diff --git a/collections/freeswitch.yaml b/collections/freeswitch.yaml
index e872cc7..ac25823 100644
--- a/collections/freeswitch.yaml
+++ b/collections/freeswitch.yaml
@@ -1,10 +1,9 @@
 parsers:
 - haileyxb/freeswitch
 scenarios:
- - haileyxb/freeswitch
+ - haileyxb/freeswitch-bf
 description: "freeswitch support : logs and brute-force scenarios"
 author: haileyxb
 tags:
 - linux
 - freeswitch
- - bruteforce
\ No newline at end of file
diff --git a/parsers/s01-parse/freeswitch.yaml b/parsers/s01-parse/freeswitch.yaml
index 2931f65..cf4ed32 100644
--- a/parsers/s01-parse/freeswitch.yaml
+++ b/parsers/s01-parse/freeswitch.yaml
@@ -2,14 +2,17 @@ onsuccess: next_stage
 debug: true
 name: haileyxb/freeswitch
 description: "Parse Freeswitch logs"
-filter: "evt.Parsed.program == 'freeswitch'"
+filter: evt.Parsed.program == 'freeswitch'
+pattern_syntax:
+ FS_TIMESTAMP: '202[12]-[01][0-9]-[01]\d \d\d:\d\d:\d\d.\d+'
+ FS_EXTENSION: '\[[0-9a-zA-Z]+@107.170.213.226\]'
 grok:
- pattern: \\"202[12]-[01][0-9]-[01]\d \d\d:\d\d:\d\d.\d\d\d\d\d\d \\[WARNING\\]sofia_reg.c:1739 SIP auth failure (REGISTER) on sofia profile 'internal' for \\[[0-9a-zA-Z]+@107.170.213.226\\] from ip {IP:source_ip}\\"
+ pattern: ^%{FS_TIMESTAMP:timestamp} \[WARNING\]sofia_reg.c:1739 SIP auth failure (REGISTER) on sofia profile 'internal' for %{FS_EXTENSION:fs_exten} from ip %{IP:source_ip}$
 apply_on: message
 statics:
 - meta: log_type
 value: freeswitch_failed_auth
 - meta: source_ip
 expression: "evt.Parsed.source_ip"
- - meta: user
- expression: "evt.Parsed.user"
+ - meta: exten
+ expression: "evt.Parsed.fs_exten"
diff --git a/scenarios/freeswitch.yaml b/scenarios/freeswitch-bf.yaml
similarity index 89%
rename from scenarios/freeswitch.yaml
rename to scenarios/freeswitch-bf.yaml
index 1954a53..87988f6 100644
--- a/scenarios/freeswitch.yaml
+++ b/scenarios/freeswitch-bf.yaml
@@ -11,4 +11,4 @@ blackhole: 10m
 labels:
 service: freeswitch
 type: bruteforce
- remediation: true
\ No newline at end of file
+ remediation: false
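Review bot: `FS_EXTENSION` in the new `pattern_syntax` block hard-codes a single host address, `107.170.213.226`, with unescaped dots, so the published parser only matches SIP auth failures on that one deployment and the regex accepts any character where the dots are; a shareable parser should capture the host part generically, e.g. `FS_EXTENSION: '\[[0-9a-zA-Z]+@[0-9A-Za-z._:-]+\]'`. The same brittleness sits in the rewritten grok line, where `sofia_reg.c:1739` pins a source line number that moves between FreeSWITCH builds (`sofia_reg.c:\d+` keeps the match), and in `FS_TIMESTAMP`, whose `202[12]` year prefix stops matching in 2023 and would silently switch off the brute-force detection — `\d{4}` avoids that. The `timestamp` capture is not referenced by any entry in `statics`, so it appears unused; if the event time is meant to come from the log line, add a static such as `- target: evt.StrTime` / `expression: evt.Parsed.timestamp`, otherwise drop the capture name.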
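Review bot: `remediation: false` on the renamed scenario's labels disables the one flag that CrowdSec's default profile checks before emitting a decision (`Alert.Remediation == true`), so after this change the brute-force scenario will still raise alerts but, unless a custom profile is configured, will no longer produce a ban for the offending `source_ip`; that is a weaker posture than the adjacent `type: bruteforce` label suggests. If alert-only is the intent, say so on the line, `remediation: false  # alert only: no decision is emitted under the default profile`; otherwise keep `remediation: true`. The scenario's filter and groupby are outside the hunk, so whether the alert carries an IP scope cannot be confirmed here.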