Skip to content

Commit 9c1d340

Browse files
ddpbsdddpbsd
authored
Merge pull request #1578 from Bob-Andrews/patch-12
Changed IPv4 to IPv4/IPv6 regex Dionaea/Cowrie
2 parents 37475d6 + 270b7ea commit 9c1d340

File tree

1 file changed

+4
-4
lines changed

1 file changed

+4
-4
lines changed

etc/decoder.xml

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -3325,7 +3325,7 @@ s=2 SFwdQ=0 SDupQ=0 SErr=0 RQ=2 RIQ=0 RFwdQ=0 RDupQ=0 RTCP=0 SFwdR=0 SFail=0 SFE
33253325
<!-- {"direction": "inbound", "protocol": "ip", "ids_type": "network", "timestamp": "2018-09-14T11:02:54.215411", "dionaea_action": "reject", "type": "dionaea.connections", "app": "dionaea", "src_ip": "16.10.10.10", "vendor_product": "Dionaea", "dest_port": 365, "signature": "Connection to Honeypot", "src_port": 45302, "dest_ip": "16.10.10.11", "sensor": "5e7031cf-b74d-22f9-57e0-254166752457", "transport": "tcp", "severity": "high"} -->
33263326
<decoder name="dionaea">
33273327
<prematch>dionaea.connections</prematch>
3328-
<regex>^\p\pdirection\p: \p(\S+)\p, \pprotocol\p: \p(\S+)\p, \pids_type\p: \p\S+\p, \ptimestamp\p: \p\d\d\d\d-\d\d-\d\d\w\d\d:\d\d:\d\d\.\d+\p, \pdionaea_action\p: \p(\S+)\p, \ptype\p: \pdionaea.connections\p, \papp\p: \pdionaea\p, \psrc_ip\p: \p(\d+.\d+.\d+.\d+)\p, \pvendor_product\p: \pDionaea\p, \pdest_port\p: (\d+), \psignature\p: \p\.+\p, \psrc_port\p: (\d+), \pdest_ip\p: \p(\d+.\d+.\d+.\d+)\p, \psensor\p: \S+, \ptransport\p: \p\S+\p, \pseverity\p: \p\S+\p\p</regex>
3328+
<regex>^{\pdirection\p: \p(\S+)\p, \pprotocol\p: \p(\S+)\p, \pids_type\p: \p\S+\p, \ptimestamp\p: \p\d\d\d\d-\d\d-\d\d\w\d\d:\d\d:\d\d\.\d+\p, \pdionaea_action\p: \p(\S+)\p, \ptype\p: \pdionaea.connections\p, \papp\p: \pdionaea\p, \psrc_ip\p: "(\S+)", \pvendor_product\p: \pDionaea\p, \pdest_port\p: (\d+), \psignature\p: \p\.+\p, \psrc_port\p: (\d+), \pdest_ip\p: "(\S+)", \psensor\p: \S+, \ptransport\p: \p\S+\p, \pseverity\p: \p\S+\p}</regex>
33293329
<order>extra_data, protocol, action, srcip, dstport, srcport, dstip</order>
33303330
</decoder>
33313331

@@ -3342,21 +3342,21 @@ s=2 SFwdQ=0 SDupQ=0 SErr=0 RQ=2 RIQ=0 RFwdQ=0 RDupQ=0 RTCP=0 SFwdR=0 SFail=0 SFE
33423342
<decoder name="cowrie-attempt">
33433343
<parent>cowrie</parent>
33443344
<prematch>"SSH login attempted</prematch>
3345-
<regex>^\p\pdirection\p: \p\S+\p, \pprotocol\p: \p(\S+)\p, \pids_type\p: \p(\S+)\p, \pssh_username\p: \p(\S+)\p, \papp\p: \pcowrie\p, \ptransport\p: \p\S+\p, \pdest_port\p: (\d+), \psrc_port\p: (\d+), \pseverity\p: \p\S+\p, \ptimestamp\p: \p\d\d\d\d-\d\d-\d\d\w\d\d:\d\d:\d\d.\d+\p, \pvendor_product\p: \pCowrie\p, \psensor\p: \S+, \psrc_ip\p: \p(\d+.\d+.\d+.\d+)\p, \pssh_password\p: \p\S+\p, \psignature\p: \p(\.+)\p, \pssh_version\p: \.+, \ptype\p: \pcowrie.sessions\p, \pdest_ip\p: \p(\d+.\d+.\d+.\d+)\p\p</regex>
3345+
<regex>^{\pdirection\p: \p\S+\p, \pprotocol\p: \p(\S+)\p, \pids_type\p: \p(\S+)\p, \pssh_username\p: \p(\S+)\p, \papp\p: \pcowrie\p, \ptransport\p: \p\S+\p, \pdest_port\p: (\d+), \psrc_port\p: (\d+), \pseverity\p: \p\S+\p, \ptimestamp\p: \p\d\d\d\d-\d\d-\d\d\w\d\d:\d\d:\d\d.\d+\p, \pvendor_product\p: \pCowrie\p, \psensor\p: \S+, \psrc_ip\p: "(\S+)", \pssh_password\p: \p\S+\p, \psignature\p: \p(\.+)\p, \pssh_version\p: \.+, \ptype\p: \pcowrie.sessions\p, \pdest_ip\p: "(\S+)"}</regex>
33463346
<order>protocol, extra_data, user, dstport, srcport, srcip, action, dstip</order>
33473347
</decoder>
33483348

33493349
<decoder name="cowrie-session">
33503350
<parent>cowrie</parent>
33513351
<prematch>"SSH session on cowrie honeypot</prematch>
3352-
<regex>^\p\pdirection\p: \p\S+\p, \pprotocol\p: \p(\S+)\p, \pids_type\p: \p(\S+)\p, \ptimestamp\p: \p\d\d\d\d-\d\d-\d\d\w\d\d:\d\d:\d\d.\d+\p, \pvendor_product\p: \pCowrie\p, \ptype\p: \pcowrie.sessions\p, \papp\p: \pcowrie\p, \psrc_ip\p: \p(\d+.\d+.\d+.\d+)\p, \pdest_port\p: (\d+), \psignature\p: \p(\.+)\p, \pssh_version\p: \.+, \psrc_port\p: (\d+), \pdest_ip\p: \p(\d+.\d+.\d+.\d+)\p, \psensor\p: \S+, \ptransport\p: \p\S+\p, \pseverity\p: \p\S+\p\p</regex>
3352+
<regex>^{\pdirection\p: \p\S+\p, \pprotocol\p: \p(\S+)\p, \pids_type\p: \p(\S+)\p, \ptimestamp\p: \p\d\d\d\d-\d\d-\d\d\w\d\d:\d\d:\d\d.\d+\p, \pvendor_product\p: \pCowrie\p, \ptype\p: \pcowrie.sessions\p, \papp\p: \pcowrie\p, \psrc_ip\p: "(\S+)", \pdest_port\p: (\d+), \psignature\p: \p(\.+)\p, \pssh_version\p: \.+, \psrc_port\p: (\d+), \pdest_ip\p: "(\S+)", \psensor\p: \S+, \ptransport\p: \p\S+\p, \pseverity\p: \p\S+\p}</regex>
33533353
<order>protocol, extra_data, srcip, dstport, action, srcport, dstip</order>
33543354
</decoder>
33553355

33563356
<decoder name="cowrie-command">
33573357
<parent>cowrie</parent>
33583358
<prematch>"command attempted on cowrie honeypot</prematch>
3359-
<regex>^\p\pdirection\p: \p\S+\p, \pprotocol\p: \p(\S+)\p, \pids_type\p: \p(\S+)\p, \ptimestamp\p: \p\d\d\d\d-\d\d-\d\d\w\d\d:\d\d:\d\d.\d+\p, \papp\p: \pcowrie\p, \ptransport\p: \p\S+\p, \pdest_port\p: (\d+), \psrc_port\p: (\d+), \pseverity\p: \p\S+\p, \pvendor_product\p: \pCowrie\p, \psensor\p: \S+, \psrc_ip\p: \p(\d+.\d+.\d+.\d+)\p, \pcommand\p: \p\S+\p, \psignature\p: \p(\.+)\p, \pssh_version\p: \.+, \ptype\p: \pcowrie.sessions\p, \pdest_ip\p: \p(\d+.\d+.\d+.\d+)\p\p</regex>
3359+
<regex>^{\pdirection\p: \p\S+\p, \pprotocol\p: \p(\S+)\p, \pids_type\p: \p(\S+)\p, \ptimestamp\p: \p\d\d\d\d-\d\d-\d\d\w\d\d:\d\d:\d\d.\d+\p, \papp\p: \pcowrie\p, \ptransport\p: \p\S+\p, \pdest_port\p: (\d+), \psrc_port\p: (\d+), \pseverity\p: \p\S+\p, \pvendor_product\p: \pCowrie\p, \psensor\p: \S+, \psrc_ip\p: "(\S+)", \pcommand\p: \p\S+\p, \psignature\p: \p(\.+)\p, \pssh_version\p: \.+, \ptype\p: \pcowrie.sessions\p, \pdest_ip\p: "(\S+)"}</regex>
33603360
<order>protocol, extra_data, dstport, srcport, srcip, action, dstip</order>
33613361
</decoder>
33623362

0 commit comments

Comments
 (0)