Lets start another try

Trying again
4 years ago · 33402542bf
parent ecbe22d752
commit 33402542bf
3 changed files with 9 additions and 7 deletions
--- a/collections/freeswitch.yaml
+++ b/collections/freeswitch.yaml
@ -1,10 +1,9 @@
 parsers:
  - haileyxb/freeswitch
 scenarios:
-  - haileyxb/freeswitch
+  - haileyxb/freeswitch-bf
 description: "freeswitch support : logs and brute-force scenarios"
 author: haileyxb
 tags:
  - linux
  - freeswitch
  - bruteforce
--- a/parsers/s01-parse/freeswitch.yaml
+++ b/parsers/s01-parse/freeswitch.yaml
@ -2,14 +2,17 @@ onsuccess: next_stage
 debug: true
 name: haileyxb/freeswitch
 description: "Parse Freeswitch logs"
-filter: "evt.Parsed.program == 'freeswitch'"
+filter: evt.Parsed.program == 'freeswitch'
 pattern_syntax:
  FS_TIMESTAMP: '202[12]-[01][0-9]-[01]\d \d\d:\d\d:\d\d.\d+'
  FS_EXTENSION: '\[[0-9a-zA-Z]+@107.170.213.226\]'
 grok:
-  pattern: \\"202[12]-[01][0-9]-[01]\d \d\d:\d\d:\d\d.\d\d\d\d\d\d \\[WARNING\\]sofia_reg.c:1739 SIP auth failure (REGISTER) on sofia profile 'internal' for \\[[0-9a-zA-Z]+@107.170.213.226\\] from ip {IP:source_ip}\\"
+  pattern: ^%{FS_TIMESTAMP:timestamp} \[WARNING\]sofia_reg.c:1739 SIP auth failure (REGISTER) on sofia profile 'internal' for %{FS_EXTENSION:fs_exten} from ip %{IP:source_ip}$
  apply_on: message
 statics:
  - meta: log_type
    value: freeswitch_failed_auth
  - meta: source_ip
    expression: "evt.Parsed.source_ip"
-  - meta: user
+  - meta: exten
-    expression: "evt.Parsed.user"
+    expression: "evt.Parsed.fs_exten"
--- a/scenarios/freeswitch-bf.yaml
+++ b/scenarios/freeswitch-bf.yaml
@ -11,4 +11,4 @@ blackhole: 10m
 labels:
 service: freeswitch
 type: bruteforce
- remediation: true
+ remediation: false