Hi, what fields do you need?

Dec 19 17:20:08 ny dovecot: pop3-login: Aborted login (auth failed, 2 attempts in 18 secs): *user*=<test>, method=PLAIN, *rip*=1.2.3.4, *lip*=1.2.3.4, session=<i8uMIAZEDrdtycjJ>

**Phase 1: Completed pre-decoding.
       full event: 'Dec 19 17:20:08 ny dovecot: pop3-login: Aborted login (auth failed, 2 attempts in 18 secs): user=<test>, method=PLAIN, rip=1.2.3.4, lip=1.2.3.4, session=<i8uMIAZEDrdtycjJ>'
       hostname: 'ny'
       program_name: 'dovecot'
       log: 'pop3-login: Aborted login (auth failed, 2 attempts in 18 secs): user=<test>, method=PLAIN, rip=1.2.3.4, lip=1.2.3.4, session=<i8uMIAZEDrdtycjJ>'

**Phase 2: Completed decoding.
       decoder: 'dovecot'
       dstuser: 'test'
       srcip: '1.2.3.4'
       dstip: '1.2.3.4'
       proto: 'session=<i8uMIAZEDrdtycjJ>'

**Phase 3: Completed filtering (rules).
       Rule id: '9705'
       Level: '5'
       Description: 'Dovecot Invalid User Login Attempt.'
**Alert to be generated.

You can change the decoder <https://github.com/wazuh/wazuh-ruleset/blob/master/decoders/0085-dovecot_decoders.xml#L43-L48> to extract the *method* field, but it seems the rest of the fields are decoded.

I hope it helps.

Regards.

On Tuesday, June 6, 2017 at 7:58:55 PM UTC+2, dan (ddpbsd) wrote:
> On Jun 6, 2017 1:56 PM, <nno...@cloudlinux.com> wrote:
>
>> Hi all,
>>
>> I have a problem with the dovecot decoder.
>>
>> Example log:
>> Dec 19 17:20:08 ny dovecot: pop3-login: Aborted login (auth failed, 2 attempts in 18 secs): user=<test>, method=PLAIN, rip=1.2.3.4, lip=1.2.3.4, session=<i8uMIAZEDrdtycjJ>
>>
>> Default dovecot decoder:
>>
>> <decoder name="dovecot-aborted">
>>   <parent>dovecot</parent>
>>   <prematch offset="after_parent">^\w\w\w\w-login: Aborted login</prematch>
>>   <regex offset="after_prematch">: user=\p(\S+)\p, method=\S+, rip=::ffff:(\d+.\d+.\d+.\d+), lip=::ffff:(\d+.\d+.\d+.\d+)$</regex>
>
> Try changing the rip and lip to "(\S+)"
> What's there now seems very wrong.
>
>>   <order>user, srcip, dstip</order>
>> </decoder>
>>
>> Is it possible to create an additional decoder that extracts the same fields as in the above decoder if the regex tag does not match but the prematch was matched?
>>
>> --
>> You received this message because you are subscribed to the Google Groups "ossec-list" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to ossec-list+...@googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.
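To see which of the regexes discussed in this thread actually match the quoted log line, here is an added Python script (not code from the thread, from OSSEC or from Wazuh). It translates the decoder's prematch and three candidate `<regex>` bodies into Python `re` syntax (OSSEC's `\p` becomes a punctuation class, its `.` is any character, `\S` is non-space, `$` is end of string), emulates the syslog pre-decoding and the `after_parent` / `after_prematch` offsets, and runs the candidates in order over the thread's log line plus a constructed line with IPv4-mapped `::ffff:` addresses and nothing after `lip`. The third candidate (no `::ffff:` prefix, no `$`, `method` captured) is my assumption, not something the thread proposes. The script does not model OSSEC's own regex engine or how it falls through between sibling decoders; check that with ossec-logtest as the reply above does.

```python
"""Emulate the dovecot-aborted decoder regexes from the thread in Python.

Added example; not code from the thread, OSSEC or Wazuh.  Only the regex
matching is emulated, not OSSEC's decoder fall-through behaviour.
"""
import re

# OSSEC regex \p (punctuation), translated to a Python character class.
PUNCT = r"""[()*+,\-.:;<=>?\[\]!"'#$%&|{}]"""

# Syslog pre-decoding: "<timestamp> <hostname> <program_name>[pid]: <log>".
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<hostname>\S+) "
    r"(?P<program_name>[^\s:\[]+)(?:\[\d+\])?: (?P<log>.*)$"
)

# <prematch offset="after_parent">^\w\w\w\w-login: Aborted login</prematch>
# (OSSEC's \w is a little wider than Python's; \w{4} covers pop3/imap.)
PREMATCH = re.compile(r"^\w{4}-login: Aborted login")

# Candidate <regex offset="after_prematch"> bodies, tried in order; the first
# one that matches wins.  Each is paired with its <order> list.
CANDIDATES = [
    # 1. The regex posted in the thread: needs the "::ffff:" IPv4-mapped
    #    prefix and anchors on end of line right after lip.
    ("posted",
     re.compile(rf": user={PUNCT}(\S+){PUNCT}, method=\S+, "
                r"rip=::ffff:(\d+.\d+.\d+.\d+), lip=::ffff:(\d+.\d+.\d+.\d+)$"),
     ("user", "srcip", "dstip")),
    # 2. The thread's suggestion: rip and lip become (\S+), $ is kept.
    ("rip-lip-S+",
     re.compile(rf": user={PUNCT}(\S+){PUNCT}, method=\S+, rip=(\S+), lip=(\S+)$"),
     ("user", "srcip", "dstip")),
    # 3. Assumed variant (mine, not from the thread): no ::ffff: prefix, no $,
    #    method captured; a trailing "session=" field no longer breaks it.
    ("plain-ipv4+method",
     re.compile(rf": user={PUNCT}(\S+){PUNCT}, method=(\S+), "
                r"rip=(\d+.\d+.\d+.\d+), lip=(\d+.\d+.\d+.\d+)"),
     ("user", "method", "srcip", "dstip")),
]


def _after_prematch(line):
    """Apply the syslog pre-decoder, the parent 'dovecot' check and the
    prematch; return the text after the prematch, or None."""
    m = SYSLOG_RE.match(line)
    if not m or m.group("program_name") != "dovecot":
        return None
    log = m.group("log")
    pm = PREMATCH.match(log)
    return log[pm.end():] if pm else None


def decode(line):
    """Fields of the first matching candidate (plus its name), or None."""
    rest = _after_prematch(line)
    if rest is None:
        return None
    for name, rx, order in CANDIDATES:
        hit = rx.search(rest)
        if hit:
            fields = dict(zip(order, hit.groups()))
            fields["decoder"] = name
            return fields
    return None


def which_candidates_match(line):
    """Diagnostics: names of every candidate whose regex matches `line`."""
    rest = _after_prematch(line)
    if rest is None:
        return []
    return [name for name, rx, _ in CANDIDATES if rx.search(rest)]


# Log line quoted in the thread (verbatim).
LOG_PLAIN = ("Dec 19 17:20:08 ny dovecot: pop3-login: Aborted login "
             "(auth failed, 2 attempts in 18 secs): user=<test>, method=PLAIN, "
             "rip=1.2.3.4, lip=1.2.3.4, session=<i8uMIAZEDrdtycjJ>")
# Constructed line in the shape the posted regex expects: IPv4-mapped
# addresses and nothing after lip.
LOG_MAPPED = ("Dec 19 17:20:08 ny dovecot: imap-login: Aborted login "
              "(auth failed, 1 attempts in 2 secs): user=<test>, method=PLAIN, "
              "rip=::ffff:1.2.3.4, lip=::ffff:1.2.3.4")

if __name__ == "__main__":
    for line in (LOG_PLAIN, LOG_MAPPED):
        print(which_candidates_match(line), decode(line))
```

Two things worth noticing in the output: on the thread's own line only the third candidate matches, because the posted regex requires `::ffff:` and both of the first two anchor on `$` while the line ends with a `session=` field; and on the mapped line the `(\S+)` variant leaves the `::ffff:` prefix inside `srcip`, which matters if rules or CDB lists compare that field against bare IPv4 addresses.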