From ba45fd299845c2efe6640deb8b1a3c8e1c615f6b Mon Sep 17 00:00:00 2001
From: Dh0mp5eur
Date: Fri, 19 Dec 2014 15:38:10 +0100
Subject: [PATCH] Update patterns

---
 test/action_0001.yaml | 2 +-
 test/action_0002.yaml | 2 +-
 test/action_0003.yaml | 2 +-
 test/action_0004.yaml | 9 +++++++++
 test/connect_0001.yaml | 3 ++-
 vsftpd.grok | 7 ++-----
 6 files changed, 16 insertions(+), 9 deletions(-)
 create mode 100644 test/action_0004.yaml

diff --git a/test/action_0001.yaml b/test/action_0001.yaml
index b13b6b0..d43248c 100644
--- a/test/action_0001.yaml
+++ b/test/action_0001.yaml
@@ -1,4 +1,4 @@
-pattern: VSFTPD
+pattern: VSFTPD_ACTION
 data: "[newuser] OK LOGIN: Client \"192.168.1.1\""
 result:
   vsftpd_user: newuser
diff --git a/test/action_0002.yaml b/test/action_0002.yaml
index 0e461c9..592fa55 100644
--- a/test/action_0002.yaml
+++ b/test/action_0002.yaml
@@ -1,4 +1,4 @@
-pattern: VSFTPD
+pattern: VSFTPD_ACTION
 data: "[newuser] OK UPLOAD: Client \"192.168.1.1\", \"/transfert.ACK\", 7 bytes, 0.17Kbyte/sec"
 result:
   vsftpd_user: newuser
diff --git a/test/action_0003.yaml b/test/action_0003.yaml
index c20ee36..1f7733d 100644
--- a/test/action_0003.yaml
+++ b/test/action_0003.yaml
@@ -1,4 +1,4 @@
-pattern: VSFTPD
+pattern: VSFTPD_ACTION
 data: "[newuser] FAIL LOGIN: Client \"192.168.1.1\""
 result:
   vsftpd_user: newuser
diff --git a/test/action_0004.yaml b/test/action_0004.yaml
new file mode 100644
index 0000000..9b51515
--- /dev/null
+++ b/test/action_0004.yaml
@@ -0,0 +1,9 @@
+pattern: VSFTPD_ACTION
+data: "[newuser] FAIL DOWNLOAD: Client \"192.168.1.1\", \"/transfert.ACK\", 0.00Kbyte/sec"
+result:
+  vsftpd_user: newuser
+  vsftpd_action_status: FAIL
+  vsftpd_action: DOWNLOAD
+  vsftpd_client_ip: 192.168.1.1
+  vsftpd_file: "/transfert.ACK"
+  vsftpd_file_transfer_speed: "0.00Kbyte/sec"
diff --git a/test/connect_0001.yaml b/test/connect_0001.yaml
index efa5817..1f40c38 100644
--- a/test/connect_0001.yaml
+++ b/test/connect_0001.yaml
@@ -1,4 +1,5 @@
-pattern: VSFTPD
+pattern: VSFTPD_CONNECT
 data: "CONNECT: Client \"192.168.1.1\""
 result:
+  vsftpd_action: CONNECT
   vsftpd_client_ip: 192.168.1.1
diff --git a/vsftpd.grok b/vsftpd.grok
index c290f24..8e22534 100644
--- a/vsftpd.grok
+++ b/vsftpd.grok
@@ -1,6 +1,3 @@
 # common vsftpd patterns
-VSFTPD_CONNECT CONNECT: Client \"%{IP:vsftpd_client_ip}\"
-VSFTPD_ACTION \[%{WORD:vsftpd_user}\] %{WORD:vsftpd_action_status} %{WORD:vsftpd_action}: Client \"%{IP:vsftpd_client_ip}\"(, \"%{GREEDYDATA:vsftpd_file}\", %{DATA:vsftpd_file_size}, %{DATA:vsftpd_file_transfer_speed}$|)
-
-# aggregate all patterns
-VSFTPD %{VSFTPD_CONNECT}|%{VSFTPD_ACTION}
+VSFTPD_CONNECT %{WORD:vsftpd_action}: Client \"%{IP:vsftpd_client_ip}\"
+VSFTPD_ACTION \[%{WORD:vsftpd_user}\] %{WORD:vsftpd_action_status} %{WORD:vsftpd_action}: Client \"%{IP:vsftpd_client_ip}\"(, \"%{GREEDYDATA:vsftpd_file}\", %{DATA:vsftpd_file_size}, %{DATA:vsftpd_file_transfer_speed}|, \"%{GREEDYDATA:vsftpd_file}\", %{DATA:vsftpd_file_transfer_speed}|)$
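Review bot: The new `VSFTPD_CONNECT` line replaces the literal `CONNECT` with `%{WORD:vsftpd_action}`, so the pattern is now also a substring of every `VSFTPD_ACTION` line (`LOGIN: Client "192.168.1.1"` inside `[newuser] FAIL LOGIN: Client "192.168.1.1"`); unless the consumer anchors its grok match, an action line tried against `VSFTPD_CONNECT` first is reported as a connect with `vsftpd_action` = `LOGIN` and the user and OK/FAIL status are silently dropped, which matters for anything that counts failed logins from these events. The old literal had no such overlap, and the `$` added to `VSFTPD_ACTION` suggests anchoring was intended, so `VSFTPD_CONNECT ^%{WORD:vsftpd_action}: Client \"%{IP:vsftpd_client_ip}\"$` (or restoring the literal `CONNECT`) removes the ambiguity, and a fixture asserting that an action line does not match `VSFTPD_CONNECT` would keep it that way. Separately, dropping the `VSFTPD` aggregate is a breaking change for any caller still referencing `%{VSFTPD}` and the commit message does not mention it; a sentence in the description saying that callers must now choose `VSFTPD_CONNECT` or `VSFTPD_ACTION` would help.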