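# CrowdSec parser for FreeSWITCH (sofia SIP stack) registration/authentication
# warnings. Only runs on events whose syslog program name starts with
# "freeswitch" (evt.Parsed.program is presumably filled by an upstream syslog
# parser — not visible here).
filter: "evt.Parsed.program startsWith 'freeswitch'"
# A successful parse promotes the event to the next stage (scenarios).
onsuccess: next_stage

name: crowdsecurity/freeswitch
description: "Parse freeswitch logs"
pattern_syntax:
  # Local grok alias used by the outer node. It carries no timezone, so the
  # evt.StrTime built from it below is interpreted by the agent, not the log.
  TIMESTAMP: '%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{HOUR}:%{MINUTE}:%{SECOND}'
nodes:
  # Outer gate: only [WARNING] lines emitted by sofia_reg.c are considered.
  # Everything after the source-line number is handed to the sub-nodes as
  # `parsedmessage`; a line that passes this gate but matches none of the three
  # sub-nodes leaves no remote_ip/sub_type behind (see source_ip static below).
  - grok:
      pattern: '%{TIMESTAMP:timestamp}.*\[WARNING\] sofia_reg.c:\d+ %{GREEDYDATA:parsedmessage}'
      apply_on: message
      nodes:
        # Lookup of an unknown SIP user (extension enumeration).
        # NOTE(review): the `[user@domain]` content is SIP-supplied by the peer.
        # The greedy `.*` consumes as much as possible, so remote_ip is taken
        # from the trailing `from <ip>` as long as `@%{IPORHOST}\]` matches the
        # real domain; if the domain can fail IPORHOST, backtracking could
        # instead pick an `@x] from y` planted in the user field and the ban
        # would land on a spoofed address. Anchoring the pattern with `$`
        # would close that — confirm the exact log format first.
        - grok:
            pattern: "Can't find user \\[.*@%{IPORHOST}\\] from %{IPORHOST:remote_ip}"
            apply_on: parsedmessage
            onsuccess: next_stage
            statics:
              - meta: sub_type
                value: user_enumeration
        # REGISTER rejected by the profile's apply-register-acl.
        - grok:
            pattern: "IP %{IPORHOST:remote_ip} Rejected by register acl"
            apply_on: parsedmessage
            onsuccess: next_stage
            statics:
              - meta: sub_type
                value: acl_reject
        # Digest auth failure on REGISTER or INVITE. The profile name and the
        # bracketed identity are matched with `.*`; only the final
        # `from ip <ip>` is trusted for remote_ip.
        # NOTE(review): IPORHOST also admits hostnames, so source_ip is not
        # guaranteed to be an IP literal unless FreeSWITCH always logs one.
        - grok:
            pattern: "SIP auth failure \\((REGISTER|INVITE)\\) on sofia profile '.*' for \\[.*\\] from ip %{IPORHOST:remote_ip}"
            apply_on: parsedmessage
            onsuccess: next_stage
            statics:
              - meta: sub_type
                value: auth_failure
# Applied to every event that exits this parser successfully.
statics:
  - meta: service
    value: freeswitch
  # Event time comes from the log line, not from ingestion time.
  - target: evt.StrTime
    expression: evt.Parsed.timestamp
  # source_ip drives decisions downstream; it is empty when no sub-node set
  # remote_ip (outer grok matched, no sub-node matched) — scenarios should
  # key on meta.sub_type as well.
  - meta: source_ip
    expression: evt.Parsed.remote_ip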