From 5576e9346400fa93790e847ed2626152c04c1803 Mon Sep 17 00:00:00 2001
From: Nitro Cao
Date: Thu, 6 Aug 2020 11:10:37 +0800
Subject: [PATCH] Add decoders to extract the username field from failed login logs of proftpd
---
decoders/0230-proftpd_decoders.xml | 27 ++++++++++++++++++++++++---
1 file changed, 24 insertions(+), 3 deletions(-)
diff --git a/decoders/0230-proftpd_decoders.xml b/decoders/0230-proftpd_decoders.xml
index 2a82578b9..0a468822b 100644
--- a/decoders/0230-proftpd_decoders.xml
+++ b/decoders/0230-proftpd_decoders.xml
@@ -17,6 +17,9 @@
 - proftpd[2344]: refused connect from 192.168.1.2 (192.168.1.2)
 - proftpd[15181]: valhalla (crawl-66-249-66-80.googlebot.com[66.249.66.80]) - Connection from crawl-66-249-66-80.googlebot.com [66.249.66.80] denied.
 - proftpd[26169] server.example.net: Fatal: unable to open incoming connection: Der Socket ist nicht verbunden
+ - proftpd[13378]: 10.22.136.85 (111.250.52.78[111.250.52.78]) - USER root (Login failed): Incorrect password
+ - proftpd[17655]: 10.22.136.85 (10.22.126.169[10.22.126.169]) - USER cronftp (Login failed): authentication via 'ssh-dss' public key failed
+ - proftpd[19969]: 10.22.136.85 (10.22.33.14[10.22.33.14]) - USER anonymous: no such user found from 10.22.33.14 [10.22.33.14] to ::ffff:10.22.136.85:21
 -->
 ^proftpd
@@ -31,8 +34,26 @@
 name, user, srcip, location
-
+
 proftpd
- ^\S+ \(\S+[(\S+)]\)|^\S+ \(\S+[(\S+)]\)
- srcip
+ \(Login failed\): Incorrect password
+ ^\S+ \(\S+[(\S+)]\)\s*\S \w+ (\S+)
+ \(Login failed\): Incorrect password
+ srcip, srcuser
+
+
+
+ proftpd
+ \(Login failed\): authentication via '\S+' public key failed
+ ^\S+ \\S+[(\S+)]\)\s*\S \w+ (\S+)
+ \(Login failed\): authentication via '\S+' public key failed
+ srcip, srcuser
+
+
+
+ proftpd
+ : no such user found from
+ ^\S+ \(\S+[(\S+)]\)\s*\S \w+ (\S+):
+ no such user found from \S+ [\S+] to \S+
+ srcip, srcuser
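Review bot: The regex of the second new decoder in the `@@ -31,8 +34,26 @@` hunk, `^\S+ \\S+[(\S+)]\)\s*\S \w+ (\S+)`, cannot match its own sample line: the sibling decoders use `^\S+ \(\S+[(\S+)]\)` for the `host (peer[ip])` prefix, and here the literal `\(` has become `\\S+`, which is not the `(` that follows the first address in `10.22.136.85 (10.22.126.169[10.22.126.169])`, so the public-key-failure prematch will fire but no srcip/srcuser will be extracted; change the line to `^\S+ \(\S+[(\S+)]\)\s*\S \w+ (\S+)`. The same hunk deletes the generic decoder whose regex was `^\S+ \(\S+[(\S+)]\)|^\S+ \(\S+[(\S+)]\)` with order `srcip`, so proftpd messages outside the three new prematches, such as the `refused connect from` and `Connection from ... denied` samples in the first hunk, lose srcip unless a decoder outside this hunk still covers them, and any rule that counts or blocks by srcip for those events stops working; keeping that decoder as the last sibling (or verifying coverage with the decoder test tool) would avoid the regression. The XML element tags and the hunk's trailing context lines are not visible on this page, so the prematch/regex/order roles above are inferred from the decoder file's usual layout. The captured srcuser is the client-supplied USER string, so it is fine as an extracted field but should not be treated by rules as a verified identity.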