duncaninnes/auditavc.pattern

## auditavc.pattern
AVCDEV (%{NUMBER:devmaj}:%{NUMBER:devmin})
AUDITAVC (?:type=%{WORD:audit_type} audit\(%{NUMBER:audit_epoch}:%{NUMBER:audit_counter}\): avc:\s*%{WORD:avc_action}\s*\{ %{WORD:avc_type} \} for\s*pid=(%{NUMBER:avc_pid})? comm=\"(%{WORD:avc_comm})?\" %{WORD:avc_class}=\"(%{NOTSPACE:avc_class_value})?\"( dev=(%{AVCDEV:avc_dev})? ino=(%{NUMBER:avc_ino})?)? scontext=(%{NOTSPACE:avc_scontext})? tcontext=(%{NOTSPACE:avc_tcontext})? tclass=(%{WORD:avc_tclass})?)

## iptables.pattern
NETFILTERMAC %{COMMONMAC:dst_mac}:%{COMMONMAC:src_mac}:%{ETHTYPE:ethtype}
ETHTYPE (?:(?:[A-Fa-f0-9]{2}):(?:[A-Fa-f0-9]{2}))
IPTABLES1 (?:%{WORD:fw}: IN=(%{WORD:in_device})? OUT=(%{WORD:out_device})? (MAC=%{NETFILTERMAC})?.*SRC=%{IP:src_ip} DST=%{IP:dst_ip}.*PROTO=%{WORD:proto}?.*SPT=%{INT:src_port}?.*DPT=%{INT:dst_port}?.*)
IPTABLES2 (?:%{WORD:fw}: IN=(%{WORD:in_device})? OUT=(%{WORD:out_device})? (MAC=%{NETFILTERMAC})?.*SRC=%{IP:src_ip} DST=%{IP:dst_ip}.*PROTO=%{INT:proto}?.*)
FWLOG (?:%{IPTABLES1}|%{IPTABLES2})
	NETFILTERMAC %{COMMONMAC:dst_mac}:%{COMMONMAC:src_mac}:%{ETHTYPE:ethtype}
	ETHTYPE (?:(?:[A-Fa-f0-9]{2}):(?:[A-Fa-f0-9]{2}))
	IPTABLES1 (?:%{WORD:fw}: IN=(%{WORD:in_device})? OUT=(%{WORD:out_device})? (MAC=%{NETFILTERMAC})?.SRC=%{IP:src_ip} DST=%{IP:dst_ip}.PROTO=%{WORD:proto}?.SPT=%{INT:src_port}?.DPT=%{INT:dst_port}?.*)
	IPTABLES2 (?:%{WORD:fw}: IN=(%{WORD:in_device})? OUT=(%{WORD:out_device})? (MAC=%{NETFILTERMAC})?.SRC=%{IP:src_ip} DST=%{IP:dst_ip}.PROTO=%{INT:proto}?.*)
	FWLOG (?:%{IPTABLES1}\|%{IPTABLES2})