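<!--
  Wazuh decoders for Linux auditd EXECVE records.

  Layout: one root decoder claims every line that starts with "type=EXECVE";
  the child decoders below all carry the same name ("auditd-execve") and
  declare that name as their <parent>. Each child extracts a single field.
  NOTE(review): this same-name sibling layout relies on the decoder engine
  evaluating each sibling in turn rather than stopping at the first match;
  confirm that against the Wazuh release in use.

  NOTE(review): the stock Wazuh ruleset ships its own auditd decoders. Which
  decoder ends up claiming a type=EXECVE line depends on decoder load order,
  so verify this file is loaded where intended and neither shadows nor loses
  to the stock decoder.

  Sample record (author's example; note its argc=2 does not agree with the
  four aN entries shown, real records carry the true count):
  type=EXECVE msg=audit(1672268062.108:138472): argc=2 a0="base64" a1="-d" a2="t" a3="chmod"

  Fields produced:
    audit.id             serial number after the colon in msg=audit(<epoch>.<ms>:<serial>)
    audit.execve.a0..a7  the first eight argv entries, only in their quoted form aN="..."

  Known limitation (matters for detection): auditd emits an argv entry that
  contains whitespace, quotes or non-printable bytes as an unquoted hex string
  (aN=<hex>), which the aN="..." regexes below do not match, so the
  corresponding audit.execve.aN field stays unset for exactly the arguments
  most likely to hold a shell one-liner. The raw value is still in full_log.
  Arguments a8 and beyond are not decoded at all.
-->

<!-- Root: accept only EXECVE records; the rest of the line is left to the children. -->
<decoder name="auditd-execve">
  <prematch>^type=EXECVE</prematch>
</decoder>

<!-- audit.id: the serial after the colon in msg=audit(<10-digit epoch seconds>.<3-digit ms>:<serial>).
     offset="after_parent" anchors the regex right after the matched prematch. -->
<decoder name="auditd-execve">
  <parent>auditd-execve</parent>
  <regex offset="after_parent">msg=audit\(\d\d\d\d\d\d\d\d\d\d.\d\d\d:(\d+)\): </regex>
  <order>audit.id</order>
</decoder>

<!-- argv[0]: anchored on the preceding "argc=N " so it is read from the argument
     list and not from an a0= substring elsewhere in the line. -->
<decoder name="auditd-execve">
  <parent>auditd-execve</parent>
  <regex>argc=\d+ a0="(\.*)"</regex>
  <order>audit.execve.a0</order>
</decoder>

<!-- argv[1]..argv[7]: one sibling per argument, each matching only the quoted form aN="...". -->
<decoder name="auditd-execve">
  <parent>auditd-execve</parent>
  <regex>a1="(\.*)"</regex>
  <order>audit.execve.a1</order>
</decoder>

<decoder name="auditd-execve">
  <parent>auditd-execve</parent>
  <regex>a2="(\.*)"</regex>
  <order>audit.execve.a2</order>
</decoder>

<decoder name="auditd-execve">
  <parent>auditd-execve</parent>
  <regex>a3="(\.*)"</regex>
  <order>audit.execve.a3</order>
</decoder>

<decoder name="auditd-execve">
  <parent>auditd-execve</parent>
  <regex>a4="(\.*)"</regex>
  <order>audit.execve.a4</order>
</decoder>

<decoder name="auditd-execve">
  <parent>auditd-execve</parent>
  <regex>a5="(\.*)"</regex>
  <order>audit.execve.a5</order>
</decoder>

<decoder name="auditd-execve">
  <parent>auditd-execve</parent>
  <regex>a6="(\.*)"</regex>
  <order>audit.execve.a6</order>
</decoder>

<decoder name="auditd-execve">
  <parent>auditd-execve</parent>
  <regex>a7="(\.*)"</regex>
  <order>audit.execve.a7</order>
</decoder>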