tkuennen/openvpn decoders

## openvpn decoders
OpenVPN Decoders
/var/ossec/etc/ossec.conf (add)
<include>openvpn.xml</include>
/var/ossec/rules/openvpn.xml
<group name="openvpn">
  <program_name>ovpn-server</program_name>
</group>

<!-- Catch TCP connections -->
<group name="openvpn-tcp-event">
  <parent>openvpn</parent>
  <prematch offset="after_parent">^TCP connection established</prematch>
  <regex offset="after_prematch">(\d+.\d+.\d+.\d+):(\d+)$</regex>
  <order>srcip,srcport</order>
</group>

<!-- Decode peer connection event to get dstuser, srcip and srcport -->
<group name="openvpn-login-event">
  <parent>openvpn</parent>
  <prematch offset="after_parent">Peer Connection Initiated</prematch>
  <regex offset="after_parent">^(\d+.\d+.\d+.\d+):(\d+) [(\w+)] </regex>
  <order>srcip,srcport,user</order>
</group>

<!-- Get the VPN IP assigend to the user -->
<group name="openvpn-ip-assign-event">
  <parent>openvpn</parent>
  <prematch offset="after_parent">primary virtual IP for </prematch>
  <regex offset="after_prematch">^(\w+)/(\d+.\d+.\d+.\d+):(\d+): (\d+.\d+.\d+.\d+)$</regex>
  <order>user,srcip,srcport,dstip</order>
</group>

<!-- Decode events that start with user/srcip:srcport -->
<group name="openvpn-client-event">
  <parent>openvpn</parent>
  <regex offset="after_parent">^(\w+)/(\d+.\d+.\d+.\d+):(\d+) </regex>
  <order>user,srcip,srcport</order>
</group>

<!-- Decode events that start with srcip:srcport -->
<group name="openvpn-client-event">
  <parent>openvpn</parent>
  <regex offset="after_parent">^(\d+.\d+.\d+.\d+):(\d+) </regex>
  <order>srcip,srcport</order>
</group>

<!-- Get the actual event message as extra_data -->
<group name="openvpn-client-event">
  <parent>openvpn</parent>
  <regex offset="after_regex">^(\S\.*)</regex>
  <order>extra_data</order>
</group>
<!-- END OpenVPN Decoders -->
	OpenVPN Decoders
	/var/ossec/etc/ossec.conf (add)
	<include>openvpn.xml</include>
	/var/ossec/rules/openvpn.xml
	<group name="openvpn">
	<program_name>ovpn-server</program_name>
	</group>

	<!-- Catch TCP connections -->
	<group name="openvpn-tcp-event">
	<parent>openvpn</parent>
	<prematch offset="after_parent">^TCP connection established</prematch>
	<regex offset="after_prematch">(\d+.\d+.\d+.\d+):(\d+)$</regex>
	<order>srcip,srcport</order>
	</group>

	<!-- Decode peer connection event to get dstuser, srcip and srcport -->
	<group name="openvpn-login-event">
	<parent>openvpn</parent>
	<prematch offset="after_parent">Peer Connection Initiated</prematch>
	<regex offset="after_parent">^(\d+.\d+.\d+.\d+):(\d+) [(\w+)] </regex>
	<order>srcip,srcport,user</order>
	</group>

	<!-- Get the VPN IP assigend to the user -->
	<group name="openvpn-ip-assign-event">
	<parent>openvpn</parent>
	<prematch offset="after_parent">primary virtual IP for </prematch>
	<regex offset="after_prematch">^(\w+)/(\d+.\d+.\d+.\d+):(\d+): (\d+.\d+.\d+.\d+)$</regex>
	<order>user,srcip,srcport,dstip</order>
	</group>

	<!-- Decode events that start with user/srcip:srcport -->
	<group name="openvpn-client-event">
	<parent>openvpn</parent>
	<regex offset="after_parent">^(\w+)/(\d+.\d+.\d+.\d+):(\d+) </regex>
	<order>user,srcip,srcport</order>
	</group>

	<!-- Decode events that start with srcip:srcport -->
	<group name="openvpn-client-event">
	<parent>openvpn</parent>
	<regex offset="after_parent">^(\d+.\d+.\d+.\d+):(\d+) </regex>
	<order>srcip,srcport</order>
	</group>

	<!-- Get the actual event message as extra_data -->
	<group name="openvpn-client-event">
	<parent>openvpn</parent>
	<regex offset="after_regex">^(\S\.*)</regex>
	<order>extra_data</order>
	</group>
	<!-- END OpenVPN Decoders -->