<!--
- Suhosin decoders
- Author: Daniel Cid.
- Updated by Wazuh, Inc.
- Copyright (C) 2015-2020, Wazuh Inc.
- Copyright (C) 2009 Trend Micro Inc.
- This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2.
-->
<!--
- Extracts the alert description (decoded into the id field) and the attacker address (decoded into srcip).
- Examples:
- suhosin[76366]: ALERT - canary mismatch on efree() - heap overflow detected (attacker '200.139.164.149', file 'xyz')
- suhosin[24239]: ALERT - configured request variable value length limit exceeded - dropped variable 'introtext' (attacker '192.168.1.2', file '/var/www/site/administrator/index2.php')
- suhosin[32150]: ALERT - configured POST variable limit exceeded - dropped variable 'setting[sg_allow_delete_empty_group]' (attacker '32.104.x.y', file '/home/htdocs/admincp/options.php')
-->
<!--
- Decoder for Suhosin "ALERT" lines.
- Applies to syslog entries whose program name starts with "suhosin"
- and tags them with type "ids".
- The regex captures two groups from the message, assigned by position
- via <order>:
-   1. the alert description between "ALERT - " and " (attacker '"  -> id
-   2. the quoted attacker value (a run of non-whitespace)          -> srcip
- NOTE(review): in the examples above the description can embed a
- request variable name ("dropped variable 'introtext'"), so the id
- field is partly shaped by request content; the attacker value is
- whatever Suhosin logged, which behind a reverse proxy may be the
- proxy address rather than the client. Confirm before acting on srcip alone.
- <fts> lists the fields (decoder name, location, id) used for
- first-time-seen tracking.
-->
<decoder name="suhosin">
<program_name>^suhosin</program_name>
<type>ids</type>
<!-- "\." is OSSEC regex for any character; "\S" is a non-whitespace character. -->
<regex>^ALERT - (\.+) \(attacker '(\S+)', </regex>
<order>id, srcip</order>
<fts>name, location, id</fts>
</decoder>