decoders/0325-suhosin_decoders.xml

<!--
  -  Suhosin decoders
  -  Author: Daniel Cid.
  -  Updated by Wazuh, Inc.
  -  Copyright (C) 2015-2020, Wazuh Inc.
  -  Copyright (C) 2009 Trend Micro Inc.
  -  This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2.
-->


<!--
  - Will extract the attack name and srcip.
  - Examples:
  - suhosin[76366]: ALERT - canary mismatch on efree() - heap overflow detected (attacker '200.139.164.149', file 'xyz')
  - suhosin[24239]: ALERT - configured request variable value length limit exceeded - dropped variable 'introtext' (attacker '192.168.1.2', file '/var/www/site/administrator/index2.php')
  - suhosin[32150]: ALERT - configured POST variable limit exceeded - dropped variable 'setting[sg_allow_delete_empty_group]' (attacker '32.104.x.y', file '/home/htdocs/admincp/options.php')
  -->
<decoder name="suhosin">
  <program_name>^suhosin</program_name>
  <type>ids</type>
  <regex>^ALERT - (\.+) \(attacker '(\S+)', </regex>
  <order>id, srcip</order>
  <fts>name, location, id</fts>
</decoder>