Joren/Barracuda_CGFW_Wazuh
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Barracuda_CGFW_Wazuh/decoder.xml

165 lines
4.7 KiB
XML
Raw Permalink Blame History

<!--
CGFW Firewall Activity via syslog
-->
<decoder name="cgfw-firewall-activity">
<type>syslog</type>
<program_name type="pcre2">^.*\/box_Firewall_Activity</program_name>
</decoder>
<decoder name="cgfw-firewall-activity-fields">
<parent>cgfw-firewall-activity</parent>
<regex type="pcre2">type=([\w\s]+)</regex>
<order>Type</order>
</decoder>
<decoder name="cgfw-firewall-activity-fields">
<parent>cgfw-firewall-activity</parent>
<regex type="pcre2">proto=([\w\s]+)</regex>
<order>L4Protocol</order>
</decoder>
<decoder name="cgfw-firewall-activity-fields">
<parent>cgfw-firewall-activity</parent>
<regex type="pcre2">srcIF=([\w\s]+)</regex>
<order>SourceInterface</order>
</decoder>
<decoder name="cgfw-firewall-activity-fields">
<parent>cgfw-firewall-activity</parent>
<regex type="pcre2">srcIP=([\d\.]+)</regex>
<order>srcip</order>
</decoder>
<decoder name="cgfw-firewall-activity-fields">
<parent>cgfw-firewall-activity</parent>
<regex type="pcre2">srcPort=([\d\s]+)</regex>
<order>srcport</order>
</decoder>
<decoder name="cgfw-firewall-activity-fields">
<parent>cgfw-firewall-activity</parent>
<regex type="pcre2">srcMAC=([\w\d:]+)</regex>
<order>SourceMAC</order>
</decoder>
<decoder name="cgfw-firewall-activity-fields">
<parent>cgfw-firewall-activity</parent>
<regex type="pcre2">dstIP=([\d\.]+)</regex>
<order>dstip</order>
</decoder>
<decoder name="cgfw-firewall-activity-fields">
<parent>cgfw-firewall-activity</parent>
<regex type="pcre2">dstPort=([\w\s]+)</regex>
<order>dstport</order>
</decoder>
<decoder name="cgfw-firewall-activity-fields">
<parent>cgfw-firewall-activity</parent>
<regex type="pcre2">dstService=([\w\s]+)</regex>
<order>DestinationService</order>
</decoder>
<decoder name="cgfw-firewall-activity-fields">
<parent>cgfw-firewall-activity</parent>
<regex type="pcre2">dstIF=([\w\s]+)</regex>
<order>DestinationInterface</order>
</decoder>
<decoder name="cgfw-firewall-activity-fields">
<parent>cgfw-firewall-activity</parent>
<regex type="pcre2">rule=([\w\s\-]+)</regex>
<order>FirewallRule</order>
</decoder>
<decoder name="cgfw-firewall-activity-fields">
<parent>cgfw-firewall-activity</parent>
<regex type="pcre2">info=([\w\s]+)</regex>
<order>Info</order>
</decoder>
<decoder name="cgfw-firewall-activity-fields">
<parent>cgfw-firewall-activity</parent>
<regex type="pcre2">srcNAT=([\d\.]+)</regex>
<order>SourceNAT</order>
</decoder>
<decoder name="cgfw-firewall-activity-fields">
<parent>cgfw-firewall-activity</parent>
<regex type="pcre2">dstNAT=([\d\.]+)</regex>
<order>DestinationNAT</order>
</decoder>
<decoder name="cgfw-firewall-activity-fields">
<parent>cgfw-firewall-activity</parent>
<regex type="pcre2">duration=([\d]+)</regex>
<order>Duration</order>
</decoder>
<decoder name="cgfw-firewall-activity-fields">
<parent>cgfw-firewall-activity</parent>
<regex type="pcre2">count=([\d]+)</regex>
<order>Count</order>
</decoder>
<decoder name="cgfw-firewall-activity-fields">
<parent>cgfw-firewall-activity</parent>
<regex type="pcre2">receivedBytes=([\d]+)</regex>
<order>ReceivedBytes</order>
</decoder>
<decoder name="cgfw-firewall-activity-fields">
<parent>cgfw-firewall-activity</parent>
<regex type="pcre2">sentBytes=([\d]+)</regex>
<order>SentBytes</order>
</decoder>
<decoder name="cgfw-firewall-activity-fields">
<parent>cgfw-firewall-activity</parent>
<regex type="pcre2">receivedPackets=([\d]+)</regex>
<order>ReceivedPackets</order>
</decoder>
<decoder name="cgfw-firewall-activity-fields">
<parent>cgfw-firewall-activity</parent>
<regex type="pcre2">sentPackets=([\d]+)</regex>
<order>SentPackets</order>
</decoder>
<decoder name="cgfw-firewall-activity-fields">
<parent>cgfw-firewall-activity</parent>
<regex type="pcre2">user=([\w\s]+)</regex>
<order>User</order>
</decoder>
<decoder name="cgfw-firewall-activity-fields">
<parent>cgfw-firewall-activity</parent>
<regex type="pcre2">protocol=([\w\s]+)</regex>
<order>L7Protocol</order>
</decoder>
<decoder name="cgfw-firewall-activity-fields">
<parent>cgfw-firewall-activity</parent>
<regex type="pcre2">application=([\w\s]+)</regex>
<order>Application</order>
</decoder>
<decoder name="cgfw-firewall-activity-fields">
<parent>cgfw-firewall-activity</parent>
<regex type="pcre2">target=([\w\s]+)</regex>
<order>Target</order>
</decoder>
<decoder name="cgfw-firewall-activity-fields">
<parent>cgfw-firewall-activity</parent>
<regex type="pcre2">content=([\w\s]+)</regex>
<order>Content</order>
</decoder>
<decoder name="cgfw-firewall-activity-fields">
<parent>cgfw-firewall-activity</parent>
<regex type="pcre2">urlcat=([\w\s]+)</regex>
<order>URLCategory</order>
</decoder>
Reference in New Issue View Git Blame Copy Permalink