-
Notifications
You must be signed in to change notification settings - Fork 201
/
0375-web-accesslog_decoders.xml
56 lines (48 loc) · 2.55 KB
/
0375-web-accesslog_decoders.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
<!--
- Web access log decoders
- Author: Daniel Cid.
- Updated by Wazuh, Inc.
- Copyright (C) 2015-2020, Wazuh Inc.
- Copyright (C) 2009 Trend Micro Inc.
- This program is a free software; you can redistribute it and/or modify it under the terms of GPLv2.
-->
<!-- NCSA common log decoder (used by apache, Lotus Domino and IIS NCSA).
- Will extract the srcip, url and id.
- Every web access log must use "web-log" as their
- type if they want to be matched against the web rules.
- Examples:
With IP:
- 10.11.12.13 - - [03/Aug/2001:21:56:18 -0500] "GET /url.html HTTP/1.1" 200 1732
- 10.11.12.13 - username [18/Jan/2006:13:10:06 -0500] "GET /url.html HTTP/1.1" 200 1732
- 10.11.12.13 domain.com - [05/Nov/2006:00:46:56 -0500] "GET / HTTP/1.1" 302 -
- ::ffff:202.194.15.192 190.7.138.180 - [18/Oct/2010:10:48:55 -0500] "GET //php-my-admin/config/config.inc.php?p=phpinfo(); HTTP/1.1" 404 345 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
- 10.11.12.13 - - - [27/Mar/2017:13:40:40 -0700] "GET /modules.php?name=Search&type=stories&query=qualys&category=-1%20&categ=%20and%201=2%20UNION%20SELECT%200,0,aid,pwd,0,0,0,0,0,0%20from%20nuke_authors/* HTTP/1.0" 404 982 "-" "-"
With domain:
- domain.com 10.11.12.13 - - [12/Sep/2016:15:24:41 +0000] "GET /url/errors.php?mode=js HTTP/1.1" 200 0 "https://domain.com/tt-rss/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.101 Safari/537.36"
2 IPs:
10.10.10.11 10.10.10.12 - - [10/Apr/2017:13:18:05 -0700] "GET /injection/%0d%0aSet-Cookie HTTP/1.1" 404 271 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0"
-->
<decoder name="web-accesslog">
<type>web-log</type>
<prematch>^\S+ \S+ \S+ \.*[\S+ \S\d+] "\w+ \S+ HTTP\S+" </prematch>
</decoder>
<decoder name="web-accesslog-domain">
<type>web-log</type>
<parent>web-accesslog</parent>
<prematch>^\S+.\D+</prematch>
<regex>^\S+ (\S+) \S+ \.*[\S+ \S\d+] "(\w+) (\S+) HTTP\S+" (\d+) </regex>
<order>srcip, protocol, url, id</order>
</decoder>
<decoder name="web-accesslog-ip-ip">
<type>web-log</type>
<parent>web-accesslog</parent>
<prematch>^\S+ \S+.\S+ |^\S+ \S+:\S+ </prematch>
<regex>^(\S+) (\S+) \S+ \.*[\S+ \S\d+] "(\w+) (\S+) HTTP\S+" (\d+) </regex>
<order>srcip2, srcip, protocol, url, id</order>
</decoder>
<decoder name="web-accesslog-ip">
<type>web-log</type>
<parent>web-accesslog</parent>
<regex>^(\S+) \S+ \S+ \.*[\S+ \S\d+] "(\w+) (\S+) HTTP\S+" (\d+) </regex>
<order>srcip, protocol, url, id</order>
</decoder>