Successful login for test (ID: 6) from 127.0.0.1 in session abcdefg
-->
<decoder name="roundcube">
<program_name>^roundcube</program_name>
</decoder>
<decoder name="roundcube">
<prematch>^[\d\d-\w\w\w-\d\d\d\d \d\d:\d\d:\d\d \S+]</prematch>
</decoder>
<decoder name="roundcube-success">
<parent>roundcube</parent>
<prematch> Successful login for </prematch>
<regex offset="after_prematch">^(\S+) \(id \d+\) from (\S+)$|^(\S+) \(ID: \d+\) from (\S+)</regex>
<order>user, srcip</order>
</decoder>
<decoder name="roundcube-denied-old">
<parent>roundcube</parent>
<prematch>] \w+ Error: Authentication </prematch>
<regex offset="after_prematch">^for (\S+) failed</regex>
<order>user</order>
</decoder>
<decoder name="roundcube-denied-new">
<parent>roundcube</parent>
<prematch>> \w+ Error: Login failed |> Failed login </prematch>
<regex offset="after_prematch">^for (\S+) from (\S+)\. |^for (\S+) from (\S+) in session |^for (\S+) against \S+ from (\S+)\. |^for (\S+) against \S+ from (\S+) in session </regex>
<order>user, srcip</order>
</decoder>