Created
August 29, 2013 19:48
OSSEC Asterisk Decoders and Rules
<!--
  OSSEC decoders for Asterisk log lines (decoder fragments; presumably meant to be
  appended to local_decoder.xml, so there is intentionally no single root element).

  Regex dialect is OSSEC's own, not PCRE: \d digit, \w word char, \S non-space,
  \. = ANY character, a bare . = literal dot, [ ] = literal brackets (there are no
  character classes), \( \) = literal parentheses, ( ) = capture group.
  Captures are bound to fields left to right in <order>.

  NOTE(review): child decoders are matched in file order and the first match
  presumably wins, so keep the more specific patterns first.
  NOTE(review): the values captured into srcuser/user are echoed from the remote
  peer's request, so rules and alert text must treat them as untrusted input.
  srcip is the peer address as Asterisk saw it; if Asterisk sits behind a NAT
  or SBC, active-response blocking on it may hit a shared address; confirm the
  deployment before enabling any blocking rule.
-->

<!-- Root decoder: matches any syslog line whose program name starts with "asterisk".
     Every decoder below declares this as its parent. -->
<decoder name="asterisk">
<program_name>^asterisk</program_name>
</decoder>

<!-- WARNING "... Don't know how to respond via '<transport>'".
     Captures the quoted transport/version string (e.g. SIP/2.0/UDP shape) into the
     "user" field; it is NOT an account name, so rules keyed on this decoder should
     not treat user as a login.
     NOTE(review): the regex expects a non-space token before " how"; this mirrors the
     stock OSSEC decoder, but verify with ossec-logtest against a live line. -->
<decoder name="asterisk-hijacking">
<parent>asterisk</parent>
<prematch>^WARNING[\d+]: \S+ in \S+: Don't know </prematch>
<regex offset="after_prematch">^\S+ how to respond via '(\w+/\d.\d/\w+)'</regex>
<order>user</order>
</decoder>

<!-- NOTICE "Registration from '<peer>' failed for '<ip>:<port>' ...".
     \S+ skips the quoted peer/URI; the IP inside the second quoted value is
     captured into srcip (the port after it is matched but not captured). -->
<decoder name="asterisk-denied">
<parent>asterisk</parent>
<prematch>^NOTICE[\d+]: \S+ in \S+: Registration from </prematch>
<regex offset="after_prematch">^\S+ failed for '(\d+.\d+.\d+.\d+):\d+'</regex>
<order>srcip</order>
</decoder>

<!-- Unanchored variant of asterisk-denied for the message form where the quoted
     value holds only the IP and no ":port". Both variants land in srcip, so a
     single rule can key on either decoder. -->
<decoder name="asterisk-denied2">
<parent>asterisk</parent>
<prematch>Registration from </prematch>
<regex offset="after_prematch">failed for '(\d+.\d+.\d+.\d+)'</regex>
<order>srcip</order>
</decoder>

<!-- NOTICE "Host <ip> failed MD5 authentication for <user>" (IAX2).
     Captures the peer IP into srcip and the attempted username into user. -->
<decoder name="asterisk-iax-authentication-denied">
<parent>asterisk</parent>
<prematch>^NOTICE[\d+]: \S+ in \S+: Host </prematch>
<regex offset="after_prematch">^(\d+.\d+.\d+.\d+) failed MD5 authentication for (\S+)</regex>
<order>srcip, user</order>
</decoder>

<!-- NOTICE[<tid>][<call-id>] "Call from '<caller>' (<ip>:<port>) to extension '<ext>'
     rejected because extension not found in context '<ctx>'."
     Prematch allows the bracketed call-id tag that newer Asterisk log lines carry.
     Captures: caller id -> srcuser (\.* so an empty '' caller still matches),
     peer IP -> srcip, context name -> dstuser.
     NOTE(review): the dialed extension ('\.+') is matched but not captured; dstuser
     therefore carries the dialplan context, not the number dialed. Confirm that is
     the intended field mapping for the rules built on this decoder. -->
<decoder name="asterisk-extension-rejected">
<parent>asterisk</parent>
<prematch>NOTICE[\d+][\.+]: \S+ in \S+: Call from </prematch>
<regex offset="after_prematch">^'(\.*)' \((\d+.\d+.\d+.\d+):\d+\) to extension '\.+' rejected because extension not found in context '(\.+)'.</regex>
<order>srcuser,srcip,dstuser</order>
</decoder>