-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathopenbsd_parser.xml
91 lines (89 loc) · 6.38 KB
/
openbsd_parser.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
<patternDefinitions>
<pattern name="patOpenBSDMod"><![CDATA[doas|pf]]></pattern>
</patternDefinitions>
<eventFormatRecognizer><![CDATA[<:gPatSyslogPRI><:gPatMon>\s+<:gPatDay>\s+<:gPatTime>\s+<:patOpenBSDMod>:\s]]></eventFormatRecognizer>
<parsingInstructions>
<collectFieldsByRegex src="$_rawmsg">
<regex><![CDATA[<:gPatSyslogPRI><_mon:gPatMon>\s+<_day:gPatDay>\s+<_time:gPatTime>\s+<_body:gPatMesgBody>]]></regex>
</collectFieldsByRegex>
<setEventAttribute attr="deviceTime">toDateTime($_mon, $_day, $_time)</setEventAttribute>
<setEventAttribute attr="eventType">OpenBSD_Generic</setEventAttribute>
<setEventAttribute attr="eventAction">0</setEventAttribute>
<setEventAttribute attr="eventSeverity">1</setEventAttribute>
<collectFieldsByRegex src="$_body">
<regex><![CDATA[<procName:patOpenBSDMod>]]></regex>
</collectFieldsByRegex>
<setEventAttribute attr="eventType">combineMsgId("OpenBSD_", $procName, "_Generic")</setEventAttribute>
<choose>
<when test='$procName = "doas"'>
<switch>
<case>
<!-- message specific parsing
doas: admin ran command tcpdump -n -e -ttt -i pflog0 host 111.8.234.4 as root from /home/admin
doas: admin ran command /bin/sh -c echo BECOME-SUCCESS-ztjxtnjesqmturhgiqomtpyllfkgkenb; /usr/local/bin/python3 as root from /home/admin
doas: admin ran command su as root from /home/admin
doas: admin ran command tcpdump -n -e -ttt -i pflog0 host 1.116.16.40 as root from /home/admin
-->
<collectFieldsByRegex src="$_body">
<regex><![CDATA[doas:\s+<user:gPatStr>\sran\scommand\s<command:gPatMesgBody>\sas\s<targetUser:gPatStr>\sfrom\s<:gPatStr>]]></regex>
</collectFieldsByRegex>
<setEventAttribute attr="eventType">"OpenBSD_Successful_SUDO_Exec"</setEventAttribute>
<setEventAttribute attr="eventSeverity">4</setEventAttribute>
</case>
<case>
<!-- message specific parsing
<85>May 12 14:49:25 doas: failed auth for system
-->
<collectFieldsByRegex src="$_body">
<regex><![CDATA[doas:\s+failed auth for\s+<user:gPatStr>]]></regex>
</collectFieldsByRegex>
<setEventAttribute attr="eventType">"OpenBSD_Failed_SUDO_Exec"</setEventAttribute>
<setEventAttribute attr="eventSeverity">4</setEventAttribute>
<setEventAttribute attr="eventAction">1</setEventAttribute>
</case>
</switch>
</when>
<when test='$procName = "pf"'>
<switch>
<case>
<!-- message specific parsing
<150>May 17 05:56:11 pf: May 17 05:56:10.745609 rule 1/(match) block in on ix0: 5.22.157.38.37999 > 123.123.1.2.389: udp 53
<150>May 17 05:56:11 pf: May 17 05:56:10.572145 rule 1/(match) block in on ix0: 185.176.26.27.45682 > 222.123.45.4.3937: R 1571949896:1571949896(0) win 1200
<150>May 17 05:56:28 pf: May 17 05:56:27.348862 rule 54/(match) block in on ix0: 46.232.112.19.40044 > 243.211.98.4.1919: S 3874162489:3874162489(0) win 1024
<150>May 17 08:21:36 pf: May 17 08:21:36.248596 rule 1/(match) block in on ix0: 2649:123:1f2f:e4:64de:a201:a9ef:3c70.38624 > 2222:fd00:1234:9:3991:bb0:9c0a:b9e.22000: S 3572420616:3572420616(0) win 64800 <[|tcp]> [flowlabel 0x6adbd]
<150>Jul 8 14:02:15 pf: Jul 08 14:02:14.924576 rule 75.some-anchor.7/(match) pass in on vlan99: 2649:123:1f2f:e4:64de:a201:a9ef:3c70.53137 > 2222:fd00:1234:9:3991:bb0:9c0a:b9e.161: C=publ [|snmp]
-->
<collectFieldsByRegex src="$_body">
<regex><![CDATA[pf:\s+<_mon:gPatMon>\s+<_day:gPatDay>\s+<_time:gPatTime>\.\d+\s+rule\s+<_rulenum:gPatInt>.*\/\(match\)\s<_action:gPatWord>\s+<direction:gPatWord>\s+on\s+<srcIntfName:gPatWord>:\s+<srcIpAddr:gPatIpAddr>\.<srcIpPort:gPatInt>\s+>\s+<destIpAddr:gPatIpAddr>\.<destIpPort:gPatInt>.*]]></regex>
</collectFieldsByRegex>
<setEventAttribute attr="eventType">"OpenBSD_PF"</setEventAttribute>
<setEventAttribute attr="eventSeverity">4</setEventAttribute>
<setEventAttribute attr="deviceTime">toDateTime($_mon, $_day, $_time)</setEventAttribute>
</case>
<case>
<!-- icmp message specific parsing
<150>May 17 05:56:09 pf: May 17 05:56:08.524354 rule 1/(match) block in on vlan32: fe80::7e5c:f8ff:fed8:5d5b > 2194:fd12:9:2::2: [|icmp6]
<150>May 17 08:57:44 pf: May 17 08:57:44.009511 rule 1/(match) block in on vlan32: fe80::7e5c:f8ff:fed8:5d5b > fe80::200:5eff:fe00:120: [|icmp6]
<150>May 17 20:31:00 pf: May 17 20:30:59.562924 rule 48/(match) pass in on em0: 13.209.116.151 > 199.116.2.120: icmp: echo request (DF)
<150>Jul 10 14:14:16 pf: Jul 10 14:14:16.239456 rule 75.some-anchor.7/(match) pass in on vlan99: 2649:123:1f2f:e4:64de:a201:a9ef:3c70 > ff02::1:ff00:1: [|icmp6]
-->
<collectFieldsByRegex src="$_body">
<regex><![CDATA[pf:\s+<_mon:gPatMon>\s+<_day:gPatDay>\s+<_time:gPatTime>\.\d+\s+rule\s+<_rulenum:gPatInt>.*\/\(match\)\s<_action:gPatWord>\s+<direction:gPatWord>\s+on\s+<srcIntfName:gPatWord>:\s+<srcIpAddr:gPatIpAddr>\s+>\s+<destIpAddr:gPatIpAddr>\:]]></regex>
</collectFieldsByRegex>
<setEventAttribute attr="eventSeverity">4</setEventAttribute>
<setEventAttribute attr="deviceTime">toDateTime($_mon, $_day, $_time)</setEventAttribute>
</case>
</switch>
<choose>
<when test='$_action = "block"'>
<setEventAttribute attr="eventAction">1</setEventAttribute>
<setEventAttribute attr="eventType">OpenBSD-PF-Traffic-Blocked</setEventAttribute>
</when>
<when test='$_action = "pass"'>
<setEventAttribute attr="eventAction">0</setEventAttribute>
<setEventAttribute attr="eventType">OpenBSD-PF-Traffic-Permitted</setEventAttribute>
</when>
</choose>
</when>
</choose>
</parsingInstructions>