From c8b795d9ea1a0e2cc52b69db47aa1d2afcb67a7d Mon Sep 17 00:00:00 2001
From: Joren <jorensc@riseup.net>
Date: Thu, 6 Mar 2025 09:40:26 +0100
Subject: [PATCH] first commit

---
 decoder.xml | 164 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 164 insertions(+)
 create mode 100644 decoder.xml

diff --git a/decoder.xml b/decoder.xml
new file mode 100644
index 0000000..6757cd0
--- /dev/null
+++ b/decoder.xml
@@ -0,0 +1,164 @@
+<!--
+  CGFW Firewall Activity via syslog
+-->
+<decoder name="cgfw-firewall-activity">
+  <type>syslog</type>
+  <program_name type="pcre2">^.*\/box_Firewall_Activity</program_name>
+</decoder>
+
+<decoder name="cgfw-firewall-activity-fields">
+  <parent>cgfw-firewall-activity</parent>
+  <regex type="pcre2">type=([\w\s]+)</regex>
+  <order>Type</order>
+</decoder>
+
+<decoder name="cgfw-firewall-activity-fields">
+  <parent>cgfw-firewall-activity</parent>
+  <regex type="pcre2">proto=([\w\s]+)</regex>
+  <order>L4Protocol</order>
+</decoder>
+
+<decoder name="cgfw-firewall-activity-fields">
+  <parent>cgfw-firewall-activity</parent>
+  <regex type="pcre2">srcIF=([\w\s]+)</regex>
+  <order>SourceInterface</order>
+</decoder>
+
+<decoder name="cgfw-firewall-activity-fields">
+  <parent>cgfw-firewall-activity</parent>
+  <regex type="pcre2">srcIP=([\d\.]+)</regex>
+  <order>SourceIP</order>
+</decoder>
+
+<decoder name="cgfw-firewall-activity-fields">
+  <parent>cgfw-firewall-activity</parent>
+  <regex type="pcre2">srcPort=([\d\s]+)</regex>
+  <order>SourcePort</order>
+</decoder>
+
+<decoder name="cgfw-firewall-activity-fields">
+  <parent>cgfw-firewall-activity</parent>
+  <regex type="pcre2">srcMAC=([\w\d:]+)</regex>
+  <order>SourceMAC</order>
+</decoder>
+
+<decoder name="cgfw-firewall-activity-fields">
+  <parent>cgfw-firewall-activity</parent>
+  <regex type="pcre2">dstIP=([\d\.]+)</regex>
+  <order>DestinationIP</order>
+</decoder>
+
+<decoder name="cgfw-firewall-activity-fields">
+  <parent>cgfw-firewall-activity</parent>
+  <regex type="pcre2">dstPort=([\w\s]+)</regex>
+  <order>DestinationPort</order>
+</decoder>
+
+<decoder name="cgfw-firewall-activity-fields">
+  <parent>cgfw-firewall-activity</parent>
+  <regex type="pcre2">dstService=([\w\s]+)</regex>
+  <order>DestinationService</order>
+</decoder>
+
+<decoder name="cgfw-firewall-activity-fields">
+  <parent>cgfw-firewall-activity</parent>
+  <regex type="pcre2">dstIF=([\w\s]+)</regex>
+  <order>DestinationInterface</order>
+</decoder>
+
+<decoder name="cgfw-firewall-activity-fields">
+  <parent>cgfw-firewall-activity</parent>
+  <regex type="pcre2">rule=([\w\s\-]+)</regex>
+  <order>FirewallRule</order>
+</decoder>
+
+<decoder name="cgfw-firewall-activity-fields">
+  <parent>cgfw-firewall-activity</parent>
+  <regex type="pcre2">info=([\w\s]+)</regex>
+  <order>Info</order>
+</decoder>
+
+<decoder name="cgfw-firewall-activity-fields">
+  <parent>cgfw-firewall-activity</parent>
+  <regex type="pcre2">srcNAT=([\d\.]+)</regex>
+  <order>SourceNAT</order>
+</decoder>
+
+<decoder name="cgfw-firewall-activity-fields">
+  <parent>cgfw-firewall-activity</parent>
+  <regex type="pcre2">dstNAT=([\d\.]+)</regex>
+  <order>DestinationNAT</order>
+</decoder>
+
+<decoder name="cgfw-firewall-activity-fields">
+  <parent>cgfw-firewall-activity</parent>
+  <regex type="pcre2">duration=([\d]+)</regex>
+  <order>Duration</order>
+</decoder>
+
+<decoder name="cgfw-firewall-activity-fields">
+  <parent>cgfw-firewall-activity</parent>
+  <regex type="pcre2">count=([\d]+)</regex>
+  <order>Count</order>
+</decoder>
+
+<decoder name="cgfw-firewall-activity-fields">
+  <parent>cgfw-firewall-activity</parent>
+  <regex type="pcre2">receivedBytes=([\d]+)</regex>
+  <order>ReceivedBytes</order>
+</decoder>
+
+<decoder name="cgfw-firewall-activity-fields">
+  <parent>cgfw-firewall-activity</parent>
+  <regex type="pcre2">sentBytes=([\d]+)</regex>
+  <order>SentBytes</order>
+</decoder>
+
+<decoder name="cgfw-firewall-activity-fields">
+  <parent>cgfw-firewall-activity</parent>
+  <regex type="pcre2">receivedPackets=([\d]+)</regex>
+  <order>ReceivedPackets</order>
+</decoder>
+
+<decoder name="cgfw-firewall-activity-fields">
+  <parent>cgfw-firewall-activity</parent>
+  <regex type="pcre2">sentPackets=([\d]+)</regex>
+  <order>SentPackets</order>
+</decoder>
+
+<decoder name="cgfw-firewall-activity-fields">
+  <parent>cgfw-firewall-activity</parent>
+  <regex type="pcre2">user=([\w\s]+)</regex>
+  <order>User</order>
+</decoder>
+
+<decoder name="cgfw-firewall-activity-fields">
+  <parent>cgfw-firewall-activity</parent>
+  <regex type="pcre2">protocol=([\w\s]+)</regex>
+  <order>L7Protocol</order>
+</decoder>
+
+<decoder name="cgfw-firewall-activity-fields">
+  <parent>cgfw-firewall-activity</parent>
+  <regex type="pcre2">application=([\w\s]+)</regex>
+  <order>Application</order>
+</decoder>
+
+<decoder name="cgfw-firewall-activity-fields">
+  <parent>cgfw-firewall-activity</parent>
+  <regex type="pcre2">target=([\w\s]+)</regex>
+  <order>Target</order>
+</decoder>
+
+<decoder name="cgfw-firewall-activity-fields">
+  <parent>cgfw-firewall-activity</parent>
+  <regex type="pcre2">content=([\w\s]+)</regex>
+  <order>Content</order>
+</decoder>
+
+<decoder name="cgfw-firewall-activity-fields">
+  <parent>cgfw-firewall-activity</parent>
+  <regex type="pcre2">urlcat=([\w\s]+)</regex>
+  <order>URLCategory</order>
+</decoder>
+