==> prelude-lml-rules-5.1.0/src/prelude-lml-rules-check <==
#!/usr/bin/env perl
#####
#
# Copyright (C) 2013-2019 CS-SI. All Rights Reserved.
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

use strict;
use warnings;

# Lists the rule ids found in each ruleset file given on the command line
# and warns when the same id is defined more than once (across all files).
if ($#ARGV < 0) {
    print "Displays rules id and check for duplicates\n";
    print "Usage : $0 RULES_FILE...\n";
    print "Example : $0 /etc/prelude-lml/ruleset/*.rules\n";
    exit 1;
}

my %ID = ();      # id => [file, line] of the first definition seen
my $rules = 0;
my $files = 0;

foreach my $f (@ARGV) {
    my @ids = ();
    open(my $in, '<', $f) || die("Cannot open $f\n");
    while (<$in>) {
        if (/^\s*id\s*=\s*(\d+)/) {
            if (defined $ID{$1}) {
                print STDERR "WARNING $f line $. : Id $1 already defined in "
                    . $ID{$1}[0] . ' line ' . $ID{$1}[1] . "\n";
            } else {
                $ID{$1} = [$f, $.];
                push(@ids, $1);
            }
            $rules++;
        }
    }
    close($in);
    $files++;
    print "$f: " . join(', ', sort { $a <=> $b } @ids) . "\n";
}
print "$rules rules in $files files\n";

==> prelude-lml-rules-5.1.0/ruleset/ntsyslog.rules <==
#FULLNAME: NTsyslog
#VERSION: 1.0
#DESCRIPTION: This program formats all System, Security, and Application events into a single line and sends them to a syslog host. This ruleset aims at analyzing the logs returned by the ntsyslog application, which converts NT events to syslog.
#####
#
# Copyright (C) 2003 Vincent Glaume
# Currently supported by G Ramon Gomez
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

#DESCRIPTION:Windows Event ID 515 - A trusted logon process has registered
#CATEGORY:Authentication
#LOG:Jul 11 09:33:18 somehost.ragingwire.net smf-eng-srobins/smf-eng-srobins security[success] 515 NT AUTHORITY\SYSTEM A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests. Logon Process Name:KSecDD
regex=security\[success\] 515 (.*) A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests. Logon Process Name:([\w\\]+); \
 classification.text=Logon process started; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=Windows Event ID; \
 classification.reference(0).name=515; \
 classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com183.html; \
 id=1400; \
 revision=2; \
 analyzer(0).name=NTsyslog; \
 analyzer(0).manufacturer=ntsyslog.sourceforge.net; \
 analyzer(0).class=Service; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=$2 has registered as a trusted logon process; \
 source(0).process.name=$2; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$1; \
 last

#DESCRIPTION:Windows Event ID 528 - Successful Logon
#CATEGORY:Authentication
#LOG:Jul 11 13:44:11 somehost.ragingwire.net smf-eng-srobins/smf-eng-srobins security[success] 528 SACRAMENTO\ggomez Successful Logon: User Name:ggomez Domain:SACRAMENTO Logon ID:(0x0,0x16AC1854) Logon Type:7 Logon Process:User32 Authentication Package:Negotiate Workstation Name:SMF-ENG-GGOMEZ Logon GUID: {621924db-649e-3b17-b41a-215e55680eb3}
regex=security\[success\] 528 (.*) Successful Logon: User Name:([\w ]+) Domain:(.+) Logon ID:\(.*\) Logon Type:(\d+) Logon Process:(\w+) .* Workstation Name:(\S+); \
 classification.text=Logon; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=Windows Event ID; \
 classification.reference(0).name=528; \
 classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com189.html; \
 id=1401; \
 revision=3; \
 analyzer(0).name=NTsyslog; \
 analyzer(0).manufacturer=ntsyslog.sourceforge.net; \
 analyzer(0).class=Service; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=user; \
 assessment.impact.description=$2 successfully logged on to $6 ($3 domain) via $5; \
 source(0).process.name=$5; \
 source(0).node.address(0).category=unknown; \
 source(0).node.address(0).address=$6; \
 source(0).node.name=$6; \
 source(0).user.category=os-device; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$1; \
 target(0).user.user_id(0).type=current-user; \
 target(0).user.user_id(0).name=$2; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=Logon type; \
 additional_data(0).data=$4; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Authentication domain; \
 additional_data(1).data=$3; \
 last

#DESCRIPTION:Windows Event ID 538 - User Logoff
#CATEGORY:Authentication
#LOG:Jun 24 15:22:39 bigipnet security[success] 538 NT AUTHORITY\ANONYMOUS LOGON User Logoff: User Name:ANONYMOUS LOGON Domain:NT AUTHORITY Logon ID:(0x0,0x938205) Logon Type:3
regex=security\[success\] 538 .* User Logoff:\s+User Name:([\w ]+) Domain:([\w ]+) Logon ID:\S+ Logon Type:(\d+); \
 classification.text=Logoff; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=Windows Event ID; \
 classification.reference(0).name=538; \
 classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com199.html; \
 id=1402; \
 revision=2; \
 analyzer(0).name=NTsyslog; \
 analyzer(0).manufacturer=ntsyslog.sourceforge.net; \
 analyzer(0).class=Service; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=user; \
 assessment.impact.description=$1 logged off; \
 source(0).user.category=os-device; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$1; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=Logon type; \
 additional_data(0).data=$3; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Authentication domain; \
 additional_data(1).data=$2; \
 last

#DESCRIPTION:Windows Event ID 560 - Object Open (Currently broken on Windows 2003; verify against older Windows)
#CATEGORY:Authentication
#LOG:Jul 11 08:55:16 somehost.ragingwire.net smf-eng-srobins/smf-eng-srobins security[success] 560 NT AUTHORITY\SYSTEM Object Open: Object Server:Security Account Manager Object Type:SAM_DOMAIN Object Name:SMF-ENG-GGOMEZ Handle ID:1290248 Operation ID:{0,378510053} Process ID:944 Image File Name: C:\WINDOWS\system32\lsass.exe Primary User Name:SMF-ENG-GGOMEZ$ Primary Domain:RES Primary Logon ID:(0x0,0x3E7) Client User Name:SMF-ENG-GGOMEZ$ Client Domain:RES Client Logon ID:(0x0,0x3E7) Accesses: %%1537 %%1538 %%1539 %%1540 %%5392 %%5393 %%5394 %%5395 %%5396 %%5398 %%5399 %%5400 %%5401 %%5402 Privileges:- Restricted Sid Count: 0
regex=security\[success\] 560 (.*) Object Open:\s* Object Server:[\w\s]+ Object Type:[\w\_]+\s* Object Name:([\w-]+)\s* Handle ID:\d+\s* Operation ID:.*\s* Process ID:(\d+) [\S ]+ Primary User Name:(\S*)\s* Primary Domain:\S+\s* Primary Logon ID:\S*\s* Client User Name:(\S+)\s* Client Domain; \
 classification.text=Object opened; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=Windows Event ID; \
 classification.reference(0).name=560; \
 classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com202.html; \
 id=1403; \
 revision=2; \
 analyzer(0).name=NTsyslog; \
 analyzer(0).manufacturer=ntsyslog.sourceforge.net; \
 analyzer(0).class=Service; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=Process $3 opened object $2; \
 source(0).user.category=os-device; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$1; \
 source(0).user.user_id(1).type=current-user; \
 source(0).user.user_id(1).name=$4; \
 source(0).user.user_id(2).type=current-user; \
 source(0).user.user_id(2).name=$5; \
 source(0).process.pid=$3; \
 last

#DESCRIPTION:Windows Event ID 562 - Object closed
#CATEGORY:Authentication
#LOG:Jul 11 08:55:16 somehost.ragingwire.net smf-eng-srobins/smf-eng-srobins security[success] 562 NT AUTHORITY\SYSTEM Handle Closed: Object Server:Security Account Manager Handle ID:1093856 Process ID:944 Image File Name: C:\WINDOWS\system32\lsass.exe
regex=security\[success\] 562 (.*) Handle Closed: Object Server:[\w\s]+ Handle ID:(\d+) Process ID:(\d+) Image File Name: (.+); \
 classification.text=Object closed; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=Windows Event ID; \
 classification.reference(0).name=562; \
 classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com204.html; \
 id=1404; \
 revision=2; \
 analyzer(0).name=NTsyslog; \
 analyzer(0).manufacturer=ntsyslog.sourceforge.net; \
 analyzer(0).class=Service; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=Object Handle $2 closed; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$1; \
 target(0).process.pid=$3; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=Handle ID; \
 additional_data(0).data=$2; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Image; \
 additional_data(1).data=$4; \
 last

#DESCRIPTION:Windows Event ID 577 - Privileged Service Called
#CATEGORY:Authentication
#LOG:Jul 11 15:09:21 somehost.ragingwire.net smf-eng-srobins/smf-eng-srobins security[success] 577 NT AUTHORITY\SYSTEM Privileged Service Called: Server: NT Local Security Authority / Authentication Service Service:LsaRegisterLogonProcess() Primary User Name:SMF-ENG-GGOMEZ$ Primary Domain:RES Primary Logon ID:(0x0,0x3E7) Client User Name:SMF-ENG-GGOMEZ$ Client Domain:RES Client Logon ID:(0x0,0x3E7) Privileges:SeTcbPrivilege
regex= security\[success\] 577 (.*) Privileged Service Called: Server:.+ Service:(.*) Primary User Name:(.+) Primary Domain:.+ Primary Logon ID:\(.*\) Client User Name:(.+) Client Domain:.+ Client Logon ID:.+ Privileges:(.+); \
 classification.text=User privilege exercised; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=Windows Event ID; \
 classification.reference(0).name=577; \
 classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com213.html; \
 id=1406; \
 revision=2; \
 analyzer(0).name=NTsyslog; \
 analyzer(0).manufacturer=ntsyslog.sourceforge.net; \
 analyzer(0).class=Service; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=Service $2 called with the following privileges: $5; \
 source(0).user.category=os-device; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$1; \
 source(0).user.user_id(1).type=current-user; \
 source(0).user.user_id(1).name=$3; \
 source(0).user.user_id(2).type=current-user; \
 source(0).user.user_id(2).name=$4; \
 target(0).node.address(0).category=unknown; \
 target(0).node.address(0).address=$2; \
 target(0).node.name=$2; \
 last

#DESCRIPTION:Windows Event ID 643 - Domain Policy Changed
#CATEGORY:Account Management
#LOG:Oct 31 18:02:39 192.168.1.100 security[success] 643 NT AUTHORITY\SYSTEM Domain Policy Changed: Password Policy modified Domain:ELMW2 Domain ID:ELMW2 Caller User Name:W2DC$ Caller Domain:ELMW2 Caller Logon ID:(0x0,0x3E7) Privileges:-
regex= security\[success\] 643 (.*) Domain Policy Changed: Password Policy modified Domain:(.+) Domain ID:.+ Caller User Name:(.+); \
 classification.text=Password policy modified; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=Windows Event ID; \
 classification.reference(0).name=643; \
 classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com263.html; \
 id=1407; \
 revision=2; \
 analyzer(0).name=NTsyslog; \
 analyzer(0).manufacturer=ntsyslog.sourceforge.net; \
 analyzer(0).class=Service; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=User $3 modified the password policy for the $2 domain; \
 source(0).user.category=os-device; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$1; \
 source(0).user.user_id(1).type=current-user; \
 source(0).user.user_id(1).name=$3; \
 last

#DESCRIPTION:Windows Event ID 680 - Account Used for Logon
#CATEGORY:Authentication
#LOG:Oct 22 20:57:03 smf-syslog-02 smf-dc-01/smf-dc-01 security[success] Account Used for Logon by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Account Name: DRankin Workstation: SMF-HLP-16
regex= security\[success\].*Account Used for Logon by: (.+) Account Name: (.+) Workstation: (.+); \
 classification.text=Login; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=Windows Event ID; \
 classification.reference(0).name=680; \
 classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com304.html; \
 id=1408; \
 revision=3; \
 analyzer(0).name=NTsyslog; \
 analyzer(0).manufacturer=ntsyslog.sourceforge.net; \
 analyzer(0).class=Service; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=user; \
 assessment.impact.description=Logon attempt on $3 using the $2 account; \
 source(0).node.address(0).category=unknown; \
 source(0).node.address(0).address=$3; \
 source(0).node.name=$3; \
 source(0).process.name=$1; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$2; \
 last

#DESCRIPTION:Windows Event ID 682 - Session reconnected to winstation
#CATEGORY:Authentication
#LOG:Oct 31 18:02:39 192.168.1.100 security[success] 682 NT AUTHORITY\SYSTEM Session reconnected to winstation: User Name:Jean Dupond Domain:IBM17M Logon ID:(0x0,0x1F5A9C) Session Name:Console Client Name:Unknown Client Address:1.1.1.1
regex= security\[success\] 682 (.*) Session reconnected to winstation: User Name:([\w ]+) Domain:.+ Logon ID:\(.+\) Session Name:.+ Client Name:(.+) Client Address:([\d\.]+); \
 classification.text=Remote control user reconnected; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=Windows Event ID; \
 classification.reference(0).name=682; \
 classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com306.html; \
 id=1409; \
 revision=2; \
 analyzer(0).name=NTsyslog; \
 analyzer(0).manufacturer=ntsyslog.sourceforge.net; \
 analyzer(0).class=Service; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=Session reconnection from $4; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$4; \
 source(0).node.address(1).category=unknown; \
 source(0).node.address(1).address=$3; \
 source(0).node.name=$3; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$1; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$2; \
 last

#DESCRIPTION:Windows Event ID 683 - Session disconnected from winstation
#CATEGORY:Authentication
#LOG:Oct 31 18:02:39 192.168.1.100 security[success] 683 NT AUTHORITY\SYSTEM Session disconnected from winstation: User Name:administrator Domain:ELMW2 Logon ID:(0x0,0x5BAA5) Session Name:Unknown Client Name:CPQ Client Address:10.42.42.90
regex= security\[success\] 683 (.*) Session disconnected from winstation: User Name:([\w ]+) Domain:.+ Logon ID:\(.+\) Session Name:.+ Client Name:(.+) Client Address:([\d\.]+); \
 classification.text=Remote control user disconnected; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=Windows Event ID; \
 classification.reference(0).name=683; \
 classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com307.html; \
 id=1410; \
 revision=2; \
 analyzer(0).name=NTsyslog; \
 analyzer(0).manufacturer=ntsyslog.sourceforge.net; \
 analyzer(0).class=Service; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=Session disconnection from $4; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$4; \
 source(0).node.address(1).category=unknown; \
 source(0).node.address(1).address=$3; \
 source(0).node.name=$3; \
 source(0).user.user_id(0).type=target-user; \
 source(0).user.user_id(0).name=$1; \
 source(0).user.user_id(1).type=current-user; \
 source(0).user.user_id(1).name=$2; \
 last

#DESCRIPTION:Windows Event ID other - Security Success message
#CATEGORY:Generic
#regex= security\[success\] (\d+); \
# classification.text=Windows Event ID [$1]; \
# id=1411; \
# revision=1; \
# analyzer(0).name=NTsyslog; \
# analyzer(0).manufacturer=ntsyslog.sourceforge.net; \
# analyzer(0).class=Service; \
# assessment.impact.severity=low; \
# assessment.impact.type=other; \
# assessment.impact.description=Security Success message with identifier #$1; \
# last

#DESCRIPTION:Windows Event ID other - Security Failure message
#CATEGORY:Generic
#regex= security\[failure\] (\d+); \
# classification.text=Windows Event ID [$1]; \
# id=1416; \
# revision=1; \
# analyzer(0).name=NTsyslog; \
# analyzer(0).manufacturer=ntsyslog.sourceforge.net; \
# analyzer(0).class=Service; \
# assessment.impact.severity=medium; \
# assessment.impact.type=other; \
# assessment.impact.description=Security Failure message with identifier #$1; \
# last

#DESCRIPTION:Windows Event ID 529 or 534 - Logon Failure
#CATEGORY:Authentication
#LOG:Dec 10 00:23:37 webbrain.itg.sac.tfs security[failure] 529 NT AUTHORITY\SYSTEM Logon Failure: Reason:Unknown user name or bad password User Name:administrator Domain:ITG Logon Type:2 Logon Process:Advapi Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Workstation Name:WEBBRAIN
regex=security\[failure\] (529|534) .+ Logon Failure: Reason:(.+) User Name:([\w ]+) Domain:(.+) Logon Type:(\d+) Logon Process:(\w+) Authentication Package:.+ Workstation Name:(.+); \
 classification.text=Login; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=Windows Event ID; \
 classification.reference(0).name=$1; \
 id=1412; \
 revision=3; \
 analyzer(0).name=NTsyslog; \
 analyzer(0).manufacturer=ntsyslog.sourceforge.net; \
 analyzer(0).class=Service; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=failed; \
 assessment.impact.type=user; \
 assessment.impact.description=Logon as $3 failed: $2; \
 source(0).process.name=$6; \
 target(0).node.address(0).category=unknown; \
 target(0).node.address(0).address=$7; \
 target(0).node.name=$7; \
 target(0).user.category=os-device; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$3; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=Logon type; \
 additional_data(0).data=$5; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Authentication domain; \
 additional_data(1).data=$4; \
 last

#DESCRIPTION:Windows Event ID 578 - Privileged object operation
#CATEGORY:Authentication
#LOG:Dec 9 17:42:49 testdb.itg.sac.tfs security[failure] 578 ITG\mzirion Privileged object operation: Object Server:Security Object Handle:4294967295 Process ID:3540 Primary User Name:TESTDB$ Primary Domain:ITG Primary Logon ID:(0x0,0x3E7) Client User Name:mzirion Client Domain:ITG Client Logon ID:(0x2,0x5E829351) Privileges:SeIncreaseBasePriorityPrivilege
regex=security\[failure\] 578 .+ Privileged object operation: Object Server:Security Object Handle:\d+ Process ID:(\d+) Primary User Name:(.+) Primary Domain:(.+) Primary Logon ID:\(.*\) Client User Name:([\w ]+) Client.+Privileges:(\S+); \
 classification.text=User privilege exercised; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=Windows Event ID; \
 classification.reference(0).name=578; \
 classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com214.html; \
 id=1413; \
 revision=2; \
 analyzer(0).name=NTsyslog; \
 analyzer(0).manufacturer=ntsyslog.sourceforge.net; \
 analyzer(0).class=Service; \
 assessment.impact.severity=medium; \
 assessment.impact.type=user; \
 target(0).process.pid=$1; \
 source(0).user.category=os-device; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$2; \
 source(0).user.user_id(1).type=current-user; \
 source(0).user.user_id(1).name=$4; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Authentication domain; \
 additional_data(0).data=$3; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Privileges; \
 additional_data(1).data=$5; \
 last

#DESCRIPTION:Windows Event ID 627 - Attempt to change password
#CATEGORY:Account Management
#LOG:Dec 7 20:07:49 testdb.itg.sac.tfs security[failure] 627 NT AUTHORITY\SYSTEM Change Password Attempt: Target Account Name:TsInternetUser Target Domain:TESTDB Target Account ID: %{S-1-5-21-854245398-413027322-725345543-1000} Caller User Name:TESTDB$ Caller Domain:ITG Caller Logon ID:(0x0,0x3E7) Privileges:-
regex= security\[failure\] 627 (.+) Change Password Attempt: Target Account Name:(.+) Target Domain:(.+) Target Account ID:.+ Caller User Name:(.+); \
 classification.text=Password change; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=Windows Event ID; \
 classification.reference(0).name=627; \
 classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com247.html; \
 id=1414; \
 revision=2; \
 analyzer(0).name=NTsyslog; \
 analyzer(0).manufacturer=ntsyslog.sourceforge.net; \
 analyzer(0).class=Service; \
 assessment.impact.severity=medium; \
 assessment.impact.type=user; \
 assessment.impact.description=$4 attempted to change the password for $2 on the $3 domain; \
 source(0).user.category=os-device; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$1; \
 source(0).user.user_id(1).type=current-user; \
 source(0).user.user_id(1).name=$4; \
 target(0).user.category=os-device; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$2; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Authentication domain; \
 additional_data(0).data=$3; \
 last

#DESCRIPTION:Windows Event ID 681 - Logon to account
#CATEGORY:Authentication
#LOG:Dec 10 08:20:07 mrfreeze.itg.sac.tfs security[failure] 681 NT AUTHORITY\SYSTEM The logon to account: tfslegalask@itg.sac.tfs by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: MRFREEZE failed. The error code was: 3221225572
regex=security\[failure\] 681 (.+) The logon to account: (\S+) by:.+ from workstation: (\w+); \
 classification.text=Login; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=Windows Event ID; \
 classification.reference(0).name=681; \
 classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com326.html; \
 id=1415; \
 revision=3; \
 analyzer(0).name=NTsyslog; \
 analyzer(0).manufacturer=ntsyslog.sourceforge.net; \
 analyzer(0).class=Service; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=failed; \
 assessment.impact.type=user; \
 assessment.impact.description=Logon as $2 from $3 failed; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$1; \
 source(0).node.address(0).category=unknown; \
 source(0).node.address(0).address=$3; \
 source(0).node.name=$3; \
 target(0).user.category=os-device; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$2; \
 last

==> prelude-lml-rules-5.1.0/ruleset/nxlog_windows.rules <==
#FULLNAME: NXLog Windows
#VERSION: 1.0
#DESCRIPTION: NXLOG is a universal log collector and forwarder supporting different platforms (BSD, Unix, Linux, Windows, Android), log sources and protocols (Syslog, Windows EventLog, Graylog2 GELF, XML, JSON, CSV and more)
#####
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

#DESCRIPTION:User account password has been changed
#CATEGORY:Account Management
#LOG:Aug 4 10:43:59 WIN-EDVLDBQ49OJ.rs.prelude MSWinEventLog 1 Security 644 Thu Aug 04 10:43:59 2016 4738 Microsoft-Windows-Security-Auditing N/A N/A Success Audit WIN-EDVLDBQ49OJ.rs.prelude Gestion des comptes d’utilisateur Un compte d’utilisateur a été modifié. Sujet : ID de sécurité : S-1-5-7 Nom du compte : ANONYMOUS LOGON Domaine du compte : AUTORITE NT ID d’ouverture de session : 0x3e6 Compte cible : ID de sécurité : S-1-5-21-3077753346-2009837333-1327024817-1105 Nom du compte : fpo Domaine du compte : RS Attributs modifiés : Nom du compte SAM : - Nom complet : - Nom principal de l’utilisateur : - Répertoire de base : - Lecteur de base : - Chemin d’accès au script : - Chemin d’accès au profil : - Stations de travail utilisateurs : - Dernière modification du mot de passe le : 04/08/2016 10:43:59 Le compte expire le : - ID de groupe principal : - Délégué autorisé : - Ancienne valeur UAC : - Nouvelle valeur UAC : - Contrôle du compte d’utilisateur : - Paramètres utilisateur : - Historique SID : - Horaire d’accès : - Informations supplémentaires : Privilèges: - 12535
#LOG:Aug 4 10:43:59 WIN-EDVLDBQ49OJ.rs.prelude MSWinEventLog 1 Security 647 Thu Aug 04 10:43:59 2016 4738 Microsoft-Windows-Security-Auditing N/A N/A Success Audit WIN-EDVLDBQ49OJ.rs.prelude Gestion des comptes d’utilisateur Un compte d’utilisateur a été modifié. Sujet : ID de sécurité : S-1-5-21-3077753346-2009837333-1327024817-500 Nom du compte : Administrateur Domaine du compte : RS ID d’ouverture de session : 0x5cba0 Compte cible : ID de sécurité : S-1-5-21-3077753346-2009837333-1327024817-1105 Nom du compte : fpo Domaine du compte : RS Attributs modifiés : Nom du compte SAM : - Nom complet : - Nom principal de l’utilisateur : - Répertoire de base : - Lecteur de base : - Chemin d’accès au script : - Chemin d’accès au profil : - Stations de travail utilisateurs : - Dernière modification du mot de passe le : - Le compte expire le : - ID de groupe principal : - Délégué autorisé : - Ancienne valeur UAC : 0x15 Nouvelle valeur UAC : 0x211 Contrôle du compte d’utilisateur : 'Mot de passe non nécessaire' - Désactivé 'Ne pas faire expirer le mot de passe' - Activé Paramètres utilisateur : - Historique SID : - Horaire d’accès : - Informations supplémentaires : Privilèges: - 12538
#LOG:Aug 4 10:43:59 WIN-EDVLDBQ49OJ.rs.prelude MSWinEventLog 1 Security 648 Thu Aug 04 10:43:59 2016 4738 Microsoft-Windows-Security-Auditing N/A N/A Success Audit WIN-EDVLDBQ49OJ.rs.prelude Gestion des comptes d’utilisateur Un compte d’utilisateur a été modifié. Sujet : ID de sécurité : S-1-5-21-3077753346-2009837333-1327024817-500 Nom du compte : Administrateur Domaine du compte : RS ID d’ouverture de session : 0x5cba0 Compte cible : ID de sécurité : S-1-5-21-3077753346-2009837333-1327024817-1105 Nom du compte : fpo Domaine du compte : RS Attributs modifiés : Nom du compte SAM : - Nom complet : - Nom principal de l’utilisateur : - Répertoire de base : - Lecteur de base : - Chemin d’accès au script : - Chemin d’accès au profil : - Stations de travail utilisateurs : - Dernière modification du mot de passe le : - Le compte expire le : - ID de groupe principal : - Délégué autorisé : - Ancienne valeur UAC : 0x211 Nouvelle valeur UAC : 0x210 Contrôle du compte d’utilisateur : Compte activé Paramètres utilisateur : - Historique SID : - Horaire d’accès : - Informations supplémentaires : Privilèges: - 12539
regex=MSWinEventLog.*Microsoft-Windows-Security-Auditing.*Success Audit\s+(\S+)\s+Gestion des comptes d.utilisateur.*Un compte d.utilisateur a .t. modifi.\..*Nom du compte.:\s*(.*[^ ])\s*Domaine du compte.*Nom du compte.:\s*(.*[^ ])\s*Domaine du compte; \
 id=110021; \
 revision=1; \
 classification.text=Password changed; \
 target(0).node.name=$1; \
 source(0).user.user_id(0).name=$2; \
 target(0).user.user_id(0).name=$3; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=A user account password has been changed; \
 last

==> prelude-lml-rules-5.1.0/ruleset/openhostapd.rules <==
#FULLNAME: hostapd
#VERSION: 1.0
#DESCRIPTION: hostapd is a user space daemon for wireless access point and authentication servers.
#####
#
# Copyright (C) 2005 Reyk Floeter
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
# # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2, or (at your option) # any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License along # with this program; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # ##### #DESCRIPTION:IEEE 802.11 $7 flooding #CATEGORY:Wireless Network #LOG:ath0: (rate: 100/3 sec) 00:02:dc:ed:3d:3f > 00:05:4e:45:d3:b8, bssid 00:05:4e:45:d3:b8: authentication request, regex=([a-z0-9]+):\s\(rate:\s(\d+)\/(\d+)\ssec\)\s([a-f\d\:]+)\s\>\s([a-f\d\:]+)\,\sbssid\s([a-f\d\:]+)\:\s([^\,]+); \ classification.text=IEEE 802.11 $7 flooding; \ id=2500; \ revision=1; \ analyzer(0).name=openhostapd; \ analyzer(0).manufacturer=http://www.openbsd.org; \ analyzer(0).class=Router; \ assessment.impact.type=dos; \ assessment.impact.severity=high; \ assessment.impact.description=IEEE 802.11 $7 flooding from $4 to $5 on BSSID $6; \ source(0).interface=$1; \ target(0).node.address(0).category=mac; \ target(0).node.address(0).address=$5; \ target(0).node.address(1).category=mac; \ target(0).node.address(1).address=$6; \ additional_data(0).type=string; \ additional_data(0).meaning=Event detection rate; \ additional_data(0).data=$2/$3 sec; \ last #DESCRIPTION:IEEE 802.11 flooding #CATEGORY:Wireless Network #LOG:Nov 23 19:05:49 ath0: (rate: 100/3 sec) regex=([a-z0-9]+):\s\(rate:\s(\d+)\/(\d+)\ssec\); \ classification.text=IEEE 802.11 flooding; \ id=2501; \ revision=1; \ analyzer(0).name=openhostapd; \ analyzer(0).manufacturer=http://www.openbsd.org; \ analyzer(0).class=Router; \ 
 assessment.impact.type=dos; \
 assessment.impact.severity=high; \
 assessment.impact.description=IEEE 802.11 flooding on interface $1; \
 source(0).interface=$1; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Event detection rate; \
 additional_data(0).data=$2/$3 sec; \
 last

#DESCRIPTION:Removed IEEE 802.11 node
#CATEGORY:Wireless Network
#LOG:ath0: removed node 00:05:4e:45:d3:b8
regex=([a-z0-9]+):\sremoved\snode\s([a-f\d\:]+); \
 classification.text=Removed IEEE 802.11 node; \
 id=2502; \
 revision=1; \
 analyzer(0).name=openhostapd; \
 analyzer(0).manufacturer=http://www.openbsd.org; \
 analyzer(0).class=Router; \
 assessment.impact.type=other; \
 assessment.impact.severity=low; \
 assessment.impact.description=Removed node $2 on interface $1; \
 assessment.impact.completion=succeeded; \
 source(0).interface=$1; \
 target(0).node.address(0).category=mac; \
 target(0).node.address(0).address=$2; \
 last

#DESCRIPTION:Added IEEE 802.11 node
#CATEGORY:Wireless Network
#LOG:ath0/sis0: sent ADD notification for 00:05:4e:45:d3:b8
regex=([a-z0-9]+)\/([a-z0-9]+):\ssent\sADD\snotification\sfor\s([a-f\d\:]+); \
 classification.text=Added IEEE 802.11 node; \
 id=2503; \
 revision=1; \
 analyzer(0).name=openhostapd; \
 analyzer(0).manufacturer=http://www.openbsd.org; \
 analyzer(0).class=Router; \
 assessment.impact.type=other; \
 assessment.impact.severity=low; \
 assessment.impact.description=Added node $3 on interface $1; \
 assessment.impact.completion=succeeded; \
 source(0).interface=$1; \
 target(0).interface=$2; \
 target(0).node.address(0).category=mac; \
 target(0).node.address(0).address=$3; \
 last

#DESCRIPTION:Attached IEEE 802.11 Host AP
#CATEGORY:Wireless Network
#LOG:ath0/sis0: attached Host AP interface with BSSID 00:05:4e:45:d3:b8
regex=([a-z0-9]+)\/([a-z0-9]+):\sattached\sHost\sAP\sinterface\swith\sBSSID\s([a-f\d\:]+); \
 classification.text=Attached IEEE 802.11 Host AP; \
 id=2504; \
 revision=1; \
 analyzer(0).name=openhostapd; \
 analyzer(0).manufacturer=http://www.openbsd.org; \
 analyzer(0).class=Router; \
 assessment.impact.type=other; \
 assessment.impact.severity=low; \
 assessment.impact.description=Attached Host AP $3 on interface $1; \
 assessment.impact.completion=succeeded; \
 source(0).interface=$1; \
 target(0).node.address(0).category=mac; \
 target(0).node.address(0).address=$3; \
 target(0).interface=$2; \
 last

prelude-lml-rules-5.1.0/ruleset/pam.rules

#FULLNAME: PAM
#VERSION: 1.0
#DESCRIPTION: PAM is a mechanism to integrate multiple low-level authentication schemes into a high-level application programming interface.
#####
#
# Copyright (C) 2004 Yoann Vandoorselaere
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

#DESCRIPTION:Old pam format (< 0.99):
#DESCRIPTION:Ignore opened or closed sessions
#CATEGORY:Authentication
#LOG:Apr 20 11:55:01 piche CRON[23295]: (pam_unix) session opened for user root by (uid=0)
#LOG:Apr 20 11:55:01 piche CRON[23293]: (pam_unix) session closed for user root
#LOG:Dec 14 09:31:58 piche sshd[8778]: pam_unix(ssh:session): session opened for user pollux by (uid=0)
regex=CRON\[\d+\]: \(pam_unix\) session (opened|closed) for user; \
 silent; \
 last

#DESCRIPTION:New pam format
#DESCRIPTION:Ignore opened or closed sessions (for all pam modules)
#CATEGORY:Authentication
#LOG:Dec 14 09:09:01 piche CRON[5898]: pam_unix(cron:session): session opened for user root by (uid=0)
#LOG:Dec 14 09:09:01 piche CRON[5898]: pam_unix(cron:session): session closed for user root
#LOG:Dec 14 09:31:58 piche sshd[8778]: pam_unix(ssh:session): session opened for user pollux by (uid=0)
regex=CRON\[\d+\]: \S+\(cron:\S+\): session (opened|closed) for user; \
 silent; \
 last

#DESCRIPTION:Session opened for user root
#CATEGORY:Authentication
#LOG:Apr 20 11:55:01 piche CRON[23295]: (pam_unix) session opened for user root by (uid=0)
regex=for user root by; \
 id=4; \
 assessment.impact.type=admin; \
 chained; silent

#DESCRIPTION:Session opened for user
#CATEGORY:Authentication
#LOG:Aug 14 17:32:19 blah su(pam_unix)[17944]: session opened for user root by (uid=123)
#LOG:Dec 9 18:47:10 devel5 sshd(pam_unix)[13189]: session opened for user yyyy by xxxx(uid=0)
regex=session opened for user (\S+) by (\S*)\(uid=(\d*)\); \
 optgoto=4; \
 classification.text=Credentials Change; \
 id=1; \
 revision=2; \
 analyzer(0).name=PAM; \
 analyzer(0).manufacturer=Sun Microsystems; \
 analyzer(0).class=Authentication; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=user; \
 assessment.impact.severity=low; \
 assessment.impact.description=User $2 authenticated to $1 successfully; \
 source(0).user.category=os-device; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$2; \
 source(0).user.user_id(0).number=$3; \
 target(0).user.category=os-device; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$1; \
 last

#DESCRIPTION:Authentication failure
#CATEGORY:Authentication
#LOG:Dec 21 21:18:46 share2 sshd(pam_unix)[15525]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=a.b.c.d user=root
regex=authentication failure\; logname=([^ ]*)[ ]*uid=([^ ]*)[ ]*euid=.* tty=([^ ]*)[ ]*ruser=([^ ]*)[ ]*rhost=([^ ]*)[ ]*user=([^ ]*); \
 classification.text=Credentials Change; \
 optgoto=4; \
 id=2; \
 revision=2; \
 analyzer(0).name=PAM; \
 analyzer(0).manufacturer=Sun Microsystems; \
 analyzer(0).class=Authentication; \
 assessment.impact.completion=failed; \
 assessment.impact.type=user; \
 assessment.impact.severity=high; \
 assessment.impact.description=User $4 tried to authenticate as $6 and failed; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$5; \
 source(0).user.category=os-device; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$4; \
 source(0).user.user_id(0).tty=$3; \
 source(0).user.user_id(0).number=$2; \
 target(0).user.category=os-device; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$6; \
 last

#DESCRIPTION:No such user
#CATEGORY:Authentication
#LOG:Dec 21 21:18:46 share2 sshd[15525]: pam_tally(sshd:auth): pam_get_uid; no such user
regex=no such user; \
 classification.text=Invalid User; \
 id=3; \
 revision=1; \
 analyzer(0).name=PAM; \
 analyzer(0).manufacturer=Sun Microsystems; \
 analyzer(0).class=Authentication; \
 assessment.impact.completion=failed; \
 assessment.impact.type=other; \
 assessment.impact.severity=medium; \
 assessment.impact.description=Someone tried to log in using a non-existent user; \
 last

prelude-lml-rules-5.1.0/ruleset/pcanywhere.rules

#FULLNAME: pcAnywhere
#VERSION: 1.0
#DESCRIPTION: pcAnywhere is a suite of computer programs which allows a user of the pcAnywhere remote program on a computer to connect to a personal computer host if both are connected and the password is known. The rules included here were developed using pcAnywhere 10.5.1 and NTSyslog 1.13.
#####
#
# Copyright (C) 2004 G Ramon Gomez
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

#DESCRIPTION:Remote control user connection
#CATEGORY:Authentication
#LOG:Apr 13 10:31:03 12.34.56.78 pcanywhere[info] 127 NT AUTHORITY\SYSTEM Host In Session Host Name: DB3 Host Licensee: MAXIMUS Remote Name: JM15575 Remote User: NUT&BOLT Device Type: TCP/IP
regex=Host In Session Host Name: (\S+) Host Licensee: \S+ Remote Name: (\S+) Remote User: (\S+); \
 classification.text=Remote control user connected; \
 id=3000; \
 revision=1; \
 analyzer(0).name=pcAnywhere; \
 analyzer(0).manufacturer=Symantec; \
 analyzer(0).class=Remote Control; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=admin; \
 assessment.impact.severity=low; \
 assessment.impact.description=User $3 successfully connected to $1 from $2; \
 source(0).node.name=$2; \
 target(0).node.name=$1; \
 source(0).user.category=application; \
 source(0).user.user_id(0).type=original-user; \
 source(0).user.user_id(0).name=$3; \
 last

#DESCRIPTION:Remote control user disconnection
#CATEGORY:Authentication
#LOG:Apr 14 06:29:55 db3 pcanywhere[info] 123 NT AUTHORITY\SYSTEM Host End Session Device Type: TCP/IP Description: Remote logged off
regex=Host End Session Device Type: \S+ Description: (.+); \
 classification.text=Remote control user disconnected; \
 id=3001; \
 revision=1; \
 analyzer(0).name=pcAnywhere; \
 analyzer(0).manufacturer=Symantec; \
 analyzer(0).class=Remote Control; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=admin; \
 assessment.impact.severity=low; \
 assessment.impact.description=Session ended with status: $1; \
 last

prelude-lml-rules-5.1.0/ruleset/pcre.rules

#
# Rule format:
#
# For information about the fields and their meanings, please have a look at
# the IDMEF Draft located at:
#
# http://www.ietf.org/internet-drafts/draft-ietf-idwg-idmef-xml-16.txt
#
# CREATING AND CONTRIBUTING RULES:
# Rulesets that you contribute to the Prelude-LML maintainer should follow
# these guidelines:
# - Avoid using .+ or .* in regex entries unless actually necessary. Doing so
#   makes your rule CPU-costly to evaluate.
# - Avoid capturing variables which you don't use. This causes unnecessary
#   memory consumption.
# - At a minimum, include regex, classification().text,
#   assessment.impact.severity, assessment.impact.type,
#   assessment.impact.description.
# - If it's correct for this application, include last.
# - Put only a single field on each line of your rules.
# - Include a sample log entry with each rule.
# - Gather as many pieces of data, and fill as many IDMEF fields as possible
#   from the log entry.
# - If a similar rule exists in another ruleset (same function, different
#   software), use the classification().text from the other rule.
# - Use only the actual log message, none of the syslog headers (this generally
#   includes timestamp, originating node, originating process, and pid).
# - Submit new rulesets to the prelude-devel mailing list for consideration.
#
# See the existing rulesets for examples.
#
# LML-specific fields:
#
# - regex:
#   A Perl-compatible regex telling the rule how to parse the log entry
#   concerned.
#
# - id:
#   A unique number identifying this rule in the Prelude-LML ruleset. Rulesets
#   are assigned IDs in blocks of 100, so if the first rule in a ruleset is
#   2300, all of the rules in that ruleset will be 23xx.
#
# - revision:
#   The current revision of the rule. Higher numbers indicate more recent
#   versions.
#
# - last:
#   Indicates to LML that if this rule is triggered, stop checking for further
#   regex matches.
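Added example, not part of prelude-lml or this ruleset: a small Python evaluator for the rule syntax described above. It joins the `key=value; \` continuation lines, applies the regex to a log line with an unanchored search, expands `$N` capture references into the IDMEF fields, and honours `silent` and `last` when walking rules in file order; the rule texts are abridged copies of the pam.rules and portsentry.rules entries from this ruleset, and every function name is my own.

```python
# Minimal evaluator for the rule syntax used in this ruleset (added example, not
# prelude-lml's own code): it joins `key=value; \` continuation lines, searches
# the regex against a log line as LML does (unanchored) and expands $N refs.
import re

FLAG_WORDS = {"last", "silent", "chained"}

# Rule texts copied from pam.rules and portsentry.rules in this ruleset, with
# most analyzer/assessment fields dropped for brevity.
PAM_IGNORE_CRON = r"""
regex=CRON\[\d+\]: \(pam_unix\) session (opened|closed) for user; \
 silent; \
 last
"""

PAM_SESSION_OPENED = r"""
regex=session opened for user (\S+) by (\S*)\(uid=(\d*)\); \
 classification.text=Credentials Change; \
 assessment.impact.description=User $2 authenticated to $1 successfully; \
 source(0).user.user_id(0).name=$2; \
 target(0).user.user_id(0).name=$1; \
 last
"""

PORTSENTRY_SCAN = r"""
regex=attackalert:.*?(\S+) scan from\s+host: (\S+)/([\d\.]+|[\dA-Fa-f\:]+) to (TCP|UDP) port: (\d+); \
 classification.text=$1 Scan; \
 source(0).node.address(0).address=$3; \
 source(0).node.name=$2; \
 target(0).service.port=$5; \
 last
"""

def parse_rule(text):
    """Return (compiled regex, [(field, value), ...], set(flags)) for one rule.
    A ';' escaped as '\\;' inside the regex (PAM 'authentication failure' rule)
    is part of the pattern, so the split skips escaped separators."""
    joined = " ".join(
        line.strip().rstrip("\\").strip()
        for line in text.splitlines()
        if line.strip() and not line.lstrip().startswith("#")
    )
    regex, fields, flags = None, [], set()
    for entry in re.split(r"(?<!\\);", joined):
        entry = entry.strip()
        if not entry:
            continue
        if entry in FLAG_WORDS:
            flags.add(entry)
            continue
        key, sep, value = entry.partition("=")
        if not sep:
            raise ValueError("malformed rule entry: %r" % entry)
        if key.strip() == "regex":
            regex = re.compile(value.strip())
        else:
            fields.append((key.strip(), value.strip()))
    if regex is None:
        raise ValueError("rule has no regex= entry")
    return regex, fields, flags

def apply_rule(rule, log_line):
    """Match one parsed rule against a log line; return expanded fields or None."""
    regex, fields, _ = rule
    match = regex.search(log_line)  # LML searches: the pattern is not anchored
    if match is None:
        return None

    def expand(value):
        # $N is capture group N; a group that captured nothing expands to "".
        return re.sub(r"\$(\d+)", lambda m: match.group(int(m.group(1))) or "", value)

    return {key: expand(value) for key, value in fields}

def evaluate(rules, log_line):
    """Walk rules in file order; `silent` raises no alert, `last` stops the walk."""
    alerts = []
    for rule in rules:
        fields = apply_rule(rule, log_line)
        if fields is None:
            continue
        if "silent" not in rule[2]:
            alerts.append(fields)
        if "last" in rule[2]:
            break
    return alerts

RULES = [parse_rule(t) for t in (PAM_IGNORE_CRON, PAM_SESSION_OPENED, PORTSENTRY_SCAN)]

# Sample lines constructed from the #LOG: entries of pam.rules and portsentry.rules.
SAMPLE_LOGS = [
    "Apr 20 11:55:01 piche CRON[23295]: (pam_unix) session opened for user root by (uid=0)",
    "Aug 14 17:32:19 blah su(pam_unix)[17944]: session opened for user root by (uid=123)",
    "May 11 23:29:48 icecube portsentry[791]: attackalert: SYN/Normal scan from host: "
    "server1.miniclip.com/64.23.60.30 to TCP port: 443",
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:  # the CRON line is swallowed by the silent+last rule
        print(line, "->", evaluate(RULES, line))
```

The second sample line shows why `(\S*)` matters in the PAM rule: `by (uid=123)` carries no user name, so `$2` expands to an empty string rather than failing the match.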
# Prevent LML from matching its own output and creating a logging loop in case
# of odd syslog configurations
regex=no appropriate format defined for log entry; \
 silent; \
 last

regex=EMU; include = apc-emu.rules;
regex=(anomaly|since|firstSeen); include = arbor.rules;
regex=arpwatch; include = arpwatch.rules;
regex=chan_sip.c; include = asterisk.rules;
regex=CactiTholdLog; include = cacti-thold.rules;
regex=product:; include = checkpoint.rules;
#regex=%\S+-\d+-\S+; include = cisco-asa.rules; \
regex=%ACE-\d+-\S+:; include = cisco-ace.rules;
regex=-\S+:; include = cisco-asa.rules;
regex=%\S+-\d+-\S+; include = cisco-common.rules; \
 include = cisco-router.rules;
regex=(IPV4|SSHD|NETMAN)-\d+; include = cisco-css.rules;
regex=(snmptrapd); include = cisco-ips-2.rules;
#regex=snmptrapd; include = cisco-ips.rules;
regex=SEV=; include = cisco-vpn.rules;
regex=radiusd\[(\d+)\]; include = radiusd.rules;
regex=Juniper:; include = juniper-vpn.rules;
regex=SymantecServer \S+:; include = symantec-epm.rules;
regex=snmptrapd; include = symantec-scsp.rules;
# Using this regex rather than simpler clamd to handle events from clamav
# logging format
regex=(FOUND|virus); include = clamav.rules;
regex=server administrator; include = dell-om.rules;
regex=(kernel|grsec); include = grsecurity.rules;
regex=(bigconf|kernel); include = f5-bigip.rules;
regex=devname=; include = fortigate.rules;
regex=(honeyd|icmp|tcp|udp); include = honeyd.rules;
regex=\[([0-9-]+) ([0-9:]+)\]; include = honeytrap.rules;
regex=\[(SSHChannel|SSHService); include = kojoney.rules;
regex=ModSecurity; include = modsecurity.rules;
# Using this somewhat complex regex instead of the simpler httpd due to the
# fact that we might be directly monitoring httpd logs instead of httpd syslog
# entries (in which case we won't have the process name to match against)
regex=(\[error\]|Pass|httpd); include = httpd.rules;
regex=(kernel|ulogd); include = ipchains.rules; \
 include = netfilter.rules; \
 include = bonding.rules;
regex=ipfw; include = ipfw.rules;
regex=[Ww]ireless; include = linksys-wap11.rules;
regex=clussvc; include = ms-cluster.rules;
regex=mssql; include = ms-sql.rules;
regex=nagios; include = nagios.rules;
regex=norton; include = navce.rules;
regex=\[[^:]*:[^\]]*\]:; include = netapp-ontap.rules;
regex=system-(emergency|alert)-; include = netscreen.rules;
regex=security\[; include = ntsyslog.rules;
regex=[Pp][Aa][Mm]_; include = pam.rules;
regex=[Ss][Uu]:; include = su.rules;
regex=pcanywhere; include = pcanywhere.rules;
regex=portsentry; include = portsentry.rules;
regex=postfix/; include = postfix.rules;
regex=proftpd; include = proftpd.rules;
regex=popper; include = qpopper.rules;
regex=(ppp|pptpd); include = ppp.rules;
regex=INFO\s+srcIP; include = rishi.rules;
regex=avc:; include = selinux.rules;
regex=sendmail; include = sendmail.rules;
regex=(user|group)(mod|add|del); include = shadow-utils.rules;
regex=id=firewall; include = sonicwall.rules;
regex=spamd; include = spamassassin.rules;
# More complex regex to handle data coming directly from Squid log files
regex=(Acceptin|Squid|Disabled|DENIED); include = squid.rules;
regex=sshd; include = ssh.rules;
regex=sudo; include = sudo.rules;
regex=suhosin; include = suhosin.rules;
regex=tripwire; include = tripwire.rules;
regex=[wl]an @Group:; include = vigor.rules;
regex=vpopmail; include = vpopmail.rules;
regex=webmin; include = webmin.rules;
regex=ftpd; include = wu-ftp.rules;
regex=MSWinEventLog; include = snare_windows.rules; \
 include = nxlog_windows.rules;
# openhostapd.rules has no process name or fixed token to match on, so match
# on the message bodies of its rules instead:
regex=(removed node|\(rate:\s(\d+)\/(\d+)\ssec\)|sent ADD notification|attached Host AP interface); include = openhostapd.rules;
# All rules that are standalone/not part of a ruleset go into single.rules
include = single.rules;

prelude-lml-rules-5.1.0/ruleset/portsentry.rules

#FULLNAME: PortSentry
#VERSION: 1.0
#DESCRIPTION: PortSentry will watch unused ports for activity and, depending on how it is configured, take action upon excessive access to watched ports.
#####
#
# Copyright (C) 2003 Stephane Loeuillet (stephane.loeuillet@tiscali.fr)
# All Rights Reserved
#
# RulesID: 1503
# Copyright (C) 2004-2005 G Ramon Gomez
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

#DESCRIPTION:Someone performed a scan
#CATEGORY:Recognition
#LOG:May 11 23:29:48 icecube portsentry[791]: attackalert: SYN/Normal scan from host: server1.miniclip.com/64.23.60.30 to TCP port: 443
#LOG:May 8 08:58:22 icecube portsentry[795]: attackalert: UDP scan from host: 193.63.249.24/193.63.249.24 to UDP port: 177
#LOG:Apr 18 10:42:51 20.0.0.3 portsentry[2549]: attackalert: TCP SYN/Normal scan from host: 2.0.0.3/2.0.0.3 to TCP port: 119
regex=attackalert:.*?(\S+) scan from\s+host: (\S+)/([\d\.]+|[\dA-Fa-f\:]+) to (TCP|UDP) port: (\d+); \
 classification.text=$1 Scan; \
 id=1500; \
 revision=1; \
 analyzer(0).name=PortSentry; \
 analyzer(0).manufacturer=sentrytools.sourceforge.net; \
 analyzer(0).class=HIDS; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.severity=medium; \
 assessment.impact.description=PortSentry found someone performed a '$1' scan; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$3; \
 source(0).node.name=$2; \
 source(0).service.iana_protocol_name=$4; \
 target(0).service.iana_protocol_name=$4; \
 target(0).service.port=$5; \
 last

#DESCRIPTION:Connection logged
#CATEGORY:Recognition
#LOG:Mar 28 00:03:25 hoste portsentry[103]: attackalert: Connect from host: 217.33.28.29/217.33.28.29 to TCP port: 111
regex=attackalert: Connect from host: (\S+)/([\d\.]+|[\dA-Fa-f\:]+) to (TCP|UDP) port: (\d+); \
 classification.text=Connection logged; \
 id=1501; \
 revision=1; \
 analyzer(0).name=PortSentry; \
 analyzer(0).manufacturer=sentrytools.sourceforge.net; \
 analyzer(0).class=HIDS; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.severity=low; \
 assessment.impact.description=PortSentry found someone connecting to port $3/$4; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$2; \
 source(0).node.name=$1; \
 source(0).service.iana_protocol_name=$3; \
 target(0).service.iana_protocol_name=$3; \
 target(0).service.port=$4; \
 last

#DESCRIPTION:Host blocked
#CATEGORY:Recognition
#LOG:Oct 15 13:50:07 basile portsentry[28412]: attackalert: Host 195.220.107.15 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 195.220.107.15 -j DENY"
regex=attackalert: Host ([\d\.]+) has been blocked via dropped route using command: "([^"]+)"; \
 classification.text=Host blocked; \
 id=1502; \
 revision=1; \
 analyzer(0).name=PortSentry; \
 analyzer(0).manufacturer=sentrytools.sourceforge.net; \
 analyzer(0).class=HIDS; \
 assessment.impact.completion=failed; \
 assessment.impact.type=other; \
 assessment.impact.severity=low; \
 assessment.impact.description=PortSentry saw your firewall block a host via: $2; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 last

#DESCRIPTION:Host already blocked
#CATEGORY:Recognition
#LOG:Apr 18 10:42:51 20.0.0.3 portsentry[2549]: attackalert: Host: 2.0.0.3/2.0.0.3 is already blocked Ignoring
regex=attackalert: Host: (\S+)/([\d\.]+) is\s+already blocked; \
 classification.text=Host blocked; \
 id=1503; \
 revision=1; \
 analyzer(0).name=PortSentry; \
 analyzer(0).manufacturer=sentrytools.sourceforge.net; \
 analyzer(0).class=HIDS; \
 assessment.impact.completion=failed; \
 assessment.impact.type=other; \
 assessment.impact.severity=medium; \
 assessment.impact.description=PortSentry saw your firewall block an already blocked host; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$2; \
 source(0).node.name=$1; \
 last

prelude-lml-rules-5.1.0/ruleset/postfix.rules

#FULLNAME: Postfix
#VERSION: 1.0
#DESCRIPTION: Postfix is a mail transfer agent (MTA) that routes and delivers electronic mail. This ruleset analyzes Postfix logs. Tested with postfix-2.0.11.
#####
#
# Copyright (C) 2004 Exaprotect Technology
# Currently supported by John R Shannon
# All Rights Reserved
#
# Author: David Maciejak
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

#DESCRIPTION:Mail server - Relay access denied
#CATEGORY:Email
#LOG:May 3 17:41:05 exademo postfix/smtpd[6161]: 7F70283BF6: reject: RCPT from unknown[212.180.111.248]: 554 : Relay access denied; from= to= proto=SMTP helo=
regex=reject: RCPT from [\w\-\.]+\[([\d\.]+)\]: .* Relay access denied. from=<(\S+)> to=<(\S+)> proto=SMTP; \
 classification.text=Mail server: Relay access denied; \
 id=3500; \
 revision=1; \
 analyzer(0).name=Postfix; \
 analyzer(0).manufacturer=www.postfix.org; \
 analyzer(0).class=Service; \
 assessment.impact.completion=failed; \
 assessment.impact.type=user; \
 assessment.impact.severity=medium; \
 assessment.impact.description=$2 from $1 attempted to use mail server as relay; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 source(0).node.address(1).category=e-mail; \
 source(0).node.address(1).address=$2; \
 source(0).service.iana_protocol_name=tcp; \
 source(0).service.iana_protocol_number=6; \
 target(0).service.iana_protocol_name=tcp; \
 target(0).service.iana_protocol_number=6; \
 target(0).service.port=25; \
 target(0).service.name=smtp; \
 target(0).node.address(0).category=e-mail; \
 target(0).node.address(0).address=$3; \
 last

#DESCRIPTION:Mail server - Startup
#CATEGORY:Email
#LOG:May 3 12:22:14 exademo postfix/postfix-script: starting the Postfix mail system
regex=starting the Postfix mail system; \
 classification.text=Mail server startup; \
 id=3501; \
 revision=1; \
 analyzer(0).name=Postfix; \
 analyzer(0).manufacturer=www.postfix.org; \
 analyzer(0).class=Service; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Mail server started; \
 assessment.impact.type=other; \
 assessment.impact.severity=info; \
 last

#DESCRIPTION:Mail server - Shutdown
#CATEGORY:Email
#LOG:May 4 11:43:10 exademo postfix/postfix-script: stopping the Postfix mail system
regex=stopping the Postfix mail system; \
 classification.text=Mail server shutdown; \
 id=3502; \
 revision=1; \
 analyzer(0).name=Postfix; \
 analyzer(0).manufacturer=www.postfix.org; \
 analyzer(0).class=Service; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Mail server stopped; \
 assessment.impact.type=other; \
 assessment.impact.severity=medium; \
 last

#DESCRIPTION:Mail server - Suspicious access
#CATEGORY:Email
#LOG:May 4 09:26:15 exademo postfix/smtpd[8472]: lost connection after CONNECT from localhost[127.0.0.1]
regex=lost connection after (\S+) from [\w\-\.]+\[([\d\.]+)\]; \
 classification.text=Mail server suspicious access; \
 id=3503; \
 revision=1; \
 analyzer(0).name=Postfix; \
 analyzer(0).manufacturer=www.postfix.org; \
 analyzer(0).class=Service; \
 assessment.impact.completion=failed; \
 assessment.impact.description=Lost connection from $2 after $1 action; \
 assessment.impact.type=other; \
 assessment.impact.severity=low; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$2; \
 target(0).service.iana_protocol_name=tcp; \
 target(0).service.iana_protocol_number=6; \
 target(0).service.port=25; \
 target(0).service.name=smtp; \
 last

prelude-lml-rules-5.1.0/ruleset/ppp.rules

#FULLNAME: Cisco PPP
#VERSION: 1.0
#DESCRIPTION: This is the PPP Cisco connection protocol.
#####
#
# Copyright (C) 2009-2019 CS-SI
# Copyright (C) 2008 Alexander Afonyashin
# Author: Alexander Afonyashin
# All Rights Reserved.
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

# Dec 4 23:01:24 beorc pptpd[24795]: CTRL: Client 1.2.3.4 control connection started
# Dec 4 23:01:24 beorc pptpd[24795]: CTRL: Starting call (launching pppd, opening GRE)
# Dec 4 23:01:25 beorc ppp[24796]: tun2: IPCP: Selected IP address 5.6.7.8

#DESCRIPTION:Login attempt (CHAP response received)
#CATEGORY:Authentication
#LOG:Dec 4 23:01:36 beorc ppp[24796]: tun2: Phase: Chap Input: RESPONSE (49 bytes from afonyashin)
regex=ppp\[(\d+)\]: (\S+): Phase: \S+ Input: RESPONSE \(\d+ bytes from (\S+)\); \
 new_context=PPP_$1,expire:0; \
 classification.text=VPN user authentication; \
 assessment.impact.description=Authentication attempt; \
 target(0).interface=$2; \
 target(0).user.category=os-device; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$3; \
 silent

#DESCRIPTION:Output SUCCESS
#CATEGORY:Authentication
#LOG:Dec 4 23:01:36 beorc ppp[24796]: tun2: Phase: Chap Output: SUCCESS
regex=ppp\[(\d+)\]: \S+: Phase: \S+ Output: SUCCESS; \
 require_context=PPP_$1; \
 id=10100; \
 revision=1; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=user; \
 silent

#DESCRIPTION:Output FAILURE
#CATEGORY:Authentication
#LOG:Dec 4 23:01:36 beorc ppp[24796]: tun2: Phase: Chap Output: FAILURE
regex=ppp\[(\d+)\]: \S+: Phase: \S+ Output: FAILURE; \
 require_context=PPP_$1; \
 id=10101; \
 revision=1; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=failed; \
 assessment.impact.type=user; \
 silent

#DESCRIPTION:CTRL
#CATEGORY:Authentication
#LOG:Dec 4 23:01:49 beorc pptpd[24795]: CTRL: Reaping child PPP[24796]
regex=pptpd\[(\d+)\]: CTRL: \S+ \S+ PPP\[(\d+)\]; \
 require_context=PPP_$2; \
 new_context=PPTPD_$1,expire:5; \
 destroy_context=PPP_$2; \
 silent

#DESCRIPTION:CTRL Client control
#CATEGORY:Authentication
#LOG:Dec 4 23:01:49 beorc pptpd[24795]: CTRL: Client 1.2.3.4 control connection finished
regex=pptpd\[(\d+)\]: CTRL: Client (\S+) control; \
 require_context=PPTPD_$1; \
 analyzer(0).name=ppp; \
 analyzer(0).class=VPN; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$2; \
 last

prelude-lml-rules-5.1.0/ruleset/proftpd.rules

#FULLNAME: ProFTPD
#VERSION: 1.0
#DESCRIPTION: ProFTPD is an FTP server.
#####
#
# Copyright (C) 2003 Stephane Loeuillet (stephane.loeuillet@tiscali.fr)
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

#DESCRIPTION:Authentication failure
#CATEGORY:Authentication
#LOG:Jan 13 22:19:52 (none) proftpd[7804]: leroutier.net (193.249.231.232[193.249.231.232]) - PAM(leroutier): Authentication failure.
regex=[\w\-\.]+ \(([\d\.]+)\[[\d\.]+\]\) - PAM\(([\w\-\.]+)\): Authentication failure; \
 classification.text=FTP login; \
 id=1600; \
 revision=2; \
 analyzer(0).name=ProFTPD; \
 analyzer(0).manufacturer=www.proftpd.org; \
 analyzer(0).class=Service; \
 assessment.impact.completion=failed; \
 assessment.impact.type=user; \
 assessment.impact.severity=medium; \
 assessment.impact.description=Someone tried to log in to your FTP server as user '$2' but failed; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 source(0).service.iana_protocol_name=tcp; \
 source(0).service.iana_protocol_number=6; \
 target(0).service.port=21; \
 target(0).service.name=ftp; \
 target(0).service.iana_protocol_name=tcp; \
 target(0).service.iana_protocol_number=6; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$2; \
 last

#DESCRIPTION:No such user
#CATEGORY:Authentication
#LOG:Jan 13 22:19:58 (none) proftpd[7805]: leroutier.net (193.249.231.232[193.249.231.232]) - no such user 'uh'
regex=[\w\-\.]+ \(([\d\.]+)\[[\d\.]+\]\) - no such user '(\S+)'; \
 classification.text=FTP login; \
 id=1601; \
 revision=2; \
 analyzer(0).name=ProFTPD; \
 analyzer(0).manufacturer=www.proftpd.org; \
 analyzer(0).class=Service; \
 assessment.impact.completion=failed; \
 assessment.impact.type=user; \
 assessment.impact.severity=medium; \
 assessment.impact.description=Someone tried to log in to your FTP server as non-existent user '$2' but failed; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 source(0).service.iana_protocol_name=tcp; \
 source(0).service.iana_protocol_number=6; \
 target(0).service.port=21; \
 target(0).service.name=ftp; \
 target(0).service.iana_protocol_name=tcp; \
 target(0).service.iana_protocol_number=6; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$2; \
 last

#DESCRIPTION:No such user found from @IP
#CATEGORY:Authentication
#LOG:Jan 13 22:39:03 (none) proftpd[8023]: leroutier.net (193.249.231.232[193.249.231.232]) - USER rr: no such user found from 193.249.231.232 [193.249.231.232] to 81.91.66.90:21
regex=[\w\-\.]+ \(([\d\.]+)\[[\d\.]+\]\) - USER (\S+): no such user found from [\w\-\.]+ \[[\w\-\.]+\] to ([\w\-\.]+):(\d+); \
 classification.text=FTP login; \
 id=1602; \
 revision=2; \
 analyzer(0).name=ProFTPD; \
 analyzer(0).manufacturer=www.proftpd.org; \
 analyzer(0).class=Service; \
 assessment.impact.completion=failed; \
 assessment.impact.type=user; \
 assessment.impact.severity=medium; \
 assessment.impact.description=Someone tried to log in to your FTP server as non-existent user '$2' but failed; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 source(0).service.iana_protocol_name=tcp; \
 source(0).service.iana_protocol_number=6; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$3; \
 target(0).service.port=$4; \
 target(0).service.name=ftp; \
 target(0).service.iana_protocol_name=tcp; \
 target(0).service.iana_protocol_number=6; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$2; \
 last

prelude-lml-rules-5.1.0/ruleset/qpopper.rules

#FULLNAME: Qpopper
#VERSION: 1.0
#DESCRIPTION: Qpopper is a server implementation of POP3.
#####
#
# Copyright (C) 2003 Stephane Loeuillet (stephane.loeuillet@tiscali.fr)
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

#DESCRIPTION:Mail server - Invalid password for this user
#CATEGORY:Email
#LOG:Jan 13 21:05:09 myhostname popper[6950]: [AUTH] Failed attempted login to vegeta from host (Mix-Dijon-114-2-232.abo.wanadoo.fr) 193.249.231.232
regex=\[AUTH\] Failed attempted login to (\S+) from host \(?([\w\-\.]+)\)? ([\d\.]+); \
 classification.text=Mail server - invalid password for this user; \
 id=1700; \
 revision=1; \
 analyzer(0).name=Qpopper; \
 analyzer(0).manufacturer=Eudora; \
 analyzer(0).class=Service; \
 assessment.impact.completion=failed; \
 assessment.impact.type=user; \
 assessment.impact.severity=medium; \
 assessment.impact.description=Someone tried to login to your POP3 server as user '$1' but failed; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$3; \
 source(0).service.iana_protocol_name=tcp; \
 source(0).service.iana_protocol_number=6; \
 target(0).service.port=110; \
 target(0).service.name=pop3; \
 target(0).service.iana_protocol_name=tcp; \
 target(0).service.iana_protocol_number=6; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$1; \
 last

#DESCRIPTION:Mail server - Invalid password for user
#CATEGORY:Email
#LOG:Jan 13 20:42:31 myhostname popper[6752]: azerty at www.leroutier.net (81.91.66.90): -ERR [AUTH] Password supplied for "myuser" is incorrect.
regex=(\S+) at [\w\-\.]+ \(([\d\.]+)\): -ERR \[AUTH\] Password supplied for "\S+" is incorrect; \
 classification.text=Mail server - invalid password for user; \
 id=1701; \
 revision=1; \
 analyzer(0).name=Qpopper; \
 analyzer(0).manufacturer=Eudora; \
 analyzer(0).class=Service; \
 assessment.impact.completion=failed; \
 assessment.impact.type=user; \
 assessment.impact.severity=medium; \
 assessment.impact.description=Someone tried to login to your POP3 server as user '$1' but failed; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$2; \
 source(0).service.iana_protocol_name=tcp; \
 source(0).service.iana_protocol_number=6; \
 target(0).service.port=110; \
 target(0).service.name=pop3; \
 target(0).service.iana_protocol_name=tcp; \
 target(0).service.iana_protocol_number=6; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$1; \
 last

# File: ruleset/radiusd.rules
#FULLNAME: Radius
#VERSION: 1.0
#DESCRIPTION: Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting management for users who connect and use a network service. These rules monitor Freeradius 1.1.7.
#####
#
# Copyright (C) 2012 Seguridadx
# twitter: www.twitter.com/seguridad_x
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

#DESCRIPTION:Ready to process requests
#CATEGORY:Account Management
#LOG:May 3 14:43:38 SERVER_NAME radiusd[2081]: Ready to process requests.
regex=: Ready to process requests; \
 classification.text=Radius Server has started.; \
 id=35000; \
 revision=2; \
 analyzer(0).name=FreeRadius; \
 analyzer(0).manufacturer=freeradius.org; \
 analyzer(0).class=Authentication; \
 assessment.impact.severity=low; \
 assessment.impact.type=file; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Radius Server has started.; \
 last

#DESCRIPTION:Login incorrect
#CATEGORY:Authentication
#LOG:May 3 14:43:48 SERVER_NAME radiusd[name3]: Login incorrect: [USER] (from client HOST_NAME port xxx cli x.x.x.x)
regex=: Login incorrect: \[(\S+)\] \(from client (\S+) port (\d+) cli ([\d\.]+)\); \
 classification.text=Radiusd: Login incorrect.; \
 id=35001; \
 revision=2; \
 analyzer(0).name=FreeRadius; \
 analyzer(0).manufacturer=freeradius.org; \
 analyzer(0).class=Authentication; \
 assessment.impact.severity=high; \
 assessment.impact.type=file; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Radius Server Said: Login incorrect.; \
 additional_data(0).type=string; \
 additional_data(0).meaning=User Name; \
 additional_data(0).data=$1; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$4; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$2; \
 last

#DESCRIPTION:Login incorrect
#CATEGORY:Authentication
#LOG:May 3 14:43:48 SERVER_NAME radiusd[name2]: Login incorrect: [USER] (from client HOST_NAME port xxx cli ip:source-ip=x.x.x.x)
regex=: Login incorrect: \[(\S+)\] \(from client (\S+) port (\d+) cli ip:source-ip\=([\d\.]+)\); \
 classification.text=Radiusd: Login incorrect.; \
 id=35002; \
 revision=2; \
 analyzer(0).name=FreeRadius; \
 analyzer(0).manufacturer=freeradius.org; \
 analyzer(0).class=Authentication; \
 assessment.impact.severity=high; \
 assessment.impact.type=file; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Radius Server Said: Login incorrect.; \
 additional_data(0).type=string; \
 additional_data(0).meaning=User Name; \
 additional_data(0).data=$1; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$4; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$2; \
 last

#DESCRIPTION:Login OK
#CATEGORY:Authentication
#LOG:May 3 14:44:12 SERVER_NAME radiusd[name1]: Login OK: [USER] (from client HOST_NAME port xxx cli x.x.x.x)
regex=: Login OK: \[(\S+)\] \(from client (\S+) port (\d+) cli ([\d\.]+)\); \
 classification.text=Radiusd: Login OK.; \
 id=35003; \
 revision=2; \
 analyzer(0).name=FreeRadius; \
 analyzer(0).manufacturer=freeradius.org; \
 analyzer(0).class=Authentication; \
 assessment.impact.severity=low; \
 assessment.impact.type=file; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Radius Server Said: Login OK.; \
 additional_data(0).type=string; \
 additional_data(0).meaning=User Name; \
 additional_data(0).data=$1; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$4; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$2; \
 last

#DESCRIPTION:Login OK
#CATEGORY:Authentication
#LOG:May 3 15:25:21 SERVER_NAME radiusd[xxx]: Login OK: [USER] (from client HOST_NAME port x)
# This log variant carries no calling-station address: only $1 (user) and
# $2 (client) are captured, so no source node address is set.
regex=: Login OK: \[(\S+)\] \(from client (\S+); \
 classification.text=Radiusd: Login OK.; \
 id=35004; \
 revision=2; \
 analyzer(0).name=FreeRadius; \
 analyzer(0).manufacturer=freeradius.org; \
 analyzer(0).class=Authentication; \
 assessment.impact.severity=low; \
 assessment.impact.type=file; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Radius Server Said: Login OK.; \
 additional_data(0).type=string; \
 additional_data(0).meaning=User Name; \
 additional_data(0).data=$1; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$2; \
 last

# File: ruleset/rishi.rules
#FULLNAME: Rishi
#VERSION: 1.0
#DESCRIPTION: Rishi identifies bot-contaminated hosts by IRC nickname evaluation.
#####
#
# Copyright (C) 2007 Bjoern Weiland
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
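The rules in these files all follow the same layout: a `regex=` line whose capture groups are referenced as `$N` from the IDMEF fields on the continuation lines, a `#LOG:` sample that the regex is meant to match, and `last`. A rule is only as good as that correspondence, and a `$N` pointing past the last capture group, or a sample line the regex no longer matches, silently produces empty or wrong alert fields. The following checker is an added example written for this page, not code from the prelude-lml-rules project: it parses rule text in this layout, verifies every `#LOG:` sample against its regex, verifies every `$N` reference against the group count, and shows how the fields are expanded. The embedded ruleset is constructed: the first rule reuses the ProFTPD "no such user" pattern and sample from above, the second is a deliberately broken RADIUS-style rule; the ids 99998 and 99999 are placeholders. Python's `re` stands in for the PCRE engine prelude-lml links against, which is an assumption that holds for the patterns used here.

```python
"""Offline self-check for prelude-lml style rule blocks (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample ruleset. Rule 99999 copies the ProFTPD 'no such user'
# regex and log sample; rule 99998 is deliberately broken: its $4 points
# past the two capture groups its regex defines. Ids are placeholders.
SAMPLE_RULES = r"""#DESCRIPTION:No such user
#CATEGORY:Authentication
#LOG:Jan 13 22:19:58 (none) proftpd[7805]: leroutier.net (193.249.231.232[193.249.231.232]) - no such user 'uh'
regex=[\w\-\.]+ \(([\d\.]+)\[[\d\.]+\]\) - no such user '(\S+)'; \
 classification.text=FTP login; \
 id=99999; \
 source(0).node.address(0).address=$1; \
 target(0).user.user_id(0).name=$2; \
 last

#DESCRIPTION:Broken rule: $4 does not exist
#CATEGORY:Authentication
#LOG:May 3 15:25:21 SERVER_NAME radiusd[123]: Login OK: [alice] (from client nas1 port 3)
regex=: Login OK: \[(\S+)\] \(from client (\S+); \
 classification.text=Radiusd: Login OK.; \
 id=99998; \
 source(0).node.address(0).address=$4; \
 last
"""

REF = re.compile(r"\$(\d+)")  # a $N back-reference inside a field value


@dataclass
class Rule:
    regex: str
    fields: dict = field(default_factory=dict)
    logs: list = field(default_factory=list)

    @property
    def rule_id(self):
        return self.fields.get("id", "?")


def parse_rules(text):
    """Split rule text into Rule objects; each physical line is one field."""
    rules, pending_logs, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#LOG:"):
            pending_logs.append(line[len("#LOG:"):].strip())
            continue
        if line.startswith("#"):          # any other comment line
            continue
        if line.endswith("\\"):           # strip the continuation marker
            line = line[:-1].rstrip()
        if line.endswith(";"):            # and the field terminator
            line = line[:-1]
        if line.startswith("regex="):
            current = Rule(regex=line[len("regex="):], logs=pending_logs)
            pending_logs = []
        elif current is None:
            continue
        elif line == "last":
            rules.append(current)
            current = None
        elif "=" in line:
            key, value = line.split("=", 1)
            current.fields[key] = value
    return rules


def check_rule(rule):
    """Return a list of problems; an empty list means the rule is sound."""
    try:
        pattern = re.compile(rule.regex)
    except re.error as exc:
        return [f"id={rule.rule_id}: regex does not compile: {exc}"]
    problems = []
    for key, value in rule.fields.items():
        for n in REF.findall(value):
            if int(n) > pattern.groups:
                problems.append(f"id={rule.rule_id}: {key} references ${n} "
                                f"but the regex has {pattern.groups} group(s)")
    for log in rule.logs:
        if pattern.search(log) is None:
            problems.append(f"id={rule.rule_id}: #LOG sample does not match: {log}")
    return problems


def expand(rule, log):
    """Fill the IDMEF fields from one log line by substituting $N, or None."""
    match = re.compile(rule.regex).search(log)
    if match is None or check_rule(rule):
        return None
    return {key: REF.sub(lambda m: match.group(int(m.group(1))), value)
            for key, value in rule.fields.items()}


if __name__ == "__main__":
    for rule in parse_rules(SAMPLE_RULES):
        for line in check_rule(rule) or [f"id={rule.rule_id}: OK"]:
            print(line)
```

Run against a real ruleset file, the same loop reports the rules whose sample log drifted away from the regex after an edit, and the `$N` check catches the silent failure mode where a field is filled from a group that does not exist.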
#
#####

#DESCRIPTION:IRC Connections with fairly high value (>= 5 and <= 10)
#CATEGORY:Botnet
#LOG:2007-05-20 12:49:57,644 INFO srcIP: 129.13.x.y srcPort: 1312 dstIP: 80.64.x.y dstPort: 6666 Nick: myFunnyNick Value: 5
regex=INFO srcIP: (\S+)\s+srcPort: (\d+)\s+dstIP: (\S+)\s+dstPort: (\d+)\s+Nick: (\S+)\s+Value: (?!0|1|2|3|4)(\d)$; \
 classification.text=Possible IRC bot connection; \
 id=30000; \
 revision=1; \
 analyzer(0).name=Rishi; \
 analyzer(0).manufacturer=http://zero.ram.rwth-aachen.de/rishi/; \
 analyzer(0).class=NIDS; \
 source(0).node.address(0).address=$1; \
 source(0).service.port=$2; \
 target(0).node.address(0).address=$3; \
 target(0).service.port=$4; \
 target(0).user.category=application; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$5; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=user; \
 assessment.impact.severity=medium; \
 assessment.impact.description=A yet unknown bot might have initiated a connection to a C&C Server, investigation required; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=Calculated Value; \
 additional_data(0).data=$6; \
 last

#DESCRIPTION:Connections to a non-standard port with a low value (< 5)
#CATEGORY:Botnet
#LOG:2007-05-20 12:49:57,644 INFO srcIP: 129.13.x.y srcPort: 1312 dstIP: 80.64.x.y dstPort: 1501 Nick: myFunnyNick Value: 3
regex=INFO srcIP: (\S+)\s+srcPort: (\d+)\s+dstIP: (\S+)\s+dstPort: (?!6665|6666|6667|6668)(\d+)\s+Nick: (\S+)\s+Value: (0|1|2|3|4)$; \
 classification.text=IRC Connection to non-standard port; \
 id=30001; \
 revision=1; \
 analyzer(0).name=Rishi; \
 analyzer(0).manufacturer=http://zero.ram.rwth-aachen.de/rishi/; \
 analyzer(0).class=NIDS; \
 source(0).node.address(0).address=$1; \
 source(0).service.port=$2; \
 target(0).node.address(0).address=$3; \
 target(0).service.port=$4; \
 target(0).user.category=application; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$5; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=user; \
 assessment.impact.severity=low; \
 assessment.impact.description=To be investigated, probably false positive that needs to be whitelisted; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=Calculated Value; \
 additional_data(0).data=$6; \
 last

#DESCRIPTION:Connection with a very high value (>= 10)
#CATEGORY:Botnet
#LOG:2007-05-20 12:49:57,644 INFO srcIP: 129.13.x.y srcPort: 1312 dstIP: 80.64.x.y dstPort: 4545 Nick: [LsasS]213242344 Value: 11
regex=INFO srcIP: (\S+)\s+srcPort: (\d+)\s+dstIP: (\S+)\s+dstPort: (\d+)\s+Nick: (\S+)\s+Value: (?!0$|1$|2$|3$|4$|5$|6$|7$|8$|9$)(\d+); \
 classification.text=Possible IRC Bot identified; \
 id=30002; \
 revision=1; \
 analyzer(0).name=Rishi; \
 analyzer(0).manufacturer=http://zero.ram.rwth-aachen.de/rishi/; \
 analyzer(0).class=NIDS; \
 source(0).node.address(0).address=$1; \
 source(0).service.port=$2; \
 target(0).node.address(0).address=$3; \
 target(0).service.port=$4; \
 target(0).user.category=application; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$5; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=user; \
 assessment.impact.severity=high; \
 assessment.impact.description=Possible bot contaminated host identified; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=Calculated Value; \
 additional_data(0).data=$6; \
 last

# File: ruleset/selinux.rules
#FULLNAME: SELinux
#VERSION: 1.0
#DESCRIPTION: Security-Enhanced Linux is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access controls (MAC). The rules included here are EXPERIMENTAL.
#####
#
# Copyright (C) 2005 G Ramon Gomez
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

#DESCRIPTION:RBAC authentication file failure
#CATEGORY:Authentication
#LOG:Nov 18 10:12:08 new-selinux2 kernel: avc: denied { relabelto } for pid=12296 exe=/usr/bin/chcon name=shadow dev=03:02 ino=230036 scontext=takeuchi:user_r:user_t tcontext=system_u:object_r:shadow_t tclass=file
regex=denied \{ ([\w\ ]+) \} for pid=(\d+) exe=(\S+) name=(shadow|passwd|group) dev=\S+ ino=\S+ scontext=(\S+):(\S+):\S+ tcontext=(\S+):\S+:; \
 classification.text=RBAC authentication file $1 failure; \
 id=4000; \
 revision=1; \
 analyzer(0).name=SELinux; \
 analyzer(0).manufacturer=NSA; \
 analyzer(0).class=Kernel; \
 assessment.impact.severity=high; \
 assessment.impact.completion=failed; \
 assessment.impact.type=file; \
 assessment.impact.description=An $1 attempt was made against the file $4 using $3. This attempt was blocked.; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$5; \
 source(0).user.user_id(1).type=current-group; \
 source(0).user.user_id(1).name=$6; \
 source(0).process.name=$3; \
 source(0).process.pid=$2; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$7; \
 target(0).decoy=no; \
 last

#DESCRIPTION:RBAC shell failure
#CATEGORY:Authentication
#LOG:Aug 3 17:53:22 192 kernel: avc: denied { execute } for pid=1007 exe=/usr/sbin/httpd path=/bin/bash dev=08:02 ino=162980 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:shell_exec_t tclass=file
regex=denied \{ ([\w\ ]+) \} for pid=(\d+) exe=(\S+) path=(\S*bin\S*sh) dev=\S+ ino=\S+ scontext=(\S+):(\S+):\S+ tcontext=(\S+):\S+:; \
 classification.text=RBAC shell $1 failure; \
 id=4001; \
 revision=1; \
 analyzer(0).name=SELinux; \
 analyzer(0).manufacturer=NSA; \
 analyzer(0).class=Kernel; \
 assessment.impact.severity=high; \
 assessment.impact.completion=failed; \
 assessment.impact.type=file; \
 assessment.impact.description=An $1 attempt was made by $3 on $4. This attempt was blocked.; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$5; \
 source(0).user.user_id(1).type=current-group; \
 source(0).user.user_id(1).name=$6; \
 source(0).process.name=$3; \
 source(0).process.pid=$2; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$7; \
 last

#DESCRIPTION:RBAC shell failure (This rule might have a high false-positive rate)
#CATEGORY:Authentication
#LOG:Nov 18 11:43:18 new-selinux2 kernel: avc: denied { execute } for pid=14500 exe=/usr/bin/perl name=bash dev=03:02 ino=7995406 scontext=system_u:system_r:httpd_sys_script_process_t tcontext=system_u:object_r:shell_exec_t tclass=file
regex=denied \{ ([\w\ ]+) \} for pid=(\d+) exe=(\S+) name=(\S*sh) dev=\S+ ino=\S+ scontext=(\S+):(\S+):\S+ tcontext=(\S+):\S+:; \
 classification.text=RBAC shell $1 failure; \
 id=4002; \
 revision=1; \
 analyzer(0).name=SELinux; \
 analyzer(0).manufacturer=NSA; \
 analyzer(0).class=Kernel; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=failed; \
 assessment.impact.type=file; \
 assessment.impact.description=An $1 attempt was made by $3 on $4. This attempt was blocked.; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$5; \
 source(0).user.user_id(1).type=current-group; \
 source(0).user.user_id(1).name=$6; \
 source(0).process.name=$3; \
 source(0).process.pid=$2; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$7; \
 last

#DESCRIPTION:RBAC log failure
#CATEGORY:Authentication
#LOG:Nov 18 11:43:18 new-selinux2 kernel: avc: denied { read append } for pid=14499 exe=/usr/bin/perl path=/var/log/httpd/error_log dev=03:02 ino=5177929 scontext=system_u:system_r:httpd_sys_script_process_t tcontext=root:object_r:unlabeled_t tclass=file
regex=denied \{ ([\w\ ]+) \} for pid=(\d+) exe=(\S+) path=(\/var\/log\/\S+) dev=\S+ ino=\S+ scontext=(\S+):(\S+):\S+ tcontext=(\S+):\S+:; \
 classification.text=RBAC log $1 failure; \
 id=4003; \
 revision=1; \
 analyzer(0).name=SELinux; \
 analyzer(0).manufacturer=NSA; \
 analyzer(0).class=Kernel; \
 assessment.impact.severity=high; \
 assessment.impact.completion=failed; \
 assessment.impact.type=file; \
 assessment.impact.description=An $1 attempt was made by $3 on $4. This attempt was blocked.; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$5; \
 source(0).user.user_id(1).type=current-group; \
 source(0).user.user_id(1).name=$6; \
 source(0).process.name=$3; \
 source(0).process.pid=$2; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$7; \
 last

#DESCRIPTION:RBAC failure
#CATEGORY:Authentication
#LOG:Aug 2 01:15:10 192 kernel: avc: denied { execute } for pid=32440 exe=/usr/sbin/smbd path=/bin/bash dev=08:02 ino=162980 scontext=system_u:system_r:smbd_t tcontext=system_u:object_r:shell_exec_t tclass=file
regex=denied \{ ([\w\ ]+) \} for pid=(\d+) exe=(\S+) path=(\S+) dev=\S+ ino=\S+ scontext=(\S+):(\S+):\S+ tcontext=(\S+):\S+:; \
 classification.text=RBAC $1 failure; \
 id=4005; \
 revision=1; \
 analyzer(0).name=SELinux; \
 analyzer(0).manufacturer=NSA; \
 analyzer(0).class=Kernel; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=failed; \
 assessment.impact.type=file; \
 assessment.impact.description=An $1 attempt was made against $4 using $3. This attempt was blocked.; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$5; \
 source(0).user.user_id(1).type=current-group; \
 source(0).user.user_id(1).name=$6; \
 source(0).process.name=$3; \
 source(0).process.pid=$2; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$7; \
 last

#DESCRIPTION:RBAC failure
#CATEGORY:Authentication
#LOG:Nov 18 11:43:18 new-selinux2 kernel: avc: denied { execute } for pid=14500 path=/lib/libnss_files-2.3.2.so dev=03:02 ino=8503320 scontext=system_u:system_r:httpd_sys_script_process_t tcontext=system_u:object_r:var_spool_t tclass=file
regex=denied \{ ([\w\ ]+) \} for pid=(\d+) path=(\S+) dev=\S+ ino=\S+ scontext=(\S+):(\S+):\S+ tcontext=(\S+):\S+:; \
 classification.text=RBAC $1 failure; \
 id=4006; \
 revision=1; \
 analyzer(0).name=SELinux; \
 analyzer(0).manufacturer=NSA; \
 analyzer(0).class=Kernel; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=failed; \
 assessment.impact.type=file; \
 assessment.impact.description=An $1 attempt was made against $3. This attempt was blocked.; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$4; \
 source(0).user.user_id(1).type=current-group; \
 source(0).user.user_id(1).name=$5; \
 source(0).process.pid=$2; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$6; \
 last

#DESCRIPTION:RBAC failure
#CATEGORY:Authentication
#LOG:Aug 6 15:08:02 localhost kernel: avc: denied { dac_override } for pid=535 exe=/usr/bin/suidperl capability=1 scontext=system_u:user_r:user_t tcontext=system_u:user_r:user_t tclass=capability
regex=denied \{ ([\w\ ]+) \} for pid=(\d+) exe=(\S+) capability=\S+\s+scontext=(\S+):(\S+):\S+\s+tcontext=(\S+):\S+:; \
 classification.text=RBAC $1 failure; \
 id=4007; \
 revision=1; \
 analyzer(0).name=SELinux; \
 analyzer(0).manufacturer=NSA; \
 analyzer(0).class=Kernel; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=failed; \
 assessment.impact.description=An $1 attempt was made against $3. This attempt was blocked.; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$4; \
 source(0).user.user_id(1).type=current-group; \
 source(0).user.user_id(1).name=$5; \
 source(0).process.name=$3; \
 source(0).process.pid=$2; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$6; \
 last

#DESCRIPTION:RBAC failure
#CATEGORY:Authentication
#LOG:Nov 18 11:09:24 new-selinux2 kernel: avc: denied { unlink } for pid=10667 exe=/usr/local/java/j2sdk1.4.2_02/bin/java name=.index.log dev=03:02 ino=98986 scontext=user_u:user_r:user_t tcontext=user_u:object_r:unlabeled_t tclass=file
regex=denied \{ ([\w\ ]+) \} for pid=(\d+) exe=(\S+) name=(\S+) dev=\S+ ino=\S+ scontext=(\S+):(\S+):\S+ tcontext=(\S+):\S+:; \
 classification.text=RBAC $1 failure; \
 id=4008; \
 revision=1; \
 analyzer(0).name=SELinux; \
 analyzer(0).manufacturer=NSA; \
 analyzer(0).class=Kernel; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=failed; \
 assessment.impact.type=file; \
 assessment.impact.description=An $1 attempt was made against the file $4 using $3. This attempt was blocked.; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$5; \
 source(0).user.user_id(1).type=current-group; \
 source(0).user.user_id(1).name=$6; \
 source(0).process.name=$3; \
 source(0).process.pid=$2; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$7; \
 last

#DESCRIPTION:RBAC failure
#CATEGORY:Authentication
#LOG:Nov 18 11:09:24 new-selinux2 kernel: avc: denied { unlink } for pid=10667 exe=/usr/local/java/j2sdk1.4.2_02/bin/java name=.index.log dev=03:02 ino=98986 scontext=user_u:user_r:user_t tcontext=user_u:object_r:unlabeled_t tclass=file
#LOG:Nov 18 11:09:24 new-selinux2 kernel: avc: denied { unlink } for pid=10667 exe=/home/dev/My Documents/j2sdk1.4.2_02/bin/java name=.index.log dev=03:02 ino=98986 scontext=user_u:user_r:user_t tcontext=user_u:object_r:unlabeled_t tclass=file
regex=denied \{ ([\w\ ]+) \} for pid=(\d+) exe=(.*) name=.* dev=.* ino=.* scontext=(\S+):(\S+):\S+ tcontext=(\S+):(\S+):; \
 classification.text=RBAC $1 failure; \
 id=4009; \
 revision=1; \
 analyzer(0).name=SELinux; \
 analyzer(0).manufacturer=NSA; \
 analyzer(0).class=Kernel; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=failed; \
 assessment.impact.type=file; \
 assessment.impact.description=An $1 attempt was made against $3. This attempt was blocked.; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$4; \
 source(0).user.user_id(1).type=current-group; \
 source(0).user.user_id(1).name=$5; \
 source(0).process.name=$3; \
 source(0).process.pid=$2; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$6; \
 last

# File: ruleset/sendmail.rules
#FULLNAME: Sendmail
#VERSION: 1.0
#DESCRIPTION: Sendmail is an email routing facility that supports many kinds of mail-transfer and delivery methods, including the Simple Mail Transfer Protocol (SMTP) used for email transport over the Internet. The rules included here were developed using Sendmail 8.12.8-9.90.
#####
#
# Copyright (C) 2004 G Ramon Gomez
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

#DESCRIPTION:Mail server relay access denied
#CATEGORY:Email
#LOG:Jun 20 04:21:33 mail sendmail[28792]: ruleset=check_relay, arg1=c-67-181-100-174.client.comcast.net, arg2=67.181.100.174, relay=c-67-181-100-174.client.comcast.net [67.181.100.174], reject=550 5.7.1 Mail from 67.181.100.174 refused - see http://dsbl.org/
#LOG:Jun 22 09:01:52 mail sendmail[5475]: ruleset=check_relay, arg1=[61.102.237.129], arg2=61.102.237.129, relay=[61.102.237.129], reject=550 5.7.1 Mail from 61.102.237.129 refused - see http://dsbl.org/
regex=ruleset=check_relay, arg1=([\[\]\w\-\.]+), arg2=([\d\.]+), relay=.*\[[\d\.]+\], reject=550 5\.7\.1 (.+); \
 classification.text=Mail server relay access denied; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=rfc821_id; \
 classification.reference(0).name=550; \
 classification.reference(0).url=http://rfc.net/rfc821.html; \
 classification.reference(1).origin=vendor-specific; \
 classification.reference(1).meaning=rfc2476_id; \
 classification.reference(1).name=5.7.1; \
 classification.reference(1).url=http://rfc.net/rfc2476.html; \
 id=3700; \
 revision=2; \
 analyzer(0).name=Sendmail; \
 analyzer(0).manufacturer=www.sendmail.org; \
 analyzer(0).class=Service; \
 assessment.impact.completion=failed; \
 assessment.impact.type=other; \
 assessment.impact.severity=medium; \
 assessment.impact.description=$1 attempted to use mail server as relay, and was denied.; \
 source(0).node.name=$1; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$2; \
 source(0).service.iana_protocol_name=tcp; \
 source(0).service.iana_protocol_number=6; \
 target(0).service.iana_protocol_name=tcp; \
 target(0).service.iana_protocol_number=6; \
 target(0).service.port=25; \
 target(0).service.name=smtp; \
 additional_data(0).type=string; \
 additional_data(0).meaning=ACL; \
 additional_data(0).data=check_relay; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Failure reason; \
 additional_data(1).data=$3; \
 last

#DESCRIPTION:Mail server relay access denied
#CATEGORY:Email
#LOG:Jun 19 23:20:27 mail sendmail[28096]: i5K6KJmk028096: ruleset=check_rcpt, arg1=, relay=[211.243.40.167], reject=550 5.7.1 ... Relaying denied. IP name lookup failed [211.243.40.167]
regex=(\S+): ruleset=check_rcpt, arg1=<(\S+@\S+)>, relay=.*\[([\d\.]+)\], reject=550 5\.7\.1 (.+); \
 classification.text=Mail server relay access denied; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=rfc821_id; \
 classification.reference(0).name=550; \
 classification.reference(0).url=http://rfc.net/rfc821.html; \
 classification.reference(1).origin=vendor-specific; \
 classification.reference(1).meaning=rfc2476_id; \
 classification.reference(1).name=5.7.1; \
 classification.reference(1).url=http://rfc.net/rfc2476.html; \
 id=3701; \
 revision=2; \
 analyzer(0).name=Sendmail; \
 analyzer(0).manufacturer=www.sendmail.org; \
 analyzer(0).class=Service; \
 assessment.impact.completion=failed; \
 assessment.impact.type=other; \
 assessment.impact.severity=medium; \
 assessment.impact.description=$2 attempted to use mail server as relay, and was denied.; \
 source(0).node.address(0).category=e-mail; \
 source(0).node.address(0).address=$2; \
 source(0).node.address(1).category=ipv4-addr; \
 source(0).node.address(1).address=$3; \
 source(0).service.iana_protocol_name=tcp; \
 source(0).service.iana_protocol_number=6; \
 target(0).service.iana_protocol_name=tcp; \
 target(0).service.iana_protocol_number=6; \
 target(0).service.port=25; \
 target(0).service.name=smtp; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Session ID; \
 additional_data(0).data=$1; \
 additional_data(1).type=string; \
 additional_data(1).meaning=ACL; \
 additional_data(1).data=check_rcpt; \
 additional_data(2).type=string; \
 additional_data(2).meaning=Failure reason; \
 additional_data(2).data=$4; \
 last

#DESCRIPTION:Mail server relay access denied
#CATEGORY:Email
#LOG:Jun 25 17:30:55 mail sendmail[29822]: i5Q0Ukjt029822: ruleset=check_mail, arg1=, relay=[211.210.172.167], reject=553 5.1.8 ... Domain of sender address vrrfvbvwzihdz@cninfo.net does not exist
regex=(\S+): ruleset=check_mail, arg1=<(\S+@\S+)>, relay=.*\[([\d\.]+)\], reject=553 5\.1\.8 (.+); \
 classification.text=Mail server relay access denied; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=rfc821_id; \
 classification.reference(0).name=553; \
 classification.reference(0).url=http://rfc.net/rfc821.html; \
 classification.reference(1).origin=vendor-specific; \
 classification.reference(1).meaning=rfc2476_id; \
 classification.reference(1).name=5.1.8; \
 classification.reference(1).url=http://rfc.net/rfc2476.html; \
 id=3702; \
 revision=2; \
 analyzer(0).name=Sendmail; \
 analyzer(0).manufacturer=www.sendmail.org; \
 analyzer(0).class=Service; \
 assessment.impact.completion=failed; \
 assessment.impact.type=other; \
 assessment.impact.severity=medium; \
 assessment.impact.description=$2 attempted to use mail server as relay, and was denied.; \
 source(0).node.address(0).category=e-mail; \
 source(0).node.address(0).address=$2; \
 source(0).node.address(1).category=ipv4-addr; \
 source(0).node.address(1).address=$3; \
 source(0).service.iana_protocol_name=tcp; \
 source(0).service.iana_protocol_number=6; \
 target(0).service.iana_protocol_name=tcp; \
 target(0).service.iana_protocol_number=6; \
 target(0).service.port=25; \
 target(0).service.name=smtp; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Session ID; \
 additional_data(0).data=$1; \
 additional_data(1).type=string; \
 additional_data(1).meaning=ACL; \
 additional_data(1).data=check_mail; \
 additional_data(2).type=string; \
 additional_data(2).meaning=Failure reason; \
 additional_data(2).data=$4; \
 last

#DESCRIPTION:Mail server shutdown
#CATEGORY:Service Management
#LOG:Jun 22 09:23:54 mail sendmail: sendmail shutdown succeeded
regex=sendmail shutdown succeeded; \
 classification.text=Mail server shutdown; \
 id=3703; \
 revision=1; \
 analyzer(0).name=Sendmail; \
 analyzer(0).manufacturer=www.sendmail.org; \
 analyzer(0).class=Service; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Sendmail reported a shutdown; \
 assessment.impact.type=other; \
 assessment.impact.severity=medium; \
 last

#DESCRIPTION:Mail server startup
#CATEGORY:Service Management
#LOG:Jun 22 09:23:54 mail sendmail: sendmail startup succeeded
regex=sendmail startup succeeded; \
 classification.text=Mail server startup; \
 id=3704; \
 revision=1; \
 analyzer(0).name=Sendmail; \
 analyzer(0).manufacturer=www.sendmail.org; \
 analyzer(0).class=Service; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Sendmail reported a startup; \
 assessment.impact.type=other; \
 assessment.impact.severity=info; \
 last

#DESCRIPTION:Mail server suspicious access
#CATEGORY:Email
#LOG:Jun 22 06:43:01 mail sendmail[5195]: i5MDgomk005195: AClermont-Ferrand-108-1-6-103.w81-49.abo.wanadoo.fr [81.49.192.103] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
regex=(\S+): ([\w\-\.]+) \[([\d\.]+)\] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA; \
 classification.text=Mail server suspicious access; \
 id=3705; \
 revision=2; \
 analyzer(0).name=Sendmail; \
 analyzer(0).manufacturer=www.sendmail.org; \
 analyzer(0).class=Service; \
 assessment.impact.completion=failed; \
 assessment.impact.description=Lost connection from $2. Might be a version scanner or a spammer.; \
 assessment.impact.type=recon; \
 assessment.impact.severity=low; \
 source(0).node.name=$2; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$3; \
 source(0).service.iana_protocol_name=tcp; \
 source(0).service.iana_protocol_number=6; \
 target(0).service.iana_protocol_name=tcp; \
 target(0).service.iana_protocol_number=6; \
 target(0).service.port=25; \
 target(0).service.name=smtp; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Session ID; \
 additional_data(0).data=$1; \
 last

#DESCRIPTION:Mail server unknown user
#CATEGORY:Email
#LOG:Jun 25 18:59:39 mail sendmail[29873]: i5Q1xRjt029873: ... User unknown
regex=(\S+): <(\S+@\S+)>... User unknown; \
 classification.text=Mail server unknown user; \
 id=3706; \
 revision=2; \
 analyzer(0).name=Sendmail; \
 analyzer(0).manufacturer=www.sendmail.org; \
 analyzer(0).class=Service; \
 assessment.impact.completion=failed; \
 assessment.impact.description=Mail was sent to unknown user $2. This could be a scan for valid email addresses, or email to an old, now invalid account.; \
 assessment.impact.type=recon; \
 assessment.impact.severity=low; \
 source(0).service.iana_protocol_name=tcp; \
 source(0).service.iana_protocol_number=6; \
 target(0).node.address(0).category=e-mail; \
 target(0).node.address(0).address=$2; \
 target(0).service.iana_protocol_name=tcp; \
 target(0).service.iana_protocol_number=6; \
 target(0).service.port=25; \
 target(0).service.name=smtp; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Session ID; \
 additional_data(0).data=$1; \
 last

#DESCRIPTION:Mail server user obfuscation
#CATEGORY:Email
#LOG:Jun 4 12:25:26 mail sendmail[21691]: i54JPQCi021691: Authentication-Warning: mail.somehost.com: apache set sender to someguy@somehost.com using -f
regex=(\S+): Authentication-Warning: ([\w\-\.]+): (\S+) set sender to (\S+@\S+) using; \
 classification.text=Mail server user obfuscation; \
 id=3707; \
 revision=2; \
 analyzer(0).name=Sendmail; \
 analyzer(0).manufacturer=www.sendmail.org; \
 analyzer(0).class=Service; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=$3 sent email as $4 instead of the assigned e-mail address.
This may be normal (webmail systems do this), or it could be an attempt to hide the email originator.; \ assessment.impact.type=other; \ assessment.impact.severity=low; \ source(0).user.user_id(0).type=current-user; \ source(0).user.user_id(0).name=$3; \ source(0).service.iana_protocol_name=tcp; \ source(0).service.iana_protocol_number=6; \ target(0).node.name=$2; \ target(0).node.address(0).category=e-mail; \ target(0).node.address(0).address=$4; \ target(0).service.iana_protocol_name=tcp; \ target(0).service.iana_protocol_number=6; \ target(0).service.port=25; \ target(0).service.name=smtp; \ additional_data(0).type=string; \ additional_data(0).meaning=Session ID; \ additional_data(0).data=$1; \ last #DESCRIPTION:Mail server user discovery #CATEGORY:Email #LOG:Jul 3 06:10:43 mail sendmail[17436]: i63DAajt017436: PPPa1736.tokyo-ip.dti.ne.jp [210.170.207.236]: VRFY somebody [rejected] regex=(\S+): ([\w\-\.]+) \[([\d\.]+)\]: VRFY (\S+) \[rejected\]; \ classification.text=Mail server user discovery; \ id=3708; \ revision=2; \ analyzer(0).name=Sendmail; \ analyzer(0).manufacturer=www.sendmail.org; \ analyzer(0).class=Service; \ assessment.impact.completion=failed; \ assessment.impact.description=$2 tried to establish whether $4 existed or not. 
This could be a scan for valid email addresses.; \ assessment.impact.type=recon; \ assessment.impact.severity=medium; \ source(0).node.name=$2; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$3; \ source(0).service.iana_protocol_name=tcp; \ source(0).service.iana_protocol_number=6; \ target(0).node.address(0).category=e-mail; \ target(0).node.address(0).address=$3; \ target(0).service.iana_protocol_name=tcp; \ target(0).service.iana_protocol_number=6; \ target(0).service.port=25; \ target(0).service.name=smtp; \ additional_data(0).type=string; \ additional_data(0).meaning=Session ID; \ additional_data(0).data=$1; \ last #DESCRIPTION:Mail server group member discovery #CATEGORY:Email #LOG:Jul 3 06:10:43 mail sendmail[17436]: i63DAajt017436: PPPa1736.tokyo-ip.dti.ne.jp [210.170.207.236]: EXPN somegroup [rejected] regex=(\S+): ([\w\-\.]+) \[([\d\.]+)\]: EXPN (\S+) \[rejected\]; \ classification.text=Mail server group member discovery; \ id=3709; \ revision=2; \ analyzer(0).name=Sendmail; \ analyzer(0).manufacturer=www.sendmail.org; \ analyzer(0).class=Service; \ assessment.impact.completion=failed; \ assessment.impact.description=$2 tried to establish group memberships for $4. 
This could be a scan for valid email addresses.; \ assessment.impact.type=recon; \ assessment.impact.severity=medium; \ source(0).node.name=$2; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$3; \ source(0).service.iana_protocol_name=tcp; \ source(0).service.iana_protocol_number=6; \ target(0).node.address(0).category=e-mail; \ target(0).node.address(0).address=$4; \ target(0).service.iana_protocol_name=tcp; \ target(0).service.iana_protocol_number=6; \ target(0).service.port=25; \ target(0).service.name=smtp; \ additional_data(0).type=string; \ additional_data(0).meaning=Session ID; \ additional_data(0).data=$1; \ last #DESCRIPTION:Generic message #CATEGORY:Email #LOG:Apr 5 16:59:43 vm-mail sendmail[1821]: k35NxhZA001821: from=ccook@xxx.com, size=357, class=0, nrcpts=1, msgid=<443459EF.mail1EK1XC3LT@xxx.com>, relay=root@localhost regex=from=(\S+), size=(\d+), class=\d+, nrcpts=\d+, msgid=<(\S+@\S+)>; \ new_context=SPAMASSASSIN_$3,expire:10; \ source(0).node.address(0).category=e-mail; \ source(0).node.address(0).address=$1; \ additional_data(0).type=integer; \ additional_data(0).meaning=Size; \ additional_data(0).data=$2; \ silent prelude-lml-rules-5.1.0/ruleset/shadow-utils.rules0000664000175000017500000004172213537533463022437 0ustar tandrejatandreja#FULLNAME: shadow-utils #VERSION: 1.0 #DESCRIPTION: The shadow-utils includes programs for converting UNIX password files to the shadow password format, as well as tools for managing user and group accounts. The rules included here were developed using shadow-utils 4.0.3-12. ##### # # Copyright (C) 2004 G Ramon Gomez # All Rights Reserved # # This file is part of the Prelude-LML program. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2, or (at your option) # any later version. 
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

#DESCRIPTION:Group created
#CATEGORY:Account Management
#LOG:Oct 30 10:18:37 localhost groupadd[3491]: new group: name=test, GID=1003
#LOG:May 10 16:37:57 somehost groupadd[618]: new group: name=clamav, gid=46
regex=new group: name=(\S+), [gG][iI][dD]=(?!0)(\d+); \
 classification.text=Group Created; \
 id=3300; \
 revision=1; \
 analyzer(0).name=shadow-utils; \
 analyzer(0).class=Administration; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=user; \
 assessment.impact.description=The group $1 was created with gid $2; \
 target(0).user.user_id(0).type=current-group; \
 target(0).user.user_id(0).name=$1; \
 target(0).user.user_id(0).number=$2; \
 last

#DESCRIPTION:Group created with GID 0 (wheel)
#CATEGORY:Account Management
#LOG:Oct 30 10:19:22 localhost groupadd[3491]: new group: name=wheel, GID=0
#LOG:May 10 16:37:57 somehost groupadd[618]: new group: name=wheel, gid=0
regex=new group: name=(\S+), [gG][iI][dD]=0; \
 classification.text=Group Created with GID 0; \
 id=3301; \
 revision=1; \
 analyzer(0).name=shadow-utils; \
 analyzer(0).class=Administration; \
 assessment.impact.severity=high; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=admin; \
 assessment.impact.description=The group $1 was created with gid 0; \
 target(0).user.user_id(0).type=current-group; \
 target(0).user.user_id(0).name=$1; \
 target(0).user.user_id(0).number=0; \
 last

#DESCRIPTION:User created
#CATEGORY:Account Management
#LOG:Oct 30 10:18:37 localhost useradd[3495]: new user: name=test, UID=1005, GID=1003, home=/home/test, shell=/bin/bash
#LOG:May 10 16:37:57 somehost useradd[621]: new user: name=clamav, uid=46, gid=46, home=/tmp, shell=/sbin/nologin
regex=new user: name=(\S+), [uU][iI][dD]=(?!0)(\d+), [gG][iI][dD]=(?!0)(\d+), home=(\S+), shell=(\S+); \
 classification.text=User Created; \
 id=3302; \
 revision=2; \
 analyzer(0).name=shadow-utils; \
 analyzer(0).class=Administration; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=user; \
 assessment.impact.description=The user $1 was created with uid $2 and gid $3; \
 target(0).user.user_id(0).type=current-user; \
 target(0).user.user_id(0).name=$1; \
 target(0).user.user_id(0).number=$2; \
 target(0).user.user_id(1).type=current-group; \
 target(0).user.user_id(1).number=$3; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Home directory; \
 additional_data(0).data=$4; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Shell; \
 additional_data(1).data=$5; \
 last

#DESCRIPTION:User created with UID 0
#CATEGORY:Account Management
#LOG:Oct 30 10:18:37 localhost useradd[3495]: new user: name=test, UID=0, GID=45, home=/home/test, shell=/bin/bash
#LOG:May 10 16:37:57 somehost useradd[621]: new user: name=someuser, uid=0, gid=46, home=/tmp, shell=/sbin/nologin
regex=new user: name=(\S+), [uU][iI][dD]=0, [gG][iI][dD]=(?!0)(\d+), home=(\S+), shell=(\S+); \
 classification.text=User Created with UID 0; \
 id=3303; \
 revision=2; \
 analyzer(0).name=shadow-utils; \
 analyzer(0).class=Administration; \
 assessment.impact.severity=high; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=admin; \
 assessment.impact.description=The user $1 was created with uid 0 and gid $2; \
 target(0).user.user_id(0).type=current-user; \
 target(0).user.user_id(0).name=$1; \
 target(0).user.user_id(0).number=0; \
 target(0).user.user_id(1).type=current-group; \
 target(0).user.user_id(1).number=$2; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Home directory; \
 additional_data(0).data=$3; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Shell; \
 additional_data(1).data=$4; \
 last

#DESCRIPTION:User created with GID 0
#CATEGORY:Account Management
#LOG:Oct 30 10:18:37 localhost useradd[3495]: new user: name=test, UID=55, GID=0, home=/home/test, shell=/bin/bash
#LOG:May 10 16:37:57 somehost useradd[621]: new user: name=someuser, uid=46, gid=0, home=/tmp, shell=/sbin/nologin
regex=new user: name=(\S+), [uU][iI][dD]=(?!0)(\d+), [gG][iI][dD]=0, home=(\S+), shell=(\S+); \
 classification.text=User Created with GID 0; \
 id=3304; \
 revision=2; \
 analyzer(0).name=shadow-utils; \
 analyzer(0).class=Administration; \
 assessment.impact.severity=high; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=admin; \
 assessment.impact.description=The user $1 was created with uid $2 and gid 0; \
 target(0).user.user_id(0).type=current-user; \
 target(0).user.user_id(0).name=$1; \
 target(0).user.user_id(0).number=$2; \
 target(0).user.user_id(1).type=current-group; \
 target(0).user.user_id(1).number=0; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Home directory; \
 additional_data(0).data=$3; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Shell; \
 additional_data(1).data=$4; \
 last

#DESCRIPTION:User created with UID/GID 0
#CATEGORY:Account Management
#LOG:Oct 30 10:18:37 localhost useradd[3495]: new user: name=test, UID=0, GID=0, home=/home/test, shell=/bin/bash
#LOG:May 10 16:37:57 somehost useradd[621]: new user: name=someuser, uid=0, gid=0, home=/tmp, shell=/sbin/nologin
regex=new user: name=(\S+), [uU][iI][dD]=0, [gG][iI][dD]=0, home=(\S+), shell=(\S+); \
 classification.text=User Created with UID/GID 0; \
 id=3305; \
 revision=2; \
 analyzer(0).name=shadow-utils; \
 analyzer(0).class=Administration; \
 assessment.impact.severity=high; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=admin; \
 assessment.impact.description=The user $1 was created with uid and gid 0; \
 target(0).user.user_id(0).type=current-user; \
 target(0).user.user_id(0).name=$1; \
 target(0).user.user_id(0).number=0; \
 target(0).user.user_id(1).type=current-group; \
 target(0).user.user_id(1).number=0; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Home directory; \
 additional_data(0).data=$2; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Shell; \
 additional_data(1).data=$3; \
 last

#DESCRIPTION:User name changed
#CATEGORY:Account Management
#LOG:May 12 16:16:34 metatron usermod[14432]: change user name `bogususer' to `nonbogususer'
#LOG:Dec 4 10:23:20 maximus usermod[2939]: change user name 'tartempion' to 'tartuf'
regex=change user name ['`](\S+)' to ['`](\S+)'; \
 classification.text=User Name Changed; \
 id=3306; \
 revision=1; \
 analyzer(0).name=shadow-utils; \
 analyzer(0).class=Administration; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=user; \
 assessment.impact.description=The user $1 was renamed $2; \
 target(0).user.user_id(0).type=original-user; \
 target(0).user.user_id(0).name=$1; \
 target(0).user.user_id(1).type=current-user; \
 target(0).user.user_id(1).name=$2; \
 last

#DESCRIPTION:User UID changed
#CATEGORY:Account Management
#LOG:May 12 16:16:34 metatron usermod[14432]: change user `nonbogususer' UID from `555' to `503'
#LOG:Dec 4 10:28:51 maximus usermod[3081]: change user 'tartuf' UID from '502' to '888'
regex=change user ['`](\S+)' UID from ['`](\d+)' to ['`](?!0)(\d+)'; \
 classification.text=User UID Changed; \
 id=3307; \
 revision=1; \
 analyzer(0).name=shadow-utils; \
 analyzer(0).class=Administration; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=user; \
 assessment.impact.description=The user $1 had its UID changed from $2 to $3; \
 target(0).user.user_id(0).type=original-user; \
 target(0).user.user_id(0).name=$1; \
 target(0).user.user_id(0).number=$2; \
 target(0).user.user_id(1).type=current-user; \
 target(0).user.user_id(1).name=$1; \
 target(0).user.user_id(1).number=$3; \
 last

#DESCRIPTION:User UID changed to 0
#CATEGORY:Account Management
#LOG:May 12 16:16:34 metatron usermod[14432]: change user `nonbogususer' UID from `555' to `0'
#LOG:Dec 4 10:28:51 maximus usermod[3081]: change user 'tartuf' UID from '502' to '0'
regex=change user ['`](\S+)' UID from ['`](\d+)' to ['`]0'; \
 classification.text=User UID Changed to 0; \
 id=3308; \
 revision=1; \
 analyzer(0).name=shadow-utils; \
 analyzer(0).class=Administration; \
 assessment.impact.severity=high; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=admin; \
 assessment.impact.description=The user $1 had its UID changed from $2 to 0; \
 target(0).user.user_id(0).type=original-user; \
 target(0).user.user_id(0).name=$1; \
 target(0).user.user_id(0).number=$2; \
 target(0).user.user_id(1).type=current-user; \
 target(0).user.user_id(1).name=$1; \
 target(0).user.user_id(1).number=0; \
 last

#DESCRIPTION:User primary GID changed
#CATEGORY:Account Management
#LOG:May 12 16:16:34 metatron usermod[14432]: change user `nonbogususer' GID from `503' to `503'
#LOG:Dec 4 10:32:33 maximus usermod[3368]: change user 'tartuf' GID from '503' to '500'
regex=change user ['`](\S+)' GID from ['`](\d+)' to ['`](?!0)(\d+)'; \
 classification.text=User Primary GID Changed; \
 id=3309; \
 revision=1; \
 analyzer(0).name=shadow-utils; \
 analyzer(0).class=Administration; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=user; \
 assessment.impact.description=The user $1 had its GID changed from $2 to $3; \
 target(0).user.user_id(0).type=current-user; \
 target(0).user.user_id(0).name=$1; \
 target(0).user.user_id(1).type=current-group; \
 target(0).user.user_id(1).number=$3; \
 last

#DESCRIPTION:User primary GID changed to 0
#CATEGORY:Account Management
#LOG:May 12 16:16:34 metatron usermod[14432]: change user `nonbogususer' GID from `503' to `0'
#LOG:Dec 4 10:32:33 maximus usermod[3368]: change user 'tartuf' GID from '503' to '0'
regex=change user ['`](\S+)' GID from ['`](\d+)' to ['`]0'; \
 classification.text=User Primary GID Changed to 0; \
 id=3310; \
 revision=1; \
 analyzer(0).name=shadow-utils; \
 analyzer(0).class=Administration; \
 assessment.impact.severity=high; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=admin; \
 assessment.impact.description=The user $1 had its GID changed from $2 to 0; \
 target(0).user.user_id(0).type=current-user; \
 target(0).user.user_id(0).name=$1; \
 target(0).user.user_id(1).type=current-group; \
 target(0).user.user_id(1).number=0; \
 last

#DESCRIPTION:Group GID changed
#CATEGORY:Account Management
#LOG:May 12 16:11:01 metatron groupmod[9873]: change gid for `nonbogusgroup' to 504
regex=change gid for `(\S+)' to (?!0)(\d+); \
 classification.text=Group GID Changed; \
 id=3311; \
 revision=1; \
 analyzer(0).name=shadow-utils; \
 analyzer(0).class=Administration; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=user; \
 assessment.impact.description=The group $1 had its GID changed to $2; \
 target(0).user.user_id(0).type=current-group; \
 target(0).user.user_id(0).name=$1; \
 target(0).user.user_id(0).number=$2; \
 last

#DESCRIPTION:Group GID changed to 0
#CATEGORY:Account Management
#LOG:May 12 16:11:01 metatron groupmod[9873]: change gid for `nonbogusgroup' to 0
regex=change gid for `(\S+)' to 0; \
 classification.text=Group GID Changed to 0; \
 id=3312; \
 revision=1; \
 analyzer(0).name=shadow-utils; \
 analyzer(0).class=Administration; \
 assessment.impact.severity=high; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=admin; \
 assessment.impact.description=The group $1 had its GID changed to 0; \
 target(0).user.user_id(0).type=current-group; \
 target(0).user.user_id(0).name=$1; \
 target(0).user.user_id(0).number=0; \
 last

#DESCRIPTION:User added to group
#CATEGORY:Account Management
#LOG:May 13 15:55:12 metatron usermod[20587]: add `bogususer' to group `slocate'
#LOG:Dec 4 11:03:18 maximus usermod[5438]: add 'tartuf' to group 'tonton'
regex=add ['`](\S+)' to group ['`](?!wheel|root|sudo)(\S+)'; \
 classification.text=User Added to Group; \
 id=3313; \
 revision=1; \
 analyzer(0).name=shadow-utils; \
 analyzer(0).class=Administration; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=user; \
 assessment.impact.description=The user $1 was added to group $2; \
 target(0).user.user_id(0).type=current-user; \
 target(0).user.user_id(0).name=$1; \
 target(0).user.user_id(1).type=current-group; \
 target(0).user.user_id(1).name=$2; \
 last

#DESCRIPTION:User added to group
#CATEGORY:Account Management
#LOG:May 13 15:55:12 metatron usermod[20587]: add `test' to group `sudo'
#LOG:May 13 15:55:12 metatron usermod[20587]: add `bogususer' to group `wheel'
#LOG:Dec 4 11:03:18 maximus usermod[5438]: add 'tartuf' to group 'wheel'
regex=add ['`](\S+)' to group ['`](wheel|root|sudo)'; \
 classification.text=User Added to Group $2; \
 id=3314; \
 revision=1; \
 analyzer(0).name=shadow-utils; \
 analyzer(0).class=Administration; \
 assessment.impact.severity=high; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=admin; \
 assessment.impact.description=The user $1 was added to group $2; \
 target(0).user.user_id(0).type=current-user; \
 target(0).user.user_id(0).name=$1; \
 target(0).user.user_id(1).type=current-group; \
 target(0).user.user_id(1).name=$2; \
 last

#DESCRIPTION:Group GID changed
#CATEGORY:Account Management
#LOG:Dec 4 10:43:35 maximus groupmod[5097]: group changed in /etc/passwd (group tonton/504, new gid: 888)
#LOG:Dec 4 10:43:35 maximus groupmod[5097]: group changed in /etc/group (group tonton/504, new gid: 888)
regex=group changed in (/etc/passwd|/etc/group) \(group ([^/]+)\/(\d+), new gid: (?!0)(\d+)\); \
 classification.text=Group GID Changed; \
 id=3315; \
 revision=1; \
 analyzer(0).name=shadow-utils; \
 analyzer(0).class=Administration; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=user; \
 assessment.impact.description=The group $2 had its GID changed from $3 to $4; \
 target(0).file(0).path=$1; \
 target(0).user.user_id(0).type=current-group; \
 target(0).user.user_id(0).name=$2; \
 target(0).user.user_id(0).number=$4; \
 last

#DESCRIPTION:Group GID changed to 0
#CATEGORY:Account Management
#LOG:Dec 4 10:43:35 maximus groupmod[5097]: group changed in /etc/passwd (group tonton/504, new gid: 0)
#LOG:Dec 4 10:43:35 maximus groupmod[5097]: group changed in /etc/group (group tonton/504, new gid: 0)
regex=group changed in (/etc/passwd|/etc/group) \(group ([^/]+)\/(\d+), new gid: 0\); \
 classification.text=Group GID Changed to 0; \
 id=3316; \
 revision=1; \
 analyzer(0).name=shadow-utils; \
 analyzer(0).class=Administration; \
 assessment.impact.severity=high; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=admin; \
 assessment.impact.description=The group $2 had its GID changed from $3 to 0; \
 target(0).file(0).path=$1; \
 target(0).user.user_id(0).type=current-group; \
 target(0).user.user_id(0).name=$2; \
 target(0).user.user_id(0).number=0; \
 last

#DESCRIPTION:User deleted
#CATEGORY:Account Management
#LOG:Nov 4 15:18:16 exatest1 userdel[10259]: delete user `testuser'
#LOG:Dec 4 11:14:44 maximus userdel[5627]: delete user 'tartuf'
regex=userdel\[\d+\]: delete user ['`]([^']+)'; \
 classification.text=User deleted; \
 id=3317; \
 revision=1; \
 analyzer(0).name=shadow-utils; \
 analyzer(0).class=Administration; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=admin; \
 assessment.impact.description=User account $1 was deleted; \
 target(0).user.user_id(0).type=current-user; \
 target(0).user.user_id(0).name=$1; \
 last

#DESCRIPTION:Group deleted
#CATEGORY:Account Management
#LOG:Dec 4 11:15:55 maximus groupdel[5648]: group 'tonton' removed
regex=groupdel\[\d+\]: group ['`]([^']+)' removed; \
 classification.text=Group deleted; \
 id=3318; \
 revision=1; \
 analyzer(0).name=shadow-utils; \
 analyzer(0).class=Administration; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=admin; \
 assessment.impact.description=Group $1 was deleted; \
 target(0).user.user_id(0).type=current-group; \
 target(0).user.user_id(0).name=$1; \
 last

prelude-lml-rules-5.1.0/ruleset/single.rules
#FULLNAME: Single rules
#VERSION: 1.0
#DESCRIPTION: Single and standalone rules that don't match up with any particular ruleset.
#####
#
# Copyright (C) 2004 Yoann Vandoorselaere
# All Rights Reserved
#
# RulesID "Execution attempt"
# Copyright (C) 2002 Brad Spengler
# All Rights Reserved
#
# RulesID 403, 411
# Copyright (C) 2004-2005 G Ramon Gomez
# All Rights Reserved
#
# RulesID 410
# Copyright (C) 2005 M LeBlanc
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

#DESCRIPTION:Promiscuous mode detected
#CATEGORY:Network Security
#LOG:Mar 28 12:30:01 gtsdmzuxids1 kernel: device eth1 entered promiscuous mode
regex=device (\S+) entered promiscuous mode; \
 classification.text=Promiscuous mode detected; \
 id=400; \
 revision=1; \
 analyzer(0).name=kernel; \
 analyzer(0).class=Kernel; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.severity=low; \
 assessment.impact.description=A sniffer is probably running on this machine; \
 target(0).interface=$1; \
 last

#DESCRIPTION:PAX - Execution attempt
#CATEGORY:Command Execution
#LOG:Apr 9 20:56:41 emma kernel: PAX: From 1.2.3.4: execution attempt in: /usr/lib/paxtest/shlibtest.so, 25891000-25892000 00001000
regex=From (\S+): execution attempt in:; \
 add_context=PAX_OVERFLOW_SOURCE; \
 source(0).node.address(>>).address = $1; \
 silent; last

#DESCRIPTION:PAX - Possible buffer overflow
#CATEGORY:Monitoring
#LOG:Sep 6 18:21:18 amoeba PAX: terminating task: /usr/X11R6/bin/glxinfo(glxinfo):7661, uid/euid: 9999/9999, PC: 25755afc, SP: 5bc95e2c
#LOG:Oct 13 20:56:41 emma kernel: PAX: terminating task: /usr/bin/localedef(localedef):5208, uid/euid: 0/0, EIP: BFF4C330, ESP: BFF4C21C
regex=terminating task: ([^(]+)\(([^)]+)\):(\d+), uid/euid: (\d+)/(\d+); \
 optional_context=PAX_OVERFLOW_SOURCE; \
 destroy_context=PAX_OVERFLOW_SOURCE; \
 classification.text=Possible buffer overflow; \
 id=402; \
 revision=2; \
 analyzer(0).name=PAX; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Memory Violation; \
 assessment.impact.completion=failed; \
 assessment.impact.type=file; \
 assessment.impact.severity=high; \
 source(0).process.path = $1; \
 source(0).process.name=$2; \
 source(0).process.pid=$3; \
 source(0).user.category=application; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).number=$4; \
 source(0).user.user_id(1).type=original-user; \
 source(0).user.user_id(1).number=$5; \
 assessment.impact.description=A possible buffer overflow occurred in $1. You should consider this an attack against your system.; \
 last

#DESCRIPTION:Oracle - Command audit
#CATEGORY:Command Execution
#LOG:Apr 13 11:31:55 12.34.56.78 oracle.pr[info] 34 Audit trail: ACTION : 'connect internal' OSPRIV : DBA CLIENT USER: linc CLIENT TERMINAL: DB3 STATUS: SUCCEEDED ( 0 ) .
regex=Audit trail: ACTION : ('.+') OSPRIV : DBA CLIENT USER: (\S+) CLIENT TERMINAL: (\S+); \
 classification.text=Command audit; \
 id=403; \
 revision=2; \
 analyzer(0).name=Database; \
 analyzer(0).manufacturer=Oracle; \
 analyzer(0).class=Database; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=admin; \
 assessment.impact.description=The command $1 was executed; \
 source(0).user.category=application; \
 source(0).user.user_id(0).type=original-user; \
 source(0).user.user_id(0).name=$2; \
 source(0).node.name=$3; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Command; \
 additional_data(0).data=$1; \
 last

#DESCRIPTION:Xinetd - TFTP Session
#CATEGORY:Authentication
#LOG:Apr 28 08:56:46 somehost xinetd[17300]: START: tftp pid=10590 from=12.34.56.78
regex=START: tftp pid=(\d+) from=([\d\.]+); \
 classification.text=TFTP Session; \
 id=404; \
 revision=1; \
 analyzer(0).name=xinetd; \
 analyzer(0).class=Service; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=user; \
 assessment.impact.description=A TFTP session was initiated; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$2; \
 source(0).service.iana_protocol_name=udp; \
 source(0).service.iana_protocol_number=17; \
 target(0).service.port=69; \
 target(0).service.name=tftp; \
 target(0).service.iana_protocol_name=udp; \
 target(0).service.iana_protocol_number=17; \
 target(0).process.pid=$1; \
 last

#DESCRIPTION:P3Scan - Virus found
#CATEGORY:Malware
#LOG:Jun 14 05:38:52 oahu p3scan[5973]: '/var/spool/p3scan/children/5973/p3scan.Pu3u8g' contains a virus (Infection: W32/Zafi.B@mm)!
#LOG:Jul 13 19:44:44 localhost p3scan[529]: '/var/spool/p3scan/children/529/p3scan.ASA1Cl' contains a virus (Worm.Mytob.GH)!
regex='(\S+)' contains a virus \((Infection: )?(\S+)\); \
 classification.text=Virus found: $3; \
 id=405; \
 revision=2; \
 analyzer(0).name=P3Scan; \
 analyzer(0).manufacturer=p3scan.sourceforge.net; \
 analyzer(0).class=Antivirus; \
 assessment.impact.severity=high; \
 assessment.impact.type=file; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=A virus has been identified by P3Scan; \
 additional_data(0).type=string; \
 additional_data(0).meaning=File; \
 additional_data(0).data=$1; \
 last

#DESCRIPTION:Syslogd (startup|shutdown) succeeded
#CATEGORY:Service Management
#LOG:Jun 22 12:58:25 mail syslog: syslogd shutdown succeeded
#LOG:Jun 22 12:58:55 mail syslog: syslogd startup succeeded
regex=syslogd (startup|shutdown) succeeded; \
 classification.text=Syslog $1; \
 id=406; \
 revision=1; \
 analyzer(0).name=syslog; \
 analyzer(0).class=Service; \
 assessment.impact.severity=low; \
 assessment.impact.type=dos; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=The syslogd service reported a $1; \
 last

#DESCRIPTION:DLink Syslog - Packet denied
#CATEGORY:Packet Filtering
#LOG:Apr 11 19:59:02 penguin dlink-syslog[28178]: Apr/11/2005 14:26:01 Drop TCP packet from WAN 80.231.184.68:3685 12.34.56.78:17300 Rule: Default deny
#LOG:Apr 11 19:59:02 penguin dlink-syslog[28178]: Apr/11/2005 15:08:57 Drop UDP packet from WAN 218.83.153.58:54234 12.34.56.78:1026 Rule: Default deny
regex=Drop (TCP|UDP) packet from ([LW]AN) ([\d\.]+):(\d+) ([\d\.]+):(\d+) Rule: (.+); \
 classification.text=Packet denied; \
 id=407; \
 revision=2; \
 analyzer(0).name=Wireless Router; \
 analyzer(0).manufacturer=D-Link; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=medium; \
 assessment.impact.description=A packet was dropped by D-Link rule "$7".; \
 source(0).interface=$2; \
 source(0).service.iana_protocol_name=$1; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$3; \
 source(0).service.port=$4; \
 target(0).service.iana_protocol_name=$1; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$5; \
 target(0).service.port=$6; \
 additional_data(0).type=string; \
 additional_data(0).meaning=ACL; \
 additional_data(0).data=$7; \
 last

#DESCRIPTION:Identd - Ident response issued
#CATEGORY:Authentication
#LOG:Apr 17 17:44:59 mail identd[27274]: reply to 82.96.64.2: 3937, 6667 : USERID : OTHER :[75PrAJ2FwE4EG1wv3UoKG55njQibNgOU]
regex=reply to ([\d\.]+): (\d+), (\d+) : USERID : \S+ :(.+); \
 classification.text=Ident response issued; \
 id=408; \
 revision=2; \
 analyzer(0).name=identd; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=identd issued a response to $1.; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$4; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$1; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=Ident session source port; \
 additional_data(0).data=$2; \
 additional_data(1).type=integer; \
 additional_data(1).meaning=Ident session destination port; \
 additional_data(1).data=$3; \
 last

#DESCRIPTION:Systrace - Deny User
#CATEGORY:Authentication
#LOG:Apr 17 05:43:08 src@sphere systrace: deny user: neonman, prog: /usr/bin/groups, pid: 27090(7)[6914], policy: /usr/bin/groups, filters: 0, syscall: native-sigaction(46), args: 12
#LOG:Apr 17 05:43:08 src@sphere systrace: deny user: neonman, prog: /usr/bin/groups, pid: 27090(7)[6914], policy: /usr/bin/groups, filters: 0, syscall: native-kill(37), pidname: , signame: SIGABRT
regex=deny user: (\S+), prog: (\D+), pid: \d+\(\d+\)\[(\d+)\], policy: (\S+), filters: (\d+), syscall: (\S+),; \
 classification.text=$4 attempt denied; \
 id=409; \
 revision=2; \
 analyzer(0).name=systrace; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=failed; \
 assessment.impact.type=other; \
 assessment.impact.description=systrace blocked a $6 attempt against $2.; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$1; \
 target(0).process.pid=$3; \
 target(0).process.name=$2; \
 additional_data(0).type=string; \
 additional_data(0).meaning=ACL; \
 additional_data(0).data=$4; \
 additional_data(1).type=integer; \
 additional_data(1).meaning=Filters; \
 additional_data(1).data=$5; \
 additional_data(2).type=string; \
 additional_data(2).meaning=System call; \
 additional_data(2).data=$6; \
 last

#DESCRIPTION:PureFTPD - Authentication failed
#CATEGORY:Authentication
#LOG:May 10 15:24:21 mighty pure-ftpd: (?@127.0.0.1) [WARNING] Authentication failed for user [asdfasdf]
regex=([\d\.]+)\) \[WARNING\] Authentication failed for user \[(.+)\]; \
 classification.text=FTP login; \
 id=410; \
 revision=2; \
 analyzer(0).name=PureFTPD; \
 analyzer(0).manufacturer=www.pureftpd.org; \
 analyzer(0).class=Service; \
 assessment.impact.completion=failed; \
 assessment.impact.type=user; \
 assessment.impact.severity=medium; \
 assessment.impact.description=Someone tried to login to your FTP server as a non-existent user '$2' but failed; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 source(0).service.iana_protocol_name=tcp; \
 source(0).service.iana_protocol_number=6; \
 target(0).service.port=21; \
 target(0).service.name=ftp; \
 target(0).service.iana_protocol_name=tcp; \
 target(0).service.iana_protocol_number=6; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$2; \
 last

#DESCRIPTION:Yum - Package (Installed|Updated)
#CATEGORY:Update
#LOG:Oct 19 16:44:12 localhost yum: Installed: mysql-server.i386 4.1.20-1.RHEL4.1
#LOG:Oct 20 09:03:55 localhost yum: Updated: tzdata.noarch 2006m-2.el4
#LOG:Feb 17 11:37:36 Installed: python-lxml-3.0.1-1.rhel6.x86_64
#LOG:Feb 17
13:35:35 Installed: tree-1.5.3-2.el6.x86_64 #LOG:Feb 17 11:57:14 Updated: glibc-devel-2.12-1.149.el6_6.5.x86_64 #LOG:Feb 17 12:11:52 Updated: nss-softokn-freebl-3.14.3-22.el6_6.x86_64 regex=(Installed|Updated): (\S+)[-| ]([^-]*-[^-]*)$; \ classification.text=Package $1; \ id=411; \ revision=1; \ analyzer(0).name=yum; \ analyzer(0).manufacturer=http://linux.duke.edu/projects/yum/; \ analyzer(0).class=Package Manager; \ assessment.impact.completion=succeeded; \ assessment.impact.type=file; \ assessment.impact.severity=low; \ assessment.impact.description=The package $2 was $1 to version $3.; \ additional_data(0).type=string; \ additional_data(0).meaning=Package; \ additional_data(0).data=$2; \ additional_data(1).type=string; \ additional_data(1).meaning=Package version; \ additional_data(1).data=$3; \ last #DESCRIPTION:Yum - Package Erased #CATEGORY:Update #LOG:Oct 05 18:39:58 Erased: libreoffice-presenter-screen #LOG:Nov 26 19:01:28 Erased: ossec-hids-server regex=Erased: (\S+); \ classification.text=Package Erased; \ id=412; \ revision=1; \ analyzer(0).name=yum; \ analyzer(0).manufacturer=http://linux.duke.edu/projects/yum/; \ analyzer(0).class=Packet Manager; \ assessment.impact.completion=succeeded; \ assessment.impact.type=file; \ assessment.impact.severity=low; \ assessment.impact.description=The package $1 was Erased.; \ additional_data(0).type=string; \ additional_data(0).meaning=Package; \ additional_data(0).data=$1; \ last #DESCRIPTION:Operating system halted #CATEGORY:Monitoring #LOG:Oct 13 14:27:36 CentOS shutdown[2142]: shutting down for system halt regex=shutting down for system (?:halt|reboot); \ id=414; \ revision=1; \ classification.text=Operating system halted; \ assessment.impact.completion=succeeded; \ assessment.impact.severity=info; \ assessment.impact.type=other; \ assessment.impact.description=An operating system has been halted; \ last #DESCRIPTION:Operating system started #CATEGORY:Monitoring #LOG:Nov 4 16:00:34 CentOS kernel: [ 0.000000] 
Command line: BOOT_IMAGE=/vmlinuz-2.6.32.59-custom64.grsec.mediumsec+build-20120614193912 root=/dev/mapper/VG_Debian-LV--Root ro clocksource=acpi_pm quiet regex=kernel: .*Command line: BOOT_IMAGE=; \ id=415; \ revision=1; \ classification.text=Operating system started; \ assessment.impact.completion=succeeded; \ assessment.impact.severity=info; \ assessment.impact.type=other; \ assessment.impact.description=An operating system has been started; \ last prelude-lml-rules-5.1.0/ruleset/snare_windows.rules0000664000175000017500000021312013537533463022667 0ustar tandrejatandreja#FULLNAME: Snare Windows #VERSION: 1.0 #DESCRIPTION: Snare is a collection of software tools that collect audit log data from operating systems and applications to facilitate centralised log analysis. ##### # # Copyright Nicholas Nachefski # All Rights Reserved # # This file is part of the Prelude-LML program. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2, or (at your option) # any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License along # with this program; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 
#
#####

#DESCRIPTION:Logon process
#CATEGORY:Authentication
regex=(\d+)\s+Security\s+(?:ANONYMOUS LOGON|\S+\$|\S+)?\s+\w+\s+(Success Audit|Failure Audit)\s+(\S+)\s+Logon\/Logoff\s+(Successful Logon|Logon Failure):\s+(Reason:\s+(.+)\s+)?User Name: (ANONYMOUS LOGON|\S+\$|\S+)\s+Domain: (\w+|\w+ \w+)\s+(Logon ID: (\S+)\s+)?Logon Type: (10|2|3|4)\s+Logon Process: (\S+)\s+Authentication Package: (\S*)\s+Workstation Name: \S+\s+(Logon GUID: (\S+)\s+)?Caller User Name: \S+\s+Caller Domain: \S+\s+Caller Logon ID: \S+\s+Caller Process ID: (\d*)-?\s+Transited Services: \S+\s+Source Network Address: (\S+)\s+Source Port: \d*\s+\d*; \
 id=99991; \
 chained; silent; \
 analyzer(0).name=Snare; \
 analyzer(0).manufacturer=http://www.intersectalliance.com/projects/SnareWindows; \
 analyzer(0).class=Service; \
 assessment.impact.description=$4 $6; \
 source(0).node.address(0).address=$17; \
 source(0).user.category=os-device; \
 target(0).node.name=$3; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$7; \
 target(0).process.name=$12; \
 target(0).process.pid=$16; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=Event ID; \
 additional_data(0).data=$1; \
 additional_data(1).type=integer; \
 additional_data(1).meaning=Logon Type; \
 additional_data(1).data=$11; \
 additional_data(2).type=string; \
 additional_data(2).meaning=Audit; \
 additional_data(2).data=$2; \
 additional_data(3).type=string; \
 additional_data(3).meaning=Domain; \
 additional_data(3).data=$8

#DESCRIPTION:Event ID 528 - Type 10 = Successful remote interactive logon (Windows 2000/2003 Style Events)
#CATEGORY:Authentication
#LOG:Nov 23 12:36:59 10.1.1.1 testbox01 MSWinEventLog 1 Security 460 Mon Nov 23 12:36:38 2009 528 Security test.user User Success Audit TESTBOX01 Logon/Logoff Successful Logon: User Name: test.user Domain: DOMAIN Logon ID: (0x0,0xEBEF666E) Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: testbox01 Logon GUID: {009a469d-5738-ebf8-f94e-02e649bf5c61} Caller User Name: testbox01$ Caller Domain: DOMAIN Caller Logon ID: (0x0,0x3E7) Caller Process ID: 5116 Transited Services: - Source Network Address: 10.1.1.2 Source Port: 43923 441
regex=528\s+Security\s+.+Logon Type: 10; \
 id=99992; \
 goto=99991; \
 revision=5; \
 analyzer(0).name=Snare; \
 analyzer(0).manufacturer=http://www.intersectalliance.com/projects/SnareWindows; \
 analyzer(0).class=Service; \
 classification.text=Remote Login; \
 assessment.impact.severity=info; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=user; \
 last

#DESCRIPTION:Event ID 528 - Type 2 = Successful local interactive logon (Windows 2000/2003 Style Events)
#CATEGORY:Authentication
#LOG:Nov 30 10:11:23 10.1.1.1 testbox01.TESTDOMAIN.local MSWinEventLog 1 Security 535 Mon Nov 30 10:11:23 2009 528 Security test.user User Success Audit testbox01 Logon/Logoff Successful Logon: User Name: test.user Domain: TESTDOMAIN Logon ID: (0x0,0x2553F4) Logon Type: 2 Logon Process: User32 Authentication Package: Negotiate Workstation Name: testbox01 Logon GUID: {48bb687b-448f-629e-cd90-55f8165b7266} Caller User Name: testbox01$ Caller Domain: TESTDOMAIN Caller Logon ID: (0x0,0x3E7) Caller Process ID: 416 Transited Services: - Source Network Address: 127.0.0.1 Source Port: 0 21
regex=528\s+Security\s+.+Logon Type: 2; \
 id=99993; \
 goto=99991; \
 revision=1; \
 analyzer(0).name=Snare; \
 analyzer(0).manufacturer=http://www.intersectalliance.com/projects/SnareWindows; \
 analyzer(0).class=Service; \
 classification.text=Login; \
 assessment.impact.severity=info; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=user; \
 last

#DESCRIPTION:Event ID 529 - Type 10 - Failed remote interactive logon (Windows 2000/2003 Style Events)
#CATEGORY:Authentication
#LOG:Oct 20 13:11:41 10.1.1.2 wintestbox01 MSWinEventLog 1 Security 1627 Tue Oct 20 13:11:37 2009 529 Security SYSTEM User Failure Audit WINTESTBOX01 Logon/Logoff Logon Failure: Reason: Unknown user name or bad password User Name: test.user Domain: testdomain Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: WINTESTBOX01 Caller User Name: WINTESTBOX01$ Caller Domain: testdomain Caller Logon ID: (0x0,0x3E7) Caller Process ID: 72384 Transited Services: - Source Network Address: 10.1.1.3 Source Port: 60236 554
regex=529\s+Security\s+.+Logon Type: 10; \
 id=99994; \
 goto=99991; \
 revision=4; \
 analyzer(0).name=Snare; \
 analyzer(0).manufacturer=http://www.intersectalliance.com/projects/SnareWindows; \
 analyzer(0).class=Service; \
 classification.text=Remote Login; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=failed; \
 assessment.impact.type=user; \
 last

#DESCRIPTION:Event ID 529 - Type 3 & 4 - Failed network logon (Windows 2000/2003 Style Events)
#CATEGORY:Authentication
#LOG:Nov 24 14:42:26 10.1.1.2 testbox01 MSWinEventLog 1 Security 26719 Tue Nov 24 14:42:26 2009 529 Security SYSTEM User Failure Audit TESTBOX01 Logon/Logoff Logon Failure: Reason: Unknown user name or bad password User Name: test.user Domain: testdomain Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: TESTBOX02 Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: 10.1.1.3 Source Port: 4451 15619
regex=529\s+Security\s+.+Logon Type: (3|4); \
 id=99995; \
 goto=99991; \
 revision=1; \
 analyzer(0).name=Snare; \
 analyzer(0).manufacturer=http://www.intersectalliance.com/projects/SnareWindows; \
 analyzer(0).class=Service; \
 classification.text=Login; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=failed; \
 assessment.impact.type=user; \
 last

#DESCRIPTION:Event ID 531 - A logon attempt was made using a disabled account. (Windows 2000/2003 Style Events)
#CATEGORY:Authentication
#LOG:Nov 23 13:14:22 10.1.1.1 testbox01 MSWinEventLog 1 Security 611 Mon Nov 23 13:14:19 2009 531 Security SYSTEM User Failure Audit testbox01 Logon/Logoff Logon Failure: Reason: Account currently disabled User Name: test.user Domain: DOMAIN Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: testbox01 Caller User Name: testbox01$ Caller Domain: DOMAIN Caller Logon ID: (0x0,0x3E7) Caller Process ID: 5484 Transited Services: - Source Network Address: 10.1.1.2 Source Port: 37487 585
regex=531\s+Security\s+.+Logon Type: (\d{1,2}); \
 id=99996; \
 goto=99991; \
 revision=1; \
 analyzer(0).name=Snare; \
 analyzer(0).manufacturer=http://www.intersectalliance.com/projects/SnareWindows; \
 analyzer(0).class=Service; \
 classification.text=Login; \
 assessment.impact.severity=high; \
 assessment.impact.completion=failed; \
 assessment.impact.type=user; \
 last

#DESCRIPTION:Logon Process (Windows 2008 Style Events)
#CATEGORY:Authentication
#LOG:Nov 23 13:14:22 10.1.1.1 testbox01 MSWinEventLog 1 Security: AUDIT_SUCCESS(4624): Microsoft-Windows-Security-Auditing: test: test: test: An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: Test$ Account Domain: WORKGROUP Logon ID: 0x3e7 Logon Type: 7 New Logon: Security ID: S-1-5-21-4057735974-3357861449-790453786-1000 Account Name: test Account Domain: Test Logon ID: 0x2407fe3 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x320 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: TEST Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed.
regex=(4624)\s+Microsoft-Windows-Security-Auditing\s+(?:N\/A\s*)*?Information\s+(\S+)\s+\w+\s+(An account was successfully logged on)\.\s+Subject:\s+\S*\s*Security ID:\s+\S*\s*Account Name:\s+(?:ANONYMOUS LOGON*|\S*\$|\S*)?\s*Account Domain:\s+\S*\s*Logon ID:\s+\S*\s*Logon Type:\s+(\d+)\s+New Logon:\s+\S*\s*Security ID:\s+\S*\s*Account Name:\s+(\S*)\s*Account Domain:\s+(\S*)\s*Logon ID:\s+\S*\s*Logon GUID:\s+\S*\s*Process Information:\s+Process ID:\s+(\S*)\s*Process Name:\s+(?:C\:\\Windows\\System32\\)?(\S*)\s*Network Information:\s+Workstation Name:\s+\S*\s*Source Network Address:\s+(\S+)\s*; \
 id=99997; \
 revision=1; \
 analyzer(0).name=Snare; \
 analyzer(0).manufacturer=http://www.intersectalliance.com/projects/SnareWindows; \
 analyzer(0).class=Service; \
 assessment.impact.severity=info; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=$3; \
 assessment.impact.type=user; \
 source(0).node.address(0).address=$9; \
 source(0).user.category=os-device; \
 target(0).node.name=$2; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$5; \
 target(0).process.pid=$7; \
 target(0).process.name=$8; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=Event ID; \
 additional_data(0).data=$1; \
 additional_data(1).type=integer; \
 additional_data(1).meaning=Logon Type; \
 additional_data(1).data=$4; \
 additional_data(2).type=string; \
 additional_data(2).meaning=Domain; \
 additional_data(2).data=$6; \
 silent; chained

#DESCRIPTION:Event ID 4624 - Type 10 RemoteInteractive (Terminal Services, Remote Desktop or Remote Assistance). An account has successfully logged on (Windows 2008 Style Events)
#CATEGORY:Authentication
#LOG:Nov 23 15:49:03 10.1.1.1 testbox01 MSWinEventLog 1 Security 13469 Mon Nov 23 15:48:59 2009 4624 Microsoft-Windows-Security-Auditing N/AN/A Information testbox01.TESTDOMAIN.local None An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: testbox01$ Account Domain: TESTDOMAIN Logon ID: 0x3e7 Logon Type: 10 New Logon: Security ID: S-1-5-21-1481646799-3140499893-3922762874-3132 Account Name: test.user Account Domain: TESTDOMAIN Logon ID: 0x3373f5a03 Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x1a3c Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: testbox01 Source Network Address: 10.1.1.2 Source Port: 43637 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 13317
regex=4624\s+Microsoft-Windows-Security-Auditing.*Logon Type:\s+10; \
 id=99998; \
 revision=1; \
 analyzer(0).name=Snare; \
 analyzer(0).manufacturer=http://www.intersectalliance.com/projects/SnareWindows; \
 analyzer(0).class=Service; \
 goto=99997; \
 classification.text=Remote Login; \
 assessment.impact.severity=info; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=user; \
 last

#DESCRIPTION:Event ID 4624 - Type 2 = Interactive LOCAL logon (Windows 2008 Style Events)
#CATEGORY:Authentication
#LOG:Nov 24 10:25:57 10.1.1.1 testbox01 MSWinEventLog 1 Security 27250 Tue Nov 24 10:25:55 2009 4624 Microsoft-Windows-Security-Auditing N/AN/AInformation testbox01.TESTDOMAIN.local None An account was successfully logged on. Subject: Security ID: S-1-5-18 Account Name: testbox01$ Account Domain: TESTDOMAIN Logon ID: 0x3e7 Logon Type: 2 New Logon: Security ID: S-1-5-21-1481646799-3140499893-3922762874-3132 Account Name: test.user Account Domain: TESTDOMAIN Logon ID: 0xa3b2cc3b Logon GUID: {00000000-0000-0000-0000-000000000000} Process Information: Process ID: 0x260 Process Name: C:\Windows\System32\winlogon.exe Network Information: Workstation Name: testbox01 Source Network Address: 127.0.0.1 Source Port: 0 Detailed Authentication Information: Logon Process: User32 Authentication Package: Negotiate Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 25044
regex=4624\s+Microsoft-Windows-Security-Auditing.*Logon Type:\s+2; \
 id=99999; \
 revision=1; \
 analyzer(0).name=Snare; \
 analyzer(0).manufacturer=http://www.intersectalliance.com/projects/SnareWindows; \
 analyzer(0).class=Service; \
 goto=99997; \
 classification.text=Login; \
 assessment.impact.severity=info; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=user; \
 last

#DESCRIPTION:Event ID 4625 - Unknown user name or bad password (Windows 2008 Style Events, French locale)
#CATEGORY:Authentication
#LOG:Oct 15 15:11:38 192.168.206.133 MSWinEventLog 1 Security 364 Thu Oct 15 15:11:36 2015 4625 Microsoft-Windows-Security-Auditing PRELUDE\administrateur N/A Failure Audit WIN-U34BEJH3ME1.prelude.pro Ouvrir la session Échec d’ouverture de session d’un compte. Sujet : ID de sécurité : S-1-5-18 Nom du compte : WIN-U34BEJH3ME1$ Domaine du compte : PRELUDE ID d’ouverture de session : 0x3e7 Type d’ouverture de session : 2 Compte pour lequel l’ouverture de session a échoué : ID de sécurité : S-1-0-0 Nom du compte : administrateur Domaine du compte : PRELUDE Informations sur l’échec : Raison de l’échec : Nom d’utilisateur inconnu ou mot de passe incorrect. État : 0xc000006d Sous-état : 0xc000006a Informations sur le processus : ID du processus de l’appelant : 0x174 Nom du processus de l’appelant : C:\Windows\System32\winlogon.exe Informations sur le réseau : Nom de la station de travail : WIN-U34BEJH3ME1 Adresse du réseau source : 127.0.0.1 Port source : 0 Informations ...
regex=MSWinEventLog.*Microsoft-Windows-Security-Auditing.*Failure Audit (\S+) Ouvrir la session\s*.chec d.ouverture de session d.un compte.*Type d.ouverture de session.:\s*2\s*Compte pour lequel l.ouverture de session a .chou..:.*Nom du compte.:\s*(.*[^ ])\s*Domaine du compte.*Raison de l..chec.:\s*Nom d.utilisateur inconnu ou mot de passe incorrect; \
 id=100001; \
 revision=1; \
 analyzer(0).name=Snare; \
 analyzer(0).manufacturer=http://www.intersectalliance.com/projects/SnareWindows; \
 analyzer(0).class=Service; \
 classification.text=User Logon; \
 target(0).user.user_id(0).name=$2; \
 target(0).node.name=$1; \
 assessment.impact.severity=info; \
 assessment.impact.completion=failed; \
 assessment.impact.type=user; \
 assessment.impact.description=A user has tried to open a Windows session; \
 last

#DESCRIPTION:Event ID 4624 - New logon session, type 2 (Windows 2008 Style Events, French locale)
#CATEGORY:Authentication
#LOG:Oct 15 14:09:46 192.168.206.133 MSWinEventLog 1 Security 375 Thu Oct 15 14:09:45 2015 4624 Microsoft-Windows-Security-Auditing PRELUDE\administrateur N/A Success Audit WIN-U34BEJH3ME1.prelude.pro Ouvrir la session L’ouverture de session d’un compte s’est correctement déroulée. Sujet : ID de sécurité : S-1-5-18 Nom du compte : WIN-U34BEJH3ME1$ Domaine du compte : PRELUDE ID d’ouverture de session : 0x3e7 Type d’ouverture de session : 2 Nouvelle ouverture de session : ID de sécurité : S-1-5-21-2269591700-920990493-2532081251-500 Nom du compte : administrateur Domaine du compte : PRELUDE ID d’ouverture de session : 0x2bea3 GUID d’ouverture de session : {D88AC2F8-D5B0-F133-5027-47F8A618DE15} Informations sur le processus : ID du processus : 0x174 Nom du processus : C:\Windows\System32\winlogon.exe Informations sur le réseau : Nom de la station de travail : WIN-U34BEJH3ME1 Adresse du réseau source : 127.0.0.1 Port source : 0 Informations ...
regex=MSWinEventLog.*Microsoft-Windows-Security-Auditing.*Success Audit (\S+) Ouvrir la session.*L.ouverture de session d.un compte s.est correctement d.roul.e.*Type d.ouverture de session.:\s*2\s*Nouvelle ouverture de session.:.*Nom du compte.:\s*(.*[^ ])\s*Domaine du compte.:; \
 id=100002; \
 revision=1; \
 analyzer(0).name=Snare; \
 analyzer(0).manufacturer=http://www.intersectalliance.com/projects/SnareWindows; \
 analyzer(0).class=Service; \
 classification.text=User Logon; \
 target(0).user.user_id(0).name=$2; \
 target(0).node.name=$1; \
 target(0).process.name=Winlogon; \
 assessment.impact.severity=info; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=user; \
 assessment.impact.description=A user has opened a Windows session; \
 last

#DESCRIPTION:Event ID 4688 - Privilege escalation (Windows 2008 Style Events, French locale)
#CATEGORY:Authentication
#LOG:Oct 7 12:44:13 192.168.206.133 MSWinEventLog 0 Security 2895 Wed Oct 07 12:44:10 2015 4688 Microsoft-Windows-Security-Auditing PRELUDE\WIN-U34BEJH3ME1$ N/A Success Audit WIN-U34BEJH3ME1.prelude.pro Création du processus Un nouveau processus a été créé. Sujet : ID de sécurité : S-1-5-18 Nom du compte : WIN-U34BEJH3ME1$ Domaine du compte : PRELUDE ID d’ouverture de session : 0x3e7 Informations sur le processus : ID du nouveau processus : 0x5e0 Nom du nouveau processus : C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Type d’élévation du jeton : Type d’élévation de jeton complet (2) ID du processus créateur : 0xb88 ...
regex=MSWinEventLog.*Microsoft-Windows-Security-Auditing.*Success Audit (\S+) Cr.ation du processus.*Nom du nouveau processus.:..*\\(\S+).*Type.*Type d..l.vation de jeton complet \(2\).*; \
 id=100003; \
 revision=1; \
 analyzer(0).name=Snare; \
 analyzer(0).manufacturer=http://www.intersectalliance.com/projects/SnareWindows; \
 analyzer(0).class=Service; \
 classification.text=Privilege escalation; \
 target(0).node.name=$1; \
 target(0).process.name=$2; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=admin; \
 assessment.impact.description=$2 program ran with administrator privilege; \
 last

#DESCRIPTION:Event ID 4624 - New logon session, type 10 (Windows 2008 Style Events, French locale)
#CATEGORY:Authentication
#LOG:Oct 7 15:25:12 192.168.206.133 MSWinEventLog 1 Security 1364 Wed Oct 07 15:25:00 2015 4624 Microsoft-Windows-Security-Auditing PRELUDE\avinash N/A Success Audit WIN-U34BEJH3ME1.prelude.pro Ouvrir la session L’ouverture de session d’un compte s’est correctement déroulée. Sujet : ID de sécurité : S-1-5-18 Nom du compte : WIN-U34BEJH3ME1$ Domaine du compte : PRELUDE ID d’ouverture de session : 0x3e7 Type d’ouverture de session : 10 Nouvelle ouverture de session : ID de sécurité : S-1-5-21-2269591700-920990493-2532081251-1000 Nom du compte : avinash Domaine du compte : PRELUDE ID d’ouverture de session : 0x9e64f GUID d’ouverture de session : {7FC2F7A5-3CE0-6308-E567-2019A9C2DBB0} Informations sur le processus : ID du processus : 0x7c8 Nom du processus : C:\Windows\System32\winlogon.exe Informations sur le réseau : Nom de la station de travail : WIN-U34BEJH3ME1 Adresse du réseau source : fe80::3585:8489:3749:70a6 Port source : 50588 Informations détaillées sur l’authentification ...
regex=MSWinEventLog.*Microsoft-Windows-Security-Auditing.*Success Audit (\S+) Ouvrir la session\s*L.ouverture de session d.un compte s.est correctement d.roul.e\..*Type d.ouverture de session.:\s*10\s*Nouvelle ouverture de session.:.*Nom du compte.:\s*(.*[^ ])\s*Domaine du compte.*Nom de la station de travail.:\s*\S+\s*Adresse du r.seau source.:\s*(\S+)\s*Port source.:\s*(\d+); \
 id=100004; \
 revision=1; \
 analyzer(0).name=Snare; \
 analyzer(0).manufacturer=http://www.intersectalliance.com/projects/SnareWindows; \
 analyzer(0).class=Service; \
 classification.text=Remote Login; \
 target(0).node.name=$1; \
 target(0).user.user_id(0).name=$2; \
 target(0).process.name=Winlogon; \
 source(0).node.address(0).address=$3; \
 source(0).service.port=$4; \
 assessment.impact.severity=info; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=user; \
 assessment.impact.description=user $2 has opened a remote session; \
 last

#DESCRIPTION:Event ID 7036 - Service Snare shutdown (Windows 2008 Style Events, French locale)
#CATEGORY:Service Management
#LOG:Oct 15 08:42:10 192.168.206.133 MSWinEventLog 1 System 116 Thu Oct 15 08:40:24 2015 7036 Service Control Manager N/A N/A Information WIN-U34BEJH3ME1.prelude.pro None Le service Snare est entré dans l’état : arrêté. 24
regex=MSWinEventLog.*Service Control Manager.*Information (\S+) .*Le service Snare est entr. dans l..tat.: arr.t.\.; \
 id=100005; \
 revision=1; \
 analyzer(0).name=Snare; \
 analyzer(0).manufacturer=http://www.intersectalliance.com/projects/SnareWindows; \
 analyzer(0).class=Service; \
 classification.text=Snare shutdown; \
 target(0).node.name=$1; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=Snare has been shut down; \
 last

#DESCRIPTION:Event ID 7036 - Service Snare startup (Windows 2008 Style Events, French locale)
#CATEGORY:Service Management
#LOG:Oct 15 08:42:10 192.168.206.133 MSWinEventLog 1 System 178 Thu Oct 15 08:42:07 2015 7036 Service Control Manager N/A N/A Information WIN-U34BEJH3ME1.prelude.pro None Le service Snare est entré dans l’état : en cours d’exécution. 86
regex=MSWinEventLog.*Service Control Manager.*Information (\S+) .*Le service Snare est entr.{1,2} dans l..tat.: en cours d.ex.cution\.; \
 id=100006; \
 revision=1; \
 analyzer(0).name=Snare; \
 analyzer(0).manufacturer=http://www.intersectalliance.com/projects/SnareWindows; \
 analyzer(0).class=Service; \
 classification.text=Snare startup; \
 target(0).node.name=$1; \
 assessment.impact.severity=info; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=Snare has been started; \
 last

#DESCRIPTION:Event ID 4608 - Windows startup (Windows 2008 Style Events, French locale)
#CATEGORY:Service Management
#LOG:Oct 15 17:20:51 192.168.206.133 MSWinEventLog 1 Security 14 Thu Oct 15 17:20:11 2015 4608 Microsoft-Windows-Security-Auditing N/A N/A Success Audit WIN-U34BEJH3ME1.prelude.pro Modification de l’état de la sécurité Windows démarre. Cet événement est journalisé lorsque LSASS.EXE démarre et que le sous-système d’audit est initialisé. 13
regex=MSWinEventLog.*Microsoft-Windows-Security-Auditing.*Success Audit (\S+) Modification de l..tat de la s.curit.\s*Windows d.marre; \
 id=100008; \
 revision=1; \
 analyzer(0).name=Snare; \
 analyzer(0).manufacturer=http://www.intersectalliance.com/projects/SnareWindows; \
 analyzer(0).class=Service; \
 classification.text=Windows startup; \
 target(0).node.name=$1; \
 assessment.impact.severity=info; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=Windows has been started; \
 last

#DESCRIPTION:Event ID 12 - Windows OS started (Windows 2008 Style Events, French locale)
#CATEGORY:Service Management
#LOG:Oct 15 15:10:52 192.168.206.133 MSWinEventLog 1 System 108 Thu Oct 15 15:09:53 2015 12 Microsoft-Windows-Kernel-General AUTORITE NT\Syst�me N/A Information WIN-U34BEJH3ME1.prelude.pro None Le système d’exploitation a démarré à l’heure système ‎2015‎-‎10‎-‎15T13:09:53.500000000Z. 40
regex=MSWinEventLog.*Microsoft-Windows-Kernel-General.*Information (\S+) .*Le syst.me d.exploitation a d.marr. . l.heure syst.me \D*(\d{4})\D*(\d\d)\D*(\d\d).?(\d\d:\d\d:\d\d); \
 id=100009; \
 revision=1; \
 analyzer(0).name=Snare; \
 analyzer(0).manufacturer=http://www.intersectalliance.com/projects/SnareWindows; \
 analyzer(0).class=Service; \
 classification.text=Windows OS started; \
 target(0).node.name=$1; \
 assessment.impact.severity=info; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=Windows OS has been started on $2-$3-$4 at $5; \
 last

#DESCRIPTION:Event ID 1074 - Windows shutdown (Windows 2008 Style Events, French locale)
#CATEGORY:Service Management
#LOG:Oct 15 18:07:20 192.168.206.133 MSWinEventLog 1 System 1463 Thu Oct 15 18:07:20 2015 1074 USER32 PRELUDE\avinash N/A Information WIN-U34BEJH3ME1.prelude.pro None Le processus Explorer.EXE a lancé le s’arrêter. de l’ordinateur WIN-U34BEJH3ME1 pour l’utilisateur PRELUDE\avinash pour la raison suivante : Système d’exploitation : Récupération (planifiée) . Code : 0x4020002 . Type d’extinction : s’arrêter. . Commentaire : . 128
regex=MSWinEventLog.*Information (\S+) .*Le processus Explorer.EXE a lanc. le \S+ de l.ordinateur \S+ pour l.utilisateur [^\\]*\\(\S+) pour la raison suivante.: (.*)\.\s*Code.:.*Type d.extinction.:\s*(\S+).*Commentaire.: (.*)\.\s*\d*; \
 id=100010; \
 revision=1; \
 analyzer(0).name=Snare; \
 analyzer(0).manufacturer=http://www.intersectalliance.com/projects/SnareWindows; \
 analyzer(0).class=Service; \
 classification.text=Windows shutdown; \
 target(0).node.name=$1; \
 target(0).user.user_id(0).name=$2; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=Windows OS has been shut down; \
 additional_data(0).data=$3; \
 additional_data(0).type=string; \
 additional_data(0).meaning=shutdown reason; \
 additional_data(1).data=$4; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Extinction type; \
 additional_data(2).data=Additional comments: $5; \
 additional_data(2).type=string; \
 additional_data(2).meaning=Additional comments; \
 last

#DESCRIPTION:Event ID 4648 - Active Directory connection (Windows 2008 Style Events, French locale)
#CATEGORY:Authentication
#LOG:Oct 7 12:52:47 192.168.206.133 MSWinEventLog 1 Security 75 Wed Oct 07 12:52:46 2015 4648 Microsoft-Windows-Security-Auditing PRELUDE.PRO\avinash N/A Success Audit WIN-U34BEJH3ME1.prelude.pro Ouvrir la session Tentative d’ouverture de session en utilisant des informations d’identification explicites. Sujet : ID de sécurité : S-1-5-21-2269591700-920990493-2532081251-1000 Nom du compte : avinash Domaine du compte : PRELUDE ID d’ouverture de session : 0xe8aea GUID d’ouverture de session : {00000000-0000-0000-0000-000000000000} Compte dont les informations d’identification ont été utilisées : Nom du compte : avinash Domaine du compte : PRELUDE.PRO GUID d’ouverture de session : {25EAB0DC-DC7B-7409-52F9-D7D9BB4DA265} Serveur cible : Nom du serveur cible : WIN-U34BEJH3ME1.prelude.pro Informations supplémentaires : ldap/WIN-U34BEJH3ME1.prelude.pro/prelude.pro Informations sur le processus : ID du processus : 0xbbc Nom du processus : C:\Windows\System32\ldp.exe Informations sur le réseau : Adresse du réseau : - Port : - ...
regex=MSWinEventLog.*Microsoft-Windows-Security-Auditing.*Success Audit \S+ Ouvrir la session.*Tentative d.ouverture de session en utilisant des informations d.identification explicites\..*Nom du compte.:\s*(.*[^ ])\s*Domaine du compte.*Nom du compte.:\s*(.*[^ ])\s*Domaine du compte.*Nom du serveur cible.: (\S+)\s*Informations suppl.mentaires.: ldap\/.*Nom du processus.:..*\\(\S+); \
 id=100011; \
 revision=1; \
 analyzer(0).name=Snare; \
 analyzer(0).manufacturer=http://www.intersectalliance.com/projects/SnareWindows; \
 analyzer(0).class=Service; \
 classification.text=Active Directory connection; \
 target(0).node.name=$3; \
 target(0).user.user_id(0).name=$2; \
 source(0).user.user_id(0).name=$1; \
 target(0).process.name=$4; \
 assessment.impact.severity=info; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=user; \
 assessment.impact.description=Active Directory connection by $2 user; \
 last

#DESCRIPTION:Event ID 4625 - Expired account login (Windows 2008 Style Events, French locale)
#CATEGORY:Authentication
#LOG:Oct 7 12:55:09 192.168.206.133 MSWinEventLog 1 Security 93 Wed Oct 07 12:55:08 2015 4625 Microsoft-Windows-Security-Auditing PRELUDE\ATest N/A Failure Audit WIN-U34BEJH3ME1.prelude.pro Ouvrir la session Échec d’ouverture de session d’un compte.
Sujet : ID de sécurité : S-1-5-18 Nom du compte : WIN-U34BEJH3ME1$ Domaine du compte : PRELUDE ID d’ouverture de session : 0x3e7 Type d’ouverture de session : 2 Compte pour lequel l’ouverture de session a échoué : ID de sécurité : S-1-0-0 Nom du compte : ATest Domaine du compte : PRELUDE Informations sur l’échec : Raison de l’échec : Le compte d’utilisateur spécifié a expiré. État : 0xc0000193 Sous-état : 0xc0000193 Informations sur le processus : ID du processus de l’appelant : 0x10c Nom du processus de l’appelant : C:\Windows\System32\winlogon.exe Informations sur le réseau : Nom de la station de travail : WIN-U34BEJH3ME1 Adresse du réseau source : 127.0.0.1 Port source : 0 Informations détaillées ... regex=MSWinEventLog.*Microsoft-Windows-Security-Auditing.*Failure Audit (\S+) Ouvrir la session\s*.chec d.ouverture de session d.un compte.*Compte pour lequel l.ouverture de session a .chou..:.*Nom du compte.:\s*(.*[^ ])\s*Domaine du compte.*Raison de l..chec.:\s*Le compte d.utilisateur sp.cifi. a expir.\.; \ id=100012; \ revision=1; \ analyzer(0).name=Snare; \ analyzer(0).manufacturer=http://www.intersectalliance.com/projects/SnareWindows; \ analyzer(0).class=Service; \ classification.text=Expired account login; \ target(0).node.name=$1; \ target(0).user.user_id(0).name=$2; \ target(0).process.name=Winlogon; \ assessment.impact.severity=medium; \ assessment.impact.completion=Failed; \ assessment.impact.type=user; \ assessment.impact.description=An expired account has tried to logon; \ last #DESCRIPTION:Event ID 4673 - Sensitive privilege used (Windows 2008 Style Events) #CATEGORY:Authentication #LOG:Oct 7 12:58:25 192.168.206.133 MSWinEventLog 1 Security 174 Wed Oct 07 12:58:23 2015 4673 Microsoft-Windows-Security-Auditing PRELUDE\avinash N/A Success Audit WIN-U34BEJH3ME1.prelude.pro Utilisation de privilèges sensibles Un service privilégié a été appelé. 
Sujet : ID de sécurité : S-1-5-21-2269591700-920990493-2532081251-1000 Nom du compte : avinash Domaine du compte : PRELUDE ID d’ouverture de session : 0xe8ade Service : Serveur : PlugPlayManager Nom du service : Activer le périphérique Processus : ID du processus : 0x258 Nom du processus : C:\Windows\System32\svchost.exe Informations sur la demande de service : Privilèges : SeLoadDriverPrivilege 99 regex=MSWinEventLog.*Microsoft-Windows-Security-Auditing.*Success Audit (\S+) Utilisation de privil.ges sensibles\s*Un service privil.gi. a .t. appel.\..*Nom du compte.:\s*(.*[^ ])\s*Domaine du compte.*Nom du service.: (.*)\s*Processus.:.*Nom du processus.{1,2}:..*\\(\S+).*Privil.ges.:\s*(\S+); \ id=100013;\ revision=1; \ analyzer(0).name=Snare; \ analyzer(0).manufacturer=http://www.intersectalliance.com/projects/SnareWindows; \ analyzer(0).class=Service; \ classification.text=Sensitive privilege used; \ target(0).node.name=$1; \ target(0).user.user_id(0).name=$2; \ target(0).service.name=$3; \ target(0).process.name=$4; \ assessment.impact.severity=low; \ assessment.impact.completion=succeeded; \ assessment.impact.type=other; \ assessment.impact.description=$2 user has used a sensitive privilege; \ additional_data(0).data=$5; \ additional_data(0).type=string; \ additional_data(0).meaning=Privilege used; \ last #DESCRIPTION:Event ID 4625 - Disabled account login (Windows 2008 Style Events) #CATEGORY:Authentication #LOG:Oct 5 12:29:03 192.168.206.133 MSWinEventLog 1 Security 178 Mon Oct 05 12:29:01 2015 4625 Microsoft-Windows-Security-Auditing PRELUDE\ATest N/A Failure Audit WIN-U34BEJH3ME1.prelude.pro Ouvrir la session Échec d’ouverture de session d’un compte. 
Sujet : ID de sécurité : S-1-5-18 Nom du compte : WIN-U34BEJH3ME1$ Domaine du compte : PRELUDE ID d’ouverture de session : 0x3e7 Type d’ouverture de session : 2 Compte pour lequel l’ouverture de session a échoué : ID de sécurité : S-1-0-0 Nom du compte : ATest Domaine du compte : PRELUDE Informations sur l’échec : Raison de l’échec : Le compte est actuellement désactivé. État : 0xc000006e Sous-état : 0xc0000072 Informations sur le processus : ID du processus de l’appelant : 0x47c Nom du processus de l’appelant : C:\Windows\System32\winlogon.exe Informations sur le réseau : Nom de la station de travail : WIN-U34BEJH3ME1 Adresse du réseau source : 127.0.0.1 Port source : 0 Informations détaillées ... regex=MSWinEventLog.*Microsoft-Windows-Security-Auditing.*Failure Audit (\S+) Ouvrir la session\s*.chec d.ouverture de session d.un compte\..*Compte pour lequel l.ouverture de session a .chou..:.*Nom du compte.:\s*(.*[^ ])\s*Domaine du compte.*Raison de l..chec.:\s*Le compte est actuellement d.sactiv.\.; \ id=100014; \ revision=1; \ analyzer(0).name=Snare; \ analyzer(0).manufacturer=http://www.intersectalliance.com/projects/SnareWindows; \ analyzer(0).class=Service; \ classification.text=Disabled account login; \ target(0).node.name=$1; \ target(0).user.user_id(0).name=$2; \ target(0).process.name=Winlogon; \ assessment.impact.severity=medium; \ assessment.impact.completion=Failed; \ assessment.impact.type=user; \ assessment.impact.description=A user has tried to open a Windows session with a disabled account; \ last #DESCRIPTION:Event ID 7036 - Active Directory shutdown (Windows 2008 Style Events) #CATEGORY:Service Management #LOG:Oct 15 16:12:58 192.168.206.133 MSWinEventLog 1 System 96 Thu Oct 15 16:11:05 2015 7036 Service Control Manager N/A N/A Information WIN-U34BEJH3ME1.prelude.pro None Le service Services de domaine Active Directory est entré dans l’état : arrêté. 
32 regex=MSWinEventLog.*Service Control Manager.*Information (\S+) .*Le service Services de domaine Active Directory est entr. dans l..tat.: arr.t.\.; \ id=100015; \ revision=1; \ analyzer(0).name=Snare; \ analyzer(0).manufacturer=http://www.intersectalliance.com/projects/SnareWindows; \ analyzer(0).class=Service; \ classification.text=Active Directory shutdown; \ target(0).node.name=$1; \ assessment.impact.severity=info; \ assessment.impact.completion=succeeded; \ assessment.impact.type=other; \ assessment.impact.description=Active Directory has been shutdown; \ last #DESCRIPTION:Event ID 7036 - Active Directory startup (Windows 2008 Style Events) #CATEGORY:Service Management #LOG:Oct 15 16:12:59 192.168.206.133 MSWinEventLog 1 System 112 Thu Oct 15 16:12:24 2015 7036 Service Control Manager N/A N/A Information WIN-U34BEJH3ME1.prelude.pro None Le service Services de domaine Active Directory est entré dans l’état : en cours d’exécution. 48 regex=MSWinEventLog.*Service Control Manager.*Information (\S+) .*Le service Services de domaine Active Directory est entr. dans l..tat.: en cours d.ex.cution\.; \ id=100016; \ revision=1; \ analyzer(0).name=Snare; \ analyzer(0).manufacturer=http://www.intersectalliance.com/projects/SnareWindows; \ analyzer(0).class=Service; \ classification.text=Active Directory startup; \ target(0).node.name=$1; \ assessment.impact.severity=info; \ assessment.impact.completion=succeeded; \ assessment.impact.type=other; \ assessment.impact.description=Active Directory service has been started; \ last #DESCRIPTION:Event ID 7036 - ILEX Sign&go shutdown (Windows 2008 Style Events) #CATEGORY:Service Management #LOG:Aug 28 17:01:04 192.168.206.133 MSWinEventLog 1 System 41 ven. août 28 17:01:03 201 7036 Service Control Manager N/A N/A Information WIN-U34BEJH3ME1.prelude.pro None Le service ILEX Sign&go v5.1 Workstation Security Service est entré dans l'état : arrêté. 
2 regex=MSWinEventLog.*Service Control Manager.*Information (\S+) .*Le service ILEX Sign&go (\S*) Workstation Security Service est entr. dans l..tat.: arr.t.\.; \ id=100017; \ revision=1; \ analyzer(0).name=Snare; \ analyzer(0).manufacturer=http://www.intersectalliance.com/projects/SnareWindows; \ analyzer(0).class=Service; \ classification.text=ILEX Sign&go shutdown; \ target(0).node.name=$1; \ assessment.impact.severity=info; \ assessment.impact.completion=succeeded; \ assessment.impact.type=other; \ assessment.impact.description=ILEX Sign&go $2 Workstation Security Service has been shutdown; \ last #DESCRIPTION:Event ID 7036 - ILEX Sign&go startup (Windows 2008 Style Events) #CATEGORY:Service Management #LOG:Aug 28 17:01:04 192.168.206.133 MSWinEventLog 1 System 43 ven. août 28 17:01:04 201 7036 Service Control Manager N/A N/A Information WIN-U34BEJH3ME1.prelude.pro None Le service ILEX Sign&go v5.1 Workstation Security Service est entré dans l'état : en cours d'exécution. 4 regex=MSWinEventLog.*Service Control Manager.*Information (\S+) .*Le service ILEX Sign&go (\S*) Workstation Security Service est entr.{1,2} dans l..tat.: en cours d.ex.cution\.; \ id=100018; \ revision=1; \ analyzer(0).name=Snare; \ analyzer(0).manufacturer=http://www.intersectalliance.com/projects/SnareWindows; \ analyzer(0).class=Service; \ classification.text=ILEX Sign&go startup; \ target(0).node.name=$1; \ assessment.impact.severity=info; \ assessment.impact.completion=succeeded; \ assessment.impact.type=other; \ assessment.impact.description=ILEX Sign&go $2 Workstation Security Service has been started; \ last #DESCRIPTION:Event ID 4738 - Account changed (Windows 2008 Style Events) #CATEGORY:Account Management #LOG:Oct 5 12:27:43 192.168.206.133 MSWinEventLog 2 Security 92 Mon Oct 05 12:27:42 2015 4738 Microsoft-Windows-Security-Auditing PRELUDE\Atest N/A Success Audit WIN-U34BEJH3ME1.prelude.pro Gestion des comptes d’utilisateur Un compte d’utilisateur a été modifié. 
Sujet : ID de sécurité : S-1-5-21-2269591700-920990493-2532081251-1000 Nom du compte : avinash Domaine du compte : PRELUDE ID d’ouverture de session : 0x387a1 Compte cible : ID de sécurité : S-1-5-21-2269591700-920990493-2532081251-1109 Nom du compte : Atest Domaine du compte : PRELUDE Attributs modifiés : Nom du compte SAM : - Nom complet : - Nom principal de l’utilisateur : - Répertoire de base : - Lecteur de base : - Chemin d’accès au script : - Chemin d’accès au profil : - Stations de travail utilisateurs : - Dernière modification du mot de passe le : - Le compte expire le : 02/10/2015 00:00:00 ID de groupe principal : - Délégué autorisé : - Ancienne valeur UAC : - Nouvelle valeur UAC : - Contrôle du compte d’utilisateur : - Paramètres utilisateur : - Historique SID : - Horaire d’accès : - Informations supplémentaires : Privilèges: - 56 regex=MSWinEventLog.*Microsoft-Windows-Security-Auditing.*Success Audit (\S+) Gestion des comptes d.utilisateur.*Un compte d.utilisateur a .t. modifi.\..*Nom du compte.:\s*(.*[^ ])\s*Domaine du compte.*Nom du compte.:\s*(.*[^ ])\s*Domaine du compte; \ id=100019; \ revision=1; \ analyzer(0).name=Snare; \ analyzer(0).manufacturer=http://www.intersectalliance.com/projects/SnareWindows; \ analyzer(0).class=Service; \ classification.text=Account changed; \ source(0).user.user_id(0).name=$2; \ target(0).user.user_id(0).name=$3; \ target(0).node.name=$1; \ assessment.impact.severity=info; \ assessment.impact.completion=succeeded; \ assessment.impact.type=other; \ assessment.impact.description=$3 user account has been modified; \ last #DESCRIPTION:Event ID 1704 - Audit policy applied (Windows 2008 Style Events) #CATEGORY:Account Management #LOG:Oct 5 12:38:27 192.168.206.133 MSWinEventLog 1 Application 419 Mon Oct 05 12:38:27 2015 1704 SceCli N/A N/A Information WIN-U34BEJH3ME1.prelude.pro None La stratégie de sécurité dans les objets Stratégie de groupe a été appliquée correctement. 
8 regex=MSWinEventLog.*Information (\S+) .*La strat.gie de s.curit. dans les objets Strat.gie de groupe a .t. appliqu.e correctement; \ id=100020; \ revision=1; \ analyzer(0).name=Snare; \ analyzer(0).manufacturer=http://www.intersectalliance.com/projects/SnareWindows; \ analyzer(0).class=Service; \ classification.text=Audit policy applied; \ target(0).node.name=$1; \ assessment.impact.severity=info; \ assessment.impact.completion=succeeded; \ assessment.impact.type=other; \ assessment.impact.description=Audit policy has been applied correctly; \ last #DESCRIPTION:Event ID 4723 - Password changed (Windows 2008 Style Events) #CATEGORY:Account Management #LOG:Oct 11 14:28:22 192.168.206.133 MSWinEventLog 2 Security 717 Sun Oct 11 14:28:21 2015 4723 Microsoft-Windows-Security-Auditing PRELUDE\avinash N/A Success Audit WIN-U34BEJH3ME1.prelude.pro Gestion des comptes d’utilisateur Une tentative de modification de mot de passe d’un compte a été effectuée. Sujet : ID de sécurité : S-1-5-21-2269591700-920990493-2532081251-1000 Nom du compte : avinash Domaine du compte : PRELUDE ID d’ouverture de session : 0x49fcf Compte cible : ID de sécurité : S-1-5-21-2269591700-920990493-2532081251-1000 Nom du compte : avinash Domaine du compte : PRELUDE Informations supplémentaires : Privilèges - 401 regex=MSWinEventLog.*Microsoft-Windows-Security-Auditing.*Success Audit (\S+) Gestion des comptes d.utilisateur\s*Une tentative de modification de mot de passe d.un compte a .t. 
effectu.e\..*Nom du compte.:\s*(.*[^ ])\s*Domaine du compte.*Nom du compte.:\s*(.*[^ ])\s*Domaine du compte; \ id=100021; \ revision=1; \ analyzer(0).name=Snare; \ analyzer(0).manufacturer=http://www.intersectalliance.com/projects/SnareWindows; \ analyzer(0).class=Service; \ classification.text=Password changed; \ target(0).node.name=$1; \ target(0).user.user_id(0).name=$2; \ source(0).user.user_id(0).name=$3; \ assessment.impact.severity=low; \ assessment.impact.completion=succeeded; \ assessment.impact.type=other; \ assessment.impact.description=An user account password has been changed; \ last #DESCRIPTION:Event ID 4728 - User added to a group (Windows 2008 Style Events) #CATEGORY:Account Management #LOG:Oct 5 15:53:20 192.168.206.133 MSWinEventLog 2 Security 2432 Mon Oct 05 15:53:18 2015 4728 Microsoft-Windows-Security-Auditing PRELUDE\Admins du domaine N/A Success Audit WIN-U34BEJH3ME1.prelude.pro Gestion des groupes de sécurité Un membre a été ajouté à un groupe global dont la sécurité est activée. Sujet : ID de sécurité : S-1-5-21-2269591700-920990493-2532081251-1000 Nom du compte : avinash Domaine du compte : PRELUDE ID d’ouverture de session : 0x3e5fd Membre : ID de sécurité : S-1-5-21-2269591700-920990493-2532081251-1109 Nom du compte : CN=avi test,CN=Users,DC=prelude,DC=pro Groupe : ID de sécurité : S-1-5-21-2269591700-920990493-2532081251-512 Nom du groupe : Admins du domaine Domaine du groupe : PRELUDE Informations supplémentaires : Privilèges : - 1260 regex=MSWinEventLog.*Microsoft-Windows-Security-Auditing.*Success Audit (\S+) Gestion des groupes de s.curit.\s*Un membre a .t. ajout. . un groupe (\S+) dont la s.curit. 
est activ.e\..*Nom du compte.:\s*(\S+[^ ])\s*Domaine du compte.*Nom du compte.:\s*(CN=.*)\s*Groupe.:.*Nom du (?:compte|groupe).:\s*(.*[^ ])\s*Domaine du (?:compte|groupe); \ id=100023; \ revision=1; \ analyzer(0).name=Snare; \ analyzer(0).manufacturer=http://www.intersectalliance.com/projects/SnareWindows; \ analyzer(0).class=Service; \ classification.text=User added to a group; \ target(0).node.name=$1; \ target(0).user.user_id(0).name=$4; \ source(0).user.user_id(0).name=$3; \ assessment.impact.severity=info; \ assessment.impact.completion=succeeded; \ assessment.impact.type=other; \ assessment.impact.description=User $4 has been added to a group; \ additional_data(0).data=$5; \ additional_data(0).type=string; \ additional_data(0).meaning=Group name; \ additional_data(1).data=$2; \ additional_data(1).type=string; \ additional_data(1).meaning=Group type; \ last #DESCRIPTION:Event ID 4647 - User logout (Windows 2008 Style Events) #CATEGORY:Authentication #LOG:Oct 2 16:30:14 192.168.206.133 MSWinEventLog 1 Security 394 Fri Oct 02 16:30:06 2015 4647 Microsoft-Windows-Security-Auditing PRELUDE\Atest N/A Success Audit WIN-U34BEJH3ME1.prelude.pro Fermer la session Fermeture de session initiée par l’utilisateur : Sujet : ID de sécurité : S-1-5-21-2269591700-920990493-2532081251-1109 Nom du compte : Atest Domaine du compte : PRELUDE ID d’ouverture de session : 0x277151 Cet événement est généré lorsqu’une fermeture de session est initiée. Aucune autre activité initiée par l’utilisateur ne peut se produire. Cet événement peut être interprété comme un événement de fermeture de session. 
213 regex=MSWinEventLog.*Microsoft-Windows-Security-Auditing.*Success Audit (\S+) Fermer la session\s*Fermeture de session initi.e par l.utilisateur.:.*Nom du compte.:\s*(.*[^ ])\s*Domaine du compte; \ id=100024; \ revision=1; \ analyzer(0).name=Snare; \ analyzer(0).manufacturer=http://www.intersectalliance.com/projects/SnareWindows; \ analyzer(0).class=Service; \ classification.text=User logout; \ target(0).node.name=$1; \ target(0).user.user_id(0).name=$2; \ assessment.impact.severity=info; \ assessment.impact.completion=succeeded; \ assessment.impact.type=other; \ assessment.impact.description=User $2 logout; \ last #DESCRIPTION:Event ID 4720 - User account created (Windows 2008 Style Events) #CATEGORY:Account Management #LOG:Oct 5 16:04:46 192.168.206.133 MSWinEventLog 2 Security 2645 Mon Oct 05 16:04:46 2015 4720 Microsoft-Windows-Security-Auditing PRELUDE\ADupont N/A Success Audit WIN-U34BEJH3ME1.prelude.pro Gestion des comptes d’utilisateur Un compte d’utilisateur a été créé. Sujet : ID de sécurité : S-1-5-21-2269591700-920990493-2532081251-1000 Nom du compte : avinash Domaine du compte : PRELUDE ID d’ouverture de session : 0x3e5fd Nouveau compte : ID de sécurité : S-1-5-21-2269591700-920990493-2532081251-1110 Nom du compte : ADupont Domaine du compte : PRELUDE Attributs : Nom du compte SAM : ADupont Nom complet : alain dupont Nom principal de l’utilisateur : ADupont@prelude.pro Répertoire de base : - Lecteur de base : - Chemin d’accès au script : - Chemin d’accès au profil : - Stations de travail des utilisateurs : - Dernière modification du mot de passe le : Le compte expire le : ID de groupe principal : 513 Délégué autorisé : - Ancienne valeur UAC : 0x0 Nouvelle valeur UAC : 0x15 Contrôle du compte d’utilisateur (UAC) : Compte désactivé 'Mot de passe non nécessaire' - Activé 'Compte normal’ - Activé Paramètres d’utilisateur : - Historique SID : - Horaire d’accès : Informations supplémentaires : Privilèges - 1376 
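Every rule in this ruleset is a regex plus a list of IDMEF field assignments that refer back to its capture groups, and the only evidence that a rule works is the `#LOG:` sample sitting above it. The checker below is an added example (not part of prelude-lml-rules; the project's own `prelude-lml-rules-check` only looks for duplicate ids) that parses this layout and flags three defects a reviewer of these rules would want caught: a regex that no longer matches its own `#LOG:` sample, a `$N` in the rule body with no matching capture group, and an `id=` used twice. It assumes Python's `re` is close enough to LML's PCRE for these patterns and that the regex is searched unanchored against the whole sample line; the `SAMPLE_RULES` text and the `900001` ids are constructed for the example.

```python
"""Consistency checks for Prelude-LML rule files laid out like this ruleset.

Added example, not part of prelude-lml-rules.  Parses a "#LOG:" sample line
followed by a "regex=...; \\" statement continued over lines ending in "\\"
and closed by "last", then reports:
  * a regex that does not match its own "#LOG:" sample,
  * a "$N" reference in the rule body with no matching capture group,
  * an "id=" value used by more than one rule.
Assumptions: Python's re is close enough to LML's PCRE for these patterns and
the pattern is searched, unanchored, against the whole sample line.
"""
import re
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Rule:
    line_no: int                    # 1-based line of the "regex=" statement
    regex: str                      # pattern without "regex=" and trailing ";"
    fields: Dict[str, str] = field(default_factory=dict)  # body key -> value
    sample: Optional[str] = None    # nearest preceding "#LOG:" sample, if any


def parse_rules(text: str) -> List[Rule]:
    """Split rule text into Rule objects; a '#LOG:' line is attached to the next rule."""
    rules: List[Rule] = []
    sample = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        if line.startswith("#LOG:"):
            sample = line[len("#LOG:"):].strip()
        if not line.startswith("regex="):
            i += 1
            continue
        # Collect the statement: a line ending in "\" continues on the next one.
        parts, start = [], i + 1
        while i < len(lines):
            piece = lines[i].strip()
            cont = piece.endswith("\\")
            parts.append(piece[:-1].rstrip() if cont else piece)
            i += 1
            if not cont:
                break
        rule = Rule(line_no=start, regex=parts[0][len("regex="):].rstrip(";"), sample=sample)
        for part in parts[1:]:
            part = part.rstrip(";")
            if "=" in part:                      # the closing "last" has no key/value
                key, value = part.split("=", 1)
                rule.fields[key.strip()] = value.strip()
        rules.append(rule)
        sample = None                            # one sample belongs to one rule
    return rules


def check_rules(text: str) -> List[str]:
    """Return human-readable problems found in the rule text (empty list = clean)."""
    problems: List[str] = []
    seen_ids: Dict[str, int] = {}
    for rule in parse_rules(text):
        try:
            compiled = re.compile(rule.regex)
        except re.error as exc:
            problems.append(f"line {rule.line_no}: regex does not compile: {exc}")
            continue
        if rule.sample is not None and not compiled.search(rule.sample):
            problems.append(f"line {rule.line_no}: regex does not match its #LOG sample")
        # Every $N in the body must name a capture group the regex actually has.
        for key, value in rule.fields.items():
            for ref in re.findall(r"\$(\d+)", value):
                if int(ref) > compiled.groups:
                    problems.append(f"line {rule.line_no}: {key} uses ${ref} but the regex "
                                    f"has only {compiled.groups} capture group(s)")
        rule_id = rule.fields.get("id")
        if rule_id is not None:
            if rule_id in seen_ids:
                problems.append(f"line {rule.line_no}: id {rule_id} already defined "
                                f"at line {seen_ids[rule_id]}")
            else:
                seen_ids[rule_id] = rule.line_no
    return problems


# Constructed sample in the layout of this ruleset: the first rule is clean, the
# second reuses the id and refers to $4 although its regex has three groups.
SAMPLE_RULES = r"""#DESCRIPTION:Event ID 6005 - Event registration started (constructed sample)
#CATEGORY:Service Management
#LOG:Oct 5 12:54:15 192.168.206.133 MSWinEventLog 1 System 82 Mon Oct 05 12:53:42 2015 6005 EventLog N/A N/A Information WIN-TEST.example.test None Le service d’Enregistrement d’événement a démarré. 29
regex=MSWinEventLog.*EventLog.*Information (\S+) .*Le service d.Enregistrement d..v.nement a d.marr.\.; \
 id=900001; \
 classification.text=Event registration started; \
 target(0).node.name=$1; \
 last

#DESCRIPTION:Event ID 104 - Log cleared (constructed sample with two defects)
#CATEGORY:Integrity
#LOG:Oct 5 14:26:26 192.168.206.133 MSWinEventLog 1 System 394 Mon Oct 05 14:26:26 2015 104 Microsoft-Windows-Eventlog PRELUDE\avinash N/A Information WIN-TEST.example.test Effacement de journal Le fichier journal Application a été effacé. 30
regex=MSWinEventLog.*Microsoft-Windows-Eventlog [^\\]*\\?(\S+) .*Information (\S+) Effacement de journal\s*Le fichier journal (Application|System) . .t. effac.\.; \
 id=900001; \
 classification.text=$4 log cleared; \
 target(0).node.name=$2; \
 target(0).user.user_id(0).name=$1; \
 last
"""


def main(paths: List[str]) -> int:
    """Check the given rule files (or the built-in sample); exit status 1 if anything is wrong."""
    sources = [("<sample>", SAMPLE_RULES)] if not paths else \
        [(p, open(p, encoding="cp1252", errors="replace").read()) for p in paths]
    total = 0
    for name, text in sources:
        for problem in check_rules(text):
            print(f"{name}: {problem}")
            total += 1
    return 1 if total else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `python3 check_rules.py /etc/prelude-lml/ruleset/*.rules` to check real files; with no arguments it checks the built-in sample and prints the two constructed defects. Ids are checked per file here, so a duplicate shared between two files needs the files passed together or the project's own script. The `.` wildcards standing in for accented characters are the reason the input is decoded as single-byte cp1252 rather than UTF-8: Snare forwards the Windows event text in the host's ANSI code page, and an accented character that arrives as two UTF-8 bytes would no longer match a single `.` in LML's byte-oriented matching.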
regex=MSWinEventLog.*Microsoft-Windows-Security-Auditing.*Success Audit (\S+) Gestion des comptes d.utilisateur.*Un compte d.utilisateur a .t. cr..\..*Nom du compte.:\s*(.*[^ ])\s*Domaine du compte.*Nom du compte.:\s*(.*[^ ])\s*Domaine du compte.*Nom du compte SAM.:\s*(.*)\s*Nom complet.:\s*(.*)\s*Nom principal de l.utilisateur.: (\S*); \
 id=100025; \
 revision=1; \
 analyzer(0).name=Snare; \
 analyzer(0).manufacturer=http://www.intersectalliance.com/projects/SnareWindows; \
 analyzer(0).class=Service; \
 classification.text=User account created; \
 target(0).node.name=$1; \
 source(0).user.user_id(0).name=$2; \
 target(0).user.user_id(0).name=$3; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=A user account has been created; \
 additional_data(0).data=$4; \
 additional_data(0).type=string; \
 additional_data(0).meaning=SAM account name; \
 additional_data(1).data=$5; \
 additional_data(1).type=string; \
 additional_data(1).meaning=User full name; \
 additional_data(2).data=$6; \
 additional_data(2).type=string; \
 additional_data(2).meaning=User principal name; \
 last

#DESCRIPTION:Event ID 4722 - User account enabled (Windows 2008 Style Events)
#CATEGORY:Account Management
#LOG:Oct 5 12:28:47 192.168.206.133 MSWinEventLog 2 Security 160 Mon Oct 05 12:28:45 2015 4722 Microsoft-Windows-Security-Auditing PRELUDE\Atest N/A Success Audit WIN-U34BEJH3ME1.prelude.pro Gestion des comptes d’utilisateur Un compte d’utilisateur a été activé. Sujet : ID de sécurité : S-1-5-21-2269591700-920990493-2532081251-1000 Nom du compte : avinash Domaine du compte : PRELUDE ID d’ouverture de session : 0x387a1 Compte cible : ID de sécurité : S-1-5-21-2269591700-920990493-2532081251-1109 Nom du compte : Atest Domaine du compte : PRELUDE 90
regex=MSWinEventLog.*Microsoft-Windows-Security-Auditing.*Success Audit (\S+) Gestion des comptes d.utilisateur.*Un compte d.utilisateur a .t. activ.\..*Nom du compte.:\s*(.*[^ ])\s*Domaine du compte.*Nom du compte.:\s*(.*[^ ])\s*Domaine du compte; \
 id=100026; \
 revision=1; \
 analyzer(0).name=Snare; \
 analyzer(0).manufacturer=http://www.intersectalliance.com/projects/SnareWindows; \
 analyzer(0).class=Service; \
 classification.text=User account enabled; \
 target(0).node.name=$1; \
 target(0).user.user_id(0).name=$3; \
 source(0).user.user_id(0).name=$2; \
 assessment.impact.severity=info; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=A user account has been enabled; \
 last

#DESCRIPTION:Event ID 4724 - Password reinitialized (Windows 2008 Style Events)
#CATEGORY:Account Management
#LOG:Oct 5 15:11:20 192.168.206.133 MSWinEventLog 2 Security 1146 Mon Oct 05 15:11:19 2015 4724 Microsoft-Windows-Security-Auditing PRELUDE\Atest N/A Success Audit WIN-U34BEJH3ME1.prelude.pro Gestion des comptes d’utilisateur Une tentative de réinitialisation de mot de passe d’un compte a été effectuée. Sujet : ID de sécurité : S-1-5-21-2269591700-920990493-2532081251-1000 Nom du compte : avinash Domaine du compte : PRELUDE ID d’ouverture de session : 0x3e5fd Compte cible : ID de sécurité : S-1-5-21-2269591700-920990493-2532081251-1109 Nom du compte : Atest Domaine du compte : PRELUDE 596
regex=MSWinEventLog.*Microsoft-Windows-Security-Auditing.*Success Audit (\S+) Gestion des comptes d.utilisateur.*Une tentative de r.initialisation de mot de passe d.un compte a .t. effectu.e\..*Nom du compte.:\s*(.*[^ ])\s*Domaine du compte.*Nom du compte.:\s*(.*[^ ])\s*Domaine du compte; \
 id=100027; \
 revision=1; \
 analyzer(0).name=Snare; \
 analyzer(0).manufacturer=http://www.intersectalliance.com/projects/SnareWindows; \
 analyzer(0).class=Service; \
 classification.text=Password reinitialized; \
 target(0).node.name=$1; \
 target(0).user.user_id(0).name=$3; \
 source(0).user.user_id(0).name=$2; \
 assessment.impact.severity=info; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=A password has been reinitialized; \
 last

#DESCRIPTION:Event ID 4723 - Failed to change password (Windows 2008 Style Events)
#CATEGORY:Account Management
#LOG:Oct 5 15:20:44 192.168.206.133 MSWinEventLog 2 Security 1523 Mon Oct 05 15:20:43 2015 4723 Microsoft-Windows-Security-Auditing PRELUDE\Atest N/A Failure Audit WIN-U34BEJH3ME1.prelude.pro Gestion des comptes d’utilisateur Une tentative de modification de mot de passe d’un compte a été effectuée. Sujet : ID de sécurité : S-1-5-21-2269591700-920990493-2532081251-1109 Nom du compte : Atest Domaine du compte : PRELUDE ID d’ouverture de session : 0x193d78 Compte cible : ID de sécurité : S-1-5-21-2269591700-920990493-2532081251-1109 Nom du compte : Atest Domaine du compte : PRELUDE Informations supplémentaires : Privilèges - 766
regex=MSWinEventLog.*Microsoft-Windows-Security-Auditing.*Failure Audit (\S+) Gestion des comptes d.utilisateur.*Une tentative de modification de mot de passe d.un compte a .t. effectu.e\..*Nom du compte.:\s*(.*[^ ])\s*Domaine du compte.*Compte cible.:.*Nom du compte.:\s*(.*[^ ])\s*Domaine du compte; \
 id=100028; \
 revision=1; \
 analyzer(0).name=Snare; \
 analyzer(0).manufacturer=http://www.intersectalliance.com/projects/SnareWindows; \
 analyzer(0).class=Service; \
 classification.text=Password changed; \
 target(0).node.name=$1; \
 target(0).user.user_id(0).name=$3; \
 source(0).user.user_id(0).name=$2; \
 assessment.impact.severity=info; \
 assessment.impact.completion=Failed; \
 assessment.impact.type=other; \
 assessment.impact.description=A user has tried to change a password; \
 last

#DESCRIPTION:Event ID 4725 - Account disabled (Windows 2008 Style Events)
#CATEGORY:Account Management
#LOG:Oct 5 12:28:49 192.168.206.133 MSWinEventLog 2 Security 166 Mon Oct 05 12:28:49 2015 4725 Microsoft-Windows-Security-Auditing PRELUDE\Atest N/A Success Audit WIN-U34BEJH3ME1.prelude.pro Gestion des comptes d’utilisateur Un compte d’utilisateur a été désactivé. Sujet : ID de sécurité : S-1-5-21-2269591700-920990493-2532081251-1000 Nom du compte : avinash Domaine du compte : PRELUDE ID d’ouverture de session : 0x387a1 Compte cible : ID de sécurité : S-1-5-21-2269591700-920990493-2532081251-1109 Nom du compte : Atest Domaine du compte : PRELUDE 96
regex=MSWinEventLog.*Microsoft-Windows-Security-Auditing.*Success Audit (\S+) Gestion des comptes d.utilisateur.*Un compte d.utilisateur a .t. d.sactiv.\..*Nom du compte.:\s*(.*[^ ])\s*Domaine du compte.*Nom du compte.:\s*(.*[^ ])\s*Domaine du compte; \
 id=100029; \
 revision=1; \
 analyzer(0).name=Snare; \
 analyzer(0).manufacturer=http://www.intersectalliance.com/projects/SnareWindows; \
 analyzer(0).class=Service; \
 classification.text=Account disabled; \
 target(0).node.name=$1; \
 target(0).user.user_id(0).name=$3; \
 source(0).user.user_id(0).name=$2; \
 assessment.impact.severity=info; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=An account has been disabled; \
 last

#DESCRIPTION:Event ID 4767 - Account unlocked (Windows 2008 Style Events)
#CATEGORY:Account Management
#LOG:Oct 5 12:27:43 192.168.206.133 MSWinEventLog 2 Security 93 Mon Oct 05 12:27:42 2015 4767 Microsoft-Windows-Security-Auditing PRELUDE\Atest N/A Success Audit WIN-U34BEJH3ME1.prelude.pro Gestion des comptes d’utilisateur Un compte d’utilisateur a été déverrouillé. Sujet : ID de sécurité: S-1-5-21-2269591700-920990493-2532081251-1000 Nom du compte : avinash Domaine du compte : PRELUDE ID d’ouverture de session : 0x387a1 Compte cible : ID de sécurité : S-1-5-21-2269591700-920990493-2532081251-1109 Nom du compte : Atest Domaine du compte : PRELUDE 57
regex=MSWinEventLog.*Microsoft-Windows-Security-Auditing.*Success Audit (\S+) Gestion des comptes d.utilisateur.*Un compte d.utilisateur a .t. d.verrouill.\..*Nom du compte.:\s*(.*[^ ])\s*Domaine du compte.*Nom du compte.:\s*(.*[^ ])\s*Domaine du compte; \
 id=100030; \
 revision=1; \
 analyzer(0).name=Snare; \
 analyzer(0).manufacturer=http://www.intersectalliance.com/projects/SnareWindows; \
 analyzer(0).class=Service; \
 classification.text=Account unlocked; \
 target(0).node.name=$1; \
 target(0).user.user_id(0).name=$3; \
 source(0).user.user_id(0).name=$2; \
 assessment.impact.severity=info; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=An account has been unlocked; \
 last

#DESCRIPTION:Event ID 4726 - Account deleted (Windows 2008 Style Events)
#CATEGORY:Account Management
#LOG:Oct 2 16:22:54 192.168.206.133 MSWinEventLog 2 Security 170 Fri Oct 02 16:22:52 2015 4726 Microsoft-Windows-Security-Auditing PRELUDE\Atest N/A Success Audit WIN-U34BEJH3ME1.prelude.pro Gestion des comptes d’utilisateur Un compte d’utilisateur a été supprimé. Sujet : ID de sécurité : S-1-5-21-2269591700-920990493-2532081251-1000 Nom du compte : avinash Domaine du compte : PRELUDE ID d’ouverture de session : 0x2dafa Compte cible : ID de sécurité : S-1-5-21-2269591700-920990493-2532081251-1104 Nom du compte : Atest Domaine du compte : PRELUDE Informations supplémentaires : Privilèges - 80
regex=MSWinEventLog.*Microsoft-Windows-Security-Auditing.*Success Audit (\S+) Gestion des comptes d.utilisateur.*Un compte d.utilisateur a .t. supprim.\..*Nom du compte.:\s*(.*[^ ])\s*Domaine du compte.*Nom du compte.:\s*(.*[^ ])\s*Domaine du compte; \
 id=100031; \
 revision=1; \
 analyzer(0).name=Snare; \
 analyzer(0).manufacturer=http://www.intersectalliance.com/projects/SnareWindows; \
 analyzer(0).class=Service; \
 classification.text=Account deleted; \
 target(0).node.name=$1; \
 target(0).user.user_id(0).name=$3; \
 source(0).user.user_id(0).name=$2; \
 assessment.impact.severity=info; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=An account has been deleted; \
 last

#DESCRIPTION:Event ID 4737 - Group amended (Windows 2008 Style Events)
#CATEGORY:Account Management
#LOG:Oct 5 15:52:44 192.168.206.133 MSWinEventLog 2 Security 2423 Mon Oct 05 15:52:44 2015 4737 Microsoft-Windows-Security-Auditing PRELUDE\Admins du domaine N/A Success Audit WIN-U34BEJH3ME1.prelude.pro Gestion des groupes de sécurité Un groupe global dont la sécurité est activée a été modifié. Sujet : ID de sécurité : S-1-5-21-2269591700-920990493-2532081251-1000 Nom du compte : avinash Domaine du compte : PRELUDE ID d’ouverture de session : 0x3e5fd Groupe : ID de sécurité : S-1-5-21-2269591700-920990493-2532081251-512 Nom du groupe : Admins du domaine Domaine du groupe : PRELUDE Attributs modifiés : Nom du compte SAM : - Historique SID : - Informations supplémentaires : Privilèges : - 1251
regex=MSWinEventLog.*Microsoft-Windows-Security-Auditing.*Success Audit (\S+) Gestion des groupes de s.curit.\s*Un groupe (\S+) dont la s.curit. est activ.e a .t. modifi.\..*Nom du compte.:\s*(.*[^ ])\s*Domaine du compte.*Nom du groupe.:\s*(.*[^ ])\s*Domaine du groupe; \
 id=100032; \
 revision=1; \
 analyzer(0).name=Snare; \
 analyzer(0).manufacturer=http://www.intersectalliance.com/projects/SnareWindows; \
 analyzer(0).class=Service; \
 classification.text=Group amended; \
 target(0).node.name=$1; \
 source(0).user.user_id(0).name=$3; \
 assessment.impact.severity=info; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=A group has been modified; \
 additional_data(0).data=$2; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Group type; \
 additional_data(1).data=$4; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Group name; \
 last

#DESCRIPTION:Event ID 1102 - Audit log cleared (Windows 2008 Style Events)
#CATEGORY:Integrity
#LOG:Oct 5 14:19:41 192.168.206.133 MSWinEventLog 3 Security 272 Mon Oct 05 14:19:41 2015 1102 Microsoft-Windows-Eventlog N/A N/A Information WIN-U34BEJH3ME1.prelude.pro Effacement de journal Le journal d’audit a été effacé. Objet : ID de sécurité : S-1-5-21-2269591700-920990493-2532081251-1000 Nom de compte : avinash Nom de domaine : PRELUDE ID de connexion : 0x3e5fd 149
regex=MSWinEventLog.*Microsoft-Windows-Eventlog.*Information (\S+) Effacement de journal\s*Le journal d.audit a .t. effac.\s*.*Nom de compte.:\s*(.*)\s*Nom de domaine; \
 id=100033; \
 revision=1; \
 analyzer(0).name=Snare; \
 analyzer(0).manufacturer=http://www.intersectalliance.com/projects/SnareWindows; \
 analyzer(0).class=Service; \
 classification.text=Audit log cleared; \
 target(0).node.name=$1; \
 target(0).user.user_id(0).name=$2; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=Windows audit log has been cleared; \
 last

#DESCRIPTION:Event ID 104 - Log cleared (Windows 2008 Style Events)
#CATEGORY:Integrity
#LOG:Oct 5 14:26:26 192.168.206.133 MSWinEventLog 1 System 394 Mon Oct 05 14:26:26 2015 104 Microsoft-Windows-Eventlog PRELUDE\avinash N/A Information WIN-U34BEJH3ME1.prelude.pro Effacement de journal Le fichier journal Application a été effacé. 30
regex=MSWinEventLog.*Microsoft-Windows-Eventlog [^\\]*\\?(\S+) .*Information (\S+) Effacement de journal\s*Le fichier journal (Application|System) . .t. effac.\.; \
 id=100034; \
 revision=1; \
 analyzer(0).name=Snare; \
 analyzer(0).manufacturer=http://www.intersectalliance.com/projects/SnareWindows; \
 analyzer(0).class=Service; \
 classification.text=$3 log cleared; \
 target(0).node.name=$2; \
 target(0).user.user_id(0).name=$1; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=Windows $3 log has been cleared; \
 last

#DESCRIPTION:Event ID 6006 - Event registration stopped (Windows 2008 Style Events)
#CATEGORY:Service Management
#LOG:Oct 5 12:54:15 192.168.206.133 MSWinEventLog 1 System 53 Mon Oct 05 12:53:00 2015 6006 EventLog N/A N/A Information WIN-U34BEJH3ME1.prelude.pro None Le service d’Enregistrement d’événement a été arrêté. 0
regex=MSWinEventLog.*EventLog.*Information (\S+) .*Le service d.Enregistrement d..v.nement a .t. arr.t.\.; \
 id=100035; \
 revision=1; \
 analyzer(0).name=Snare; \
 analyzer(0).manufacturer=http://www.intersectalliance.com/projects/SnareWindows; \
 analyzer(0).class=Service; \
 classification.text=Event registration stopped; \
 target(0).node.name=$1; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=Windows event registration has been stopped; \
 last

#DESCRIPTION:Event ID 6005 - Event registration started (Windows 2008 Style Events)
#CATEGORY:Service Management
#LOG:Oct 5 12:54:15 192.168.206.133 MSWinEventLog 1 System 82 Mon Oct 05 12:53:42 2015 6005 EventLog N/A N/A Information WIN-U34BEJH3ME1.prelude.pro None Le service d’Enregistrement d’événement a démarré. 29
regex=MSWinEventLog.*EventLog.*Information (\S+) .*Le service d.Enregistrement d..v.nement a d.marr.\.; \
 id=100036; \
 revision=1; \
 analyzer(0).name=Snare; \
 analyzer(0).manufacturer=http://www.intersectalliance.com/projects/SnareWindows; \
 analyzer(0).class=Service; \
 classification.text=Event registration started; \
 target(0).node.name=$1; \
 assessment.impact.severity=info; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=Windows event registration has been started; \
 last

#DESCRIPTION:Event ID 7036 - Event log stopped (Windows 2008 Style Events)
#CATEGORY:Service Management
#LOG:Oct 5 12:54:15 192.168.206.133 MSWinEventLog 1 System 65 Mon Oct 05 12:53:00 2015 7036 Service Control Manager N/A N/A Information WIN-U34BEJH3ME1.prelude.pro None Le service Journal d’événements Windows est entré dans l’état : arrêté. 12
regex=MSWinEventLog.*Service Control Manager.*Information (\S+) .*Le service Journal d..v.nements Windows est entr. 
dans l..tat.: arr.t.\.; \ id=100037; \ revision=1; \ analyzer(0).name=Snare; \ analyzer(0).manufacturer=http://www.intersectalliance.com/projects/SnareWindows; \ analyzer(0).class=Service; \ classification.text=Event log stopped; \ target(0).node.name=$1; \ assessment.impact.severity=low; \ assessment.impact.completion=succeeded; \ assessment.impact.type=other; \ assessment.impact.description=Windows event log has been stopped; \ last #DESCRIPTION:Event ID 7036 - Event log started (Windows 2008 Style Events) #CATEGORY:Service Management #LOG:Oct 5 12:54:15 192.168.206.133 MSWinEventLog 1 System 101 Mon Oct 05 12:53:42 2015 7036 Service Control Manager N/A N/A Information WIN-U34BEJH3ME1.prelude.pro None Le service Journal d’événements Windows est entré dans l’état : en cours d’exécution. 48 regex=MSWinEventLog.*Service Control Manager.*Information (\S+) .*Le service Journal d..v.nements Windows est entr. dans l..tat.: en cours d.ex.cution\.; \ id=100038; \ revision=1; \ analyzer(0).name=Snare; \ analyzer(0).manufacturer=http://www.intersectalliance.com/projects/SnareWindows; \ analyzer(0).class=Service; \ classification.text=Event log started; \ target(0).node.name=$1; \ assessment.impact.severity=info; \ assessment.impact.completion=succeeded; \ assessment.impact.type=other; \ assessment.impact.description=Windows event log has been started; \ last #DESCRIPTION:Event ID 800 - Virus found (Windows 2008 Style Events) #CATEGORY:Malware #LOG:Aug 28 14:38:51 MSWinEventLog 1 Application 59 ven. août 28 14:38:51 201 800 Control Manager Server \... N/A Information System Information Message: Control Manager () notification: Virus found action result. The second virus scan action has been applied to the virus detected in \\Local Folder\New Entity\<...>\\. 
Virus: Eicar_test_file Action result: File quarantined Infected file: eicar - Copy (8) - Copy File path: A:\ Scan engine: 9.205.1002 Virus pattern: 0.704.00 Event date/time: 28/08/2015 14:36:11 2 regex=MSWinEventLog.*Control Manager Server.*notification: Virus found action result.\s*The second virus scan action has been applied to the virus detected in .*Virus: (.+)\s*Action result: File quarantined\s*Infected file: (.+)\s*File path: (.+)\s*Scan engine: (.*)\s*Virus pattern: (.+)\s*Event date\/time: (\S+) (\S+); \ id=100039; \ revision=1; \ analyzer(0).name=Snare; \ analyzer(0).manufacturer=http://www.intersectalliance.com/projects/SnareWindows; \ analyzer(0).class=Service; \ classification.text=Virus found; \ analyzer(0).class=System; \ assessment.impact.severity=high; \ assessment.impact.completion=succeeded; \ assessment.impact.type=other; \ assessment.impact.description=A virus has been found; \ additional_data(0).type=string; \ additional_data(0).meaning=Virus name; \ additional_data(0).data=$1; \ additional_data(1).type=string; \ additional_data(1).meaning=Virus filename; \ additional_data(1).data=$2; \ additional_data(2).type=string; \ additional_data(2).meaning=Virus location; \ additional_data(2).data=$3; \ additional_data(3).type=string; \ additional_data(3).meaning=Scan engine; \ additional_data(3).data=$4; \ additional_data(4).type=string; \ additional_data(4).meaning=Virus pattern; \ additional_data(4).data=$5; \ additional_data(5).type=string; \ additional_data(5).meaning=Virus detect time; \ additional_data(5).data=$6 $7; \ last prelude-lml-rules-5.1.0/ruleset/sonicwall.rules0000664000175000017500000003113613537533463022005 0ustar tandrejatandreja#FULLNAME: SonicWALL #VERSION: 1.0 #DESCRIPTION: Range of Internet appliances primarily directed at content control and network security. ##### # # Copyright (C) 2006 Igor Manassypov # All Rights Reserved # # This file is part of the Prelude-LML program. 
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

#DESCRIPTION:Admin login
#CATEGORY:Authentication
#LOG:Mar 10 13:44:49 192.168.30.10 id=firewall sn=0006B11302A2 time="2006-03-10 13:44:50" fw=216.123.166.2 pri=6 c=16 m=29 msg="Administrator login allowed" n=40 usr=netadm src=192.168.30.57:0:X0 dst=192.168.30.10:443:X0
regex=fw=([\d\.]+) pri=(\d) c=(\d+) m=(\d+) msg=\"(.+)\" n=(\d+) usr=(\S+) src=([\d\.]+):(\d+):(\S+) dst=([\d\.]+):(\d+):(\S+)$; \
 classification.text=Admin login; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=message-id; \
 classification.reference(0).name=$4; \
 classification.reference(0).url=http://www.sonicwall.com/support/pdfs/SonicOS_Log_Event_Reference_Guide.pdf; \
 classification.reference(1).origin=vendor-specific; \
 classification.reference(1).meaning=priority-id; \
 classification.reference(1).name=$2; \
 classification.reference(1).url=http://www.sonicwall.com/support/pdfs/SonicOS_Log_Event_Reference_Guide.pdf; \
 id=4600; \
 revision=1; \
 analyzer(0).name=SonicWall; \
 analyzer(0).manufacturer=SonicGuard; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=User $7 logged in. Message Priority = $2, Category = $3, ID = $4, Count = $6; \
 source(0).interface=$10; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$8; \
 source(0).service.port=$9; \
 target(0).interface=$13; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$11; \
 target(0).service.port=$12; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$7; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Reporting firewall ip address; \
 additional_data(0).data=$1; \
 additional_data(1).type=integer; \
 additional_data(1).meaning=Number of events; \
 additional_data(1).data=$6; \
 additional_data(2).type=string; \
 additional_data(2).meaning=Legacy category; \
 additional_data(2).data=$3; \
 last

#DESCRIPTION:Possible spoof attack
#CATEGORY:Network Security
#LOG:Mar 10 16:14:21 192.168.30.10 id=firewall sn=0006B11302A2 time="2006-03-10 16:14:22" fw=216.123.166.2 pri=1 c=32 m=23 msg="IP spoof dropped" n=64224 src=192.168.85.94:123:X0 dst=192.5.41.209:123:X1 mac=00:d0:ff:8b:8f:fc
regex=fw=([\d\.]+) pri=(\d) c=(\d+) m=(\d+) msg=\"(.+)\" n=(\d+) src=([\d\.]+):(\d+):(\S+) dst=([\d\.]+):(\d+):(\S+) mac=(\S+)$; \
 classification.text=Possible spoof attack; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=message-id; \
 classification.reference(0).name=$4; \
 classification.reference(0).url=http://www.sonicwall.com/support/pdfs/SonicOS_Log_Event_Reference_Guide.pdf; \
 classification.reference(1).origin=vendor-specific; \
 classification.reference(1).meaning=priority-id; \
 classification.reference(1).name=$2; \
 classification.reference(1).url=http://www.sonicwall.com/support/pdfs/SonicOS_Log_Event_Reference_Guide.pdf; \
 id=4601; \
 revision=1; \
 analyzer(0).name=SonicWall; \
 analyzer(0).manufacturer=SonicGuard; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=high; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=$5. MAC: $13. Message Priority = $2, Category = $3, ID = $4, Count = $6; \
 source(0).interface=$9; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$7; \
 source(0).node.address(1).category=mac; \
 source(0).node.address(1).address=$13; \
 source(0).service.port=$8; \
 target(0).interface=$12; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$10; \
 target(0).service.port=$11; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Reporting firewall ip address; \
 additional_data(0).data=$1; \
 additional_data(1).type=integer; \
 additional_data(1).meaning=Number of events; \
 additional_data(1).data=$6; \
 additional_data(2).type=string; \
 additional_data(2).meaning=Legacy category; \
 additional_data(2).data=$3; \
 last

#DESCRIPTION:Malformed packets
#CATEGORY:Network Security
#LOG:Mar 13 02:58:36 192.168.30.10 id=firewall sn=0006B11302A2 time="2006-03-13 02:58:19" fw=216.123.166.2 pri=1 c=32 m=522 msg="Malformed IP packet dropped." n=5090 src=207.0.188.16:0:X1 dst=216.123.166.2:1026 dstname="IP Protocol 17"
regex=fw=([\d\.]+) pri=(\d) c=(\d+) m=(\d+) msg=\"(.+)\" n=(\d+) src=([\d\.]+):(\d+):(\S+) dst=([\d\.]+):(\d+) dstname="(.+)"$; \
 classification.text=Malformed packets; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=message-id; \
 classification.reference(0).name=$4; \
 classification.reference(0).url=http://www.sonicwall.com/support/pdfs/SonicOS_Log_Event_Reference_Guide.pdf; \
 classification.reference(1).origin=vendor-specific; \
 classification.reference(1).meaning=priority-id; \
 classification.reference(1).name=$2; \
 classification.reference(1).url=http://www.sonicwall.com/support/pdfs/SonicOS_Log_Event_Reference_Guide.pdf; \
 id=4602; \
 revision=1; \
 analyzer(0).name=SonicWall; \
 analyzer(0).manufacturer=SonicGuard; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=failed; \
 assessment.impact.description=$5 for $12. Message Priority = $2, Category = $3, ID = $4, Count = $6; \
 source(0).interface=$9; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$7; \
 source(0).service.port=$8; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$10; \
 target(0).service.port=$11; \
 target(0).service.iana_protocol_name=$12; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Reporting firewall ip address; \
 additional_data(0).data=$1; \
 additional_data(1).type=integer; \
 additional_data(1).meaning=Number of events; \
 additional_data(1).data=$6; \
 additional_data(2).type=string; \
 additional_data(2).meaning=Legacy category; \
 additional_data(2).data=$3; \
 last

#DESCRIPTION:Connection from LAN denied
#CATEGORY:Network Security
#LOG:Mar 13 11:00:21 192.168.30.10 id=firewall sn=0006B11302A2 time="2006-03-13 11:00:31" fw=216.123.166.2 pri=5 c=2048 m=173 msg="TCP connection from LAN denied" n=150 src=192.168.30.222:1:X0 dst=192.168.30.10:8:X0 proto=tcp/8
regex=fw=([\d\.]+) pri=(\d) c=(\d+) m=(\d+) msg=\"(.+)\" n=(\d+) src=([\d\.]+):(\d+):(\S+) dst=([\d\.]+):(\d+):(\S+) proto=(\S+)$; \
 classification.text=Connection from LAN denied; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=message-id; \
 classification.reference(0).name=$4; \
 classification.reference(0).url=http://www.sonicwall.com/support/pdfs/SonicOS_Log_Event_Reference_Guide.pdf; \
 classification.reference(1).origin=vendor-specific; \
 classification.reference(1).meaning=priority-id; \
 classification.reference(1).name=$2; \
 classification.reference(1).url=http://www.sonicwall.com/support/pdfs/SonicOS_Log_Event_Reference_Guide.pdf; \
 id=4603; \
 revision=1; \
 analyzer(0).name=SonicWall; \
 analyzer(0).manufacturer=SonicGuard; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=failed; \
 assessment.impact.description=$5 for $13. Message Priority = $2, Category = $3, ID = $4, Count = $6; \
 source(0).interface=$9; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$7; \
 source(0).service.port=$8; \
 target(0).interface=$12; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$10; \
 target(0).service.port=$11; \
 target(0).service.iana_protocol_name=$13; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Reporting firewall ip address; \
 additional_data(0).data=$1; \
 additional_data(1).type=integer; \
 additional_data(1).meaning=Number of events; \
 additional_data(1).data=$6; \
 additional_data(2).type=string; \
 additional_data(2).meaning=Legacy category; \
 additional_data(2).data=$3; \
 last

#DESCRIPTION:Possible SYN Flood attack
#CATEGORY:Network Security
#LOG:Mar 13 11:00:22 192.168.30.10 id=firewall sn=0006B11302A2 time="2006-03-13 11:00:32" fw=216.123.166.2 pri=1 c=0 m=860 msg="Possible SYN Flood on IF X0 - src: 192.168.30.222:1 dst: 192.168.30.10:481" n=1
regex=fw=([\d\.]+) pri=(\d) c=(\d+) m=(\d+) msg="Possible SYN Flood on IF (\S+) - src: ([\d\.]+):(\d+) dst: ([\d\.]+):(\d+)" n=(\d+)$; \
 classification.text=Possible SYN flood; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=message-id; \
 classification.reference(0).name=$4; \
 classification.reference(0).url=http://www.sonicwall.com/support/pdfs/SonicOS_Log_Event_Reference_Guide.pdf; \
 classification.reference(1).origin=vendor-specific; \
 classification.reference(1).meaning=priority-id; \
 classification.reference(1).name=$2; \
 classification.reference(1).url=http://www.sonicwall.com/support/pdfs/SonicOS_Log_Event_Reference_Guide.pdf; \
 id=4604; \
 revision=1; \
 analyzer(0).name=SonicWall; \
 analyzer(0).manufacturer=SonicGuard; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=high; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Possible SYN Flood attack. Message Priority = $2, Category = $3, ID = $4, Count = $10; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$6; \
 source(0).service.port=$7; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$8; \
 target(0).service.port=$9; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Reporting firewall ip address; \
 additional_data(0).data=$1; \
 additional_data(1).type=integer; \
 additional_data(1).meaning=Number of events; \
 additional_data(1).data=$10; \
 additional_data(2).type=string; \
 additional_data(2).meaning=Legacy category; \
 additional_data(2).data=$3; \
 last

#DESCRIPTION:Possible port scan attack
#CATEGORY:Recognition
#LOG:Mar 13 14:50:06 192.168.30.10 id=firewall sn=0006B11302A2 time="2006-03-13 14:50:12" fw=216.123.166.2 pri=1 c=32 m=82 msg="Possible port scan dropped" n=268 src=70.29.251.124:20912:X1 dst=216.123.166.2:26917:X1
regex=fw=([\d\.]+) pri=(\d) c=(\d+) m=(\d+) msg="Possible port scan dropped" n=(\d+) src=([\d\.]+):(\d+):(\S+) dst=([\d\.]+):(\d+):(\S+)$; \
 classification.text=Possible port scan; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=message-id; \
 classification.reference(0).name=$4; \
 classification.reference(0).url=http://www.sonicwall.com/support/pdfs/SonicOS_Log_Event_Reference_Guide.pdf; \
 classification.reference(1).origin=vendor-specific; \
 classification.reference(1).meaning=priority-id; \
 classification.reference(1).name=$2; \
 classification.reference(1).url=http://www.sonicwall.com/support/pdfs/SonicOS_Log_Event_Reference_Guide.pdf; \
 id=4605; \
 revision=1; \
 analyzer(0).name=SonicWall; \
 analyzer(0).manufacturer=SonicGuard; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=high; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Possible port scan attack. Message Priority = $2, Category = $3, ID = $4, Count = $5; \
 source(0).interface=$8; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$6; \
 source(0).service.port=$7; \
 target(0).interface=$11; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$9; \
 target(0).service.port=$10; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Reporting firewall ip address; \
 additional_data(0).data=$1; \
 additional_data(1).type=integer; \
 additional_data(1).meaning=Number of events; \
 additional_data(1).data=$5; \
 additional_data(2).type=string; \
 additional_data(2).meaning=Legacy category; \
 additional_data(2).data=$3; \
 last

prelude-lml-rules-5.1.0/ruleset/spamassassin.rules
#FULLNAME: SpamAssassin
#VERSION: 1.0
#DESCRIPTION: Open Source mail filter, written in Perl, to identify spam using a wide range of heuristic tests on mail headers and body text. Each supported MTA should have a rule that creates a context to be used by the spamd rule to match up originator information.
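Whichever ruleset a rule lives in, it only works if two things hold that are easy to get wrong by hand: the capture groups of the `regex=` line must line up with the `$N` references in the IDMEF assignments (including those in `new_context`/`require_context` names), and the pattern must actually match the `#LOG:` samples recorded above it. The following checker is an added example and is not part of prelude-lml-rules: it parses rules written in this file format, compiles each regex with Python's `re` (assumed close enough to the PCRE engine Prelude-LML uses for these patterns), reports `$N` references with no matching group and sample logs that fail to match, and expands the fields against a sample line so the resulting IDMEF values can be eyeballed. The input is constructed: rule 1902 copied from the sshd ruleset in this archive, plus a hypothetical rule (id 999999, not in the ruleset) that references a group its regex does not have.

```python
import re
from typing import Dict, List, Optional

# Constructed input in the ruleset's own format. The first rule is rule 1902 from
# the sshd ruleset in this archive; the second is hypothetical (id 999999 is not a
# prelude-lml-rules id) and references a capture group its regex lacks.
SAMPLE_RULES = r"""
#DESCRIPTION:Remote Login failed
#CATEGORY:Authentication
#LOG:Dec 9 16:00:35 itguxweb2 sshd[24541]: Failed password for root from 12.34.56.78 port 1806
#LOG:Dec 9 21:29:56 devel5 sshd[17554]: Failed password for akarade from 12.34.56.78 port 4214
regex=Failed (\S+) for (\S+) from (\S+) port (\d+); \
 classification.text=Remote Login; \
 id=1902; \
 assessment.impact.description=Someone tried to login as $2 from $3 port $4 using the $1 method; \
 source(0).node.address(0).address=$3; \
 source(0).service.port=$4; \
 target(0).user.user_id(0).name=$2; \
 last

#DESCRIPTION:Constructed broken rule (hypothetical, not part of the ruleset)
#CATEGORY:Authentication
#LOG:Jan 20 14:10:02 blah sshd[25443]: Invalid user admin from 213.201.222.134
regex=(Illegal|Invalid) user (\S+) from (\S+); \
 id=999999; \
 target(0).user.user_id(0).name=$4; \
 last
"""

REF = re.compile(r"\$(\d+)")  # a $N back-reference inside a field value


def parse_rules(text: str) -> List[dict]:
    """Parse rules in the prelude-lml file format: '#LOG:' samples, then a 'regex='
    line followed by 'key=value; \\' continuation lines and a final flag line."""
    rules: List[dict] = []
    logs: List[str] = []
    cur: Optional[dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#LOG:"):
            logs.append(line[5:].strip())
            continue
        if line.startswith("#"):            # DESCRIPTION, CATEGORY, licence text
            continue
        if line.startswith("regex="):
            cur = {"regex": "", "fields": {}, "flags": [], "logs": logs}
            logs = []
            rules.append(cur)
        if cur is None:
            continue                          # stray text outside any rule
        cont = line.endswith("\\")
        body = line[:-1].rstrip() if cont else line
        if body.endswith(";"):
            body = body[:-1].rstrip()
        if body.startswith("regex="):
            cur["regex"] = body[len("regex="):]
        elif "=" in body:
            key, val = body.split("=", 1)
            cur["fields"][key.strip()] = val.strip()
        else:                                 # e.g. "last" or "silent; chained"
            cur["flags"].extend(f.strip() for f in body.split(";") if f.strip())
        if not cont:
            cur = None                        # the line without a trailing backslash ends the rule
    return rules


def check_rule(rule: dict) -> List[str]:
    """Return the problems found; an empty list means the rule is self-consistent."""
    problems: List[str] = []
    try:
        pat = re.compile(rule["regex"])
    except re.error as exc:
        return [f"regex does not compile: {exc}"]
    for key, val in rule["fields"].items():
        for ref in REF.findall(val):
            if not 1 <= int(ref) <= pat.groups:
                problems.append(f"{key} references ${ref} but the regex has {pat.groups} groups")
    for log in rule["logs"]:
        if not pat.search(log):
            problems.append(f"sample log does not match: {log}")
    return problems


def expand(rule: dict, log: str) -> Optional[Dict[str, str]]:
    """Substitute every $N with its captured group, i.e. the field values LML would emit.
    Call only after check_rule() passed; an out-of-range $N raises IndexError here."""
    m = re.compile(rule["regex"]).search(log)
    if m is None:
        return None
    return {key: REF.sub(lambda r: m.group(int(r.group(1))) or "", val)
            for key, val in rule["fields"].items()}


if __name__ == "__main__":
    for rule in parse_rules(SAMPLE_RULES):
        rid = rule["fields"].get("id", "?")
        problems = check_rule(rule)
        print(f"rule {rid}: {'OK' if not problems else '; '.join(problems)}")
        if not problems:
            for log in rule["logs"]:
                print("  ", expand(rule, log))
```

Run it over a real ruleset by replacing `SAMPLE_RULES` with the file contents; a reference to a non-existent group shows up as an explicit problem instead of an empty IDMEF field at alert time.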
#####
#
# Copyright (C) 2006 G Ramon Gomez
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

#DESCRIPTION:Once the MTAs set up their contexts, the SpamAssassin-specific rule can be called
#CATEGORY:Email
#LOG:Apr 28 11:09:56 awale postfix/smtpd[30879]: 8144DC232CF: client=benji1.traduc.org[213.246.37.27]
regex=(\S+): client=(\S+)\[(\S+)\]; \
 id=5200; \
 new_context=SPAMASSASSIN_$1,expire:10; \
 source(0).node.name = $2; \
 source(0).node.address(>>).address = $3; \
 silent

#DESCRIPTION:Once the MTAs set up their contexts, the SpamAssassin-specific rule can be called
#CATEGORY:Email
#LOG:Apr 28 11:09:56 awale postfix/qmgr[5304]: 8144DC232CF: from=, size=15179, nrcpt=1 (queue active)
regex=(\S+): from=<(\S+)>, size=(\d+); \
 id=5201; \
 require_context=SPAMASSASSIN_$1; \
 source(0).node.address(>>).address = $2; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=Size; \
 additional_data(0).data=$3; \
 silent

#DESCRIPTION:SpamAssassin detected a spam
#CATEGORY:Email
#LOG:Apr 5 16:59:44 vm-mail spamd[1819]: spamd: result: Y 999 - ALL_TRUSTED,GTUBE,NO_REAL_NAME scantime=0.1,size=769,user=jenny@yyy.com,uid=8,required_score=5.0,rhost=localhost,raddr=127.0.0.1,rport=38643,mid=<443459EF.mail1EK1XC3LT@xxx.com>,autolearn=no
regex=spamd: result: Y (\d+) - (\S+) scantime=([\d\.]+),size=(\d+),user=(\S+),uid=(\d+),required_score=([\d\.]+)\S+mid=<(\S+@\S+)>; \
 id=5202; \
 require_context=SPAMASSASSIN_$8; \
 classification.text=Spam found; \
 analyzer(0).name=SpamAssassin; \
 analyzer(0).manufacturer=http://spamassassin.apache.org/; \
 analyzer(0).class=Antispam; \
 assessment.impact.severity=low; \
 assessment.impact.completion=failed; \
 assessment.impact.type=user; \
 assessment.impact.description=SpamAssassin detected spam being sent to $5. This spam scored $1 of a required $7 points.; \
 target(0).node.address(0).category=e-mail; \
 target(0).node.address(0).address=$5; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).number=$6; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Signatures matched; \
 additional_data(0).data=$2; \
 additional_data(1).type=integer; \
 additional_data(1).meaning=Score; \
 additional_data(1).data=$1; \
 additional_data(2).type=string; \
 additional_data(2).meaning=Required Score; \
 additional_data(2).data=$7; \
 additional_data(3).type=string; \
 additional_data(3).meaning=Scan time; \
 additional_data(3).data=$3; \
 additional_data(4).type=integer; \
 additional_data(4).meaning=Size; \
 additional_data(4).data=$4; \
 last

prelude-lml-rules-5.1.0/ruleset/squid.rules
#FULLNAME: Squid
#VERSION: 1.0
#DESCRIPTION: Squid is a caching and forwarding web proxy.
#####
#
# Copyright (C) 2003 Vincent Glaume
# Currently supported by G Ramon Gomez
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

#DESCRIPTION:Squid Proxy started
#CATEGORY:Service Management
#LOG:2005/11/28 06:00:42| Starting Squid Cache version 2.5.STABLE1 for i386-redhat-linux-gnu...
regex=Starting Squid Cache version ([\w\.]+) for (\S+)\.\.\.; \
 classification.text=Proxy started; \
 id=1801; \
 revision=2; \
 analyzer(0).name=Squid; \
 analyzer(0).manufacturer=www.squid-cache.org; \
 analyzer(0).class=Proxy; \
 assessment.impact.severity=info; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=Squid Proxy was started; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Version; \
 additional_data(0).data=$1; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Platform; \
 additional_data(1).data=$2; \
 last

#DESCRIPTION:Accepting connections or disabled services
#CATEGORY:Service Management
#LOG:2005/11/28 06:00:44| Accepting HTTP connections at 0.0.0.0, port 3128, FD 12.
regex=Accepting HTTP connections at ([\d\.]+), port (\d+), FD (\d+)\.; \
 classification.text=Proxy accepts HTTP; \
 id=1802; \
 revision=2; \
 analyzer(0).name=Squid; \
 analyzer(0).manufacturer=www.squid-cache.org; \
 analyzer(0).class=Proxy; \
 assessment.impact.severity=info; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=Squid listens for incoming HTTP connections on $1:$2, file descriptor #$3; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$1; \
 target(0).service.port=$2; \
 target(0).service.name=HTTP; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=File descriptor; \
 additional_data(0).data=$3; \
 last

#DESCRIPTION:Proxy accepts ICP
#CATEGORY:Service Management
#LOG:2005/11/28 06:00:44| Accepting ICP messages at 0.0.0.0, port 3130, FD 13.
regex=Accepting ICP messages at ([\d\.]+), port (\d+), FD (\d+)\.; \
 classification.text=Proxy accepts ICP; \
 id=1803; \
 revision=2; \
 analyzer(0).name=Squid; \
 analyzer(0).manufacturer=www.squid-cache.org; \
 analyzer(0).class=Proxy; \
 assessment.impact.severity=info; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=Squid listens for incoming ICP messages on $1:$2, file descriptor #$3; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$1; \
 target(0).service.port=$2; \
 target(0).service.name=ICP; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=File descriptor; \
 additional_data(0).data=$3; \
 last

#DESCRIPTION:Proxy accepts HTCP
#CATEGORY:Service Management
#LOG:2005/11/28 06:00:44| Accepting HTCP messages on port 4827, FD 15.
regex=Accepting HTCP messages on port (\d+), FD (\d+)\.; \
 classification.text=Proxy accepts HTCP; \
 id=1804; \
 revision=2; \
 analyzer(0).name=Squid; \
 analyzer(0).manufacturer=www.squid-cache.org; \
 analyzer(0).class=Proxy; \
 assessment.impact.severity=info; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=Squid listens for incoming HTCP messages on port $1, file descriptor #$2; \
 target(0).service.port=$1; \
 target(0).service.name=HTCP; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=File descriptor; \
 additional_data(0).data=$2; \
 last

#DESCRIPTION:Proxy accepts WCCP
#CATEGORY:Service Management
#LOG:2005/11/28 06:00:44| Accepting WCCP messages on port 2048, FD 18.
regex=Accepting WCCP messages on port (\d+), FD (\d+)\.; \
 classification.text=Proxy accepts WCCP; \
 id=1805; \
 revision=2; \
 analyzer(0).name=Squid; \
 analyzer(0).manufacturer=www.squid-cache.org; \
 analyzer(0).class=Proxy; \
 assessment.impact.severity=info; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=Squid listens for incoming WCCP messages on port $1, file descriptor #$2; \
 target(0).service.port=$1; \
 target(0).service.name=WCCP; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=File descriptor; \
 additional_data(0).data=$2; \
 last

#DESCRIPTION:Proxy started without HTCP
#CATEGORY:Service Management
#LOG:2005/11/28 06:00:44| HTCP Disabled.
regex=HTCP Disabled\.; \
 classification.text=Proxy started without HTCP; \
 id=1806; \
 revision=1; \
 analyzer(0).name=Squid; \
 analyzer(0).manufacturer=www.squid-cache.org; \
 analyzer(0).class=Proxy; \
 assessment.impact.severity=info; \
 assessment.impact.type=other; \
 assessment.impact.description=Squid was invoked without the HTCP service; \
 last

#DESCRIPTION:Proxy started without WCCP
#CATEGORY:Service Management
#LOG:2005/11/28 06:00:44| WCCP Disabled.
regex=WCCP Disabled\.; \
 classification.text=Proxy started without WCCP; \
 id=1807; \
 revision=1; \
 analyzer(0).name=Squid; \
 analyzer(0).manufacturer=www.squid-cache.org; \
 analyzer(0).class=Proxy; \
 assessment.impact.severity=info; \
 assessment.impact.type=other; \
 assessment.impact.description=Squid was invoked without the WCCP service; \
 last

#DESCRIPTION:A Squid child process exited
#CATEGORY:Service Management
#LOG:2005/11/28 06:00:44| Squid Parent: child process 10216 exited due to signal 6
regex=Squid Parent: child process (\d+) exited due to signal (\d+); \
 classification.text=Proxy child process stopped; \
 id=1808; \
 revision=2; \
 analyzer(0).name=Squid; \
 analyzer(0).manufacturer=www.squid-cache.org; \
 analyzer(0).class=Proxy; \
 assessment.impact.severity=medium; \
 assessment.impact.type=other; \
 assessment.impact.description=A Squid child process (pid $1) exited after receiving the signal $2; \
 target(0).process.pid=$1; \
 last

#DESCRIPTION:Host attempted to violate Squid ACL. Failed
#CATEGORY:Network Security
#LOG:1133224765.027 23 12.34.56.78 TCP_DENIED/403 1387 GET http://was.nld.l.google.com:81/hit? - NONE/- text/html
regex=(\d+) ([\d\.]+) (\S+DENIED)/(\d+) (\d+) (\S+) (\S+); \
 classification.text=Proxy ACL violation attempt; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=squid_id; \
 classification.reference(0).name=$3; \
 classification.reference(0).url=http://www.squid-cache.org/Doc/FAQ/FAQ-6.html#ss6.7; \
 classification.reference(1).origin=vendor-specific; \
 classification.reference(1).meaning=squid_status; \
 classification.reference(1).name=$4; \
 classification.reference(1).url=http://www.squid-cache.org/Doc/FAQ/FAQ-6.html#ss6.8; \
 id=1809; \
 revision=2; \
 analyzer(0).name=Squid; \
 analyzer(0).manufacturer=www.squid-cache.org; \
 analyzer(0).class=Proxy; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=failed; \
 assessment.impact.description=Host $2 tried to violate Squid ACL; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$2; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Elapsed time; \
 additional_data(0).data=$1 ms; \
 additional_data(1).type=integer; \
 additional_data(1).meaning=Bytes transmitted; \
 additional_data(1).data=$5; \
 additional_data(2).type=string; \
 additional_data(2).meaning=HTTP method; \
 additional_data(2).data=$6; \
 additional_data(3).type=string; \
 additional_data(3).meaning=URL; \
 additional_data(3).data=$7; \
 last

prelude-lml-rules-5.1.0/ruleset/ssh.rules
#FULLNAME: SSH
#VERSION: 1.0
#DESCRIPTION: SSH is a cryptographic (encrypted) network protocol that allows remote login and other network services to operate securely over an unsecured network.
#####
#
# Copyright (C) 2002,2004 Nicolas Delon
# Copyright (C) 2005 G Ramon Gomez
# All Rights Reserved
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

#DESCRIPTION:SSH from root (chained helper: raises the impact of any rule below that matches a root login)
#CATEGORY:Authentication
#LOG:Dec 8 14:45:17 itguxweb1 sshd[32112]: Accepted publickey for root from 12.34.56.78 port 56634 ssh2
regex=for root from|user root; \
 id=1907; \
 assessment.impact.type=admin; \
 assessment.impact.severity=medium; \
 silent; chained

#DESCRIPTION:Remote Login succeeded
#CATEGORY:Authentication
#LOG:Dec 8 14:45:17 itguxweb1 sshd[32112]: Accepted publickey for root from 12.34.56.78 port 56634 ssh2
#LOG:Jan 14 03:30:44 mail sshd[20298]: Accepted publickey for root from fec0:0:201::3 port 63018 ssh2
#LOG:Jan 14 03:30:44 mail sshd[20298]: Accepted publickey for john from fec0:0:201::3 port 63018 ssh2
#LOG:Dec 10 10:33:19 itguxweb2 sshd[29738]: Accepted password for ekwong from 12.34.56.78 port 39852 ssh2
regex=Accepted (\S+) for (\S+) from (\S+) port (\d+); \
 classification.text=Remote Login; \
 optgoto=1907; \
 id=1908; \
 revision=3; \
 analyzer(0).name=sshd; \
 analyzer(0).manufacturer=OpenSSH; \
 analyzer(0).class=Authentication; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=user; \
 assessment.impact.description=User $2 logged in from $3 port $4 using the $1 method; \
 source(0).node.address(0).address=$3; \
 source(0).service.port=$4; \
 source(0).service.iana_protocol_name=tcp; \
 source(0).service.iana_protocol_number=6; \
 target(0).service.port=22; \
 target(0).service.name=ssh; \
 target(0).service.iana_protocol_name=tcp; \
 target(0).service.iana_protocol_number=6; \
 target(0).user.category=os-device; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$2; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Authentication method; \
 additional_data(0).data=$1; \
 last

#DESCRIPTION:Remote Login failed
#CATEGORY:Authentication
#LOG:Dec 9 16:00:35 itguxweb2 sshd[24541]: Failed password for root from 12.34.56.78 port 1806
#LOG:Dec 9 21:29:56 devel5 sshd[17554]: Failed password for akarade from 12.34.56.78 port 4214
regex=Failed (\S+) for (\S+) from (\S+) port (\d+); \
 optgoto=1907; \
 classification.text=Remote Login; \
 id=1902; \
 revision=3; \
 analyzer(0).name=sshd; \
 analyzer(0).manufacturer=OpenSSH; \
 analyzer(0).class=Authentication; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=failed; \
 assessment.impact.type=user; \
 assessment.impact.description=Someone tried to login as $2 from $3 port $4 using the $1 method; \
 source(0).node.address(0).address=$3; \
 source(0).service.port=$4; \
 source(0).service.iana_protocol_name=tcp; \
 source(0).service.iana_protocol_number=6; \
 target(0).service.port=22; \
 target(0).service.name=ssh; \
 target(0).service.iana_protocol_name=tcp; \
 target(0).service.iana_protocol_number=6; \
 target(0).user.category=os-device; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$2; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Authentication method; \
 additional_data(0).data=$1; \
 last

#DESCRIPTION:Invalid (non-existent) user tried to login
#CATEGORY:Authentication
#LOG:Jan 20 14:10:02 blah sshd[25443]: Invalid user admin from 213.201.222.134
regex=(Illegal|Invalid) user (\S+) from (\S+); \
 classification.text=User login failed with an invalid user; \
 id=1904; \
 revision=2; \
 analyzer(0).name=sshd; \
 analyzer(0).manufacturer=OpenSSH; \
 analyzer(0).class=Authentication; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=failed; \
 assessment.impact.type=user; \
 assessment.impact.description=Someone tried to login with the invalid user "$2" from $3; \
 source(0).node.address(0).address=$3; \
 source(0).service.iana_protocol_name=tcp; \
 source(0).service.iana_protocol_number=6; \
 target(0).service.port=22; \
 target(0).service.name=ssh; \
 target(0).service.iana_protocol_name=tcp; \
 target(0).service.iana_protocol_number=6; \
 target(0).user.category=os-device; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$2; \
 last

#DESCRIPTION:User rejected by an AllowUsers/AllowGroups/DenyUsers/DenyGroups directive in sshd_config tried to login
#DESCRIPTION:($3 captures the directive that caused the rejection)
#CATEGORY:Authentication
#LOG:Jan 6 22:50:24 localhost sshd[15489]: User nobody not allowed because none of user's groups are listed in AllowGroups
regex=User (\S+) not allowed because (.*)listed in (\w+); \
 classification.text=User login failed with a denied user; \
 id=1905; \
 revision=3; \
 analyzer(0).name=sshd; \
 analyzer(0).manufacturer=OpenSSH; \
 analyzer(0).class=Authentication; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=failed; \
 assessment.impact.type=user; \
 assessment.impact.description=User $1 failed to login because $2 listed in $3; \
 source(0).service.iana_protocol_name=tcp; \
 source(0).service.iana_protocol_number=6; \
 target(0).service.port=22; \
 target(0).service.name=ssh; \
 target(0).service.iana_protocol_name=tcp; \
 target(0).service.iana_protocol_number=6; \
 target(0).user.category=os-device; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$1; \
 additional_data(0).type=string; \
 additional_data(0).meaning=ACL; \
 additional_data(0).data=$3; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Failure reason; \
 additional_data(1).data=$2 listed in $3; \
 last

#DESCRIPTION:Sshd did not receive the identification string from the client
#DESCRIPTION:(typically a port scan or banner probe that connected without sending an SSH banner;
#DESCRIPTION:TCP health checks and monitoring probes produce the same message)
#CATEGORY:Recognition
#LOG:Jun 10 09:51:57 server sshd[9100]: Did not receive identification string from 1.2.3.4
regex=Did not receive identification string from (\S+); \
 classification.text=Server recognition; \
 id=1906; \
 revision=2; \
 analyzer(0).name=sshd; \
 analyzer(0).manufacturer=OpenSSH; \
 analyzer(0).class=Authentication; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=failed; \
 assessment.impact.type=recon; \
 assessment.impact.description=$1 is probably making a server recognition; \
 source(0).node.address(0).address=$1; \
 source(0).service.iana_protocol_name=tcp; \
 source(0).service.iana_protocol_number=6; \
 target(0).service.port=22; \
 target(0).service.name=ssh; \
 target(0).service.iana_protocol_name=tcp; \
 target(0).service.iana_protocol_number=6; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Failure reason; \
 additional_data(0).data=Did not receive identification string; \
 last

#DESCRIPTION:Forbidden root login (PermitRootLogin set to "no" or "forced-commands-only"
#DESCRIPTION:in sshd_config)
#CATEGORY:Authentication
#LOG:Jan 5 01:31:41 www sshd[1643]: ROOT LOGIN REFUSED FROM 1.2.3.4
regex=ROOT LOGIN REFUSED FROM (\S+); \
 classification.text=Admin login; \
 id=1909; \
 revision=2; \
 analyzer(0).name=sshd; \
 analyzer(0).manufacturer=OpenSSH; \
 analyzer(0).class=Authentication; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=failed; \
 assessment.impact.type=admin; \
 assessment.impact.description=Root tried to login while it is forbidden; \
 source(0).node.address(0).address=$1; \
 source(0).service.iana_protocol_name=tcp; \
 source(0).service.iana_protocol_number=6; \
 target(0).service.port=22; \
 target(0).service.name=ssh; \
 target(0).service.iana_protocol_name=tcp; \
 target(0).service.iana_protocol_number=6; \
 target(0).user.category=os-device; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=root; \
 last

#DESCRIPTION:Generic Message Exchange Authentication For SSH ()
#DESCRIPTION:Invalid|Illegal user
#CATEGORY:Authentication
#LOG:Jan 14 08:19:21 ras sshd[22774]: input_userauth_request: invalid user remote-mail
regex=input_userauth_request: (illegal|invalid) user (\S+); \
 classification.text=Invalid user in authentication request; \
 id=1910; \
 revision=3; \
 analyzer(0).name=sshd; \
 analyzer(0).manufacturer=OpenSSH; \
 analyzer(0).class=Authentication; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=failed; \
 assessment.impact.type=user; \
 assessment.impact.description=General purpose authentication request was blocked. Reason: invalid user $2; \
 source(0).service.iana_protocol_name=tcp; \
 source(0).service.iana_protocol_number=6; \
 target(0).service.port=22; \
 target(0).service.name=ssh; \
 target(0).service.iana_protocol_name=tcp; \
 target(0).service.iana_protocol_number=6; \
 target(0).user.category=os-device; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$2; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Failure reason; \
 additional_data(0).data=$1 user; \
 last

#DESCRIPTION:Generic Message Exchange Authentication For SSH. ()
#DESCRIPTION:This rule catches the other messages that input_userauth_request() in auth2.c can emit;
#DESCRIPTION:it must stay after rule 1910, which takes the invalid-user case first.
#CATEGORY:Authentication
#LOG:Jan 14 08:19:21 ras sshd[22774]: input_userauth_request: invalid user remote-mail
regex=input_userauth_request: (.+); \
 classification.text=Invalid user in authentication request; \
 id=1911; \
 revision=2; \
 analyzer(0).name=sshd; \
 analyzer(0).manufacturer=OpenSSH; \
 analyzer(0).class=Authentication; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=failed; \
 assessment.impact.type=user; \
 assessment.impact.description=General purpose authentication request was blocked. Reason: $1; \
 source(0).service.iana_protocol_name=tcp; \
 source(0).service.iana_protocol_number=6; \
 target(0).service.port=22; \
 target(0).service.name=ssh; \
 target(0).service.iana_protocol_name=tcp; \
 target(0).service.iana_protocol_number=6; \
 target(0).user.category=os-device; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Failure reason; \
 additional_data(0).data=$1; \
 last

#DESCRIPTION:Failed password|none|publickey for invalid|illegal user
#CATEGORY:Authentication
#LOG:Dec 9 18:48:29 itguxweb2 sshd[29536]: Failed password for illegal user ROOT from 12.34.56.78 port 2886
#LOG:Jan 14 08:19:21 ras sshd[22774]: Failed none for invalid user remote-mail from 192.168.1.22 port 65407 ssh2
#LOG:Jan 14 11:29:17 ras sshd[18163]: Failed publickey for invalid user fred from fec0:0:201::3 port 62788 ssh2
#LOG:Jan 14 11:29:17 ras sshd[18163]: Failed publickey for invalid user fred from 1.2.3.4 port 62788 ssh2
#LOG:Jan 14 11:29:17 ras sshd[18163]: Failed publickey for invalid user fred from hostname port 62788 ssh2
regex=Failed (\S+) for (illegal|invalid) user (\S+) from (\S+) port (\d+); \
 classification.text=Remote Login; \
 optgoto=1907; \
 id=1912; \
 revision=3; \
 analyzer(0).name=sshd; \
 analyzer(0).manufacturer=OpenSSH; \
 analyzer(0).class=Authentication; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=failed; \
 assessment.impact.type=admin; \
 assessment.impact.description=Someone tried to login as $3 from $4 port $5 using the $1 method; \
 source(0).node.address(0).address=$4; \
 source(0).service.port=$5; \
 source(0).service.iana_protocol_name=tcp; \
 source(0).service.iana_protocol_number=6; \
 target(0).service.port=22; \
 target(0).service.name=ssh; \
 target(0).service.iana_protocol_name=tcp; \
 target(0).service.iana_protocol_number=6; \
 target(0).user.category=os-device; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$3; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Authentication method; \
 additional_data(0).data=$1; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Failure reason; \
 additional_data(1).data=$2 user; \
 last

#DESCRIPTION:Authentication failure reported by PAM
#CATEGORY:Authentication
#LOG:Oct 2 14:40:05 suse-9.2 sshd[18725]: error: PAM: Authentication failure for root from unknown.anywhere.net
#LOG:Oct 2 14:46:52 suse-9.2 sshd[18804]: error: PAM: Authentication failure for foobar from unknown.anywhere.net
regex=error: PAM: Authentication failure for (\S+) from (\S+); \
 classification.text=Remote Login; \
 optgoto=1907; \
 id=1914; \
 revision=2; \
 analyzer(0).name=sshd; \
 analyzer(0).manufacturer=OpenSSH; \
 analyzer(0).class=Authentication; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=failed; \
 assessment.impact.type=user; \
 assessment.impact.description=Someone tried to login as $1 from $2; \
 source(0).node.name=$2; \
 source(0).service.iana_protocol_name=tcp; \
 source(0).service.iana_protocol_number=6; \
 target(0).service.port=22; \
 target(0).service.name=ssh; \
 target(0).service.iana_protocol_name=tcp; \
 target(0).service.iana_protocol_number=6; \
 target(0).user.category=os-device; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$1; \
 last

prelude-lml-rules-5.1.0/ruleset/su.rules
#FULLNAME: su
#VERSION: 1.0
#DESCRIPTION: The Unix command su is used by a computer user to execute a command with the privileges of another user account. The log format matched here ("user to target on tty" and "BAD SU user to target on tty") is the BSD-style su message; util-linux and shadow su on Linux log through PAM in a different form and need their own rules.

#####
#
# Copyright (C) 2016-2019 CS-SI
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

#DESCRIPTION:su to root (chained helper: marks the target as uid 0 and the impact as admin)
#CATEGORY:Authentication
regex=to root on; \
 id=10003; \
 assessment.impact.type=admin; \
 target(0).user.user_id(0).number=0; \
 chained; silent

#DESCRIPTION:su to another user succeeded
#CATEGORY:Authentication
#LOG:Jul 18 17:12:49 hids su: afonyashin to root on /dev/ttyp0
#LOG:Jul 18 17:12:49 hids su: afonyashin to alice on /dev/ttyp0
optgoto=10003; regex=su: (\S+) to (\S+) on (\S+); \
 classification.text=Credentials Change; \
 id=10000; \
 revision=1; \
 analyzer(0).name=su; \
 analyzer(0).manufacturer=GNU; \
 analyzer(0).class=Authentication; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=user; \
 assessment.impact.severity=low; \
 assessment.impact.description=User $1 authenticated to $2 successfully; \
 source(0).user.category=os-device; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$1; \
 source(0).user.user_id(0).tty=$3; \
 target(0).user.category=os-device; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$2; \
 last

#DESCRIPTION:su to another user failed (BAD SU)
#CATEGORY:Authentication
#LOG:Jul 18 17:12:44 hids su: BAD SU afonyashin to root on /dev/ttyp0
#LOG:Jul 18 17:12:44 hids su: BAD SU afonyashin to alice on /dev/ttyp0
regex=su: BAD SU (\S+) to (\S+) on (\S+); \
 classification.text=Credentials Change; \
 optgoto=10003; \
 id=10002; \
 revision=1; \
 analyzer(0).name=su; \
 analyzer(0).manufacturer=GNU; \
 analyzer(0).class=Authentication; \
 assessment.impact.completion=failed; \
 assessment.impact.type=user; \
 assessment.impact.severity=high; \
 assessment.impact.description=User $1 tried to authenticate as $2 and failed; \
 source(0).user.category=os-device; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$1; \
 source(0).user.user_id(0).tty=$3; \
 target(0).user.category=os-device; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$2; \
 last

prelude-lml-rules-5.1.0/ruleset/sudo.rules
#FULLNAME: sudo
#VERSION: 1.0
#DESCRIPTION: Sudo is a program for Unix-like operating systems that allows users to run programs with the security privileges of another user, by default the superuser. The rules included here were developed using sudo-1.6.6-3 on Linux.

#####
#
# Copyright (C) 2004 G Ramon Gomez
# Tyco Fire and Security GTS (www.tycofireandsecurity.com)
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

#DESCRIPTION:Sudo command
#CATEGORY:Authentication
#LOG:Feb 11 06:52:09 12.34.56.78 sudo: cpatel : TTY=pts/0 ; PWD=/etc/rc.d/init.d ; USER=root ; COMMAND=./resin start
regex=(\S+) : TTY=(\S+) \; PWD=(.+) \; USER=(\S+) \; COMMAND=(.+); \
 classification.text=SUDO Command Executed; \
 id=2700; \
 revision=2; \
 analyzer(0).name=sudo; \
 analyzer(0).manufacturer=OpenBSD; \
 analyzer(0).class=Credentials change; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=user; \
 assessment.impact.severity=low; \
 assessment.impact.description=User $1 successfully executed the command '$5' as $4.; \
 source(0).user.category=os-device; \
 source(0).user.user_id(0).type=original-user; \
 source(0).user.user_id(0).name=$1; \
 target(0).user.category=os-device; \
 target(0).user.user_id(0).type=current-user; \
 target(0).user.user_id(0).name=$4; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Source device; \
 additional_data(0).data=$2; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Working directory; \
 additional_data(1).data=$3; \
 additional_data(2).type=string; \
 additional_data(2).meaning=Command executed; \
 additional_data(2).data=$5; \
 last

#DESCRIPTION:User NOT in sudoers
#CATEGORY:Authentication
#LOG:Jan 15 09:53:11 12.34.56.78 sudo: ekwong : user NOT in sudoers ; TTY=pts/2 ; PWD=/ ; USER=root ; COMMAND=/bin/ls
regex=(\S+) : user NOT in sudoers \; TTY=(\S+) \; PWD=(.+) \; USER=(\S+) \; COMMAND=(.+); \
 classification.text=SUDO from Unauthorized User; \
 id=2701; \
 revision=2; \
 analyzer(0).name=sudo; \
 analyzer(0).manufacturer=OpenBSD; \
 analyzer(0).class=Credentials change; \
 assessment.impact.completion=failed; \
 assessment.impact.type=user; \
 assessment.impact.severity=medium; \
 assessment.impact.description=Unauthorized user $1 tried to execute the command '$5' as $4.; \
 source(0).user.category=os-device; \
 source(0).user.user_id(0).type=original-user; \
 source(0).user.user_id(0).name=$1; \
 target(0).user.category=os-device; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$4; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Source device; \
 additional_data(0).data=$2; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Working directory; \
 additional_data(1).data=$3; \
 additional_data(2).type=string; \
 additional_data(2).meaning=Command executed; \
 additional_data(2).data=$5; \
 last

prelude-lml-rules-5.1.0/ruleset/suhosin.rules
#FULLNAME: Suhosin
#VERSION: 1.0
#DESCRIPTION: Suhosin is a safety net that protects servers from insecure PHP coding practices.

#####
#
# Copyright (C) 2007 Sebastien Tricaud
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

#The 'attacker' address Suhosin logs is the REMOTE_ADDR PHP saw; behind a reverse
#proxy or load balancer it is the proxy's address, not the client's.

#DESCRIPTION:Configured request variable name length limit exceeded
#CATEGORY:Hardening Features
#LOG:Dec 30 05:18:11 zoubida suhosin[15086]: ALERT - configured request variable name length limit exceeded - dropped variable 'article2/include/engine/MakeXML4statusCounter_php?fileOreonConf' (attacker '192.168.3.4', file '/var/www/zorglub/www/htdocs/spip.php')
regex=ALERT - configured request variable name length limit exceeded - dropped variable '(\S+)' \(attacker '(\S+)', file '(\S+)'\); \
 classification.text=Variable length too long; \
 id=8001; \
 revision=1; \
 analyzer(0).name=Suhosin; \
 analyzer(0).manufacturer=http://www.hardened-php.net/suhosin/; \
 analyzer(0).class=HIDS; \
 source(0).node.address(0).address=$2; \
 target(0).file(0).path=$3; \
 assessment.impact.completion=failed; \
 assessment.impact.type=dos; \
 assessment.impact.severity=low; \
 assessment.impact.description=Configured request variable name length limit exceeded - dropped variable; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Variable; \
 additional_data(0).data=$1; \
 last

#DESCRIPTION:Tried to register forbidden variable
#CATEGORY:Hardening Features
#LOG:Jan 2 12:36:27 zoubida suhosin[2258]: ALERT - tried to register forbidden variable '_REQUEST' through GET variables (attacker '62.193.236.107', file '/var/www/zorglub/www/htdocs/index.php')
regex=ALERT - tried to register forbidden variable '(\S+)' through (.*) variables \(attacker '(\S+)', file '(\S+)'\); \
 classification.text=Forbidden variable; \
 id=8002; \
 revision=1; \
 analyzer(0).name=Suhosin; \
 analyzer(0).manufacturer=http://www.hardened-php.net/suhosin/; \
 analyzer(0).class=HIDS; \
 source(0).node.address(0).address=$3; \
 target(0).file(0).path=$4; \
 assessment.impact.completion=failed; \
 assessment.impact.type=other; \
 assessment.impact.severity=low; \
 assessment.impact.description=Tried to register forbidden variable through '$2'; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Variable; \
 additional_data(0).data=$1; \
 last

#DESCRIPTION:Configured variable value length limit exceeded
#CATEGORY:Hardening Features
#LOG:Jan 12 17:02:54 zoubida suhosin[27745]: ALERT - configured GET variable value length limit exceeded - dropped variable 'email' (attacker '131.158.223.4', file '/var/www/zorglub/www/htdocs/php/poll.php')
regex=ALERT - configured (\S+) variable value length limit exceeded - dropped variable '(\S+)' \(attacker '(\S+)', file '(\S+)'\); \
 classification.text=Variable length too long; \
 id=8003; \
 revision=1; \
 analyzer(0).name=Suhosin; \
 analyzer(0).manufacturer=http://www.hardened-php.net/suhosin/; \
 analyzer(0).class=HIDS; \
 source(0).node.address(0).address=$3; \
 target(0).file(0).path=$4; \
 assessment.impact.completion=failed; \
 assessment.impact.type=dos; \
 assessment.impact.severity=low; \
 assessment.impact.description=Configured '$1' variable length limit exceeded - dropped variable '$2'; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Variable; \
 additional_data(0).data=$2; \
 last

#DESCRIPTION:ASCII-NUL chars not allowed within request variables
#CATEGORY:Hardening Features
#LOG:Jan 22 19:54:16 zoubida suhosin[2580]: ALERT - ASCII-NUL chars not allowed within request variables - dropped variable 'page' (attacker '85.18.136.89', file '/var/www/zorglub/www/htdocs/index.php')
regex=ALERT - ASCII-NUL chars not allowed within request variables - dropped variable '(\S+)' \(attacker '(\S+)', file '(\S+)'\); \
 classification.text=Invalid characters; \
 id=8004; \
 revision=1; \
 analyzer(0).name=Suhosin; \
 analyzer(0).manufacturer=http://www.hardened-php.net/suhosin/; \
 analyzer(0).class=HIDS; \
 source(0).node.address(0).address=$2; \
 target(0).file(0).path=$3; \
 assessment.impact.completion=failed; \
 assessment.impact.type=other; \
 assessment.impact.severity=low; \
 assessment.impact.description=ASCII-NUL chars not allowed within request variables - dropped variable '$1'; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Variable; \
 additional_data(0).data=$1; \
 last

prelude-lml-rules-5.1.0/ruleset/symantec-epm.rules
#FULLNAME: Symantec EPM
#VERSION: 1.0
#DESCRIPTION: Symantec Endpoint Protection is an antivirus and personal firewall software for centrally managed corporate environments providing security for both servers and workstations.

#####
#
# Copyright (C) 2012 Seguridadx
# twitter:
# All Rights Reserved
#
# Copyright (C) 2014-2019 CS-SI
# All Rights Reserved.
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

#DESCRIPTION:Common fields for SymantecServer messages (chained helper reached through goto from every rule below)
#CATEGORY:Update
#LOG:Dec 1 12:23:14 SymantecServer antivirus.example.com: Site: PLESSIS,Server: antivirus.example.com,Successfully downloaded the Virus and Spyware definitions
regex=SymantecServer \S+:; \
 classification.reference(0).origin=vendor-specific; \
 id=172000000; \
 chained; silent; \
 revision=1; \
 analyzer(0).name=Symantec Antivirus; \
 analyzer(0).manufacturer=www.symantec.com; \
 analyzer(0).class=Antivirus

#DESCRIPTION:Symantec Virus and Spyware definitions have been updated
#CATEGORY:Update
#LOG:Dec 1 12:23:14 SymantecServer antivirus.example.com: Site: PLESSIS,Server: antivirus.example.com,Successfully downloaded the Virus and Spyware definitions
regex=Site: (\S+),Server: (\S+),Successfully downloaded the Virus and Spyware definitions; \
 classification.text=Virus and Spyware definition update; \
 id=172000100; \
 revision=2; \
 assessment.impact.severity=info; \
 assessment.impact.type=other; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Symantec Virus and Spyware definitions have been updated; \
 target(0).node.name=$2; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Site Name; \
 additional_data(0).data=$1; \
 goto=172000000; \
 last

#DESCRIPTION:SONAR definitions have been updated
#CATEGORY:Update
#LOG:Dec 1 12:23:14 SymantecServer antivirus.example.com: Site: PLESSIS,Server: antivirus.example.com,Successfully downloaded the SONAR
regex=Site: (\S+),Server: (\S+),Successfully downloaded the SONAR; \
 classification.text=SONAR definition update; \
 id=172000101; \
 revision=2; \
 assessment.impact.severity=info; \
 assessment.impact.type=other; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=SONAR definitions have been updated; \
 target(0).node.name=$2; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Site Name; \
 additional_data(0).data=$1; \
 goto=172000000; \
 last

#DESCRIPTION:Intrusion Prevention signatures definitions have been updated
#CATEGORY:Update
#LOG:Dec 1 12:23:14 SymantecServer antivirus.example.com: Site: PLESSIS,Server: antivirus.example.com,Successfully downloaded the Intrusion Prevention signatures
regex=Site: (\S+),Server: (\S+),Successfully downloaded the Intrusion Prevention signatures; \
 classification.text=Intrusion Prevention signatures definition update; \
 id=172000102; \
 revision=2; \
 assessment.impact.severity=info; \
 assessment.impact.type=other; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Intrusion Prevention signatures definitions have been updated; \
 target(0).node.name=$2; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Site Name; \
 additional_data(0).data=$1; \
 goto=172000000; \
 last

#DESCRIPTION:Successfully downloaded the Revocation Data security definitions
#CATEGORY:Update
#LOG:Apr 9 10:47:33 SymantecServer antivirus.example.com: Site: PLESSIS,Server: antivirus.example.com,Successfully downloaded the Revocation Data security definitions from LiveUpdate
regex=Site: (\S+),Server: (\S+),Successfully downloaded the Revocation Data security definitions from LiveUpdate; \
 classification.text=Revocation Data security definitions; \
 id=172000103; \
 revision=2; \
 assessment.impact.severity=info; \
 assessment.impact.type=other; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Successfully downloaded the Revocation Data security definitions; \
 target(0).node.name=$2; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Site Name; \
 additional_data(0).data=$1; \
 goto=172000000; \
 last

#DESCRIPTION:Virus found
#DESCRIPTION:("Server:" and "Computer name:" carry host names, so they go to node.name rather than an ipv4-addr)
#CATEGORY:Malware
#LOG:Dec 12 17:07:08 SymantecServer antivirus.example.com: Virus found,Computer name: A01LTFW21052,Source: Real Time Scan,Risk name: W32.Downadup!autorun,Occurrences: 1,E:\autorun.inf,"",Actual action: Cleaned by deletion
regex=Virus found.+Computer name: (\S+),.+,Risk name: ([^,]+),Occurrences: (\d+),.+,Actual action: ([^,]+); \
 classification.text=Virus found; \
 id=172000104; \
 revision=2; \
 assessment.impact.severity=high; \
 assessment.impact.type=file; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Virus found, Computer name: $1, Risk name: $2; \
 target(0).node.name=$1; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Risk name; \
 additional_data(0).data=$2; \
 additional_data(1).type=integer; \
 additional_data(1).meaning=Occurrences; \
 additional_data(1).data=$3; \
 additional_data(2).type=string; \
 additional_data(2).meaning=Actual action; \
 additional_data(2).data=$4; \
 goto=172000000; \
 last

#DESCRIPTION:SONAR threat detected
#CATEGORY:Malware
#LOG:Dec 12 17:07:08 SymantecServer antivirus.example.com: ,Forced SONAR threat detected,Computer name: A01LTFW21052,Detection type: Heuristic,First Seen: Reputation was not used in this detection.,Application name: MAGic Screen Magnification,Application type: Trojan Worm,Application version: "11, 0, 4356, 400",Hash type: SHA-1,Application hash: 1ce39d44cc735db5788f07b25c5bb32c6ca48c09,Company name: "Freedom Scientific BLV Group, LLC",File size (bytes): 421144,Sensitivity: 0,Detection score: 0,COH Engine Version: ,Detection Submissions No,Permitted application reason: MDS,Disposition: Reputation was not used in this detection.,Download site: ,Web domain: ,Downloaded by: ,Prevalence: Reputation was not used in this detection.,Confidence: Reputation was not used in this detection.,URL Tracking Status: Off,Risk Level: N/A,Detection Source: N/A,Source: Heuristic Scan,Risk name: ,Occurrences: 1,c:\program files\freedom scientific\magic\11.0\magengnt\mag.exe,"c:\program files\freedom scientific\magic\11.0\magengnt\mag.exe",Actual action: Left alone,Requested
action: Left alone,Secondary action: Forced detection using file name,Event time: 2013-01-09 12:57:51,Inserted: 2013-01-09 12:58:47,End: 2013-01-09 12:57:51,Domain: Default,Group: My Company\klient\All Laptops\LaptopsW7,Server: a01mmfw016,User: R117493,Source computer: ,Source IP:
# "First Seen:" varies per event (a date, or the reputation notice in the sample), so it is matched generically
regex=Forced SONAR threat detected,Computer name: (\S+),Detection type: (\S+),First Seen: [^,]+,Application name: ([^,]+); \
 classification.text=Forced SONAR threat detected; \
 id=172000200; \
 revision=2; \
 assessment.impact.severity=high; \
 assessment.impact.type=file; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=SONAR threat detected, Computer name: $1; \
 target(0).node.name=$1; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Detection type; \
 additional_data(0).data=$2; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Application name; \
 additional_data(1).data=$3; \
 goto=172000000; \
 last

prelude-lml-rules-5.1.0/ruleset/symantec-scsp.rules
#FULLNAME: Symantec SCSP
#VERSION: 1.0
#DESCRIPTION: Symantec Critical System Protection combines intrusion monitoring, auditing, alerting, and protection. It integrates both intrusion detection and intrusion protection. Rules to monitor Symantec Critical System Protection 5.2.
#These rules match SCSP events delivered as SNMP traps (Symantec enterprise OID 393,
#trap variables under enterprises.393.273.1) and written to syslog by snmptrapd; the
#tab between variables shows up as "#011" in the log, which is what the regexes expect.
#Special configuration is needed for this support:
#* Configure Symantec Critical System Protection to send its SNMP traps to the
#  Prelude host.
#* On your Prelude system, run snmptrapd using this command:
#  "snmptrapd -Ls 20 -Osq"

#####
#
# Copyright (C) 2012 Seguridadx
# twitter:
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

#DESCRIPTION:Symantec Critical System Protection Event (Information or Notice severity)
#CATEGORY:Monitoring
regex=snmptrapd\[(\d+)]:+.+011enterprises.393.273.1.1 "([\S ]+|\S+)"#011enterprises.393.273.1.2 "([\S ]+|\S+)"+.+011enterprises.393.273.1.3 "([\S ]+|\S+)"#011enterprises.393.273.1.4 +.+011enterprises.393.273.1.5 "([\S ]+|\S+)"#011enterprises.393.273.1.6 "([\d\.]+)"#011enterprises.393.273.1.7 "([\S ]+|\S+)"#011enterprises.393.273.1.8 +.+011enterprises.393.273.1.9 "(Information|Notice)"#011enterprises.393.273.1.10 "([\S ]+|\S+)"#011enterprises.393.273.1.11 +.+011enterprises.393.273.1.12 "(Success|Allow|R)"+.+011enterprises.393.273.1.16 "([\S ]+|\S+)"#011enterprises.393.273.1.17 +.+011enterprises.393.273.1.22 "([\S ]+|\S+); \
 classification.text=$9 - $11; \
 id=43201; \
 revision=2; \
 analyzer(0).name=$5; \
 analyzer(0).manufacturer=www.symantec.com; \
 analyzer(0).class=HIPS; \
 assessment.impact.severity=low; \
 assessment.impact.type=admin; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=$2 - Symantec Critical System Protection Event.; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Policy Rule:; \
 additional_data(0).data=$3, $4; \
 additional_data(1).type=string; \
 additional_data(1).meaning=User:; \
 additional_data(1).data=$7; \
 additional_data(2).type=string; \
 additional_data(2).meaning=Process:; \
 additional_data(2).data=$11; \
 additional_data(3).type=string; \
 additional_data(3).meaning=Event:; \
 additional_data(3).data=$12; \
# source(0).node.address(0).category=ipv4-addr; \
# source(0).node.address(0).address=0.0.0.0; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$6; \
 last

#DESCRIPTION:Symantec Critical System Protection Event (Warning severity)
#CATEGORY:Monitoring
regex=snmptrapd\[(\d+)]:+.+011enterprises.393.273.1.1 "([\S ]+|\S+)"#011enterprises.393.273.1.2 "([\S ]+|\S+)"+.+011enterprises.393.273.1.3 "([\S ]+|\S+)"#011enterprises.393.273.1.4 +.+011enterprises.393.273.1.5 "([\S ]+|\S+)"#011enterprises.393.273.1.6 "([\d\.]+)"#011enterprises.393.273.1.7 "([\S ]+|\S+)"#011enterprises.393.273.1.8 +.+011enterprises.393.273.1.9 "(Warning)"#011enterprises.393.273.1.10 "([\S ]+|\S+)"#011enterprises.393.273.1.11 +.+011enterprises.393.273.1.12 "(Success|Allow|R)"+.+011enterprises.393.273.1.16 "([\S ]+|\S+)"#011enterprises.393.273.1.17 +.+011enterprises.393.273.1.22 "([\S ]+|\S+); \
 classification.text=$9 - $11; \
 id=43202; \
 revision=2; \
 analyzer(0).name=$5; \
 analyzer(0).manufacturer=www.symantec.com; \
 analyzer(0).class=HIPS; \
 assessment.impact.severity=medium; \
 assessment.impact.type=admin; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=$2 - Symantec Critical System Protection Event.; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Policy Rule:; \
 additional_data(0).data=$3, $4; \
 additional_data(1).type=string; \
 additional_data(1).meaning=User:; \
 additional_data(1).data=$7; \
 additional_data(2).type=string; \
 additional_data(2).meaning=Process:; \
 additional_data(2).data=$11; \
 additional_data(3).type=string; \
 additional_data(3).meaning=Event:; \
 additional_data(3).data=$12; \
# source(0).node.address(0).category=ipv4-addr; \
# source(0).node.address(0).address=0.0.0.0; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$6; \
 last

#DESCRIPTION:Symantec Critical System Protection Event (Major or Critical severity)
#CATEGORY:Monitoring
regex=snmptrapd\[(\d+)]:+.+011enterprises.393.273.1.1 "([\S ]+|\S+)"#011enterprises.393.273.1.2 "([\S ]+|\S+)"+.+011enterprises.393.273.1.3 "([\S ]+|\S+)"#011enterprises.393.273.1.4 +.+011enterprises.393.273.1.5 "([\S ]+|\S+)"#011enterprises.393.273.1.6 "([\d\.]+)"#011enterprises.393.273.1.7 "([\S ]+|\S+)"#011enterprises.393.273.1.8 +.+011enterprises.393.273.1.9 "(Major|Critical)"#011enterprises.393.273.1.10 "([\S ]+|\S+)"#011enterprises.393.273.1.11 +.+011enterprises.393.273.1.12 "(Success|Allow|R)"+.+011enterprises.393.273.1.16 "([\S ]+|\S+)"#011enterprises.393.273.1.17 
+.+011enterprises.393.273.1.22 "([\S ]+|\S+); \ classification.text=$9 - $11; \ id=43203; \ revision=2; \ analyzer(0).name=$5; \ analyzer(0).manufacturer=www.symantec.com; \ analyzer(0).class=HIPS; \ assessment.impact.severity=high; \ assessment.impact.type=admin; \ assessment.impact.completion=succeeded; \ assessment.impact.description=$2 - Symantec Critical System Protection Event.; \ additional_data(0).type=string; \ additional_data(0).meaning=Policy Rule:; \ additional_data(0).data=$3, $4; \ additional_data(1).type=string; \ additional_data(1).meaning=User:; \ additional_data(1).data=$7; \ additional_data(2).type=string; \ additional_data(2).meaning=Process:; \ additional_data(2).data=$11; \ additional_data(3).type=string; \ additional_data(3).meaning=Event:; \ additional_data(3).data=$12; \ # source(0).node.address(0).category=ipv4-addr; \ # source(0).node.address(0).address=0.0.0.0; \ target(0).node.address(0).category=ipv4-addr; \ target(0).node.address(0).address=$6; \ last #DESCRIPTION:Symantec Critical System Protection Event #CATEGORY:Monitoring regex=snmptrapd\[(\d+)]:+.+011enterprises.393.273.1.1 "([\S ]+|\S+)"#011enterprises.393.273.1.2 "([\S ]+|\S+)"+.+011enterprises.393.273.1.3 "([\S ]+|\S+)"#011enterprises.393.273.1.4 +.+011enterprises.393.273.1.5 "([\S ]+|\S+)"#011enterprises.393.273.1.6 "([\d\.]+)"#011enterprises.393.273.1.7 "([\S ]+|\S+)"#011enterprises.393.273.1.8 +.+011enterprises.393.273.1.9 "(Information|Notice)"#011enterprises.393.273.1.10 "([\S ]+|\S+)"#011enterprises.393.273.1.11 +.+011enterprises.393.273.1.12 "(Denied|NULL|R|Failure)"+.+011enterprises.393.273.1.16 "([\S ]+|\S+)"#011enterprises.393.273.1.17 +.+011enterprises.393.273.1.22 "([\S ]+|\S+); \ classification.text=$9 - $11; \ id=43204; \ revision=2; \ analyzer(0).name=$5; \ analyzer(0).manufacturer=www.symantec.com; \ analyzer(0).class=HIPS; \ assessment.impact.severity=low; \ assessment.impact.type=admin; \ assessment.impact.completion=failed; \ assessment.impact.description=$2 
- Symantec Critical System Protection Event.; \ additional_data(0).type=string; \ additional_data(0).meaning=Policy Rule:; \ additional_data(0).data=$3, $4; \ additional_data(1).type=string; \ additional_data(1).meaning=User:; \ additional_data(1).data=$7; \ additional_data(2).type=string; \ additional_data(2).meaning=Process:; \ additional_data(2).data=$11; \ additional_data(3).type=string; \ additional_data(3).meaning=Event:; \ additional_data(3).data=$12; \ # source(0).node.address(0).category=ipv4-addr; \ # source(0).node.address(0).address=0.0.0.0; \ target(0).node.address(0).category=ipv4-addr; \ target(0).node.address(0).address=$6; \ last #DESCRIPTION:Symantec Critical System Protection Event #CATEGORY:Monitoring regex=snmptrapd\[(\d+)]:+.+011enterprises.393.273.1.1 "([\S ]+|\S+)"#011enterprises.393.273.1.2 "([\S ]+|\S+)"+.+011enterprises.393.273.1.3 "([\S ]+|\S+)"#011enterprises.393.273.1.4 +.+011enterprises.393.273.1.5 "([\S ]+|\S+)"#011enterprises.393.273.1.6 "([\d\.]+)"#011enterprises.393.273.1.7 "([\S ]+|\S+)"#011enterprises.393.273.1.8 +.+011enterprises.393.273.1.9 "(Warning)"#011enterprises.393.273.1.10 "([\S ]+|\S+)"#011enterprises.393.273.1.11 +.+011enterprises.393.273.1.12 "(Denied|NULL|R|Failure)"+.+011enterprises.393.273.1.16 "([\S ]+|\S+)"#011enterprises.393.273.1.17 +.+011enterprises.393.273.1.22 "([\S ]+|\S+); \ classification.text=$9 - $11; \ id=43205; \ revision=2; \ analyzer(0).name=$5; \ analyzer(0).manufacturer=www.symantec.com; \ analyzer(0).class=HIPS; \ assessment.impact.severity=medium; \ assessment.impact.type=admin; \ assessment.impact.completion=failed; \ assessment.impact.description=$2 - Symantec Critical System Protection Event.; \ additional_data(0).type=string; \ additional_data(0).meaning=Policy Rule:; \ additional_data(0).data=$3, $4; \ additional_data(1).type=string; \ additional_data(1).meaning=User:; \ additional_data(1).data=$7; \ additional_data(2).type=string; \ additional_data(2).meaning=Process:; \ 
additional_data(2).data=$11; \ additional_data(3).type=string; \ additional_data(3).meaning=Event:; \ additional_data(3).data=$12; \ # source(0).node.address(0).category=ipv4-addr; \ # source(0).node.address(0).address=0.0.0.0; \ target(0).node.address(0).category=ipv4-addr; \ target(0).node.address(0).address=$6; \ last #DESCRIPTION:Symantec Critical System Protection Event #CATEGORY:Monitoring regex=snmptrapd\[(\d+)]:+.+011enterprises.393.273.1.1 "([\S ]+|\S+)"#011enterprises.393.273.1.2 "([\S ]+|\S+)"+.+011enterprises.393.273.1.3 "([\S ]+|\S+)"#011enterprises.393.273.1.4 +.+011enterprises.393.273.1.5 "([\S ]+|\S+)"#011enterprises.393.273.1.6 "([\d\.]+)"#011enterprises.393.273.1.7 "([\S ]+|\S+)"#011enterprises.393.273.1.8 +.+011enterprises.393.273.1.9 "(Major|Critical)"#011enterprises.393.273.1.10 "([\S ]+|\S+)"#011enterprises.393.273.1.11 +.+011enterprises.393.273.1.12 "(Denied|NULL|R|Failure)"+.+011enterprises.393.273.1.16 "([\S ]+|\S+)"#011enterprises.393.273.1.17 +.+011enterprises.393.273.1.22 "([\S ]+|\S+); \ classification.text=$9 - $11; \ id=43206; \ revision=2; \ analyzer(0).name=$5; \ analyzer(0).manufacturer=www.symantec.com; \ analyzer(0).class=HIPS; \ assessment.impact.severity=high; \ assessment.impact.type=admin; \ assessment.impact.completion=failed; \ assessment.impact.description=$2 - Symantec Critical System Protection Event.; \ additional_data(0).type=string; \ additional_data(0).meaning=Policy Rule:; \ additional_data(0).data=$3, $4; \ additional_data(1).type=string; \ additional_data(1).meaning=User:; \ additional_data(1).data=$7; \ additional_data(2).type=string; \ additional_data(2).meaning=Process:; \ additional_data(2).data=$11; \ additional_data(3).type=string; \ additional_data(3).meaning=Event:; \ additional_data(3).data=$12; \ # source(0).node.address(0).category=ipv4-addr; \ # source(0).node.address(0).address=0.0.0.0; \ target(0).node.address(0).category=ipv4-addr; \ target(0).node.address(0).address=$6; \ last #DESCRIPTION:Generic 
RULE - Symantec Critical System Protection Event #CATEGORY:Generic regex=snmptrapd\[(\d+)]:+.+011enterprises.393.273.1.5 "(\S+)"#011enterprises.393.273.1.6 "([\d\.]+)"+.+011enterprises.393.273.1.10 "([\S ]+)"#011enterprises.393.273.1.11 ; \ classification.text= Generic Rule: $4; \ id=43213; \ revision=2; \ analyzer(0).name=$2; \ analyzer(0).manufacturer=www.symantec.com; \ analyzer(0).class=HIPS; \ assessment.impact.severity=high; \ assessment.impact.type=admin; \ assessment.impact.completion=failed; \ assessment.impact.description=Symantec Critical System Protection Event.; \ # source(0).node.address(0).category=ipv4-addr; \ # source(0).node.address(0).address=0.0.0.0; \ target(0).node.address(0).category=ipv4-addr; \ target(0).node.address(0).address=$3; \ last prelude-lml-rules-5.1.0/ruleset/tripwire.rules0000664000175000017500000001143313537533463021655 0ustar tandrejatandreja#FULLNAME: Tripwire #VERSION: 1.0 #DESCRIPTION: Open Source Tripwire is a free software security and data integrity tool useful for monitoring and alerting on specific file change(s) on a range of systems. ##### # # Copyright (C) 2004 G Ramon Gomez # Based on rules originally submitted by David Maciejak on behalf of # Exaprotect Technology # All Rights Reserved # # This file is part of the Prelude-LML program. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2, or (at your option) # any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License along # with this program; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 
# ##### #DESCRIPTION:Integrity check ran successfully without warnings #CATEGORY:Integrity #LOG:Jan 22 11:32:26 host tripwire[5265]: Integrity Check Complete: /usr/local/tripwire/tfs/report/host-.twr TWReport host 20040122113203 V:0 S:0 A:0 R:0 C:0 L:0 M:0 H:0 regex=(\S+) TWReport \S+ \d+ V:0; \ classification.text=Integrity Check OK; \ id=3400; \ revision=2; \ analyzer(0).name=Tripwire; \ analyzer(0).manufacturer=Tripwire, Inc.; \ analyzer(0).class=Integrity Checker; \ assessment.impact.severity=low; \ assessment.impact.type=file; \ assessment.impact.completion=succeeded; \ assessment.impact.description=Integrity check ran successfully without warnings; \ target(0).decoy=no; \ additional_data(0).type=string; \ additional_data(0).meaning=Report file; \ additional_data(0).data=$1; \ last #DESCRIPTION:Integrity check ran successfully, warning file(s) added #CATEGORY:Integrity #LOG:Jan 22 11:32:26 host tripwire[5265]: Integrity Check Complete: /usr/local/tripwire/tfs/report/host-.twr TWReport host 20040122113203 V:91 S:100 A:51 R:0 C:40 L:0 M:8 H:83 regex=(\S+) TWReport \S+ \d+ V:\d+ S:\d+ A:(?!0)(\d+); \ classification.text=Integrity Check Warning: file(s) added; \ id=3401; \ revision=2; \ analyzer(0).name=Tripwire; \ analyzer(0).manufacturer=Tripwire, Inc.; \ analyzer(0).class=Integrity Checker; \ assessment.impact.severity=low; \ assessment.impact.type=file; \ assessment.impact.completion=succeeded; \ assessment.impact.description=Integrity check ran successfully, warning: $2 file(s) added; \ target(0).decoy=no; \ additional_data(0).type=string; \ additional_data(0).meaning=Report file; \ additional_data(0).data=$1; \ additional_data(1).type=integer; \ additional_data(1).meaning=Files added; \ additional_data(1).data=$2 #DESCRIPTION:Integrity check ran successfully, warning file(s) removed #CATEGORY:Integrity #LOG:Jan 22 11:32:26 host tripwire[5265]: Integrity Check Complete: /usr/local/tripwire/tfs/report/host-.twr TWReport host 20040122113203 V:91 S:100 A:51 R:42 
C:40 L:0 M:8 H:83 regex=(\S+) TWReport \S+ \d+ V:\d+ S:\d+ A:\d+ R:(?!0)(\d+); \ classification.text=Integrity Check Warning: file(s) removed; \ id=3402; \ revision=2; \ analyzer(0).name=Tripwire; \ analyzer(0).manufacturer=Tripwire, Inc.; \ analyzer(0).class=Integrity Checker; \ assessment.impact.severity=high; \ assessment.impact.type=file; \ assessment.impact.completion=succeeded; \ assessment.impact.description=Integrity check ran successfully, warning: $2 file(s) removed; \ target(0).decoy=no; \ additional_data(0).type=string; \ additional_data(0).meaning=Report file; \ additional_data(0).data=$1; \ additional_data(1).type=integer; \ additional_data(1).meaning=Files deleted; \ additional_data(1).data=$2 #DESCRIPTION:Integrity check ran successfully, warning file(s) modified #CATEGORY:Integrity #LOG:Jan 22 11:32:26 host tripwire[5265]: Integrity Check Complete: /usr/local/tripwire/tfs/report/host-.twr TWReport host 20040122113203 V:91 S:100 A:51 R:42 C:40 L:0 M:8 H:83 regex=(\S+) TWReport \S+ \d+ V:\d+ S:\d+ A:\d+ R:\d+ C:(?!0)(\d+); \ classification.text=Integrity Check Warning: file(s) modified; \ id=3403; \ revision=2; \ analyzer(0).name=Tripwire; \ analyzer(0).manufacturer=Tripwire, Inc.; \ analyzer(0).class=Integrity Checker; \ assessment.impact.severity=medium; \ assessment.impact.type=file; \ assessment.impact.completion=succeeded; \ assessment.impact.description=Integrity check ran, warning: $2 files modified; \ target(0).decoy=no; \ additional_data(0).type=string; \ additional_data(0).meaning=Report file; \ additional_data(0).data=$1; \ additional_data(1).type=integer; \ additional_data(1).meaning=Files modified; \ additional_data(1).data=$2 prelude-lml-rules-5.1.0/ruleset/vigor.rules0000664000175000017500000001070613537533463021140 0ustar tandrejatandreja#FULLNAME: DrayTek Vigor #VERSION: 1.0 #DESCRIPTION: DrayTek is a manufacturer of broadband equipment, including firewalls, VPN devices, routers and wireless LAN devices. 
##### # # Copyright (C) 2003 John Green # All Rights Reserved # # This file is part of the Prelude-LML program. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2, or (at your option) # any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License along # with this program; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # ##### #DESCRIPTION:Packet dropped #CATEGORY:Packet Filtering #LOG:Apr 27 02:55:31 81.2.127.129 r00t3r: 295:34:52.730 lan @Group:Rule=0:10 b 200.187.15.1,18775 -> 81.2.127.129,www PR tcp len 20 48 -S 895123185 0 16384 IN regex=([wl]an) @Group:Rule=(\d+:\d+) b ([\d\.]+),(\w+) -> ([\d\.]+),(\w+) PR (\S+) len (\d+) (\d+) (\S+) (\d+) (\d+) (\d+) (IN|OUT); \ classification.text=$7 Packet dropped; \ id=2000; \ revision=2; \ analyzer(0).class=Firewall; \ assessment.impact.completion=failed; \ assessment.impact.type=other; \ assessment.impact.severity=medium; \ assessment.impact.description=Vigor dropped a $7 packet $3:$4 -> $5:$6; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$3; \ source(0).service.port=$4; \ source(0).service.iana_protocol_name=$7; \ source(0).interface=$1; \ target(0).node.address(0).category=ipv4-addr; \ target(0).node.address(0).address=$5; \ target(0).service.port=$6; \ target(0).service.iana_protocol_name=$7; \ additional_data(0).type=string; \ additional_data(0).meaning=ACL; \ additional_data(0).data=$2; \ additional_data(1).type=integer; \ additional_data(1).meaning=Header length (b); \ additional_data(1).data=$8; \ 
additional_data(2).type=integer; \ additional_data(2).meaning=Payload size (Kb); \ additional_data(2).data=$9; \ additional_data(3).type=string; \ additional_data(3).meaning=Flags; \ additional_data(3).data=$10; \ additional_data(4).type=integer; \ additional_data(4).meaning=ACK number; \ additional_data(4).data=$11; \ additional_data(5).type=integer; \ additional_data(5).meaning=Sequence number; \ additional_data(5).data=$12; \ additional_data(6).type=integer; \ additional_data(6).meaning=Window size; \ additional_data(6).data=$13; \ additional_data(7).type=string; \ additional_data(7).meaning=Direction; \ additional_data(7).data=$14; \ last #DESCRIPTION:ICMP Packet dropped #CATEGORY:Packet Filtering #LOG:Apr 27 00:38:25 81.2.127.129 r00t3r: 293:17:47.390 lan @Group:Rule=0:10 b 66.112.44.26 -> 81.2.127.142 PR icmp len 20 28 icmp 8/0 IN regex=([wl]an) @Group:Rule=(\d+:\d+) b ([\d\.]+) -> ([\d\.]+) PR icmp len (\d+) (\d+) icmp (\d+)/(\d+) (IN|OUT); \ classification.text=ICMP Packet dropped; \ id=2001; \ revision=2; \ analyzer(0).class=Firewall; \ assessment.impact.completion=failed; \ assessment.impact.type=other; \ assessment.impact.severity=medium; \ assessment.impact.description=Vigor dropped an ICMP packet $3 -> $4 ($7/$8); \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$3; \ source(0).service.iana_protocol_name=ICMP; \ source(0).service.iana_protocol_number=1; \ source(0).interface=$1; \ target(0).node.address(0).category=ipv4-addr; \ target(0).node.address(0).address=$4; \ target(0).service.iana_protocol_name=ICMP; \ target(0).service.iana_protocol_number=1; \ additional_data(0).type=string; \ additional_data(0).meaning=ACL; \ additional_data(0).data=$2; \ additional_data(1).type=integer; \ additional_data(1).meaning=Header length (b); \ additional_data(1).data=$5; \ additional_data(2).type=integer; \ additional_data(2).meaning=Payload size (Kb); \ additional_data(2).data=$6; \ additional_data(3).type=integer; \ 
additional_data(3).meaning=ICMP type; \ additional_data(3).data=$7; \ additional_data(4).type=integer; \ additional_data(4).meaning=ICMP code; \ additional_data(4).data=$8; \ additional_data(5).type=string; \ additional_data(5).meaning=Direction; \ additional_data(5).data=$9; \ last prelude-lml-rules-5.1.0/ruleset/vpopmail.rules0000664000175000017500000000635113537533463021642 0ustar tandrejatandreja#FULLNAME: VPopMail #VERSION: 1.0 #DESCRIPTION: vpopmail is a free GPL software package, to provide a way to manage virtual e-mail domains and non /etc/passwd e-mail accounts on qmail mail servers. ##### # # Copyright (C) 2003 Stephane Loeuillet # All Rights Reserved # # This file is part of the Prelude-LML program. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2, or (at your option) # any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License along # with this program; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 
# ##### #DESCRIPTION:Mail server unknown user #CATEGORY:Authentication #LOG:Jan 14 17:23:02 spotk vpopmail[28353]: vchkpw: vpopmail user not found toto@:127.0.0.1 #LOG:Feb 24 13:19:49 c vpopmail[9505]: vchkpw: vpopmail user not found temp@alexus.org:66.181.160.250 #LOG:Jan 14 17:30:13 spotk vpopmail[28425]: vchkpw: vpopmail user not found toto@:192.168.100.50 regex=vchkpw: vpopmail user not found (\S+):([\d\.]+); \ classification.text=Mail server unknown user; \ id=2100; \ revision=1; \ analyzer(0).name=vpopmail; \ analyzer(0).manufacturer=inter7; \ analyzer(0).class=Administration; \ assessment.impact.completion=failed; \ assessment.impact.type=user; \ assessment.impact.severity=medium; \ assessment.impact.description= Someone tried to log in to your POP3 server as a non-existant user '$1' but failed; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$2; \ source(0).service.iana_protocol_name=tcp; \ source(0).service.iana_protocol_number=6; \ target(0).service.port=110; \ target(0).service.name=pop3; \ target(0).service.iana_protocol_name=tcp; \ target(0).service.iana_protocol_number=6; \ target(0).user.user_id(0).type=target-user; \ target(0).user.user_id(0).name=$1; \ last #DESCRIPTION:Mail server user login #CATEGORY:Authentication #LOG:Jan 14 17:24:54 spotk vpopmail[28359]: vchkpw: password fail xxx@spotk.net:127.0.0.1 regex=vchkpw: password fail (\S+):([\d\.]+); \ classification.text=Mail server user login; \ id=2101; \ revision=3; \ analyzer(0).name=vpopmail; \ analyzer(0).manufacturer=inter7; \ analyzer(0).class=Administration; \ assessment.impact.completion=failed; \ assessment.impact.type=user; \ assessment.impact.severity=medium; \ assessment.impact.description=Someone tried to log in to your POP3 server as user '$1' but failed; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$2; \ source(0).service.iana_protocol_name=tcp; \ source(0).service.iana_protocol_number=6; \ 
target(0).service.port=110; \ target(0).service.name=pop3; \ target(0).service.iana_protocol_name=tcp; \ target(0).service.iana_protocol_number=6; \ target(0).user.user_id(0).type=target-user; \ target(0).user.user_id(0).name=$1; \ last prelude-lml-rules-5.1.0/ruleset/wu-ftp.rules0000664000175000017500000000655613537533463021244 0ustar tandrejatandreja#FULLNAME: WU-FTP #VERSION: 1.0 #DESCRIPTION: wu-ftp is a free FTP server software (daemon) for Unix-like operating systems. The rules included here were developed using WU-ftpd 2.6.2. ##### # # Copyright (C) 2003 G Ramon Gomez # Tyco Fire and Security GTS (www.tycofireandsecurity.com) # All Rights Reserved # # This file is part of the Prelude-LML program. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2, or (at your option) # any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License along # with this program; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 
# ##### #DESCRIPTION:Anonymous FTP login #CATEGORY:Authentication #LOG:Oct 28 20:38:47 www.tyco-training.stag ftpd[12781]: ANONYMOUS FTP LOGIN FROM p508ee95a.dip.t-dialin.net [80.142.233.90], Igpuser@home.com regex=ANONYMOUS FTP LOGIN FROM ([\w\-\.]+) \[([\d\.)]+)\], (\S+); \ classification.text=Anonymous FTP login; \ id=2300; \ revision=3; \ analyzer(0).name=WU-FTPD; \ analyzer(0).manufacturer=www.wu-ftpd.org; \ analyzer(0).class=Service; \ assessment.impact.completion=succeeded; \ assessment.impact.type=user; \ assessment.impact.severity=low; \ assessment.impact.description=An anonymous FTP user has logged in; \ source(0).node.name=$1; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$2; \ source(0).service.iana_protocol_name=tcp; \ source(0).service.iana_protocol_number=6; \ target(0).service.port=21; \ target(0).service.name=ftp; \ target(0).service.iana_protocol_name=tcp; \ target(0).service.iana_protocol_number=6; \ target(0).user.user_id(0).type=current-user; \ target(0).user.user_id(0).name=anonymous; \ source(0).user.user_id(0).type=original-user; \ source(0).user.user_id(0).name=$3; \ last #DESCRIPTION:FTP login failed #CATEGORY:Authentication #LOG:Oct 28 20:38:48 itguxweb2 ftpd[19188]: FTP LOGIN FAILED (cannot set guest privileges) for p508ee95a.dip.t-dialin.net [80.142.233.90], ftp regex=FTP LOGIN FAILED \(([\w\s]+)\) for ([\w\-\.]+) \[([\d\.)]+)\], (\S+); \ classification.text=FTP login; \ id=2301; \ revision=3; \ analyzer(0).name=WU-FTPD; \ analyzer(0).manufacturer=www.wu-ftpd.org; \ analyzer(0).class=Service; \ assessment.impact.completion=failed; \ assessment.impact.type=user; \ assessment.impact.severity=medium; \ assessment.impact.description=A user failed login due to $1; \ source(0).node.name=$2; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$3; \ source(0).service.iana_protocol_name=tcp; \ source(0).service.iana_protocol_number=6; \ target(0).service.port=21; \ 
target(0).service.name=ftp; \ target(0).service.iana_protocol_name=tcp; \ target(0).service.iana_protocol_number=6; \ source(0).user.user_id(0).type=current-user; \ source(0).user.user_id(0).name=$4; \ additional_data(0).type=string; \ additional_data(0).meaning=Failure reason; \ additional_data(0).data=$1; \ last prelude-lml-rules-5.1.0/ruleset/apc-emu.rules0000664000175000017500000001167013537533463021342 0ustar tandrejatandreja#FULLNAME: APC EMU #VERSION: 1.0 #DESCRIPTION: The APC Environmental Monitoring Unit is a rack-mountable product that monitors and controls the essential functions needed to ensure the availability of the racks in a room. The rules included here were developed using an unknown version of the APC EMU. ##### # # Copyright (C) 2003 G Ramon Gomez # Tyco Fire and Security GTS (www.tycofireandsecurity.com) # All Rights Reserved # # This file is part of the Prelude-LML program. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2, or (at your option) # any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License along # with this program; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # ##### #DESCRIPTION:Environmental Monitoring - high humidity violation #CATEGORY:Environmental #LOG:Mar 28 04:22:18 enviro1 12.34.56.78 EMU: Probe 2 'Loc Env Probe 2' high humidity violation, '40%RH'. 
0x101C regex=EMU: Probe (\d+) (\'.+\') high humidity violation, \'(\d+%); \ classification.text=High Environmental Humidity; \ id=2800; \ revision=2; \ analyzer(0).name=Environmental Monitoring Unit; \ analyzer(0).manufacturer=APC; \ analyzer(0).class=Power; \ assessment.impact.severity=high; \ assessment.impact.completion=succeeded; \ assessment.impact.type=other; \ assessment.impact.description=Environmental probe $2 has reported a high humidity: $3; \ additional_data(0).type=integer; \ additional_data(0).meaning=Probe; \ additional_data(0).data=$1; \ additional_data(1).type=string; \ additional_data(1).meaning=Probe name; \ additional_data(1).data=$2; \ additional_data(2).type=string; \ additional_data(2).meaning=Humidity; \ additional_data(2).data=$3; \ last #DESCRIPTION:Environmental Monitoring - high humidity violation cleared #CATEGORY:Environmental #LOG:Mar 28 04:06:27 enviro1 12.34.56.78 EMU: Probe 2 'Loc Env Probe 2' high humidity violation cleared, '39%RH'. 0x101D regex=EMU: Probe (\d+) (\'.+\') high humidity violation cleared, \'(\d+%); \ classification.text=Environmental Humidity Normal; \ id=2801; \ revision=2; \ analyzer(0).name=Environmental Monitoring Unit; \ analyzer(0).manufacturer=APC; \ analyzer(0).class=Power; \ assessment.impact.severity=low; \ assessment.impact.completion=succeeded; \ assessment.impact.type=other; \ assessment.impact.description=Environmental probe $2 has reported humidity has returned to normal: $3; \ additional_data(0).type=integer; \ additional_data(0).meaning=Probe; \ additional_data(0).data=$1; \ additional_data(1).type=string; \ additional_data(1).meaning=Probe name; \ additional_data(1).data=$2; \ additional_data(2).type=string; \ additional_data(2).meaning=Humidity; \ additional_data(2).data=$3; \ last #DESCRIPTION:Environmental Monitoring - Device Contact Opened #CATEGORY:Environmental #LOG:Mar 22 16:27:50 enviro1 12.34.56.78 EMU: Input Contact 4 'Rack 4 Front Door' opened, abnormal condition. 
0x1013 regex=EMU: Input Contact (\d+) (\'.+\') opened, abnormal condition; \ classification.text=Device Contact Opened; \ id=2802; \ revision=2; \ analyzer(0).name=Environmental Monitoring Unit; \ analyzer(0).manufacturer=APC; \ analyzer(0).class=Power; \ assessment.impact.severity=high; \ assessment.impact.completion=succeeded; \ assessment.impact.type=other; \ assessment.impact.description=Contact $2 has reported an open condition; \ additional_data(0).type=integer; \ additional_data(0).meaning=Contact; \ additional_data(0).data=$1; \ additional_data(1).type=string; \ additional_data(1).meaning=Contact name; \ additional_data(1).data=$2; \ last #DESCRIPTION:Environmental Monitoring - Device Contact Closed #CATEGORY:Environmental #LOG:Mar 22 16:28:51 enviro1 10.100.17.252 EMU: Input Contact 4 'Rack 4 Front Door' closed, abnormal condition cleared. 0x1014 regex=EMU: Input Contact (\d+) (\'.+\') closed, abnormal condition cleared; \ classification.text=Device Contact Closed; \ id=2803; \ revision=2; \ analyzer(0).name=Environmental Monitoring Unit; \ analyzer(0).manufacturer=APC; \ analyzer(0).class=Power; \ assessment.impact.severity=low; \ assessment.impact.completion=succeeded; \ assessment.impact.type=other; \ assessment.impact.description=Contact $2 has reported a closed condition; \ additional_data(0).type=integer; \ additional_data(0).meaning=Contact; \ additional_data(0).data=$1; \ additional_data(1).type=string; \ additional_data(1).meaning=Contact name; \ additional_data(1).data=$2; \ last # Still needed: # * Low humidity? # * Low/High temperature? prelude-lml-rules-5.1.0/ruleset/arpwatch.rules0000664000175000017500000001214113537533463021616 0ustar tandrejatandreja#FULLNAME: arpwatch #VERSION: 1.0 #DESCRIPTION: arpwatch is a computer software tool for monitoring Address Resolution Protocol traffic on a computer network. The rules included here were developed using arpwatch-2.1a11-7.9.3. 
#####
#
# Copyright (C) 2005 G Ramon Gomez
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

#DESCRIPTION:New ARP address detection
#CATEGORY:Monitoring
#LOG:Oct 14 00:47:50 hal arpwatch: new activity 12.34.56.78 0:20:a9:a:c:2a
regex=new (station|activity) ([\d\.]+) ([\da-f:]+); \
 classification.text=New ARP address detected; \
 id=4200; \
 revision=1; \
 analyzer(0).name=arpwatch; \
 analyzer(0).manufacturer=http://ee.lbl.gov; \
 analyzer(0).class=NIDS; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=This ethernet/ip address pair ($3/$2) is either new or has not been used recently.; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$2; \
 source(0).node.address(1).category=mac; \
 source(0).node.address(1).address=$3; \
 last

#DESCRIPTION:Ethernet address change detection
#CATEGORY:Monitoring
#LOG:Apr 21 23:05:00 192.168.1.35 arpwatch: flip flop 192.168.1.33 0:90:6d:f2:24:0 (8:0:20:c8:fe:15)
regex=(flip flop|changed ethernet address|reused old ethernet address) ([\d\.]+) ([\da-f:]+) \(([\da-f:]+)\); \
 classification.text=Ethernet address change detected; \
 id=4201; \
 revision=1; \
 analyzer(0).name=arpwatch; \
 analyzer(0).manufacturer=http://ee.lbl.gov; \
 analyzer(0).class=NIDS; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=The ethernet address of $2 has changed from $3 to $4.; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$2; \
 source(0).node.address(1).category=mac; \
 source(0).node.address(1).address=$3; \
 source(0).node.address(2).category=mac; \
 source(0).node.address(2).address=$4; \
 last

#DESCRIPTION:(ethernet|ip) broadcast address detection
#CATEGORY:Monitoring
#LOG:Apr 21 16:53:59 soledad arpwatch: ethernet broadcast 100.100.100.150 0:0:0:0:0:0
regex=(ethernet|ip) broadcast ([\d\.]+) ([\da-f:]+); \
 classification.text=$1 broadcast address detected; \
 id=4202; \
 revision=1; \
 analyzer(0).name=arpwatch; \
 analyzer(0).manufacturer=http://ee.lbl.gov; \
 analyzer(0).class=NIDS; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=The $1 address of this host is a broadcast address.; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$2; \
 source(0).node.address(1).category=mac; \
 source(0).node.address(1).address=$3; \
 last

#DESCRIPTION:Bogus IP address detection
#CATEGORY:Network Security
#LOG:Nov 18 15:57:50 fw arpwatch: bogon 169.254.189.71 0:c:f1:16:87:d9
regex=bogon ([\d\.]+) ([\da-f:]+); \
 classification.text=Bogus IP address detected; \
 id=4203; \
 revision=1; \
 analyzer(0).name=arpwatch; \
 analyzer(0).manufacturer=http://ee.lbl.gov; \
 analyzer(0).class=NIDS; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=$1 is not on the local subnet.; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 source(0).node.address(1).category=mac; \
 source(0).node.address(1).address=$2; \
 last
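Every rule in these files, the APC EMU rules above as well as the bonding and Check Point rules that follow, works the same way: the `regex=` statement is matched against the log line and its numbered capture groups are substituted into the IDMEF field assignments through `$N`. The following is an added example, not part of prelude-lml-rules or of prelude-lml itself: a small Python checker that parses a rule block in this layout and runs it against the rule's own `#LOG` samples, so a rule author can see the expanded fields and catch a regex that no longer matches its sample or a `$N` that points past the last capture group. It uses Python's `re` module rather than the PCRE engine prelude-lml uses (assumption: these rules use only regex syntax common to both), so it checks capture numbering and `$N` references, not the engine's full behaviour. The two embedded rule blocks are copied from rule 4201 of this file and rule 4804 of bonding.rules, trimmed to the fields the check needs and, for 4804, with the dots of the IPv4 pattern escaped; the third block is constructed to show the dangling-reference failure the checker reports.

```python
"""Sanity-check Prelude-LML style rule blocks against their own #LOG samples.

Added example, not part of prelude-lml-rules.  Understands the subset of
the rule layout used by this ruleset: #DESCRIPTION/#CATEGORY/#LOG header
comments, a `regex=` statement, `key=value;` statements continued with a
trailing backslash, and a closing `last`.  Python's re module stands in
for prelude-lml's PCRE engine (assumption: only common syntax is used).
"""
import re

# Copied from ruleset/arpwatch.rules (rule id 4201), trimmed to a few fields.
ARPWATCH_FLIP_FLOP = r"""
#DESCRIPTION:Ethernet address change detection
#LOG:Apr 21 23:05:00 192.168.1.35 arpwatch: flip flop 192.168.1.33 0:90:6d:f2:24:0 (8:0:20:c8:fe:15)
regex=(flip flop|changed ethernet address|reused old ethernet address) ([\d\.]+) ([\da-f:]+) \(([\da-f:]+)\); \
 classification.text=Ethernet address change detected; \
 id=4201; \
 assessment.impact.description=The ethernet address of $2 has changed from $3 to $4.; \
 source(0).node.address(0).address=$2; \
 source(0).node.address(1).address=$3; \
 source(0).node.address(2).address=$4; \
 last
"""

# Copied from ruleset/bonding.rules (rule id 4804), dots of the IPv4 pattern
# escaped so they match literal dots only.
BONDING_ARP_MONITOR = r"""
#LOG:Aug 24 00:54:18 blah kernel: bonding: ARP monitoring set to 1000 ms with 1 target(s): 192.168.100.1
regex=bonding:\sARP\smonitoring\sset\sto\s(\d+)\sms\swith\s(\d)\starget\(s\):\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}); \
 id=4804; \
 target(0).node.address(0).address=$3; \
 additional_data(0).data=$1; \
 last
"""

# Constructed, deliberately defective rule: $3 has no capture group.
DANGLING_REFERENCE = r"""
#LOG:Jan 1 00:00:00 host demo: user alice from 10.0.0.5
regex=user (\w+) from ([\d\.]+); \
 id=9999; \
 assessment.impact.description=$1 logged in from $2 via $3; \
 last
"""


def parse_rule(text):
    """Split one rule block into its #LOG samples, regex and raw fields."""
    rule = {"logs": [], "regex": None, "fields": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#LOG:"):
            rule["logs"].append(line[len("#LOG:"):].strip())
            continue
        if line.startswith("#"):          # other header comments
            continue
        if line.endswith("\\"):           # continuation marker
            line = line[:-1].rstrip()
        if line == "last":
            break
        if line.endswith(";") and not line.endswith("\\;"):
            line = line[:-1]
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("unparsable statement: %r" % raw)
        key, value = key.strip(), value.strip()
        if key == "regex":
            # ';' separates statements, so a literal one is written '\;'
            rule["regex"] = value.replace("\\;", ";")
        else:
            rule["fields"][key] = value
    if rule["regex"] is None:
        raise ValueError("rule has no regex= statement")
    return rule


def dangling_references(rule):
    """Return the set of $N references with no matching capture group."""
    groups = re.compile(rule["regex"]).groups
    refs = set()
    for value in rule["fields"].values():
        refs.update(int(n) for n in re.findall(r"\$(\d+)", value))
    return {n for n in refs if n > groups}


def apply_rule(rule, logline):
    """Return the expanded fields for logline, or None if the regex misses."""
    match = re.search(rule["regex"], logline)
    if match is None:
        return None
    bad = dangling_references(rule)
    if bad:
        raise ValueError("references to missing capture groups: %s" % sorted(bad))
    expand = lambda m: match.group(int(m.group(1)))
    return {k: re.sub(r"\$(\d+)", expand, v) for k, v in rule["fields"].items()}


def check_rule(text):
    """Apply a rule block to each of its own #LOG samples.

    Returns (log line, expanded fields or None) pairs; None means the rule
    does not even match its own sample.
    """
    rule = parse_rule(text)
    return [(log, apply_rule(rule, log)) for log in rule["logs"]]


if __name__ == "__main__":
    for block in (ARPWATCH_FLIP_FLOP, BONDING_ARP_MONITOR):
        for log, fields in check_rule(block):
            print(log)
            for key, value in sorted(fields.items()):
                print("    %s = %s" % (key, value))
```

Run directly it prints the expanded fields for each sample; a `None` result means the regex does not fire on the very line it was written for, and a `ValueError` flags a `$N` with no corresponding capture group. Both checks are cheap to run over a whole ruleset before committing a change, alongside the duplicate-id check that `prelude-lml-rules-check` already performs.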
#DESCRIPTION:MAC address mismatch detection
#CATEGORY:Network Security
#LOG:Feb 24 19:18:36 hal arpwatch: ethernet mismatch 195.215.178.10 0:4:c1:a7:f6:38 (0:50:4:40:c9:8f)
regex=ethernet mismatch ([\d\.]+) ([\da-f:]+) \(([\da-f:]+)\); \
 classification.text=MAC address mismatch detected; \
 id=4204; \
 revision=1; \
 analyzer(0).name=arpwatch; \
 analyzer(0).manufacturer=http://ee.lbl.gov; \
 analyzer(0).class=NIDS; \
 assessment.impact.severity=high; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=The source mac ethernet address ($2) didn't match the address inside the arp packet ($3).; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 source(0).node.address(1).category=mac; \
 source(0).node.address(1).address=$2; \
 source(0).node.address(2).category=mac; \
 source(0).node.address(2).address=$3; \
 last

# ---- prelude-lml-rules-5.1.0/ruleset/bonding.rules ----
#FULLNAME: Linux bonding driver
#VERSION: 1.0
#DESCRIPTION: The Linux bonding driver provides a method for aggregating multiple network interfaces into a single logical "bonded" interface.

#####
#
# Copyright (C) 2016-2019 CS-SI
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

#DESCRIPTION:Bonded interface - Status change
#CATEGORY:Monitoring
#LOG:Aug 24 00:54:18 blah kernel: bonding: bond0: backup interface eth0 is now up
#LOG:Aug 24 00:54:18 blah kernel: bonding: bond0: backup interface eth0 is now down
regex=bonding:\s(\w+):\s(\w+)\sinterface\s(\w+)\sis\snow\s(\w+); \
 id=4800; \
 revision=1; \
 classification.text=bonded interface status change to $4; \
 assessment.impact.severity=high; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=interface $3 which is the $2 member of $1 has changed link status to $4; \
 source(0).interface=$3; \
 target(0).interface=$1; \
 additional_data(0).type=string; \
 additional_data(0).meaning=primary or backup interface; \
 additional_data(0).data=$2; \
 additional_data(1).type=string; \
 additional_data(1).meaning=new interface state; \
 additional_data(1).data=$4; \
 last

#DESCRIPTION:Bonded interface - Link status change
#CATEGORY:Monitoring
#LOG:Aug 24 00:54:18 blah kernel: bonding: bond0: link status down for active interface eth0, disabling it
regex=bonding:\s(\w+):\slink\sstatus\s(\w+)\sfor\s(\w+)\sinterface\s(\w+),\s(\w+)\sit; \
 id=4801; \
 revision=1; \
 classification.text=$5 bonded link $3 interface; \
 assessment.impact.severity=high; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=$5 $3 interface $4 which is a member of $1 due to status $2; \
 source(0).interface=$4; \
 target(0).interface=$1; \
 additional_data(0).type=string; \
 additional_data(0).meaning=new interface state; \
 additional_data(0).data=$2; \
 last

#DESCRIPTION:Bonded interface - New interface on bond
#CATEGORY:Monitoring
#LOG:Aug 24 00:54:18 blah kernel: bonding: bond0: making interface eth4 the new active one.
regex=bonding:\s(\w+):\smaking\sinterface\s(\w+)\sthe\snew\s(\w+)\sone; \
 id=4802; \
 revision=1; \
 classification.text=Setting new $3 interface on bond $1; \
 assessment.impact.severity=high; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=setting bonded interface $2 to $3 on $1; \
 source(0).interface=$2; \
 target(0).interface=$1; \
 last

#DESCRIPTION:Bonded interface - Interface status change
#CATEGORY:Monitoring
#LOG:Aug 24 00:54:18 blah kernel: bonding: bond0: eth0 is up and now the active interface
regex=bonding:\s(\w+):\s(\w+)\sis\s(\w+)\sand\snow\sthe\s(\w+)\sinterface; \
 id=4803; \
 revision=1; \
 classification.text=bonded active interface link status change to $3; \
 assessment.impact.severity=high; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=interface $2 has changed to $3 and is now the $4 interface of bonded interface $1; \
 source(0).interface=$2; \
 target(0).interface=$1; \
 last

#DESCRIPTION:ARP monitoring status
#CATEGORY:Monitoring
#LOG:Aug 24 00:54:18 blah kernel: bonding: ARP monitoring set to 1000 ms with 1 target(s): 192.168.100.1
# The dots of the IPv4 target pattern are escaped so that they only match literal dots.
regex=bonding:\sARP\smonitoring\sset\sto\s(\d+)\sms\swith\s(\d)\starget\(s\):\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}); \
 id=4804; \
 revision=1; \
 classification.text=enabling ARP monitoring of bonding status; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=enabling monitoring of bonded link status using the ARP method; \
 target(0).node.address(0).address=$3; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=ARP interval in ms; \
 additional_data(0).data=$1; \
 last

#DESCRIPTION:Bonded interface - New interface to bond
#CATEGORY:Monitoring
#LOG:Aug 24 00:54:18 blah kernel: bonding: bond0: enslaving eth0 as an active interface with an up link
#LOG:Aug 24 00:54:18 blah kernel: bonding: bond0: enslaving eth4 as a backup interface with an up link
regex=bonding:\s(\w+):\senslaving\s(\w+)\sas\san?\s(\w+)\sinterface\swith\san\s(\w+)\slink; \
 id=4805; \
 revision=1; \
 classification.text=Joining new $3 interface to bond; \
 assessment.impact.completion=succeeded; \
 assessment.impact.severity=low; \
 assessment.impact.type=other; \
 assessment.impact.description=$2 was added as a new $3 member of bonded interface $1 with a link status of $4; \
 source(0).interface=$2; \
 target(0).interface=$1; \
 additional_data(0).type=string; \
 additional_data(0).meaning=primary or backup interface; \
 additional_data(0).data=$3; \
 additional_data(1).type=string; \
 additional_data(1).meaning=link state; \
 additional_data(1).data=$4; \
 last

#DESCRIPTION:Bonded interface - Disabling
#CATEGORY:Monitoring
#LOG:Aug 24 00:54:18 blah kernel: bonding: bond0: released all slaves
regex=bonding:\s(\w+):\sreleased\sall\sslaves; \
 id=4806; \
 revision=1; \
 classification.text=disabling bonded interface; \
 assessment.impact.completion=succeeded; \
 assessment.impact.severity=high; \
 assessment.impact.type=other; \
 assessment.impact.description=bonded interface $1 has been disabled and all of the member interfaces have been released; \
 target(0).interface=$1; \
 last

#DESCRIPTION:Possibly misconfigured bond member
#CATEGORY:Monitoring
#LOG:Aug 24 00:54:18 blah kernel: bonding: Warning: failed to get speed/duplex from eth4, speed forced to 100Mbps, duplex forced to Full
regex=bonding:\sWarning:\sfailed\sto\sget\sspeed/duplex\sfrom\s(\w+)\,\sspeed\sforced\sto\s(\w+),\sduplex\sforced\sto\s(\w+); \
 id=4807; \
 revision=1; \
 classification.text=possibly misconfigured bond member; \
 assessment.impact.completion=failed; \
 assessment.impact.severity=high; \
 assessment.impact.type=other; \
 assessment.impact.description=bonded interface $1 failed to automatically detect the speed and duplex of the network and has set itself to $2 at $3 duplex; \
 source(0).interface=$1; \
 additional_data(0).type=string; \
 additional_data(0).meaning=current link speed; \
 additional_data(0).data=$2; \
 additional_data(1).type=string; \
 additional_data(1).meaning=duplex; \
 additional_data(1).data=$3; \
 last

# ---- prelude-lml-rules-5.1.0/ruleset/checkpoint.rules ----
#FULLNAME: Check Point
#VERSION: 1.0
#DESCRIPTION: The Check Point Firewall Software builds on the technology first offered in Check Point’s FireWall-1 solution to provide strong gateway security and identity awareness.
# TODO: Audit (and probably re-write) all SmartDefense events

#####
#
# Copyright (C) 2003 Exaprobe
# All Rights Reserved
#
# This ruleset is currently unmaintained. Contact the Prelude
# development team if you would like to maintain it.
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

#DESCRIPTION:Packet denied (Both ports are numbers)
#CATEGORY:Packet Filtering
regex=drop ([\d+\.]+) (<|>)([\w-]+) product: VPN-1 & FireWall-1. src: ([\d\.]+). s_port: (\d+). dst: ([\d\.]+). service: (\d+). proto: (\w+). rule: (\d+); \
 classification.text=$8 packet denied; \
 id=100; \
 revision=2; \
 analyzer(0).name=FW-1; \
 analyzer(0).manufacturer=Checkpoint; \
 analyzer(0).class=Firewall; \
 assessment.impact.completion=failed; \
 assessment.impact.type=other; \
 assessment.impact.severity=low; \
 assessment.impact.description=FireWall $1 dropped and logged a $8 packet sent by $4:$5 to $6:$7 (rule #$9); \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$4; \
 source(0).service.port=$5; \
 source(0).service.protocol=$8; \
 target(0).node.address(0).category = ipv4-addr; \
 target(0).node.address(0).address=$6; \
 target(0).service.port=$7; \
 target(0).service.protocol=$8; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=ACL; \
 additional_data(0).data=$9; \
 last

#DESCRIPTION:Packet denied (Source or Target port is a service name)
#CATEGORY:Packet Filtering
regex=drop ([\d+\.]+) (<|>)([\w-]+) product: VPN-1 & FireWall-1. src: ([\d\.]+). s_port: (\d+). dst: ([\d\.]+). service: ([\w-]+). proto: (\w+). rule: (\d+); \
 classification.text=$8 packet denied; \
 id=101; \
 revision=2; \
 analyzer(0).name=FW-1; \
 analyzer(0).manufacturer=Checkpoint; \
 analyzer(0).class=Firewall; \
 assessment.impact.completion=failed; \
 assessment.impact.type=other; \
 assessment.impact.severity=low; \
 assessment.impact.description=FireWall $1 dropped and logged a $8 packet sent by $4:$5 to $6:$7 (rule #$9); \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$4; \
 source(0).service.port=$5; \
 source(0).service.protocol=$8; \
 target(0).node.address(0).category = ipv4-addr; \
 target(0).node.address(0).address=$6; \
 target(0).service.name=$7; \
 target(0).service.protocol=$8; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=ACL; \
 additional_data(0).data=$9; \
 last

#DESCRIPTION:Packet denied (Source port is a service name)
#CATEGORY:Packet Filtering
regex=drop ([\d+\.]+) (<|>)([\w-]+) product: VPN-1 & FireWall-1. src: ([\d\.]+). s_port: ([\w-]+). dst: ([\d\.]+). service: (\d+). proto: (\w+). rule: (\d+); \
 classification.text=$8 packet denied; \
 id=102; \
 revision=2; \
 analyzer(0).name=FW-1; \
 analyzer(0).manufacturer=Checkpoint; \
 analyzer(0).class=Firewall; \
 assessment.impact.completion=failed; \
 assessment.impact.type=other; \
 assessment.impact.severity=low; \
 assessment.impact.description=FireWall $1 dropped and logged a $8 packet sent by $4:$5 to $6:$7 (rule #$9); \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$4; \
 source(0).service.name=$5; \
 source(0).service.protocol=$8; \
 target(0).node.address(0).category = ipv4-addr; \
 target(0).node.address(0).address=$6; \
 target(0).service.port=$7; \
 target(0).service.protocol=$8; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=ACL; \
 additional_data(0).data=$9; \
 last

#DESCRIPTION:Packet denied (Both ports are service names)
#CATEGORY:Packet Filtering
regex=drop ([\d+\.]+) (<|>)([\w-]+) product: VPN-1 & FireWall-1. src: ([\d\.]+). s_port: ([\w-]+). dst: ([\d\.]+). service: ([\w-]+). proto: (\w+). rule: (\d+); \
 classification.text=$8 packet denied; \
 id=103; \
 revision=2; \
 analyzer(0).name=FW-1; \
 analyzer(0).manufacturer=Checkpoint; \
 analyzer(0).class=Firewall; \
 assessment.impact.completion=failed; \
 assessment.impact.type=other; \
 assessment.impact.severity=low; \
 assessment.impact.description=FireWall $1 dropped and logged a $8 packet sent by $4:$5 to $6:$7 (rule #$9); \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$4; \
 source(0).service.name=$5; \
 source(0).service.protocol=$8; \
 target(0).node.address(0).category = ipv4-addr; \
 target(0).node.address(0).address=$6; \
 target(0).service.name=$7; \
 target(0).service.protocol=$8; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=ACL; \
 additional_data(0).data=$9; \
 last

#DESCRIPTION:Packet accepted (Both ports are numbers)
#CATEGORY:Packet Filtering
regex=accept ([\d+\.]+) (<|>)([\w-]+) product: VPN-1 & FireWall-1. src: ([\d\.]+). s_port: (\d+). dst: ([\d\.]+). service: (\d+). proto: (\w+). rule: (\d+); \
 classification.text=$8 packet accepted; \
 id=104; \
 revision=2; \
 analyzer(0).name=FW-1; \
 analyzer(0).manufacturer=Checkpoint; \
 analyzer(0).class=Firewall; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.severity=medium; \
 assessment.impact.description=FireWall $1 accepted and logged a $8 packet sent by $4:$5 to $6:$7 (rule #$9); \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$4; \
 source(0).service.port=$5; \
 source(0).service.protocol=$8; \
 target(0).node.address(0).category = ipv4-addr; \
 target(0).node.address(0).address=$6; \
 target(0).service.port=$7; \
 target(0).service.protocol=$8; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=ACL; \
 additional_data(0).data=$9; \
 last

#DESCRIPTION:Packet accepted (One port is a service name)
#CATEGORY:Packet Filtering
#LOG:14Aug2006 16:38:54 accept 12.34.56.78 >eth1c0 product: VPN-1 & FireWall-1; src: 90.12.34.56; s_port: 41307; dst: 78.90.12.34; service: domain-udp; proto: udp; rule: 8;
regex=accept ([\d+\.]+) (<|>)([\w-]+) product: VPN-1 & FireWall-1. src: ([\d\.]+). s_port: (\d+). dst: ([\d\.]+). service: ([\w-]+). proto: (\w+). rule: (\d+); \
 classification.text=$8 packet accepted; \
 id=105; \
 revision=2; \
 analyzer(0).name=FW-1; \
 analyzer(0).manufacturer=Checkpoint; \
 analyzer(0).class=Firewall; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.severity=medium; \
 assessment.impact.description=FireWall $1 accepted and logged a $8 packet sent by $4:$5 to $6:$7 (rule #$9); \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$4; \
 source(0).service.port=$5; \
 source(0).service.protocol=$8; \
 target(0).node.address(0).category = ipv4-addr; \
 target(0).node.address(0).address=$6; \
 target(0).service.name=$7; \
 target(0).service.protocol=$8; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=ACL; \
 additional_data(0).data=$9; \
 last

#DESCRIPTION:Packet accepted (Source port is a service name)
#CATEGORY:Packet Filtering
regex=accept ([\d+\.]+) (<|>)([\w-]+) product: VPN-1 & FireWall-1. src: ([\d\.]+). s_port: ([\w-]+). dst: ([\d\.]+). service: (\d+). proto: (\w+). rule: (\d+); \
 classification.text=$8 packet accepted; \
 id=106; \
 revision=2; \
 analyzer(0).name=FW-1; \
 analyzer(0).manufacturer=Checkpoint; \
 analyzer(0).class=Firewall; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.severity=medium; \
 assessment.impact.description=FireWall $1 accepted and logged a $8 packet sent by $4:$5 to $6:$7 (rule #$9); \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$4; \
 source(0).service.name=$5; \
 source(0).service.protocol=$8; \
 target(0).node.address(0).category = ipv4-addr; \
 target(0).node.address(0).address=$6; \
 target(0).service.port=$7; \
 target(0).service.protocol=$8; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=ACL; \
 additional_data(0).data=$9; \
 last

#DESCRIPTION:Packet accepted (Only service names)
#CATEGORY:Packet Filtering
regex=accept ([\d+\.]+) (<|>)([\w-]+) product: VPN-1 & FireWall-1. src: ([\d\.]+). s_port: ([\w-]+). dst: ([\d\.]+). service: ([\w-]+). proto: (\w+). rule: (\d+); \
 classification.text=$8 packet accepted; \
 id=107; \
 revision=2; \
 analyzer(0).name=FW-1; \
 analyzer(0).manufacturer=Checkpoint; \
 analyzer(0).class=Firewall; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.severity=medium; \
 assessment.impact.description=FireWall $1 accepted and logged a $8 packet sent by $4:$5 to $6:$7 (rule #$9); \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$4; \
 source(0).service.name=$5; \
 source(0).service.protocol=$8; \
 target(0).node.address(0).category = ipv4-addr; \
 target(0).node.address(0).address=$6; \
 target(0).service.name=$7; \
 target(0).service.protocol=$8; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=ACL; \
 additional_data(0).data=$9; \
 last

#DESCRIPTION:Packet denied (ICMP)
#CATEGORY:Packet Filtering
regex=drop ([\d+\.]+) (<|>)([\w-]+) product: VPN-1 & FireWall-1. src: ([\d\.]+). dst: ([\d\.]+). proto: icmp. icmp-type: (\d+). icmp-code: (\d+). rule: (\d+); \
 classification.text=ICMP packet denied; \
 id=108; \
 revision=2; \
 analyzer(0).name=FW-1; \
 analyzer(0).manufacturer=Checkpoint; \
 analyzer(0).class=Firewall; \
 assessment.impact.completion=failed; \
 assessment.impact.type=other; \
 assessment.impact.severity=low; \
 assessment.impact.description=FireWall $1 dropped and logged an icmp packet sent by $4 to $5, with type $6 and code $7 (rule #$8); \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$4; \
 source(0).service.protocol=icmp; \
 target(0).node.address(0).category = ipv4-addr; \
 target(0).node.address(0).address=$5; \
 target(0).service.protocol=icmp; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=ICMP type; \
 additional_data(0).data=$6; \
 additional_data(1).type=integer; \
 additional_data(1).meaning=ICMP code; \
 additional_data(1).data=$7; \
 additional_data(2).type=integer; \
 additional_data(2).meaning=ACL; \
 additional_data(2).data=$8; \
 last

#DESCRIPTION:Packet accepted (ICMP)
#CATEGORY:Packet Filtering
regex=accept ([\d+\.]+) (<|>)([\w-]+) product: VPN-1 & FireWall-1. src: ([\d\.]+). dst: ([\d\.]+). proto: icmp. icmp-type: (\d+). icmp-code: (\d+). rule: (\d+); \
 classification.text=ICMP packet accepted; \
 id=109; \
 revision=2; \
 analyzer(0).name=FW-1; \
 analyzer(0).manufacturer=Checkpoint; \
 analyzer(0).class=Firewall; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.severity=medium; \
 assessment.impact.description=FireWall $1 accepted and logged an icmp packet sent by $4 to $5, with type $6 and code $7 (rule #$8); \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$4; \
 source(0).service.protocol=icmp; \
 target(0).node.address(0).category = ipv4-addr; \
 target(0).node.address(0).address=$5; \
 target(0).service.protocol=icmp; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=ICMP type; \
 additional_data(0).data=$6; \
 additional_data(1).type=integer; \
 additional_data(1).meaning=ICMP code; \
 additional_data(1).data=$7; \
 additional_data(2).type=integer; \
 additional_data(2).meaning=ACL; \
 additional_data(2).data=$8; \
 last

#DESCRIPTION:Packet logged
#CATEGORY:Packet Filtering
regex=product: VPN-1 & FireWall-1. src: ([\d\.]+). s_port: ([\w-]+). dst: ([\d\.]+). service: ([\w-]+). proto: (\w+). rule: (\d+); \
 classification.text=Packet logged; \
 id=110; \
 revision=2; \
 analyzer(0).name=FW-1; \
 analyzer(0).manufacturer=Checkpoint; \
 analyzer(0).class=Firewall; \
 assessment.impact.completion = failed; \
 assessment.impact.type = other; \
 assessment.impact.severity = low; \
 assessment.impact.description=FireWall-1 has logged a $5 packet sent by $1:$2 to $3:$4 (rule #$6); \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 source(0).service.protocol=$5; \
 target(0).node.address(0).category = ipv4-addr; \
 target(0).node.address(0).address=$3; \
 target(0).service.protocol=$5; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=ACL; \
 additional_data(0).data=$6; \
 last

#DESCRIPTION:Generic VPN-1 / FW-1 alert
#CATEGORY:Packet Filtering
#LOG:14Aug2006 16:38:54 accept 12.34.56.78 >eth1c0 product: VPN-1 & FireWall-1; src: 90.12.34.56; s_port: 41307; dst: 78.90.12.34; service: domain-udp; proto: udp; rule: 8;
regex=product: VPN-1 & FireWall-1; \
 classification.text=Generic alert; \
 id=111; \
 revision=1; \
 analyzer(0).name=FW-1; \
 analyzer(0).manufacturer=Checkpoint; \
 analyzer(0).class=Firewall; \
 assessment.impact.type=other; \
 assessment.impact.severity=low; \
 assessment.impact.description=VPN-1 & FireWall-1 generic alert; \
 last

#DESCRIPTION:SmartDefense - Attack
#CATEGORY:Network Security
#LOG:14Aug2006 16:39:44 12.34.56.78 > alert product: SmartDefense; cpmad: CPMAD; attack: Port Scanning; dst: 90.12.34.56; src: 78.90.12.34;
regex=product: SmartDefense\;.+attack: (.+)\; dst: ([\d\.]+)\; src: ([\d\.]+); \
 classification.text=$1; \
 id=112; \
 revision=2; \
 analyzer(0).name=FW-1; \
 analyzer(0).manufacturer=Checkpoint; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=low; \
 assessment.impact.type=recon; \
 assessment.impact.description=Checkpoint SmartDefense has detected a $1 from $3 to $2; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$3; \
 target(0).node.address(0).category = ipv4-addr; \
 target(0).node.address(0).address=$2; \
 last

#DESCRIPTION:SmartDefense - Successive multiple connections
#CATEGORY:Network Security
regex=product: SmartDefense. service: ([\w-]+|\d+). attack: Successive Multiple Connections. dst: ([\d\.]+). src: ([\d\.]+); \
 classification.text=Successive multiple connections; \
 id=114; \
 revision=1; \
 analyzer(0).name=FW-1; \
 analyzer(0).manufacturer=Checkpoint; \
 analyzer(0).class=Firewall; \
 assessment.impact.type=other; \
 assessment.impact.severity=low; \
 assessment.impact.description=Checkpoint Smart Defense: multiple connections from $3 to $2:$1; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$3; \
 target(0).node.address(0).category = ipv4-addr; \
 target(0).node.address(0).address=$2; \
 target(0).service.name=$1; \
 last

#DESCRIPTION:SmartDefense - Attack (Port number to port number)
#CATEGORY:Network Security
regex=product: SmartDefense\;.+attack: (.+)\; src: ([\d\.]+)\; s_port: (\d+)\; dst: ([\d\.]+)\; service: (\d+)\; proto: ([\w\-]+|\d+); \
 classification.text=$1; \
 id=115; \
 revision=2; \
 analyzer(0).name=FW-1; \
 analyzer(0).manufacturer=Checkpoint; \
 analyzer(0).class=Firewall; \
 assessment.impact.type=other; \
 assessment.impact.severity=low; \
 assessment.impact.description=$1 sent by $2:$3 to $4:$5; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$2; \
 source(0).service.port=$3; \
 target(0).node.address(0).category = ipv4-addr; \
 target(0).node.address(0).address=$4; \
 target(0).service.port=$5; \
 last

#DESCRIPTION:SmartDefense - Attack (Port number to service name)
#CATEGORY:Network Security
regex=product: SmartDefense. Attack Info: (.+). attack: Bad packet. src: ([\d\.]+). s_port: (\d+). dst: ([\d\.]+). service: ([\w-]+). proto: ([\w-]+|\d+); \
 classification.text=Bad $6 flags; \
 id=116; \
 revision=1; \
 analyzer(0).name=FW-1; \
 analyzer(0).manufacturer=Checkpoint; \
 analyzer(0).class=Firewall; \
 assessment.impact.type=other; \
 assessment.impact.severity=low; \
 assessment.impact.description=$1 sent by $2:$3 to $4:$5; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$2; \
 source(0).service.port=$3; \
 target(0).node.address(0).category = ipv4-addr; \
 target(0).node.address(0).address=$4; \
 target(0).service.name=$5; \
 last

#DESCRIPTION:SmartDefense - Attack (Service name to service name)
#CATEGORY:Network Security
regex=product: SmartDefense. Attack Info: (.+). attack: Bad packet. src: ([\d\.]+). s_port: ([\w-]+). dst: ([\d\.]+). service: ([\w-]+). proto: ([\w-]+|\d+); \
 classification.text=Bad $6 flags; \
 id=117; \
 revision=1; \
 analyzer(0).name=FW-1; \
 analyzer(0).manufacturer=Checkpoint; \
 analyzer(0).class=Firewall; \
 assessment.impact.type=other; \
 assessment.impact.severity=low; \
 assessment.impact.description=$1 sent by $2:$3 to $4:$5; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$2; \
 source(0).service.name=$3; \
 target(0).node.address(0).category = ipv4-addr; \
 target(0).node.address(0).address=$4; \
 target(0).service.name=$5; \
 last

#DESCRIPTION:SmartDefense - Attack (Service name to port number)
#CATEGORY:Network Security
regex=product: SmartDefense. Attack Info: (.+). attack: Bad packet. src: ([\d\.]+). s_port: ([\w-]+). dst: ([\d\.]+). service: (\d+). proto: ([\w-]+|\d+); \
 classification.text=Bad $6 flags; \
 id=118; \
 revision=1; \
 analyzer(0).name=FW-1; \
 analyzer(0).manufacturer=Checkpoint; \
 analyzer(0).class=Firewall; \
 assessment.impact.type=other; \
 assessment.impact.severity=low; \
 assessment.impact.description=$1 sent by $2:$3 to $4:$5; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$2; \
 source(0).service.name=$3; \
 target(0).node.address(0).category = ipv4-addr; \
 target(0).node.address(0).address=$4; \
 target(0).service.port=$5; \
 last

#DESCRIPTION:SmartDefense - Attack (Large ping)
#CATEGORY:Network Security
regex=product: SmartDefense\;.+attack: (.+)\; src: ([\d\.]+)\; dst: ([\d\.]+); \
 classification.text=$1; \
 id=119; \
 revision=1; \
 analyzer(0).name=FW-1; \
 analyzer(0).manufacturer=Checkpoint; \
 analyzer(0).class=Firewall; \
 assessment.impact.type=other; \
 assessment.impact.severity=low; \
 assessment.impact.description=$1 sent by $2 to $3; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$2; \
 target(0).node.address(0).category = ipv4-addr; \
 target(0).node.address(0).address=$3; \
 last

#DESCRIPTION:SmartDefense - Attack
#CATEGORY:Network Security
#LOG:14Aug2006 16:39:44 12.34.56.78 > alert product: SmartDefense; cpmad: CPMAD; attack: Port Scanning; dst: 90.12.34.56; src: 78.90.12.34;
regex=product: SmartDefense\;.+attack: (.+?)\;; \
 classification.text=$1; \
 id=125; \
 revision=2; \
 analyzer(0).name=FW-1; \
 analyzer(0).manufacturer=Checkpoint; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=low; \
 assessment.impact.type=other; \
 assessment.impact.description=Checkpoint SmartDefense has detected a $1; \
 last

#DESCRIPTION:SmartDefense - Generic alert
#CATEGORY:Network Security
#LOG:14Aug2006 16:39:44 12.34.56.78 > alert product: SmartDefense; cpmad: CPMAD; attack: Port Scanning; dst: 90.12.34.56; src: 78.90.12.34;
regex=product: SmartDefense; \
 classification.text=Misc logs; \
 id=126; \
 revision=1; \
 analyzer(0).name=FW-1; \
 analyzer(0).manufacturer=Checkpoint; \
 analyzer(0).class=Firewall; \
 assessment.impact.type=other; \
 assessment.impact.severity=low; \
 assessment.impact.description=Checkpoint Smart Defense: generic alert; \
 last

#DESCRIPTION:System Alert message
#CATEGORY:Monitoring
regex=([\d+\.]+) (<|>)\s+(\w+) System Alert message: (.+). Object: (\w+). (.+). product: System Monitor; \
 classification.text=Checkpoint System Monitor; \
 id=127; \
 revision=1; \
 analyzer(0).name=FW-1; \
 analyzer(0).manufacturer=Checkpoint; \
 analyzer(0).class=Firewall; \
 assessment.impact.type=other; \
 assessment.impact.severity=low; \
 assessment.impact.description=System alert reported a $4; \
 last

# ---- prelude-lml-rules-5.1.0/ruleset/cisco-asa.rules ----
#FULLNAME: Cisco ASA
#VERSION: 1.0
#DESCRIPTION: Cisco Adaptive Security Appliance (ASA) Software is a core operating system. It delivers enterprise-class firewall capabilities for ASA devices in an array of form factors for any distributed network environment. The rules included here were developed using a Cisco PIX and a Cisco ASA 8.2.x.

#####
#
# Copyright (C) 2003 G Ramon Gomez
# Ragingwire Enterprise Solutions (www.ragingwire.com)
# All Rights Reserved
#
# The new ASA rules were added by:
# Copyright (C) 2012 email: twitter: www.twitter.com/seguridad_x
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

#DESCRIPTION:Dropped UDP DNS packet type
#CATEGORY:Packet Filtering
#LOG:Sep 20 18:25:50 ASA_NAME %ASA-4-410001: Dropped UDP DNS packet_type from source_interface:source_address/source_port to dest_interface:dest_address/dest_port; error_length_type length length bytes exceeds max_length_type limit of maximum_length bytes
regex=-410001: Dropped UDP DNS; \
 classification.text=Dropped UDP DNS; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=410001; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp2266063; \
 id=195; \
 revision=1; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=high; \
 assessment.impact.type=other; \
 assessment.impact.completion=failed; \
 assessment.impact.description=A UDP DNS packet was dropped because a length field exceeded its limit, typically a domain name longer than 255 bytes (see RFC 1035 section 3.1).; \
 last

#DESCRIPTION:Cisco Intrusion Detection/Prevention System signature messages
#CATEGORY:IDS Signature
#LOG:May 10 09:25:28 asa %ASA-4-400000: IPS:1000 IP options-Bad Option List from 193.211.21.12 to 78.12.34.1 on interface dmz
#LOG:Nov 2 18:03:14 pix %PIX-4-400024: IDS:2151 Large ICMP packet from 200.36.129.18 to 12.34.56.78 on interface outside
# $1 is the syslog message id (4000xx), $2 the IDS/IPS signature number.
regex=-(4000\d\d): I[DP]S:(\d+) (.+) from ([\d\.]+) to ([\d\.]+) on interface (\S+); \
 classification.text=$3; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=$1; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp2266063; \
 classification.reference(1).origin=vendor-specific; \
 classification.reference(1).meaning=csids_id; \
 classification.reference(1).name=$2; \
 classification.reference(1).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp2266063; \
 id=196; \
 revision=7; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=failed; \
 assessment.impact.description=Messages 400000 through 400051 - Cisco Intrusion Detection/Prevention System signature messages; \
 source(0).interface=$6; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$4; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$5; \
 last

#DESCRIPTION:Remote Login permitted
#CATEGORY:Authentication
#LOG:Nov 2 11:03:52 pix %PIX-6-605005: Login permitted from 12.34.56.78/43610 to inside:90.12.34.56/ssh for user "pix"
# The target service is logged by name (ssh, telnet, ...), so it goes into
# service.name; IDMEF service.port is an integer and only the source port fits there.
regex=-605005: Login permitted from ([\d\.]+)\/(\d+) to (\S+):([\d\.]+)\/(\S+) for user "(\S+)"; \
 classification.text=Remote Login; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=605005; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1284894; \
 id=197; \
 revision=7; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=low; \
 assessment.impact.type=admin; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=This message appears when a user is authenticated successfully and a management session starts.; \
 source(0).interface=$3; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 source(0).service.port=$2; \
 target(0).interface=$3; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$4; \
 target(0).service.name=$5; \
 target(0).user.category=os-device; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$6; \
 last

#DESCRIPTION:User executed the 'enable' command
#CATEGORY:Command Execution
#LOG:Nov 2 11:03:55 pix %PIX-5-111008: User 'enable_1' executed the 'enable' command.
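A check worth running over every rule in this file is one the rule syntax cannot express by itself: does the regex actually match the rule's own #LOG: sample, does every $N name a capture group that exists, and does each *.service.port field expand to a number? IDMEF service.port is an integer, so a (\S+) that captures a service name such as ssh into a port field is a bug, and a nested optional group such as (/(\d+))? silently shifts every $N after it. The linter below is an added example, not part of prelude-lml-rules: it parses the subset of the rule syntax used here (#LOG: lines, regex=, key=value fields with backslash continuation, last) and runs the checks over a constructed sample made of two rules copied from this file: 605005 in the form that assigns the (\S+) service capture to target(0).service.port, which the check flags, and 605004, which passes. Python's re is not PCRE, but it accepts the patterns used in this ruleset.

```python
"""Lint prelude-lml rules against their own #LOG: samples.

Added example, not part of prelude-lml-rules. For each rule it compiles the
regex, runs it over the #LOG: lines preceding the rule, checks that every $N
names an existing capture group, and checks that anything assigned to a
*.service.port field expands to digits (IDMEF service.port is an integer).
"""
import re
from dataclasses import dataclass, field

REF = re.compile(r"\$(\d+)")        # $1, $2, ... in field templates
SPLIT = re.compile(r"(?<!\\);")     # ';' ends a field unless escaped as '\;'


@dataclass
class Rule:
    regex: str = ""
    fields: dict = field(default_factory=dict)   # key -> template with $N
    samples: list = field(default_factory=list)  # #LOG: lines before the rule
    rule_id: str = "?"


def parse_rules(text):
    """Parse #LOG:, regex=, key=value with '\\' continuation, and last."""
    rules, samples, buf = [], [], []
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("#LOG:"):
            samples.append(line[5:].strip())
        elif not line or line.startswith("#"):
            pass                                   # blank or comment line
        elif line.endswith("\\"):                  # continuation line
            buf.append(line[:-1].rstrip())
        else:                                      # final line of a rule
            rule = Rule(samples=samples)
            for part in SPLIT.split(" ".join(buf + [line])):
                key, _, value = part.strip().partition("=")
                key, value = key.strip(), value.strip().replace("\\;", ";")
                if key == "regex":
                    rule.regex = value
                elif key not in ("", "last"):
                    rule.fields[key] = value
            rule.rule_id = rule.fields.get("id", "?")
            rules.append(rule)
            samples, buf = [], []
    return rules


def expand(rule, match):
    """Expand the $N references of every field using one regex match."""
    def sub(m):
        n = int(m.group(1))
        return (match.group(n) or "") if n <= match.re.groups else m.group(0)
    return {k: REF.sub(sub, v) for k, v in rule.fields.items()}


def expansions(rule):
    """Field values produced for each #LOG: sample the regex matches."""
    pat = re.compile(rule.regex)
    return [expand(rule, m) for m in map(pat.search, rule.samples) if m]


def check_rule(rule):
    """Problems found in one rule; an empty list means it passes."""
    problems = []
    try:
        pat = re.compile(rule.regex)
    except re.error as exc:
        return [f"rule {rule.rule_id}: regex does not compile: {exc}"]
    for key, tmpl in rule.fields.items():
        for n in REF.findall(tmpl):
            if int(n) > pat.groups:
                problems.append(f"rule {rule.rule_id}: {key} uses ${n} but the regex has {pat.groups} groups")
    for sample in rule.samples:
        m = pat.search(sample)
        if m is None:
            problems.append(f"rule {rule.rule_id}: sample does not match: {sample}")
            continue
        for key, value in expand(rule, m).items():
            if key.endswith(".port") and not value.isdigit():
                problems.append(f"rule {rule.rule_id}: {key} expands to {value!r}, not a port number")
    return problems


def lint(text):
    """Map rule id -> problems for every rule in a ruleset text."""
    return {r.rule_id: check_rule(r) for r in parse_rules(text)}


# Constructed sample: the 605005 and 605004 rules from cisco-asa.rules with
# their fields trimmed to the ones this check looks at.
SAMPLE_RULES = r"""
#LOG:Nov 2 11:03:52 pix %PIX-6-605005: Login permitted from 12.34.56.78/43610 to inside:90.12.34.56/ssh for user "pix"
regex=-605005: Login permitted from ([\d\.]+)\/(\S+) to (\S+):([\d\.]+)\/(\S+) for user "(\S+)"; \
 id=197; \
 source(0).node.address(0).address=$1; \
 source(0).service.port=$2; \
 target(0).service.port=$5; \
 target(0).user.user_id(0).name=$6; \
 last

#LOG:Nov 2 19:13:43 pix %PIX-6-605004: Login denied from 12.34.56.78/44660 to inside:90.12.34.56/ssh for user "frag"
regex=-605004: Login denied from ([\d\.]+)\/(\d+) to (\S+):([\d\.]+)\/(\S+) for user "(\S+)"; \
 id=205; \
 source(0).node.address(0).address=$1; \
 source(0).service.port=$2; \
 target(0).service.name=$5; \
 target(0).user.user_id(0).name=$6; \
 last
"""

if __name__ == "__main__":
    for rule_id, problems in lint(SAMPLE_RULES).items():
        print(f"rule {rule_id}: {'OK' if not problems else problems}")
```

lint() can be pointed at a whole ruleset file read into a string; a rule whose #LOG: sample no longer matches after an edit shows up immediately, which is the regression the duplicate-id check alone cannot catch. The port check is deliberately strict: a field named *.port that expands to anything but digits is reported even when the sample happens to carry a number, because the (\S+) capture will take a service name on the next log line.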
regex=-111008: User '(\S+)' executed the 'enable' command; \
 classification.text=Admin login; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=111008; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1280203; \
 id=198; \
 revision=6; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=low; \
 assessment.impact.type=admin; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=User $1 successfully enabled; \
 source(0).user.category=os-device; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$1; \
 target(0).user.category=os-device; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=enable_15; \
 last

#DESCRIPTION:User executed a command
#CATEGORY:Command Execution
#LOG:Apr 3 15:00:08 ASA_NAME %ASA-7-111009: User 'user' executed cmd: show access-list
# The command is captured whole: (\S+) (\S+) only matched two-word commands
# and truncated longer ones.
regex=-111009: User '(\S+)' executed cmd: (.+); \
 classification.text=User executed a command; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=111009; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1280203; \
 id=199; \
 revision=7; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=low; \
 assessment.impact.type=admin; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=User $1 executed cmd: $2; \
 source(0).user.category=os-device; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$1; \
 target(0).user.category=os-device; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=enable_15; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Command; \
 additional_data(0).data=$2; \
 last

#DESCRIPTION:AAA credentials rejected
#CATEGORY:Authentication
#LOG:Apr 3 15:14:44 ASA_NAME %ASA-6-113016: AAA credentials rejected : reason = Unspecified : server = 1.1.1.3 : user = user
# The reason may contain spaces; a rejected credential is a failed, not a
# succeeded, authentication.
regex=-113016: AAA credentials rejected : reason = (.+?) : server = ([\d\.]+) : user = (\S+); \
 classification.text=AAA credentials rejected; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=113016; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1280203; \
 id=200; \
 revision=7; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=medium; \
 assessment.impact.type=admin; \
 assessment.impact.completion=failed; \
 assessment.impact.description=AAA server $2 rejected the credentials of user $3, reason: $1; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$2; \
 source(0).user.category=os-device; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$3; \
 target(0).user.category=os-device; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=enable_15; \
 last

#DESCRIPTION:AAA Marking RADIUS server as FAILED
#CATEGORY:Monitoring
#LOG:Jun 21 13:13:06 ASA_NAME %ASA-2-113022: AAA Marking RADIUS server 192.168.160.30 in aaa-server group RADIUS as FAILED
# The aaa-server group name is site specific, so it is captured rather than hardcoded.
regex=-113022: AAA Marking RADIUS server ([\d\.]+) in aaa-server group (\S+) as FAILED; \
 classification.text=AAA Marking RADIUS server as FAILED; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=113022; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1280203; \
 id=201; \
 revision=7; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=high; \
 assessment.impact.type=admin; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=RADIUS server $1 in aaa-server group $2 was marked FAILED; \
 additional_data(0).type=string; \
 additional_data(0).meaning=RADIUS Server; \
 additional_data(0).data=$1; \
 additional_data(1).type=string; \
 additional_data(1).meaning=aaa-server group; \
 additional_data(1).data=$2; \
 last

#DESCRIPTION:Attempting AAA Fallback method LOCAL for Authentication request
#CATEGORY:Authentication
#LOG:Jun 21 13:09:27 ASA_NAME %ASA-4-409023: Attempting AAA Fallback method LOCAL for Authentication request for user e4045102 : Auth-server group RADIUS unreachable
regex=-409023: Attempting AAA Fallback method LOCAL for Authentication request for user (\S+); \
 classification.text=AAA Fallback method LOCAL; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=409023; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1280203; \
 id=202; \
 revision=6; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=high; \
 assessment.impact.type=admin; \
 assessment.impact.completion=succeeded; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Attempting AAA Fallback method LOCAL for Authentication request for user; \
 additional_data(0).data=$1; \
 last

#DESCRIPTION:Configuration written
#CATEGORY:Monitoring
#LOG:Nov 2 11:17:21 pix %PIX-5-111001: Begin configuration: console writing to memory
regex=-111001: Begin configuration: (\S+) writing to (\S+); \
 classification.text=Configuration written to $2; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=111001; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wpxref46365/1/; \
 id=203; \
 revision=5; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=low; \
 assessment.impact.type=admin; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Configuration was stored on $2, and \
 the command was executed from $1.; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Source device; \
 additional_data(0).data=$1; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Destination device; \
 additional_data(1).data=$2; \
 last

#DESCRIPTION:User logged out
#CATEGORY:Authentication
#LOG:Nov 2 11:17:26 pix %PIX-5-611103: User logged out: Uname: enable_1
#LOG:Jul 10 21:29:38 somehost.smf.ragingwire.net 12.34.56.78/90.12.34.56 :Jul 10 14:24:56 PDT: %ASA-vpnc-5-611103: User logged out: Uname: neteng
regex=-611103: User logged out: Uname: (\S+); \
 classification.text=User logout; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=611103; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1285015; \
 id=204; \
 revision=5; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=low; \
 assessment.impact.type=admin; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=User $1 logged out; \
 source(0).user.category=os-device; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$1; \
 last

#DESCRIPTION:Login denied for user
#CATEGORY:Authentication
#LOG:Nov 2 19:13:43 pix %PIX-6-605004: Login denied from 12.34.56.78/44660 to inside:90.12.34.56/ssh for user "frag"
regex=-605004: Login denied from ([\d\.]+)\/(\d+) to (\S+):([\d\.]+)\/(\S+) for user "(\S+)"; \
 classification.text=Remote Login; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=605004; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1284886; \
 id=205; \
 revision=6; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=medium; \
 assessment.impact.type=admin; \
 assessment.impact.completion=failed; \
 assessment.impact.description=User $6 failed login; \
 source(0).interface=$3; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 source(0).service.port=$2; \
 target(0).interface=$3; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$4; \
 target(0).service.name=$5; \
 target(0).user.category=os-device; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$6; \
 last

#DESCRIPTION:Console enable password incorrect
#CATEGORY:Authentication
#LOG:Nov 2 19:14:23 pix %PIX-6-308001: console enable password incorrect for 3 tries (from ssh (remote 12.34.56.78))
regex=-308001: (PIX |ASA )?(\S+) enable password incorrect for (\d+) tries \(from (.+)\); \
 classification.text=Admin login; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=308001; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html#wp5630084; \
 id=206; \
 revision=6; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=medium; \
 assessment.impact.type=admin; \
 assessment.impact.completion=failed; \
 assessment.impact.description=ASA enable password attempt on the $2 failed from $4; \
 target(0).user.category=os-device; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=enable_15; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Destination device; \
 additional_data(0).data=$2; \
 additional_data(1).type=integer; \
 additional_data(1).meaning=Attempts; \
 additional_data(1).data=$3; \
 additional_data(2).type=string; \
 additional_data(2).meaning=Source device; \
 additional_data(2).data=$4; \
 last

#DESCRIPTION:SSH session disconnected by SSH server
#CATEGORY:Authentication
#LOG:Nov 17 11:29:27 pix %PIX-6-315011: SSH session from 12.34.56.78 on interface dmz for user "" disconnected by SSH server, reason: "Invalid format in version string" (0x05)
regex=-315011: SSH session from ([\d\.]+) on interface (\S+) for user "" disconnected by SSH server, reason: "Invalid format in version string"; \
 classification.text=SSH server recognition; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=315011; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1281091; \
 id=207; \
 revision=6; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=failed; \
 assessment.impact.type=recon; \
 assessment.impact.description=$1 probably attempting to determine SSH version; \
 source(0).interface=$2; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 source(0).service.iana_protocol_name=tcp; \
 source(0).service.iana_protocol_number=6; \
 target(0).interface=$2; \
 target(0).service.port=22; \
 target(0).service.name=ssh; \
 target(0).service.iana_protocol_name=tcp; \
 target(0).service.iana_protocol_number=6; \
 last

#DESCRIPTION:Embryonic limit for through connections exceeded
#CATEGORY:Network Security
#LOG:Dec 22 15:55:33 pix %PIX-4-407002: Embryonic limit for through connections exceeded 243/100. 208.252.69.162/55452 to 12.34.56.78(90.12.34.56)/80 on interface outside
regex=-407002: Embryonic limit for through connections exceeded (\d+)\/(\d+)\. ([\d\.]+)\/(\d+) to ([\d\.]+)\(([\d\.]+)\)\/(\d+) on interface (\S+); \
 classification.text=Embryonic connection limit exceeded; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=407002; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1282383; \
 id=208; \
 revision=5; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=failed; \
 assessment.impact.type=other; \
 assessment.impact.description=The number of connections from $3 over $5 to $6 has exceeded the maximum embryonic limit for that static.; \
 source(0).interface=$8; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$3; \
 source(0).service.port=$4; \
 source(0).service.iana_protocol_name=tcp; \
 source(0).service.iana_protocol_number=6; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$5; \
 target(0).node.address(1).category=ipv4-addr; \
 target(0).node.address(1).address=$6; \
 target(0).service.port=$7; \
 target(0).service.iana_protocol_name=tcp; \
 target(0).service.iana_protocol_number=6; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=Connections; \
 additional_data(0).data=$1; \
 additional_data(1).type=integer; \
 additional_data(1).meaning=Connection limit; \
 additional_data(1).data=$2; \
 last

#DESCRIPTION:Deny IP
#CATEGORY:Packet Filtering
#LOG:Feb 1 00:48:50 pix %PIX-6-106012: Deny IP from 12.34.56.78 to 90.12.34.56, IP options: "Loose Src Routing"
# 106012 does not name the transport protocol, so none is asserted.
regex=-106012: Deny IP from ([\d\.]+) to ([\d\.]+), IP options: "(.+)"; \
 classification.text=IP options: $3; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=106012; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1279793; \
 id=209; \
 revision=6; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=failed; \
 assessment.impact.type=other; \
 assessment.impact.description=An IP packet was seen with IP options. Because IP options are considered a security risk, the packet was discarded.; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$2; \
 additional_data(0).type=string; \
 additional_data(0).meaning=IP options; \
 additional_data(0).data=$3; \
 last

#DESCRIPTION:Reverse path check failure
#CATEGORY:Monitoring
#LOG:Jan 27 14:51:43 pix %PIX-1-106021: Deny udp reverse path check from 12.34.56.78 to 90.12.34.56 on interface staging
regex=-106021: Deny (\w+) reverse path check from ([\d\.]+) to ([\d\.]+) on interface (\S+); \
 classification.text=Reverse path check failure; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=106021; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1279871; \
 id=210; \
 revision=5; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=failed; \
 assessment.impact.type=other; \
 assessment.impact.description=Reverse route lookup detected a packet that does not have a source address represented by a route and assumed that it is part of an attack.; \
 source(0).interface=$4; \
 source(0).spoofed=yes; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$2; \
 source(0).service.iana_protocol_name=$1; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$3; \
 target(0).service.iana_protocol_name=$1; \
 last

#DESCRIPTION:Fragment database limit exceeded
#CATEGORY:Network Security
#LOG:Feb 1 01:01:28 pix %PIX-4-209003: Fragment database limit of 200 exceeded: src = 12.34.56.78, dest = 90.12.34.56, proto = icmp, id = 48130
regex=-209003: Fragment database limit of (\d+) exceeded: src = ([\d\.]+), dest = ([\d\.]+), proto = (\w+); \
 classification.text=Fragment database limit exceeded; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=209003; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1280434; \
 id=211; \
 revision=5; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=failed; \
 assessment.impact.type=other; \
 assessment.impact.description=The IP fragment database limit has been exceeded. A DoS attack may be in progress.; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$2; \
 source(0).service.iana_protocol_name=$4; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$3; \
 target(0).service.iana_protocol_name=$4; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=Connections; \
 additional_data(0).data=$1; \
 last

#DESCRIPTION:Invalid transport field for protocol
#CATEGORY:Monitoring
#LOG:Feb 1 18:16:27 pix %PIX-4-500004: Invalid transport field for protocol=6, from 12.34.56.78/13798 to 90.12.34.56/0
regex=-500004: Invalid transport field for protocol=(\d+), from ([\d\.]+)\/(\d+) to ([\d\.]+)\/(\d+); \
 classification.text=Source or destination port 0; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=500004; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1282628; \
 id=212; \
 revision=5; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=failed; \
 assessment.impact.type=other; \
 assessment.impact.description=There is an invalid transport number, in which the source or destination port number for a protocol is zero.; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$2; \
 source(0).service.port=$3; \
 source(0).service.iana_protocol_number=$1; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$4; \
 target(0).service.port=$5; \
 target(0).service.iana_protocol_number=$1; \
 last

#DESCRIPTION:Received ARP (request|response) collision
#CATEGORY:Monitoring
#LOG:Feb 3 01:47:37 pix %PIX-4-405001: Received ARP response collision from 12.34.56.78/000b.bf5b.9408 on interface outside
regex=-405001: Received ARP (request|response) collision from ([\d\.]+)\/([A-Fa-f\d\.]+) on interface (\S+); \
 classification.text=ARP $1 mismatch; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=405001; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1282234; \
 id=213; \
 revision=5; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=failed; \
 assessment.impact.type=other; \
 assessment.impact.description=The firewall received an ARP packet, and the MAC address in the packet differs from the ARP cache entry.; \
 source(0).spoofed=yes; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$2; \
 source(0).node.address(1).category=mac; \
 source(0).node.address(1).address=$3; \
 source(0).interface=$4; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$2; \
 last

#DESCRIPTION:Access denied by ACL
#CATEGORY:Authentication
#LOG:Jan 25 14:59:33 pix %PIX-3-710003: TCP access denied by ACL from 148.208.247.3/2984 to outside:12.40.199.252/ssh
#LOG:Jul 12 17:30:17 smf-custlog-02 12.34.56.78/90.12.34.56 :Jul 12 10:25:06 PDT: %ASA-session-3-710003: TCP access denied by ACL from 78.90.12.34/3354 to OUTSIDE-01:56.78.90.12/80
# The target service may be logged by name (ssh) or number (80), so it is
# stored in service.name; IDMEF service.port only accepts an integer.
regex=-710003: (TCP|UDP) access denied by ACL from ([\d\.]+)\/(\d+) to (\S+):([\d\.]+)\/(\S+); \
 classification.text=Unauthorized admin session attempt; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=710003; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp2503389; \
 id=214; \
 revision=6; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=failed; \
 assessment.impact.type=admin; \
 assessment.impact.description=This message appears when the firewall denies an attempt to connect to the interface service from an unauthorized management station.; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$2; \
 source(0).service.port=$3; \
 source(0).service.iana_protocol_name=$1; \
 source(0).interface=$4; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$5; \
 target(0).service.name=$6; \
 target(0).service.iana_protocol_name=$1; \
 target(0).interface=$4; \
 last

#DESCRIPTION:Broadcast address translation request failed
#CATEGORY:Network Security
#LOG:Mar 15 20:55:18 gtsprodpix %PIX-3-305006: Dst IP is network/broadcast IP, translation creation failed for tcp src prod:10.100.17.27/1586 dst inside:10.100.16.255/445
regex=-305006: Dst IP is network/broadcast IP, translation creation failed for (tcp|udp) src (\S+):([\d\.]+)/(\S+) dst (\S+):([\d\.]+)/(\S+); \
 classification.text=Broadcast address translation request; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=305006; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1280915; \
 id=215; \
 revision=4; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=failed; \
 assessment.impact.type=recon; \
 assessment.impact.description=The firewall has received a request to assign a static NAT translation for a broadcast address, which is illegal. This is commonly an indicator of a network mapping attempt.; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$3; \
 source(0).service.port=$4; \
 source(0).service.iana_protocol_name=$1; \
 source(0).interface=$2; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$6; \
 target(0).service.port=$7; \
 target(0).service.iana_protocol_name=$1; \
 target(0).interface=$5; \
 last

#DESCRIPTION:ICMP destination/source mismatch
#CATEGORY:Monitoring
#LOG:Mar 24 09:19:42 gtsprodpix %PIX-4-313003: Invalid destination for ICMP error message: ICMP source 12.34.56.78 destination 90.12.34.56 (type 3, code 1) on outside interface. Original IP payload: ICMP source 1.1.1.1 destination 1.1.1.1 (type 1, code 1).
regex=-313003: Invalid destination for ICMP error message: ICMP source ([\d\.]+) destination ([\d\.]+) \(type (\d+), code (\d+)\) on (\S+) interface\.; \
 classification.text=ICMP destination/source mismatch; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=313003; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1281049; \
 id=216; \
 revision=5; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=failed; \
 assessment.impact.type=recon; \
 assessment.impact.description=The destination for the ICMP error message is different than the source of the IP packet that induced the ICMP error message. This could be an active network probe, an attempt to use the ICMP error message as a covert channel, or a misbehaving IP host.; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 source(0).service.iana_protocol_name=icmp; \
 source(0).service.iana_protocol_number=1; \
 source(0).interface=$5; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$2; \
 target(0).service.iana_protocol_name=icmp; \
 target(0).service.iana_protocol_number=1; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=ICMP type; \
 additional_data(0).data=$3; \
 additional_data(1).type=integer; \
 additional_data(1).meaning=ICMP code; \
 additional_data(1).data=$4; \
 last

#DESCRIPTION:Packet denied by access-group
#CATEGORY:Packet Filtering
#LOG:Dec 30 03:10:48 12.34.56.78 Dec 30 2003 02:13:28: %PIX-4-106023: Deny icmp src outside:64.89.17.26 dst inside:90.12.34.56 (type 3, code 3) by access-group "outside"
#LOG:Jun 2 17:46:30 bombadil253 %PIX-4-106023: Deny udp src inside:12.34.56.78/18378 dst outside:90.12.34.56/12685 by access-group "acl_in"
# Disabled by default: 106023 fires for every packet an access-group drops.
# The optional port groups are non-capturing wrappers, (?:/(\d+))?, so that
# $4 and $7 are the ports and $8 is the access-group name; with capturing
# wrappers, (/(\d+))?, every reference from $4 on would be off by one or two.
#regex=-106023: Deny (\w+) src (\S+):([\d\.]+)(?:/(\d+))? dst (\S+):([\d\.]+)(?:/(\d+))?.*by access-group "(\S+)"; \
# classification.text=Packet denied; \
# classification.reference(0).origin=vendor-specific; \
# classification.reference(0).meaning=asa_id; \
# classification.reference(0).name=106023; \
# classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1279897; \
# id=217; \
# revision=5; \
# analyzer(0).name=ASA; \
# analyzer(0).manufacturer=Cisco; \
# analyzer(0).class=Firewall; \
# assessment.impact.severity=medium; \
# assessment.impact.description=A packet was dropped by access-group "$8".; \
# source(0).interface=$2; \
# source(0).service.iana_protocol_name=$1; \
# source(0).node.address(0).category=ipv4-addr; \
# source(0).node.address(0).address=$3; \
# source(0).service.port=$4; \
# target(0).interface=$5; \
# target(0).service.iana_protocol_name=$1; \
# target(0).node.address(0).category=ipv4-addr; \
# target(0).node.address(0).address=$6; \
# target(0).service.port=$7; \
# additional_data(0).type=string; \
# additional_data(0).meaning=access-group; \
# additional_data(0).data=$8; \
# last

#DESCRIPTION:Packet denied on interface
#CATEGORY:Packet Filtering
#LOG:Nov 2 18:03:14 pix %PIX-2-106006: Deny inbound UDP from 9.0.1.2/10001 to 3.4.5.6/1026 on interface outside
# Disabled by default: high volume on a busy outside interface.
#regex=-106006: Deny inbound UDP from ([\d\.]+)/(\d+) to ([\d\.]+)/(\d+) on interface (\S+); \
# classification.text=Packet denied; \
# classification.reference(0).origin=vendor-specific; \
# classification.reference(0).meaning=asa_id; \
# classification.reference(0).name=106006; \
# classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1279756; \
# id=218; \
# revision=5; \
# analyzer(0).name=ASA; \
# analyzer(0).manufacturer=Cisco; \
# analyzer(0).class=Firewall; \
# assessment.impact.severity=medium; \
# assessment.impact.description=This is a connection-related message. \
# This message is logged if an inbound UDP packet is denied by your security policy.; \
# source(0).interface=$5; \
# source(0).service.iana_protocol_name=udp; \
# source(0).service.iana_protocol_number=17; \
# source(0).node.address(0).category=ipv4-addr; \
# source(0).node.address(0).address=$1; \
# source(0).service.port=$2; \
# target(0).service.iana_protocol_name=udp; \
# target(0).service.iana_protocol_number=17; \
# target(0).node.address(0).category=ipv4-addr; \
# target(0).node.address(0).address=$3; \
# target(0).service.port=$4; \
# last

#DESCRIPTION:Packet denied due to DNS
#CATEGORY:Packet Filtering
#LOG:Nov 2 18:03:14 pix %PIX-2-106007: Deny inbound UDP from 7.8.9.0/53 to 1.2.3.4/33524 due to DNS Response
#LOG:Jul 12 19:34:42 smf-custlog-02 78.90.12.34/56.78.90.12 :Jul 12 12:31:46 PDT: %ASA-session-2-106007: Deny inbound UDP from 12.34.56.78/1048 to 90.12.34.56/53 due to DNS Query
regex=-106007: Deny inbound UDP from ([\d\.]+)/(\d+) to ([\d\.]+)/(\d+) due to DNS (Response|Query); \
 classification.text=Packet denied; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=106007; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1279764; \
 id=219; \
 revision=5; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=medium; \
 assessment.impact.description=This is a connection-related message. This message is logged if a UDP packet containing a DNS $5 is denied.; \
 source(0).service.iana_protocol_name=udp; \
 source(0).service.iana_protocol_number=17; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 source(0).service.port=$2; \
 target(0).service.iana_protocol_name=udp; \
 target(0).service.iana_protocol_number=17; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$3; \
 target(0).service.port=$4; \
 last

#DESCRIPTION:Packet denied (TCP) on interface
#CATEGORY:Packet Filtering
#LOG:Nov 2 18:03:14 pix %PIX-2-106001: Inbound TCP connection denied from 1.2.3.4/1007 to 5.6.7.8/139 flags SYN on interface outside
# Disabled by default: high volume on a busy outside interface.
#regex=-106001: Inbound TCP connection denied from ([\d\.]+)/(\d+) to ([\d\.]+)/(\d+) flags (.+) on interface (\S+); \
# classification.text=Packet denied; \
# classification.reference(0).origin=vendor-specific; \
# classification.reference(0).meaning=asa_id; \
# classification.reference(0).name=106001; \
# classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1279735; \
# id=220; \
# revision=5; \
# analyzer(0).name=ASA; \
# analyzer(0).manufacturer=Cisco; \
# analyzer(0).class=Firewall; \
# assessment.impact.severity=medium; \
# assessment.impact.description=This is a connection-related message. This message occurs when an attempt to connect to an inside address is denied by your security policy. The flags on this packet were $5.; \
# source(0).interface=$6; \
# source(0).service.iana_protocol_name=tcp; \
# source(0).service.iana_protocol_number=6; \
# source(0).node.address(0).category=ipv4-addr; \
# source(0).node.address(0).address=$1; \
# source(0).service.port=$2; \
# target(0).service.iana_protocol_name=tcp; \
# target(0).service.iana_protocol_number=6; \
# target(0).node.address(0).category=ipv4-addr; \
# target(0).node.address(0).address=$3; \
# target(0).service.port=$4; \
# additional_data(0).type=string; \
# additional_data(0).meaning=TCP flags; \
# additional_data(0).data=$5; \
# last

#DESCRIPTION:Deny IP due to Land Attack
#CATEGORY:Network Security
#LOG:Jul 10 22:18:51 somehost.ragingwire.net 12.34.56.78/90.12.34.56 :Jul 10 15:14:04 PDT: %ASA-session-2-106017: Deny IP due to Land Attack from 0.0.0.0 to 0.0.0.0
regex=-106017: Deny IP due to Land Attack from ([\d\.]+) to ([\d\.]+); \
 classification.text=Land Attack; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=106017; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1279850; \
 id=221; \
 revision=3; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=failed; \
 assessment.impact.description=The Cisco ASA received a packet with the IP source address equal to the IP destination, and the destination port equal to the source port. This message indicates a spoofed packet that is designed to attack systems.
This attack is referred to as a Land Attack.; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$1; \ target(0).node.address(0).category=ipv4-addr; \ target(0).node.address(0).address=$2; \ last #DESCRIPTION:Broadcast address translation request failure #CATEGORY:Network Security #LOG:Jul 12 17:01:40 172.16.1.26.smf.ragingwire.net 69.80.209.4/69.80.209.4 :Jul 12 09:57:12 PDT: %ASA-session-3-305006: regular translation creation failed for icmp src PROD-01:10.10.1.180 dst OUTSIDE-01:ftp-prod01_nat (type 3, code 10) regex=-305006: regular translation creation failed for icmp src (\S+):(\S+) dst (\S+):(\S+) \(type (\d+), code (\d+)\); \ classification.text=Broadcast address translation request; \ classification.reference(0).origin=vendor-specific; \ classification.reference(0).meaning=asa_id; \ classification.reference(0).name=305006; \ classification.reference(0).url=http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_system_message_guide_chapter09186a008051a0cd.html; \ classification.reference(1).origin=vendor-specific; \ classification.reference(1).meaning=asa_severity; \ classification.reference(1).name=3; \ classification.reference(1).url=http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_system_message_guide_chapter09186a008051a0ca.html; \ id=222; \ revision=3; \ analyzer(0).name=ASA; \ analyzer(0).manufacturer=Cisco; \ analyzer(0).class=Firewall; \ assessment.impact.severity=medium; \ assessment.impact.completion=failed; \ assessment.impact.type=recon; \ assessment.impact.description=The firewall has received a request to assign a static NAT translation for a broadcast address, which is illegal. 
This is commonly an indicator of a network mapping attempt.; \ source(0).node.address(0).address=$2; \ source(0).service.iana_protocol_name=icmp; \ source(0).service.iana_protocol_number=1; \ source(0).interface=$1; \ target(0).node.address(0).address=$4; \ target(0).service.iana_protocol_name=icmp; \ target(0).service.iana_protocol_number=1; \ target(0).interface=$3; \ additional_data(0).type=integer; \ additional_data(0).meaning=ICMP type; \ additional_data(0).data=$5; \ additional_data(1).type=integer; \ additional_data(1).meaning=ICMP code; \ additional_data(1).data=$6; \ last #DESCRIPTION:ICMP destination/source mismatch #CATEGORY:Monitoring #LOG:Jul 12 22:14:10 smf-custlog-02 somehost/somehost :Jul 12 15:09:13 PDT: %PIX-ip-4-313003: Invalid destination for ICMP error message: icmp src outside:12.34.56.78 dst inside:12.34.56.78 (type 3, code 3) on outside interface. Original IP payload: udp src 12.34.56.78/31260 dst 12.34.56.78/1026. regex=-313003: Invalid destination for ICMP error message: icmp src (\S+):([\d\.]+) dst (\S+):([\d\.]+) \(type (\d+), code (\d+)\); \ classification.text=ICMP destination/source mismatch; \ classification.reference(0).origin=vendor-specific; \ classification.reference(0).meaning=asa_id; \ classification.reference(0).name=313003; \ classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1281049; \ id=223; \ revision=3; \ analyzer(0).name=ASA; \ analyzer(0).manufacturer=Cisco; \ analyzer(0).class=Firewall; \ assessment.impact.severity=medium; \ assessment.impact.completion=failed; \ assessment.impact.type=recon; \ assessment.impact.description=The destination for the ICMP error message is different than the source of the IP packet that induced the ICMP error message. 
This could be an active network probe, an attempt to use the ICMP error message as a covert channel, or a misbehaving IP host.; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$2; \ source(0).service.iana_protocol_name=icmp; \ source(0).service.iana_protocol_number=1; \ source(0).interface=$1; \ target(0).node.address(0).category=ipv4-addr; \ target(0).node.address(0).address=$4; \ target(0).service.iana_protocol_name=icmp; \ target(0).service.iana_protocol_number=1; \ target(0).interface=$3; \ additional_data(0).type=integer; \ additional_data(0).meaning=ICMP type; \ additional_data(0).data=$5; \ additional_data(1).type=integer; \ additional_data(1).meaning=ICMP code; \ additional_data(1).data=$6; \ last #DESCRIPTION:(TCP|UDP) request discarded #CATEGORY:Monitoring #LOG:Jun 30 2009 07:08:20: %ASA-7-710005: TCP request discarded from 172.19.1.6/1303 to inside:172.19.1.1/2601 regex=-710005: (TCP|UDP) request discarded from ([\d\.]+)/(\d+) to (\S+):([\d\.]+)/(\d+); \ classification.text=$1 request discarded; \ classification.reference(0).origin=vendor-specific; \ classification.reference(0).meaning=asa_id; \ classification.reference(0).name=710005; \ classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1285746; \ id=224; \ revision=1; \ analyzer(0).name=ASA; \ analyzer(0).manufacturer=Cisco; \ analyzer(0).class=Firewall; \ assessment.impact.severity=info; \ assessment.impact.completion=failed; \ assessment.impact.type=recon; \ assessment.impact.description=The appliance does not have a UDP server that services the UDP request. The message can also indicate a TCP packet that does not belong to any session on the security appliance. In addition, this message appears (with the snmp service) when the security appliance receives an SNMP request with an empty payload, even if it is from an authorized host. 
With the snmp service, this message occurs a maximum of 1 time every 10 seconds so that the log receiver is not overwhelmed.; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$2; \ source(0).service.iana_protocol_name=$1; \ source(0).service.port=$3; \ target(0).node.address(0).category=ipv4-addr; \ target(0).node.address(0).address=$5; \ target(0).service.iana_protocol_name=$1; \ target(0).service.port=$6; \ target(0).interface=$4; \ last #DESCRIPTION:Events taken from the Cisco System Log Messages List that will need rules #DESCRIPTION:(include 'attack' || 'intrusion' || 'probe' || 'covert' in description; no log samples): #LOG:Nov 2 18:03:14 pix %PIX-1-106021: Deny protocol reverse path check from source_address to dest_address on interface interface_name #LOG:Nov 2 18:03:14 pix %PIX-1-106022: Deny protocol connection spoof from source_address to dest_address on interface interface_name #LOG:Nov 2 18:03:14 pix %PIX-1-106101 The number of ACL log deny-flows has reached limit (number). 
#LOG:Nov 2 18:03:14 pix %PIX-1-107001: RIP auth failed from IP_address: version=number, type=string, mode=string, sequence=number on interface interface_name
#LOG:Nov 2 18:03:14 pix %PIX-1-107002: RIP pkt failed from IP_address: version=number on interface interface_name
#LOG:Nov 2 18:03:14 pix %PIX-4-109017: User at IP_address exceeded auth proxy connection limit (max)
#LOG:Nov 2 18:03:14 pix %PIX-3-320001: The subject name of the peer cert is not allowed for connection
#LOG:Nov 2 18:03:14 pix %PIX-4-402101: decaps: rec'd IPSEC packet has invalid spi for destaddr=dest_address, prot=protocol, spi=number
#LOG:Nov 2 18:03:14 pix %PIX-4-402102: decapsulate: packet missing {AH|ESP}, destadr=dest_address, actual prot=protocol
#LOG:Nov 2 18:03:14 pix %PIX-4-405002: Received mac mismatch collision from IP_address/mac_address for authenticated host
#LOG:Nov 2 18:03:14 pix %PIX-7-710006: protocol request discarded from source_address to interface_name:dest_address
#LOG:Nov 2 18:03:14 pix %PIX-2-106020: Deny IP teardrop fragment (size = number, offset = number) from IP_address to IP_address
#LOG:Nov 2 18:03:14 pix %PIX-4-209004: Invalid IP fragment, size = bytes exceeds maximum size = bytes: src = IP_address, dest = IP_address, proto = protocol, id = number
#LOG:Nov 2 18:03:14 pix %PIX-4-209005: Discard IP fragment set with more than number elements: src = IP_address, dest = IP_address, proto = protocol, id = number
#LOG:Nov 2 18:03:14 pix %PIX-2-201003: Embryonic limit exceeded nconns/elimit for outside_address/outside_port (global_address) inside_address/inside_port on interface interface_name

#DESCRIPTION:Drop rate exceeded
#CATEGORY:Network Security
#LOG:Dec 7 14:08:17 ASA_NAME %ASA-4-733100: [ Scanning] drop rate-1 exceeded. Current burst rate is 160 per second, max configured rate is 350; Current average rate is 313 per second, max configured rate is 262; Cumulative total count is 188250
regex=-733100: \[\s*[^\]]+\] drop rate-(\d) exceeded\.; \
 classification.text=Drop rate $1 exceeded; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=733100; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1281091; \
 id=500; \
 revision=5; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=failed; \
 assessment.impact.type=recon; \
 assessment.impact.description=The specified object in the syslog message has exceeded the specified burst threshold rate or average threshold rate. The object can be drop activity of a host, TCP/UDP port, IP protocol, or various drops caused by potential attacks. The message indicates that the system is under potential attack.; \
 last

#DESCRIPTION:Deny TCP reverse path check
#CATEGORY:Network Security
#LOG:Dec 7 14:08:17 ASA_NAME %ASA-1-106021: Deny TCP reverse path check from 10.10.10.101 to 65.58.240.105 on interface inside
#regex=-106021: Deny (\S+) reverse path check from ([\d\.]+) to ([\d\.]+) on interface (\S+); \
# classification.text=Deny $1 reverse path check; \
# classification.reference(0).origin=vendor-specific; \
# classification.reference(0).meaning=asa_id; \
# classification.reference(0).name=106021; \
# classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa72/system/message/logmsgs.html#wp1279871; \
# id=501; \
# revision=5; \
# analyzer(0).name=ASA; \
# analyzer(0).manufacturer=Cisco; \
# analyzer(0).class=Firewall; \
# assessment.impact.severity=medium; \
# assessment.impact.completion=failed; \
# assessment.impact.type=recon; \
# assessment.impact.description=An attack is in progress. Someone is attempting to spoof an IP address on an inbound connection.; \
# source(0).interface=$4; \
# source(0).node.address(0).category=ipv4-addr; \
# source(0).node.address(0).address=$2; \
# target(0).node.address(0).address=$3; \
# last

#DESCRIPTION:Deny protocol connection spoof
#CATEGORY:Network Security
#LOG:Nov 2 18:03:14 pix %PIX-1-106022: Deny protocol connection spoof from source_address to dest_address on interface interface_name
regex=-106022: Deny (\S+) connection spoof from ([\d\.]+) to ([\d\.]+) on interface (\S+); \
 classification.text=Deny $1 connection spoof; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=106022; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa72/system/message/logmsgs.html#wp1279871; \
 id=502; \
 revision=5; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=failed; \
 assessment.impact.type=recon; \
 assessment.impact.description=A packet matching an existing connection arrived on a different interface from the one on which the connection began. This indicates either asymmetric routing or a spoofed packet injected into an existing $1 connection.; \
 source(0).interface=$4; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$2; \
 target(0).node.address(0).address=$3; \
 last

#DESCRIPTION:The number of ACL log deny-flows has reached limit
#CATEGORY:Network Security
#LOG:Nov 2 18:03:14 pix %PIX-1-106101: The number of ACL log deny-flows has reached limit (number).
regex=-106101: The number of ACL log deny-flows has reached limit \((\d+)\); \
 classification.text=ACL log deny-flows limit of $1 reached; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=106101; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa72/system/message/logmsgs.html#wp1279871; \
 id=503; \
 revision=5; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=failed; \
 assessment.impact.type=recon; \
 assessment.impact.description=The number of cached deny-flows for ACL entries with the log option has reached the configured limit of $1. New deny-flows are no longer cached or logged until existing ones expire, so denied traffic may go unreported.; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=limit reached; \
 additional_data(0).data=$1; \
 last

#DESCRIPTION:User executed the 'configure terminal' command
#CATEGORY:Command Execution
#LOG:Dec 7 14:08:17 ASA_NAME %ASA-5-111008: User 'USER' executed the 'configure terminal' command.
regex=-111008: User '(\S+)' executed the 'configure terminal' command; \
 classification.text=User $1 executed the 'configure terminal' command; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=111008; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa72/system/message/logmsgs.html#wp1280203; \
 id=504; \
 revision=5; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=admin; \
 assessment.impact.description=The user $1 entered a command other than a show command, here 'configure terminal', which enters global configuration mode.; \
 additional_data(0).type=string; \
 additional_data(0).meaning=User; \
 additional_data(0).data=$1; \
 source(0).user.category=os-device; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$1; \
 target(0).user.category=os-device; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=enable_15; \
 last

#DESCRIPTION:RIP auth failed
#CATEGORY:Monitoring
#LOG:Nov 2 18:03:14 pix %PIX-1-107001: RIP auth failed from IP_address: version=number, type=string, mode=string, sequence=number on interface interface_name
regex=-107001: RIP auth failed from ([\d\.]+): version=(\d+), type=([^,]+), mode=([^,]+), sequence=(\d+) on interface (\S+); \
 classification.text=RIP auth failed from $1 on interface $6; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=107001; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa72/system/message/logmsgs.html#wp1280203; \
 id=505; \
 revision=5; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=low; \
 assessment.impact.completion=failed; \
 assessment.impact.type=recon; \
 assessment.impact.description=RIP authentication failed for a packet from $1 (version $2, type $3, mode $4, sequence $5) received on interface $6.; \
 source(0).interface=$6; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 additional_data(0).type=string; \
 additional_data(0).meaning=version; \
 additional_data(0).data=$2; \
 additional_data(1).type=string; \
 additional_data(1).meaning=type; \
 additional_data(1).data=$3; \
 additional_data(2).type=string; \
 additional_data(2).meaning=mode; \
 additional_data(2).data=$4; \
 additional_data(3).type=string; \
 additional_data(3).meaning=sequence; \
 additional_data(3).data=$5; \
 last

#DESCRIPTION:RIP pkt failed
#CATEGORY:Monitoring
#LOG:Nov 2 18:03:14 pix %PIX-1-107002: RIP pkt failed from IP_address: version=number on interface interface_name
regex=-107002: RIP pkt failed from ([\d\.]+): version=(\d+) on interface (\S+); \
 classification.text=RIP pkt failed from $1 on interface $3; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=107002; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa72/system/message/logmsgs.html#wp1280203; \
 id=506; \
 revision=5; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=low; \
 assessment.impact.completion=failed; \
 assessment.impact.type=recon; \
 assessment.impact.description=A RIP packet from $1 (version $2) received on interface $3 failed validation and was discarded.; \
 source(0).interface=$3; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 additional_data(0).type=string; \
 additional_data(0).meaning=version; \
 additional_data(0).data=$2; \
 last

#DESCRIPTION:User exceeded auth proxy connection limit
#CATEGORY:Authentication
#LOG:Nov 2 18:03:14 pix %PIX-4-109017: User at IP_address exceeded auth proxy connection limit (max)
regex=-109017: User at ([\d\.]+) exceeded auth proxy connection limit; \
 classification.text=User at $1 exceeded auth proxy connection limit; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=109017; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa72/system/message/logmsgs.html#wp1280203; \
 id=507; \
 revision=5; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=low; \
 assessment.impact.completion=failed; \
 assessment.impact.type=recon; \
 assessment.impact.description=The user at $1 opened more authentication proxy connections than the configured maximum allows.; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 last

#DESCRIPTION:The subject name of the peer cert is not allowed for connection
#CATEGORY:Network Security
#LOG:Nov 2 18:03:14 pix %PIX-3-320001: The subject name of the peer cert is not allowed for connection
regex=-320001: The subject name of the peer cert is not allowed for connection; \
 classification.text=The subject name of the peer cert is not allowed for connection; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=320001; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa72/system/message/logmsgs.html#wp1280203; \
 id=508; \
 revision=5; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=low; \
 assessment.impact.completion=failed; \
 assessment.impact.type=recon; \
 assessment.impact.description=The subject name of the peer certificate presented during connection setup is not allowed by the configured policy, so the connection was refused.; \
 last

#DESCRIPTION:rec'd IPSEC packet has invalid spi
#CATEGORY:Network Security
#LOG:Nov 2 18:03:14 pix %PIX-4-402101: decaps: rec'd IPSEC packet has invalid spi for destaddr=dest_address, prot=protocol, spi=number
regex=-402101: decaps: rec'd IPSEC packet has invalid spi for destaddr=([\d\.]+); \
 classification.text=rec'd IPSEC packet has invalid spi for destaddr=$1; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=402101; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa72/system/message/logmsgs.html#wp1280203; \
 id=509; \
 revision=1; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=low; \
 assessment.impact.completion=failed; \
 assessment.impact.type=recon; \
 assessment.impact.description=The security appliance received an IPsec packet for $1 whose SPI does not match any current security association, and dropped it. This is usually a stale or mismatched SA, but can also be a replayed or forged packet.; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$1; \
 last

#DESCRIPTION:Dropping TCP packet
#CATEGORY:Packet Filtering
#LOG:Dec 7 14:08:17 ASA_NAME %ASA-4-419001: Dropping TCP packet from src_ifc:src_IP/src_port to dest_ifc:dest_IP/dest_port, reason: MSS exceeded, MSS size, data size
regex=-419001: Dropping TCP packet from (\S+):([\d\.]+)/(\d+) to (\S+):([\d\.]+)/(\d+), reason: (.+); \
 classification.text=Dropping TCP packet; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=419001; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1279756; \
 id=510; \
 revision=1; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=medium; \
 assessment.impact.description=A TCP packet from $1:$2/$3 to $4:$5/$6 was dropped. Reason: $7.; \
 source(0).interface=$1; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$2; \
 source(0).service.port=$3; \
 target(0).interface=$4; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$5; \
 target(0).service.port=$6; \
 last

#DESCRIPTION:Duplicate TCP SYN
#CATEGORY:Monitoring
#LOG:Apr 10 15:40:15 x.x.x.x xxx %ASA-4-419002: Duplicate TCP SYN from outside:xx.xx.xx.xx/xxx to inside:xx.xx.xx.xx/xxxx with different initial sequence number
regex=-419002: Duplicate TCP SYN from (\S+):([\d\.]+)/(\d+) to (\S+):([\d\.]+)/(\d+); \
 classification.text=Duplicate TCP SYN; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=419002; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1279756; \
 id=511; \
 revision=1; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=medium; \
 assessment.impact.description=Duplicate TCP SYN with different initial sequence number.; \
 source(0).interface=$1; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$2; \
 source(0).service.port=$3; \
 target(0).interface=$4; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$5; \
 target(0).service.port=$6; \
 last

#DESCRIPTION:Cleared TCP urgent flag
#CATEGORY:Monitoring
#LOG:Dec 7 14:08:17 ASA_NAME %ASA-4-419003: Cleared TCP urgent flag from in_ifc:src_ip/src_port to out_ifc:dest_ip/dest_port.
regex=-419003: Cleared TCP urgent flag from (\S+):([\d\.]+)/(\d+) to (\S+):([\d\.]+)/(\d+); \
 classification.text=Cleared TCP urgent flag; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=419003; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1279756; \
 id=512; \
 revision=1; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=medium; \
 assessment.impact.description=Cleared TCP urgent flag from $1:$2/$3 to $4:$5/$6; \
 source(0).interface=$1; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$2; \
 source(0).service.port=$3; \
 target(0).interface=$4; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$5; \
 target(0).service.port=$6; \
 last

#DESCRIPTION:Failover cable - OK
#CATEGORY:Monitoring
#LOG:Dec 7 14:08:17 ASA_NAME %ASA-1-101001: (Primary) Failover cable OK.
regex=-101001: \(([^)]+)\); \
 classification.text=Failover cable OK; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=101001; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1285015; \
 id=513; \
 revision=1; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=high; \
 assessment.impact.type=admin; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Failover cable OK (reported by the $1 unit).; \
 additional_data(0).type=string; \
 additional_data(0).meaning=failover unit; \
 additional_data(0).data=$1; \
 last

#DESCRIPTION:Failover cable - NOK
#CATEGORY:Monitoring
#LOG:Dec 7 14:08:17 ASA_NAME %ASA-1-101002: (Primary) Bad failover cable.
regex=-101002: \(([^)]+)\); \
 classification.text=Bad failover cable; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=101002; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1285015; \
 id=514; \
 revision=1; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=high; \
 assessment.impact.type=admin; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Bad failover cable (reported by the $1 unit).; \
 additional_data(0).type=string; \
 additional_data(0).meaning=failover unit; \
 additional_data(0).data=$1; \
 last

#DESCRIPTION:Failover cable - Not connected (this unit)
#CATEGORY:Monitoring
#LOG:Dec 7 14:08:17 ASA_NAME %ASA-1-101003: (Primary) Failover cable not connected (this unit).
regex=-101003: \(([^)]+)\) Failover cable not connected \(([^)]+)\); \
 classification.text=Failover cable not connected; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=101003; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1285015; \
 id=515; \
 revision=1; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=high; \
 assessment.impact.type=admin; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Failover cable not connected ($2), reported by the $1 unit.; \
 additional_data(0).type=string; \
 additional_data(0).meaning=failover unit; \
 additional_data(0).data=$1; \
 additional_data(1).type=string; \
 additional_data(1).meaning=disconnected unit; \
 additional_data(1).data=$2; \
 last

#DESCRIPTION:Failover cable - Not connected (other unit)
#CATEGORY:Monitoring
#LOG:Dec 7 14:08:17 ASA_NAME %ASA-1-101004: (Primary) Failover cable not connected (other unit).
regex=-101004: \(([^)]+)\) Failover cable not connected \(([^)]+)\); \
 classification.text=Failover cable not connected; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=101004; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1285015; \
 id=516; \
 revision=1; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=high; \
 assessment.impact.type=admin; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Failover cable not connected ($2), reported by the $1 unit.; \
 additional_data(0).type=string; \
 additional_data(0).meaning=failover unit; \
 additional_data(0).data=$1; \
 additional_data(1).type=string; \
 additional_data(1).meaning=disconnected unit; \
 additional_data(1).data=$2; \
 last

#DESCRIPTION:Failover cable status, error reading
#CATEGORY:Monitoring
#LOG:Dec 7 14:08:17 ASA_NAME %ASA-1-101005: (Primary) Error reading failover cable status.
regex=-101005: \(([^)]+)\); \
 classification.text=Error reading failover cable status; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=101005; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1285015; \
 id=517; \
 revision=1; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=high; \
 assessment.impact.type=admin; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Error reading failover cable status (reported by the $1 unit).; \
 additional_data(0).type=string; \
 additional_data(0).meaning=failover unit; \
 additional_data(0).data=$1; \
 last

#DESCRIPTION:Power failure/System reload other side
#CATEGORY:Monitoring
#LOG:Dec 7 14:08:17 ASA_NAME %ASA-1-102001: (Primary) Power failure/System reload other side.
regex=-102001: \(([^)]+)\); \
 classification.text=Power failure/System reload other side; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=102001; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1285015; \
 id=518; \
 revision=1; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=high; \
 assessment.impact.type=admin; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Power failure/System reload on the other side (reported by the $1 unit).; \
 additional_data(0).type=string; \
 additional_data(0).meaning=failover unit; \
 additional_data(0).data=$1; \
 last

#DESCRIPTION:No response from other firewall
#CATEGORY:Monitoring
#LOG:Dec 7 14:08:17 ASA_NAME %ASA-1-103001: (Primary) No response from other firewall (reason code = code).
regex=-103001: \(([^)]+)\); \
 classification.text=No response from other firewall; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=103001; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1285015; \
 id=519; \
 revision=1; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=high; \
 assessment.impact.type=admin; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=No response from other firewall (reported by the $1 unit).; \
 additional_data(0).type=string; \
 additional_data(0).meaning=failover unit; \
 additional_data(0).data=$1; \
 last

#DESCRIPTION:Other firewall network interface OK
#CATEGORY:Monitoring
#LOG:Dec 7 14:08:17 ASA_NAME %ASA-1-103002: (Primary) Other firewall network interface interface_number OK.
regex=-103002: \((\S+)\); \ classification.text=Other firewall network interface OK; \ classification.reference(0).origin=vendor-specific; \ classification.reference(0).meaning=asa_id; \ classification.reference(0).name=103002; \ classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1285015; \ id=520; \ revision=1; \ analyzer(0).name=ASA; \ analyzer(0).manufacturer=Cisco; \ analyzer(0).class=Firewall; \ assessment.impact.severity=high; \ assessment.impact.type=admin; \ assessment.impact.completion=succeeded; \ assessment.impact.description=Other firewall network interface OK.; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$1; \ last #DESCRIPTION:Other firewall network interface failed #CATEGORY:Monitoring #LOG:Dec 7 14:08:17 ASA_NAME %ASA-1-103003: (Primary) Other firewall network interface interface_number failed. regex=-103003: \((\S+)\); \ classification.text=Other firewall network interface failed; \ classification.reference(0).origin=vendor-specific; \ classification.reference(0).meaning=asa_id; \ classification.reference(0).name=103003; \ classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1285015; \ id=521; \ revision=1; \ analyzer(0).name=ASA; \ analyzer(0).manufacturer=Cisco; \ analyzer(0).class=Firewall; \ assessment.impact.severity=high; \ assessment.impact.type=admin; \ assessment.impact.completion=succeeded; \ assessment.impact.description=Other firewall network interface failed.; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$1; \ last #DESCRIPTION:Other firewall reports this firewall failed #CATEGORY:Monitoring #LOG:Dec 7 14:08:17 ASA_NAME %ASA-1-103004: (Primary) Other firewall reports this firewall failed. 
regex=-103004: \((\S+)\); \ classification.text=Other firewall reports this firewall failed; \ classification.reference(0).origin=vendor-specific; \ classification.reference(0).meaning=asa_id; \ classification.reference(0).name=103004; \ classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1285015; \ id=522; \ revision=1; \ analyzer(0).name=ASA; \ analyzer(0).manufacturer=Cisco; \ analyzer(0).class=Firewall; \ assessment.impact.severity=high; \ assessment.impact.type=admin; \ assessment.impact.completion=succeeded; \ assessment.impact.description=Other firewall reports this firewall failed.; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$1; \ last #DESCRIPTION:Other firewall reporting failure #CATEGORY:Monitoring #LOG:Dec 7 14:08:17 ASA_NAME %ASA-1-103005: (Primary) Other firewall reporting failure. regex=-103005: \((\S+)\); \ classification.text=Other firewall reporting failure; \ classification.reference(0).origin=vendor-specific; \ classification.reference(0).meaning=asa_id; \ classification.reference(0).name=103005; \ classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1285015; \ id=523; \ revision=1; \ analyzer(0).name=ASA; \ analyzer(0).manufacturer=Cisco; \ analyzer(0).class=Firewall; \ assessment.impact.severity=high; \ assessment.impact.type=admin; \ assessment.impact.completion=succeeded; \ assessment.impact.description=Other firewall reporting failure.; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$1; \ last #DESCRIPTION:Disabling failover #CATEGORY:Monitoring #LOG:Dec 7 14:08:17 ASA_NAME %ASA-1-105001: (Primary) Disabling failover. 
regex=-105001: \((\S+)\); \
 classification.text=Disabling failover; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=105001; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1285015; \
 id=524; \
 revision=1; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=high; \
 assessment.impact.type=admin; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Disabling failover.; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 last

#DESCRIPTION:Enabling failover
#CATEGORY:Monitoring
#LOG:Dec 7 14:08:17 ASA_NAME %ASA-1-105002: (Primary) Enabling failover.
regex=-105002: \((\S+)\); \
 classification.text=Enabling failover; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=105002; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1285015; \
 id=525; \
 revision=1; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=high; \
 assessment.impact.type=admin; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Enabling failover.; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 last

#DESCRIPTION:Monitoring on interface waiting
#CATEGORY:Monitoring
#LOG:Dec 7 14:08:17 ASA_NAME %ASA-1-105003: (Primary) Monitoring on interface interface_name waiting
regex=-105003: \((\S+)\); \
 classification.text=Monitoring on interface waiting; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=105003; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1285015; \
 id=526; \
 revision=1; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=high; \
 assessment.impact.type=admin; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Monitoring on interface waiting.; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 last

#DESCRIPTION:Monitoring on interface normal
#CATEGORY:Monitoring
#LOG:Dec 7 14:08:17 ASA_NAME %ASA-1-105004: (Primary) Monitoring on interface interface_name normal
regex=-105004: \((\S+)\); \
 classification.text=Monitoring on interface normal; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=105004; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1285015; \
 id=527; \
 revision=1; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=high; \
 assessment.impact.type=admin; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Monitoring on interface normal.; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 last

#DESCRIPTION:Lost Failover communications with mate on interface
#CATEGORY:Monitoring
#LOG:Dec 7 14:08:17 ASA_NAME %ASA-1-105005: (Primary) Lost Failover communications with mate on interface interface_name.
regex=-105005: \((\S+)\); \
 classification.text=Lost Failover communications with mate on interface; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=105005; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1285015; \
 id=528; \
 revision=1; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=high; \
 assessment.impact.type=admin; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Lost Failover communications with mate on interface.; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 last

#DESCRIPTION:Link status Up on interface
#CATEGORY:Monitoring
#LOG:Dec 7 14:08:17 ASA_NAME %ASA-1-105006: (Primary) Link status `Up' on interface interface_name.
regex=-105006: \((\S+)\); \
 classification.text=Link status Up on interface; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=105006; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1285015; \
 id=529; \
 revision=1; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=high; \
 assessment.impact.type=admin; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Link status Up on interface.; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 last

#DESCRIPTION:Link status Down on interface
#CATEGORY:Monitoring
#LOG:Dec 7 14:08:17 ASA_NAME %ASA-1-105007: (Primary) Link status `Down' on interface interface_name.
regex=-105007: \((\S+)\); \
 classification.text=Link status Down on interface; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=105007; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1285015; \
 id=530; \
 revision=1; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=high; \
 assessment.impact.type=admin; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Link status Down on interface.; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 last

#DESCRIPTION:Testing interface
#CATEGORY:Monitoring
#LOG:Dec 7 14:08:17 ASA_NAME %ASA-1-105008: (Primary) Testing interface interface_name.
regex=-105008: \((\S+)\); \
 classification.text=Testing interface; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=105008; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1285015; \
 id=531; \
 revision=1; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=high; \
 assessment.impact.type=admin; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Testing interface.; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 last

#DESCRIPTION:Testing interface result
#CATEGORY:Monitoring
#LOG:Dec 7 14:08:17 ASA_NAME %ASA-1-105009: (Primary) Testing on interface interface_name {Passed|Failed}.
regex=-105009: \((\S+)\); \
 classification.text=Testing on interface Passed|Failed; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=105009; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1285015; \
 id=532; \
 revision=1; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=high; \
 assessment.impact.type=admin; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Testing interface Passed|Failed.; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 last

#DESCRIPTION:Failover cable - Communication failure
#CATEGORY:Monitoring
#LOG:Dec 7 14:08:17 ASA_NAME %ASA-1-105011: (Primary) Failover cable communication failure
regex=-105011: \((\S+)\); \
 classification.text=Failover cable - Communication failure; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=105011; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1285015; \
 id=533; \
 revision=1; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=high; \
 assessment.impact.type=admin; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Failover cable communication failure.; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 last

#DESCRIPTION:Incomplete/slow config replication
#CATEGORY:Monitoring
#LOG:Dec 7 14:08:17 ASA_NAME %ASA-1-105020: (Primary) Incomplete/slow config replication
regex=-105020: \((\S+)\); \
 classification.text=Incomplete/slow config replication; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=105020; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1285015; \
 id=534; \
 revision=1; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=high; \
 assessment.impact.type=admin; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Incomplete/slow config replication.; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 last

#DESCRIPTION:Standby unit failed to sync due to a locked config
#CATEGORY:Monitoring
#LOG:Dec 7 14:08:17 ASA_NAME %ASA-1-105021: (failover_unit) Standby unit failed to sync due to a locked context_name config. Lock held by lock_owner_name
regex=-105021: \((\S+)\); \
 classification.text=Standby unit failed to sync due to a locked config; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=105021; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1285015; \
 id=535; \
 revision=1; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=high; \
 assessment.impact.type=admin; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Standby unit failed to sync due to a locked config.; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 last

#DESCRIPTION:Failover - Switching to OK
#CATEGORY:Monitoring
#LOG:Dec 7 14:08:17 ASA_NAME %ASA-1-104004: (Primary) Switching to OK
regex=-104004:; \
 classification.text=Failover - Switching to OK; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=104004; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1285015; \
 id=536; \
 revision=6; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=medium; \
 assessment.impact.type=admin; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Posible Failover en Firewall Cisco ASA. Ver Log.; \
 last

#DESCRIPTION:Failover - Switching to ACTIVE
#CATEGORY:Monitoring
#LOG:Dec 7 14:08:17 ASA_NAME %ASA-1-104001: (Primary) Switching to ACTIVE (cause: string)
regex=-104001:; \
 classification.text=Failover - Switching to ACTIVE; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=104001; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1285015; \
 id=537; \
 revision=1; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=medium; \
 assessment.impact.type=admin; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Posible Failover en Firewall Cisco ASA (Switching to ACTIVE). Ver Log.; \
 last

#DESCRIPTION:Failover - Switching to STNDBY
#CATEGORY:Monitoring
#LOG:Dec 7 14:08:17 ASA_NAME %ASA-1-104002: (Primary) Switching to STNDBY (cause: string)
regex=-104002:; \
 classification.text=Failover - Switching to STNDBY; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=104002; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1285015; \
 id=538; \
 revision=1; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=medium; \
 assessment.impact.type=admin; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Posible Failover en Firewall Cisco ASA (Switching to STNDBY). Ver Log.; \
 last

#DESCRIPTION:Failover - Switching to FAILED
#CATEGORY:Monitoring
#LOG:Dec 7 14:08:17 ASA_NAME %ASA-1-104003: (Primary) Switching to FAILED
regex=-104003:; \
 classification.text=Failover - Switching to FAILED; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=104003; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1285015; \
 id=539; \
 revision=1; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=medium; \
 assessment.impact.type=admin; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Posible Failover en Firewall Cisco ASA (Switching to FAILED). Ver Log.; \
 last

#DESCRIPTION:Local CA Server certificate is due to expire
#CATEGORY:Monitoring
#LOG:Dec 7 14:08:17 ASA_NAME %ASA-1-717049: Local CA Server certificate is due to expire in number days and a replacement certificate is available for export.
regex=-717049:; \
 classification.text=Local CA Server certificate is due to expire; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=717049; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1279756; \
 id=540; \
 revision=1; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=medium; \
 assessment.impact.description=Local CA Server certificate is due to expire in number days and a replacement certificate is available for export.; \
 last

#DESCRIPTION:Cooling Fan var1: OK
#CATEGORY:Monitoring
#LOG:Dec 7 14:08:17 ASA_NAME %ASA-1-735001: Cooling Fan var1: OK
regex=-735001:; \
 classification.text=Cooling Fan var1 - OK; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=735001; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1279756; \
 id=541; \
 revision=1; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=medium; \
 assessment.impact.description=Cooling Fan var1: OK.; \
 last

#DESCRIPTION:Cooling Fan var1: Failure Detected
#CATEGORY:Monitoring
#LOG:Dec 7 14:08:17 ASA_NAME %ASA-1-735002: Cooling Fan var1: Failure Detected
regex=-735002:; \
 classification.text=Cooling Fan var1 - Failure Detected; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=735002; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1279756; \
 id=542; \
 revision=1; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=medium; \
 assessment.impact.description=Cooling Fan var1: Failure Detected.; \
 last

#DESCRIPTION:Power Supply var1 - OK
#CATEGORY:Monitoring
#LOG:Dec 7 14:08:17 ASA_NAME %ASA-1-735003: Power Supply var1: OK
regex=-735003:; \
 classification.text=Power Supply var1 - OK; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=735003; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1279756; \
 id=543; \
 revision=1; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=medium; \
 assessment.impact.description=Power Supply var1: OK.; \
 last

#DESCRIPTION:Power Supply var1 - Failure Detected
#CATEGORY:Monitoring
#LOG:Dec 7 14:08:17 ASA_NAME %ASA-1-735004: Power Supply var1: Failure Detected
regex=-735004:; \
 classification.text=Power Supply var1 - Failure Detected; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=735004; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1279756; \
 id=544; \
 revision=1; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=medium; \
 assessment.impact.description=Power Supply var1: Failure Detected.; \
 last

#DESCRIPTION:Power Supply Unit Redundancy - OK
#CATEGORY:Monitoring
#LOG:Dec 7 14:08:17 ASA_NAME %ASA-1-735005: Power Supply Unit Redundancy OK
regex=-735005:; \
 classification.text=Power Supply Unit Redundancy - OK; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=735005; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1279756; \
 id=545; \
 revision=1; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=medium; \
 assessment.impact.description=Power Supply Unit Redundancy OK.; \
 last

#DESCRIPTION:Power Supply Unit Redundancy - Lost
#CATEGORY:Monitoring
#LOG:Dec 7 14:08:17 ASA_NAME %ASA-1-735006: Power Supply Unit Redundancy Lost
regex=-735006:; \
 classification.text=Power Supply Unit Redundancy - Lost; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=735006; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1279756; \
 id=546; \
 revision=1; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=medium; \
 assessment.impact.description=Power Supply Unit Redundancy Lost.; \
 last

#DESCRIPTION:CPU: Temp: Critical
#CATEGORY:Monitoring
#LOG:Dec 7 14:08:17 ASA_NAME %ASA-1-735007: CPU var1: Temp: var2 var3, Critical
regex=-735007:; \
 classification.text=CPU: Temp: Critical; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=735007; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1279756; \
 id=547; \
 revision=1; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=medium; \
 assessment.impact.description=CPU var1: Temp: var2 var3, Critical.; \
 last

#DESCRIPTION:CPU is running beyond the max thermal operating temperature
#CATEGORY:Monitoring
#LOG:Dec 7 14:08:17 ASA_NAME %ASA-1-735022: CPU# is running beyond the max thermal operating temperature and the device will be shutting down immediately to prevent permanent damage to the CPU.
regex=-735022:; \
 classification.text=CPU is running beyond the max thermal operating temperature; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=735022; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1279756; \
 id=548; \
 revision=1; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=medium; \
 assessment.impact.description=CPU# is running beyond the max thermal operating temperature and the device will be shutting down immediately to prevent permanent damage to the CPU.; \
 last

#DESCRIPTION:TCP flow terminated by inspection engine
#CATEGORY:Monitoring
#LOG:Apr 27 14:50:30 xx.xx.xx.xx Name %ASA-4-507003: tcp flow from outside:xx.xx.xx.xx/xxxxx to inside:xx.xx.xx.xx/xxx terminated by inspection engine, reason - proxy inspector drop reset
regex=-507003: tcp flow from (\S+):([\d\.]+)/(\d+) to (\S+):([\d\.]+)/(\d+) terminated by inspection engine, reason - (.+); \
 classification.text=TCP flow terminated by inspection engine; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=507003; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1279735; \
 id=549; \
 revision=5; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=medium; \
 assessment.impact.description=TCP flow terminated by inspection engine, reason - $7.; \
 source(0).interface=$1; \
 source(0).service.iana_protocol_name=TCP; \
 source(0).service.iana_protocol_number=6; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$2; \
 source(0).service.port=$3; \
 target(0).interface=$4; \
 target(0).service.iana_protocol_name=TCP; \
 target(0).service.iana_protocol_number=6; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$5; \
 target(0).service.port=$6; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Reason; \
 additional_data(0).data=$7; \
 last

#DESCRIPTION:No translation group found
#CATEGORY:Monitoring
#LOG:May 3 15:30:52 xx.xx.xx.xx Name %ASA-3-305005: No translation group found for icmp src inside:zz.zz.zz.zz dst outside:zz.zz.zz.zz (type 8, code 0)
regex=-305005: No translation group found for (\S+) src (\S+):([\d\.]+) dst (\S+):([\d\.]+); \
 classification.text=No translation group found; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=305005; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1279735; \
 id=550; \
 revision=5; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=medium; \
 assessment.impact.description=No translation group found for $1.; \
 source(0).interface=$2; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$3; \
 target(0).interface=$4; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$5; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Proto; \
 additional_data(0).data=$1; \
 last

#DESCRIPTION:Regular translation creation failed
#CATEGORY:Monitoring
#LOG:May 31 18:53:59 192.168.161.4 Antonio %ASA-3-305006: regular translation creation failed for protocol 50 src inside:172.19.102.61 dst outside:200.40.236.15
regex=-305006: regular translation creation failed for protocol (\d+) src (\S+):([\d\.]+) dst (\S+):([\d\.]+); \
 classification.text=Regular translation creation failed; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=305006; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1279735; \
 id=551; \
 revision=5; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=medium; \
 assessment.impact.description=regular translation creation failed for protocol $1.; \
 source(0).interface=$2; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$3; \
 target(0).interface=$4; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$5; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Proto; \
 additional_data(0).data=$1; \
 last

#DESCRIPTION:Asymmetric NAT rules failed
#CATEGORY:Monitoring
#LOG:Jun 2 16:12:09 ASA_NAME %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:x.x.x.x dst inside:x.x.x.x (type 8, code 0) denied due to NAT reverse path failure
regex=-305013: Asymmetric NAT rules matched for forward and reverse flows; \
 classification.text=Asymmetric NAT rules failed; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=305013; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1279735; \
 id=552; \
 revision=5; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=medium; \
 assessment.impact.description=Asymmetric NAT rules matched for forward and reverse flows.; \
 last

#DESCRIPTION:LU allocate connection failed
#CATEGORY:Monitoring
#LOG:Jun 4 12:32:47 ASA_NAME %ASA-3-210005: LU allocate connection failed
regex=-210005: LU allocate connection failed; \
 classification.text=LU allocate connection failed; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=210005; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1279735; \
 id=553; \
 revision=5; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=medium; \
 assessment.impact.description=LU allocate connection failed.; \
 last

#DESCRIPTION:Connection limit exceeded
#CATEGORY:Network Security
#LOG:Dec 11 18:41:14 x.x.x.x abc %ASA-3-201011: Connection limit exceeded 10000/10000 for inbound packet from x.x.x.x/xx to x.x.x.x/xx on interface outside
regex=-201011: Connection limit exceeded (\d+)/(\d+) for (\S+) packet from ([\d\.]+)/(\d+) to ([\d\.]+)/(\d+) on interface (\S+); \
 classification.text=Connection limit exceeded; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=201011; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1279735; \
 id=554; \
 revision=5; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=high; \
 assessment.impact.description=Connection limit exceeded $1/$2 for $3 packet from $4.; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$4; \
 source(0).service.port=$5; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$6; \
 target(0).service.port=$7; \
 last

#DESCRIPTION:Per-client connection limit exceeded
#CATEGORY:Network Security
#LOG:Dec 11 18:41:14 x.x.x.x abc %ASA-3-201013: Per-client connection limit exceeded 10000/10000 for inbound packet from x.x.x.x/xx to x.x.x.x/xx on interface outside
regex=-201013: Per-client connection limit exceeded (\d+)/(\d+) for (\S+) packet from ([\d\.]+)/(\d+) to ([\d\.]+)/(\d+) on interface (\S+); \
 classification.text=Per-client connection limit exceeded; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=asa_id; \
 classification.reference(0).name=201013; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/security/asa/asa70/system/message/logmsgs.html#wp1279735; \
 id=555; \
 revision=5; \
 analyzer(0).name=ASA; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=high; \
 assessment.impact.description=Per-client connection limit exceeded $1/$2 for $3 packet from $4.; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$4; \
 source(0).service.port=$5; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$6; \
 target(0).service.port=$7; \
 last

prelude-lml-rules-5.1.0/ruleset/cisco-css.rules

#FULLNAME: Cisco CSS
#VERSION: 1.0
#DESCRIPTION: The Cisco CSS (Content Services Switch) is a high-performance, high-availability modular architecture for Web infrastructures. The rules included here were developed using BIG-IP Kernel 4.5PTF-06 Build25.

#####
#
# Copyright (C) 2006 G Ramon Gomez
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

#DESCRIPTION:Generic LINK DOWN
#CATEGORY:Monitoring
#LOG:AUG 14 08:31:13 smf-custlog-02 1/1 88 NETMAN-2: Generic:LINK DOWN for e3
regex=NETMAN-\d: Generic:LINK DOWN for (\S+); \
 classification.text=Interface down; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=css_subsystem; \
 classification.reference(0).name=NETMAN; \
 id=4700; \
 revision=2; \
 analyzer(0).name=CSS; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Load Balancer; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=dos; \
 assessment.impact.severity=medium; \
 assessment.impact.description=Interface $1 status changed to down; \
 target(0).interface=$1; \
 additional_data(0).type=string; \
 additional_data(0).meaning=New state; \
 additional_data(0).data=down; \
 last

#DESCRIPTION:Cisco command - Write memory
#CATEGORY:Monitoring
#LOG:AUG 16 06:45:00 smf-custlog-02 1/1 1022 NETMAN-6: CLMcmd: wr mem,neteng@12.34.56.78
#LOG:AUG 16 00:12:35 smf-custlog-02 1/1 49169 NETMAN-6: CLMcmd: wr memory ,neteng@90.12.34.56
regex=NETMAN-\d: CLMcmd: wr (\S+)\s*,(\S+)@([\d\.]+); \
 classification.text=Configuration written to $1; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=css_subsystem; \
 classification.reference(0).name=NETMAN; \
 id=4701; \
 revision=2; \
 analyzer(0).name=CSS; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Load Balancer; \
 assessment.impact.severity=low; \
 assessment.impact.type=admin; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Configuration was stored on $1; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$3; \
 source(0).user.category=os-device; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$2; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Destination device; \
 additional_data(0).data=$1; \
 last

#DESCRIPTION:Cisco command - Exit
#CATEGORY:Command Execution
#LOG:AUG 16 07:31:45 smf-custlog-02 1/1 1065 NETMAN-6: CLMcmd: exit,neteng@12.34.56.78
regex=NETMAN-\d: CLMcmd: (.+)\s*,(\S+)@([\d\.]+); \
 classification.text=Command audit; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=css_subsystem; \
 classification.reference(0).name=NETMAN; \
 id=4702; \
 revision=2; \
 analyzer(0).name=CSS; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Load Balancer; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=admin; \
 assessment.impact.description=The command $1 was executed; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$3; \
 source(0).user.category=os-device; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$2; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Command; \
 additional_data(0).data=$1; \
 last

#DESCRIPTION:Access attempt
#CATEGORY:Network Security
#LOG:AUG 16 00:13:46 smf-custlog-02 1/1 49172 SSHD-4: Access attempted by  from 12.34.56.78 port 1106
#LOG:AUG 16 07:31:52 smf-custlog-02 1/1 1067 SSHD-4: Access attempted by neteng from 12.34.56.78 port 1121
regex=SSHD-\d: Access attempted by (.*) from ([\d\.]+) port (\d+); \
 classification.text=User login; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=css_subsystem; \
 classification.reference(0).name=SSHD; \
 id=4703; \
 revision=3; \
 analyzer(0).name=CSS; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Load Balancer; \
 assessment.impact.severity=medium; \
 assessment.impact.type=admin; \
 assessment.impact.completion=failed; \
 assessment.impact.description=User $1 failed login; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$2; \
 source(0).service.port=$3; \
 target(0).service.port=22; \
 target(0).user.category=os-device; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$1; \
 last
#DESCRIPTION:Cisco - Login
#CATEGORY:Authentication
#LOG:AUG 16 07:31:57 smf-custlog-02 1/1 1069 NETMAN-6: CLM: Login neteng@12.34.56.78
regex=NETMAN-\d: CLM: Login (\S+)@([\d\.]+); \
 classification.text=User login; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=css_subsystem; \
 classification.reference(0).name=NETMAN; \
 id=4704; \
 revision=3; \
 analyzer(0).name=CSS; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Load Balancer; \
 assessment.impact.severity=low; \
 assessment.impact.type=admin; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=This message appears when a user is authenticated successfully and a management session starts.; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$2; \
 target(0).user.category=os-device; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$1; \
 last

#DESCRIPTION:Duplicate IP address detection
#CATEGORY:Monitoring
#LOG:AUG 18 05:44:35 smf-custlog-02 1/1 3201 IPV4-4: Duplicate IP address detected: 12.34.56.78 00-0a-b8-68-2d-8c
regex=IPV4-\d: Duplicate IP address detected: ([\d\.]+) ([a-f\d\-]+); \
 classification.text=Duplicate IP; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=css_subsystem; \
 classification.reference(0).name=IPV4; \
 id=4705; \
 revision=2; \
 analyzer(0).name=CSS; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Load Balancer; \
 assessment.impact.severity=high; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=An IP currently in use by the CSS has been detected as in use by another device on the network.; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 source(0).node.address(1).category=mac; \
 source(0).node.address(1).address=$2; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$1; \
 last
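To show how a rule block like the ones above is actually applied, here is an added Python illustration (not Prelude-LML's own parser) that reads abridged copies of rules 4703 and 4704, matches constructed copies of the page's #LOG lines against them and expands the `$N` back-references into the IDMEF-path assignments. It fires only the first matching rule and ignores the chained/silent mechanics of the real engine; the sample lines use the page's placeholder address 12.34.56.78.

```python
import re

# Abridged copies of rules 4703 and 4704 from the Cisco CSS ruleset above
# (fields trimmed for brevity); the evaluator below is an added illustration,
# not Prelude-LML's own parser.
RULES_TEXT = r"""
regex=SSHD-\d: Access attempted by (.*) from ([\d\.]+) port (\d+); \
 classification.text=User login; \
 id=4703; \
 assessment.impact.completion=failed; \
 assessment.impact.description=User $1 failed login; \
 source(0).node.address(0).address=$2; \
 source(0).service.port=$3; \
 target(0).user.user_id(0).name=$1; \
 last

regex=NETMAN-\d: CLM: Login (\S+)@([\d\.]+); \
 classification.text=User login; \
 id=4704; \
 assessment.impact.completion=succeeded; \
 source(0).node.address(0).address=$2; \
 target(0).user.user_id(0).name=$1; \
 last
"""

# Constructed sample lines modelled on the #LOG examples above; 12.34.56.78 is
# the page's placeholder address. The first line carries an empty user name,
# which the CSS prints as two consecutive spaces ("by  from"); the regex of
# rule 4703 only matches that case because of the second space.
SAMPLE_LOGS = [
    "AUG 16 00:13:46 smf-custlog-02 1/1 49172 SSHD-4: Access attempted by  from 12.34.56.78 port 1106",
    "AUG 16 07:31:52 smf-custlog-02 1/1 1067 SSHD-4: Access attempted by neteng from 12.34.56.78 port 1121",
    "AUG 16 07:31:57 smf-custlog-02 1/1 1069 NETMAN-6: CLM: Login neteng@12.34.56.78",
    "AUG 16 06:45:00 smf-custlog-02 1/1 1022 NETMAN-6: CLMcmd: wr mem,neteng@12.34.56.78",
]


def parse_rules(text):
    """Split rule text into (compiled regex, {idmef_path: template}) pairs.

    Each rule is a 'regex=' line followed by 'path=value; \\' continuation
    lines and terminated by a bare 'last'.
    """
    rules, pattern, fields = [], None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Drop the trailing continuation backslash and the ';' separator.
        body = line.rstrip("\\").strip().rstrip(";").strip()
        if body == "last":
            if pattern is not None:
                rules.append((re.compile(pattern), fields))
            pattern, fields = None, {}
            continue
        key, _, value = body.partition("=")
        if key == "regex":
            pattern = value
        else:
            fields[key] = value
    return rules


def expand(template, match):
    """Replace $N back-references with capture group N of the match."""
    return re.sub(r"\$(\d+)", lambda m: match.group(int(m.group(1))) or "", template)


def evaluate(rules, log_line):
    """Return the expanded fields of the first rule whose regex matches, else None."""
    for regex, fields in rules:
        match = regex.search(log_line)
        if match:
            return {path: expand(value, match) for path, value in fields.items()}
    return None


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    for line in SAMPLE_LOGS:
        print(line)
        print("  ->", evaluate(rules, line))
```

The fourth sample line (a CLMcmd entry) matches neither rule and yields None; in the full ruleset it would be picked up by rule 4701.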
#DESCRIPTION:Enterprise Service Transition
#CATEGORY:Service Management
#LOG:AUG 16 06:46:56 smf-custlog-02 1/1 49124 NETMAN-2: Enterprise:Service Transition:web1-rw -> suspended
regex=NETMAN-\d: Enterprise:Service Transition:(\S+) -> (\S+); \
 classification.text=Service $2; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=css_subsystem; \
 classification.reference(0).name=NETMAN; \
 id=4706; \
 revision=2; \
 analyzer(0).name=CSS; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Load Balancer; \
 assessment.impact.severity=medium; \
 assessment.impact.type=dos; \
 assessment.impact.description=Service $1 is $2; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Service name; \
 additional_data(0).data=$1; \
 last

prelude-lml-rules-5.1.0/ruleset/ipfw.rules

#FULLNAME: IPFirewall
#VERSION: 1.0
#DESCRIPTION: ipfirewall (ipfw) is a FreeBSD IP packet filter and traffic accounting facility.
#####
#
# Copyright (C) 2016-2019 CS-SI
# Author : Krzysztof Zaraska
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

#DESCRIPTION:(TCP|UDP) incoming packet denied
#CATEGORY:Packet Filtering
#LOG:Feb 3 16:02:18 lhotse /kernel: ipfw: 65000 Deny UDP 200.65.7.49:1033 12.34.56.78:137 in via tun0
#LOG:Feb 3 16:02:58 lhotse /kernel: ipfw: 2700 Deny TCP 213.76.70.104:1103 12.34.56.78:135 in via tun0
regex=(\d+) Deny (TCP|UDP) ([\d\.]+):(\d+) ([\d\.]+):([\d]+) in via (\w+); \
 classification.text=Incoming $2 packet dropped; \
 id=800; \
 revision=1; \
 assessment.impact.completion=failed; \
 assessment.impact.type=other; \
 assessment.impact.severity=medium; \
 assessment.impact.description=Denied incoming packet (rule #$1) $2 $3:$4 -> $5:$6 on interface $7; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$3; \
 source(0).service.port=$4; \
 source(0).service.iana_protocol_name=$2; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$5; \
 target(0).service.port=$6; \
 target(0).service.iana_protocol_name=$2; \
 source(0).interface=$7; \
 last

#DESCRIPTION:(TCP|UDP) outgoing packet denied
#CATEGORY:Packet Filtering
#LOG:Aug 4 10:57:26 r40e kernel: ipfw: 299 Deny TCP 1.2.3.4:49312 5.6.7.8:80 out via bge0
regex=(\d+) Deny (TCP|UDP) ([\d\.]+):(\d+) ([\d\.]+):([\d]+) out via (\w+); \
 classification.text=Outgoing $2 packet dropped; \
 id=801; \
 revision=1; \
 assessment.impact.completion=failed; \
 assessment.impact.type=other; \
 assessment.impact.severity=medium; \
 assessment.impact.description=Denied outgoing packet (rule #$1) $2 $3:$4 -> $5:$6 on interface $7; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$3; \
 source(0).service.port=$4; \
 source(0).service.iana_protocol_name=$2; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$5; \
 target(0).service.port=$6; \
 target(0).service.iana_protocol_name=$2; \
 target(0).interface=$7; \
 last

#DESCRIPTION:ICMP incoming packet denied
#CATEGORY:Packet Filtering
#LOG:Jan 6 22:31:29 lhotse /kernel: ipfw: 140 Deny ICMP:11.0 1.2.3.4 5.6.7.8 in via vx3
regex=(\d+) Deny ICMP:(\d+)\.(\d+) ([\d\.]+) ([\d\.]+) in via (\w+); \
 classification.text=Incoming ICMP packet dropped; \
 id=802; \
 revision=1; \
 assessment.impact.completion=failed; \
 assessment.impact.type=other; \
 assessment.impact.severity=medium; \
 assessment.impact.description=Denied incoming packet (rule #$1) ICMP type $2.$3 $4 -> $5 on interface $6; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$4; \
 source(0).service.iana_protocol_name=ICMP; \
 source(0).service.iana_protocol_number=1; \
 source(0).interface=$6; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$5; \
 target(0).service.iana_protocol_name=ICMP; \
 target(0).service.iana_protocol_number=1; \
 last

#DESCRIPTION:ICMP outgoing packet denied
#CATEGORY:Packet Filtering
#LOG:Feb 3 16:33:00 lhotse /kernel: ipfw: 65000 Deny ICMP:0.0 12.34.56.78 206.99.235.10 out via tun0
regex=(\d+) Deny ICMP:(\d+)\.(\d+) ([\d\.]+) ([\d\.]+) out via (\w+); \
 classification.text=Outgoing ICMP packet dropped; \
 id=803; \
 revision=1; \
 assessment.impact.completion=failed; \
 assessment.impact.type=other; \
 assessment.impact.severity=medium; \
 assessment.impact.description=Denied outgoing packet (rule #$1) ICMP type $2.$3 $4 -> $5 on interface $6; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$4; \
 source(0).service.iana_protocol_name=ICMP; \
 source(0).service.iana_protocol_number=1; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$5; \
 target(0).service.iana_protocol_name=ICMP; \
 target(0).service.iana_protocol_number=1; \
 target(0).interface=$6; \
 last

#DESCRIPTION:(TCP|UDP) incoming packet accepted
#CATEGORY:Packet Filtering
#LOG:Dec 13 18:08:58 kaskadimpex /kernel: ipfw: 20205 Accept TCP 1.2.3.4:1408 5.6.7.8:139 in via fxp1
regex=(\d+) Accept (TCP|UDP) ([\d\.]+):(\d+) ([\d\.]+):([\d]+) in via (\w+); \
 classification.text=Incoming $2 packet accepted; \
 id=804; \
 revision=1; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.severity=medium; \
 assessment.impact.description=Accepted incoming packet (rule #$1) $2 $3:$4 -> $5:$6 on interface $7; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$3; \
 source(0).service.port=$4; \
 source(0).service.iana_protocol_name=$2; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$5; \
 target(0).service.port=$6; \
 target(0).service.iana_protocol_name=$2; \
 source(0).interface=$7; \
 last

#DESCRIPTION:(TCP|UDP) outgoing packet accepted
#CATEGORY:Packet Filtering
#LOG:Dec 13 18:08:58 kaskadimpex /kernel: ipfw: 20206 Accept TCP 1.2.3.4:139 5.6.7.8:1408 out via fxp1
regex=(\d+) Accept (TCP|UDP) ([\d\.]+):(\d+) ([\d\.]+):([\d]+) out via (\w+); \
 classification.text=Outgoing $2 packet accepted; \
 id=805; \
 revision=1; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.severity=medium; \
 assessment.impact.description=Accepted outgoing packet (rule #$1) $2 $3:$4 -> $5:$6 on interface $7; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$3; \
 source(0).service.port=$4; \
 source(0).service.iana_protocol_name=$2; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$5; \
 target(0).service.port=$6; \
 target(0).service.iana_protocol_name=$2; \
 target(0).interface=$7; \
 last

#DESCRIPTION:ICMP incoming packet accepted
#CATEGORY:Packet Filtering
#LOG:May 5 16:57:38 myhost /kernel: ipfw: 40100 Accept ICMP:8.0 1.2.3.4 5.6.7.8 in via ed1
regex=(\d+) Accept ICMP:(\d+)\.(\d+) ([\d\.]+) ([\d\.]+) in via (\w+); \
 classification.text=Incoming ICMP Packet accepted; \
 id=806; \
 revision=1; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.severity=medium; \
 assessment.impact.description=Accepted incoming packet (rule #$1) ICMP type $2.$3 $4 -> $5 on interface $6; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$4; \
 source(0).service.iana_protocol_name=ICMP; \
 source(0).service.iana_protocol_number=1; \
 source(0).interface=$6; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$5; \
 target(0).service.iana_protocol_name=ICMP; \
 target(0).service.iana_protocol_number=1; \
 last

#DESCRIPTION:ICMP outgoing packet accepted
#CATEGORY:Packet Filtering
#LOG:May 5 16:57:38 myhost /kernel: ipfw: 40100 Accept ICMP:8.0 1.2.3.4 5.6.7.8 out via ed1
regex=(\d+) Accept ICMP:(\d+)\.(\d+) ([\d\.]+) ([\d\.]+) out via (\w+); \
 classification.text=Packet accepted by firewall; \
 id=807; \
 revision=1; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.severity=low; \
 assessment.impact.description=Accepted outgoing packet (rule #$1) ICMP type $2.$3 $4 -> $5 on interface $6; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$4; \
 source(0).service.iana_protocol_name=ICMP; \
 source(0).service.iana_protocol_number=1; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$5; \
 target(0).service.iana_protocol_name=ICMP; \
 target(0).service.iana_protocol_number=1; \
 target(0).interface=$6; \
 last

prelude-lml-rules-5.1.0/ruleset/kojoney.rules

#FULLNAME: Kojoney
#VERSION: 1.0
#DESCRIPTION: Kojoney is a low level interaction honeypot that emulates an SSH server.
#####
#
# Copyright (C) 2007 Bjoern Weiland
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

#DESCRIPTION:SSH Brute Force Login Attempt
#CATEGORY:Honeypot
#LOG:2007/04/12 21:57 CEST [SSHService ssh-userauth on SSHServerTransport,3,88.64.180.35] root trying auth password
regex=\[SSHService ssh-userauth on SSHServerTransport,\d+,(\S+)\] (\S+) trying auth password; \
 classification.text=SSH Brute Force Login Attempt; \
 id=20000; \
 revision=1; \
 analyzer(0).name=Kojoney SSH Honeypot; \
 analyzer(0).manufacturer=http://kojoney.sourceforge.net; \
 analyzer(0).class=Honeypot; \
 source(0).node.address(0).address=$1; \
 target(0).user.category=os-device; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$2; \
 assessment.impact.type=user; \
 assessment.impact.severity=medium; \
 assessment.impact.description=Someone tried to log into the SSH Honeypot with guessed username/password combinations; \
 last

#DESCRIPTION:Brute Force Login on the SSH Honeypot succeeded
#CATEGORY:Honeypot
#LOG:2007/04/12 21:57 CEST [SSHService ssh-userauth on SSHServerTransport,3,88.64.180.35] root authenticated with password
regex=\[SSHService ssh-userauth on SSHServerTransport,\d+,(\S+)\] (\S+) authenticated with password; \
 classification.text=SSH Login; \
 id=20001; \
 revision=2; \
 analyzer(0).name=Kojoney SSH Honeypot; \
 analyzer(0).manufacturer=http://kojoney.sourceforge.net; \
 analyzer(0).class=Honeypot; \
 source(0).node.address(0).address=$1; \
 target(0).user.category=os-device; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$2; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=user; \
 assessment.impact.severity=high; \
 assessment.impact.description=A Brute Force Login on the SSH Honeypot was successful; \
 last

#DESCRIPTION:SSH commands given on Honeypot command line
#CATEGORY:Honeypot
#LOG:2007/04/12 21:57 CEST [SSHChannel session (0) on SSHService ssh-connection on SSHServerTransport,3,88.64.180.35] COMMAND IS : wget http://www.test.de/bla.zip // executing command "id"
regex=\[SSHChannel session \(\d+\) on SSHService ssh-connection on SSHServerTransport,\d+,(\S+)\] (executing .*|COMMAND .*); \
 classification.text=SSH commands given on Honeypot command line; \
 id=20002; \
 revision=1; \
 analyzer(0).name=Kojoney SSH Honeypot; \
 analyzer(0).manufacturer=http://kojoney.sourceforge.net; \
 analyzer(0).class=Honeypot; \
 source(0).node.address(0).address=$1; \
 assessment.impact.completion=failed; \
 assessment.impact.type=user; \
 assessment.impact.severity=high; \
 assessment.impact.description=An attacker gave commands on the virtual shell; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Command; \
 additional_data(0).data=$2; \
 last

#DESCRIPTION:Malware download attempt. File saved.
#CATEGORY:Honeypot
#LOG:2007/04/12 21:57 CEST [SSHChannel session (0) on SSHService ssh-connection on SSHServerTransport,3,88.64.180.35] Saved the file /var/log/kojoney/http___attacker_100free_com_all_tar212 requested by the attacker.
regex=\[SSHChannel session \(\d+\) on SSHService ssh-connection on SSHServerTransport,\d+,(\S+)\] Saved the file (.*) requested by the attacker; \
 classification.text=Malware download attempt; \
 id=20003; \
 revision=1; \
 analyzer(0).name=Kojoney SSH Honeypot; \
 analyzer(0).manufacturer=http://kojoney.sourceforge.net; \
 analyzer(0).class=Honeypot; \
 source(0).node.address(0).address=$1; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=user; \
 assessment.impact.severity=high; \
 assessment.impact.description=An attacker tried to download something. The file has been saved.; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Filename; \
 additional_data(0).data=$2; \
 last

#DESCRIPTION:Malware download attempt. File could not be saved.
#CATEGORY:Honeypot
#LOG:2007/04/12 21:57 CEST [SSHChannel session (0) on SSHService ssh-connection on SSHServerTransport,3,88.64.180.35] Error downloading file http://attacker_100free_com_all_tar212 request by attacker.
regex=\[SSHChannel session \(\d+\) on SSHService ssh-connection on SSHServerTransport,\d+,(\S+)\] Error downloading file (.*) request by attacker; \
 classification.text=Malware download attempt; \
 id=20004; \
 revision=1; \
 analyzer(0).name=Kojoney SSH Honeypot; \
 analyzer(0).manufacturer=http://kojoney.sourceforge.net; \
 analyzer(0).class=Honeypot; \
 source(0).node.address(0).address=$1; \
 assessment.impact.completion=failed; \
 assessment.impact.type=user; \
 assessment.impact.severity=medium; \
 assessment.impact.description=An attacker tried to download something, but the file could not be saved.; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Filename; \
 additional_data(0).data=$2; \
 last

prelude-lml-rules-5.1.0/ruleset/modsecurity.rules

#FULLNAME: ModSecurity
#VERSION: 1.0
#DESCRIPTION: ModSecurity is a toolkit for real-time web application monitoring, logging, and access control. The rules were developed using mod_security-2.5.6 (tested with 2.1.7 and 2.5.6).
#####
#
# Copyright (C) 2008 Daniel Kopecek
#                    Peter Vrabec
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

#DESCRIPTION:HTTP Protocol violation
#CATEGORY:Web Service
#LOG:[Mon Jul 21 16:55:56 2008] [error] [client 127.0.0.1] ModSecurity: Access denied with code 400 (phase 1). Pattern match "," at REQUEST_HEADERS:Transfer-Encoding. [id "950012"] [msg "HTTP Request Smuggling Attack."] [severity "ALERT"] [uri "/"] [unique_id "CqsKfwoiIjEAAGO7d7cAAAAE"]
regex=\[id "(960911|950012|960912|960016|960011|960012|960013|950107|950801|950116|960014|960018|960901)"\]; \
 id=3167; \
 classification.text=HTTP Protocol violation; \
 assessment.impact.severity=medium; \
 classification.reference(0).name=$1; \
 chained; silent

#DESCRIPTION:HTTP Protocol anomaly
#CATEGORY:Web Service
#LOG:[Mon Jul 21 16:55:56 2008] [error] [client 127.0.0.1] ModSecurity: Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [uri "/\\xc4\\x9b+\\xc5\\xa1\\xc4\\x8d\\xc5\\xa1\\xc5\\x99\\xc5\\x99\\xc4\\x8d\\xc3\\xbd\\xc3\\xbd\\xc3\\xa1"] [unique_id "S2NY@woiIjEAAF4eLX8AAAAG"]
regex=\[id "(960019|960008|960015|960009|960904|960913)"\]; \
 id=3168; \
 classification.text=HTTP Protocol anomaly; \
 assessment.impact.severity=low; \
 classification.reference(0).name=$1; \
 chained; silent

#DESCRIPTION:Request limits exceeded
#CATEGORY:Web Service
#LOG:[Mon Jul 21 16:55:56 2008] [error] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase2). Operator GT matched 0 at ARGS. [file "/etc/apache2/modsecurity/activated_rules/modsecurity_crs_23_request_limits.conf"] [line "31"] [id "960335"] [rev "2.2.5"] [msg "Too many arguments in request"] [severity "WARNING"] [hostname "alphard.stars.example"] [uri "/index.html"] [unique_id "VI4p6X8AAAIAABgVFe8AAAAA"]
regex=\[id "(960335)"\]; \
 id=3169; \
 classification.text=HTTP Request limit exceeded; \
 assessment.impact.severity=high; \
 classification.reference(0).name=$1; \
 chained; silent

#DESCRIPTION:HTTP policy violation
#CATEGORY:Web Service
#LOG:[Mon Jul 21 16:55:56 2008] [error] [client 127.0.0.1] ModSecurity: Warning. Match of "rx ^%{tx.allowed_request_content_type}$" against "TX:" required. [file "/etc/apache2/modsecurity/activated_rules/modsecurity_crs_30_http_policy.conf"] [line "64"] [id "960010"] [msg "Request content type is not allowed by policy"] [data "application/x-www-form-urlencoded"] [severity "WARNING"] [tag "POLICY/ENCODING_NOT_ALLOWED"] [tag "WASCTC/WASC-20"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/EE2"] [tag "PCI/12.1"] [hostname "saiph.stars.example"] [uri "/phpMyAdmin/index.php"] [unique_id "VTHCZAoAAkIAAFkcFJ0AAAAD"]
regex=\[id "(960032|960010|960034|960035|960038|960902|960903)"\]; \
 id=3170; \
 classification.text=HTTP policy violation; \
 assessment.impact.severity=high; \
 classification.reference(0).name=$1; \
 chained; silent

#DESCRIPTION:Bad HTTP robots
#CATEGORY:Web Service
#LOG:[Fri Nov 19 17:18:37 2010] [error] [client 204.124.182.203] ModSecurity: Access denied with code 406 (phase 2). Match of "rx ^apache.*perl" against "REQUEST_HEADERS:User-Agent" required. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "58"] [id "990011"] [msg "Request Indicates an automated program explored the site"] [severity "NOTICE"] [hostname "www.unlockuriphonenow.com"] [uri "/cron.php"] [unique_id "TOZkLcx8tssAAHkegJ4AAABV"]
regex=\[id "(990002|990901|990902|990012|990011)"\]; \
 id=3171; \
 classification.text=Bad HTTP robot; \
 assessment.impact.severity=info; \
 classification.reference(0).name=$1; \
 chained; silent

#DESCRIPTION:Generic HTTP attacks
#CATEGORY:Web Service
#LOG:[Mon Jul 21 16:55:56 2008] [error] [client 127.0.0.1] ModSecurity: Warning. Pattern match "(?i:([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\(\\\\)]*)?([\\\\d\\\\w]+)([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x99\\xe2\\x80\\x98\\\\(\\\\)]*)?(?:=|<=>|r?like|sounds\\\\s+like|regexp)([\\\\s'\\"`\\xc2\\xb4\\xe2\\x80\\x98\\ ..." at ARGS:text. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "77"] [id "950901"] [rev "2.2.5"] [msg "SQL Injection Attack"] [data "p>This"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "bellatrix.stars.example"] [uri "/joomla/administrator/index.php"] [unique_id "cfesVwoAAikAADZlCD8AAA"]
regex=\[id "(959009|950007|959007|950904|959904|950001|959001|950901|959901|950906|959906|950908|959908|950004|959004|959005|950002|950006|959006|950907|959907|950008|959008|950010|959010|950011|959011|950013|959013|950018|959018|950019|959019|950910|950911)"\]; \
 id=3172; \
 classification.text=Generic HTTP attack; \
 assessment.impact.severity=high; \
 classification.reference(0).name=$1; \
 chained; silent

#DESCRIPTION:HTTP trojan
#CATEGORY:Web Service
#LOG:[Mon Jul 21 16:55:56 2008] [error] [client 127.0.0.1] ModSecurity: Access denied with code 404 (phase 4). Pattern match "(?:[^<]*?(?:\\b(?:(?:c(?:ehennemden|gi-telnet)|gamma web shell)\\b|imhabirligi phpftp)|(?:r(?:emote explorer|57shell)|aventis klasvayv|zehir)\\b|\\.::(?:news remote php shell injection::\\.| rhtools\\b)|ph(?:p(?:(?: commander|-terminal)\\b|remoteview)| ..." at RESPONSE_BODY. [file "/dh/apache2/template/etc/mod_sec2/modsecurity_crs_45_trojans.conf"] [line "34"] [id "950922"] [msg "Backdoor access"] [severity "CRITICAL"] [tag "MALICIOUS_SOFTWARE/TROJAN"] [hostname "www.example.com"] [uri "/egroupware/setup/check_install.php"] [unique_id "SRgxB0PNBIMAAGqtIdcAAAAC"]
regex=\[id "(950921|950922)"\]; \
 id=3173; \
 classification.text=HTTP trojan; \
 assessment.impact.severity=high; \
 classification.reference(0).name=$1; \
 chained; silent

#DESCRIPTION:HTTP outbound policy violation
#CATEGORY:Web Service
#LOG:[Mon Nov 24 11:30:49.314543 2014] [security2:error] [pid 6110:tid 4130134896] [client 10.15.1.2] ModSecurity: Rule 9a05c50 [id "970003"][file "/usr/apache/conf/waf/modsecurity_crs_outbound.conf"][line "123"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "labtest.lab.local"] [uri "/public/login.htm"] [unique_id "VHMI2cJMnBQAABfeeCIAAABA"]
regex=\[id "(970003|970004|970904|970007|970008|970009|970010|970012|970013|970014|970903|970015|970902|970016|970018|970901|970118|970021|970011)"\]; \
 id=3174; \
 classification.text=HTTP outbound policy violation; \
 assessment.impact.severity=high; \
 classification.reference(0).name=$1; \
 chained; silent

#DESCRIPTION:Generic
#CATEGORY:Web Service
regex=Pattern match ".+" at \S+:(.*?/?([^/]+?))\.; \
 id=3178; \
 assessment.impact.type=file; \
 target(0).file(0).name=$2; \
 target(0).file(0).path=$1; \
 chained; silent

#DESCRIPTION:Generic HTTP attack
#CATEGORY:Web Service
#LOG:[Mon Sep 09 17:38:38 2013] [error] [client 1.1.1.1] ModSecurity: Warning. Pattern match "(?:\\\\b(?:\\\\.(?:ht(?:access|passwd|group)|www_?acl)|global\\\\.asa|httpd\\\\.conf|boot\\\\.ini)\\\\b|\\\\/etc\\\\/)" at ARGS:f. [file "/etc/apache2/conf.d/mod_security2/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "193"] [id "950005"] [rev "2"] [msg "Remote File Access Attempt"] [data "Matched Data: /etc/ found within ARGS:f: /etc/passwd"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"] [hostname "www.example.com"] [uri "/index.php"] [unique_id "Ui3rftX@FAIAAEXTJuEAAAAE"]
regex=\[id "950005"\]; \
 optgoto=3178; \
 min-optgoto-match=1; \
 id=3175; \
 classification.text=Generic HTTP attack; \
 assessment.impact.severity=high; \
 classification.reference(0).name=950005; \
 chained; silent

#DESCRIPTION:HTTP Protocol anomaly
#CATEGORY:Web Service
#LOG:[Tue May 27 06:52:51 2014] [error] [client 192.168.5.26] ModSecurity: Access denied with code 403 (phase 2). Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "98"] [id "960017"] [rev "2"] [msg "Host header is a numeric IP address"] [data "192.168.5.40"] [severity "WARNING"] [ver "OWASP_CRS/2.2.8"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag "http://test.domain.com/en-us/magazine/2005.01.hackerbasher.aspx"] [hostname "192.168.5.40"] [uri "/dvwa/login.php"] [unique_id "U4QaI8CoBSgAAB0cA@QAAAAB"]
regex=\[id "960017"\]; \
 id=3176; \
 classification.text=HTTP Protocol anomaly; \
 assessment.impact.severity=low; \
 classification.reference(0).name=960017; \
 assessment.impact.type=recon; \
 chained; silent

#DESCRIPTION:SQL Injection
#CATEGORY:Web Service
#LOG:[Wed Jun 21 17:41:57 2017] [error] [client 192.168.95.108] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\\\W{4,}" at ARGS:mousepos. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "154"] [id "960024"] [rev "2"] [msg "SQL Character Anomaly Detection Alert - Repetative Non-Word Characters"] [data "Matched Data: },{\\x22 found within ARGS:mousepos: [{\\x22x\\x22:992,\\x22y\\x22:170,\\x22i\\x22:1,\\x22c\\x22:0,\\x22sy\\x22:0,\\x22sx\\x22:0},{\\x22x\\x22:883,\\x22y\\x22:174,\\x22i\\x22:129,\\x22c\\x22:0,\\x22sy\\x22:0,\\x22sx\\x22:0},{\\x22x\\x22:72,\\x22y\\x22:390,\\x22i\\x22:1,\\x22c\\x22:0,\\x22sy\\x22:0,\\x22sx\\x22:0},{\\x22x\\x22:1168,\\x22y\\x22:906,\\x22i\\x22:1,\\x22c\\x22:0,\\x22sy\\x22:0,\\x22sx\\x22:0},{\\x22x\\x22:1592,\\x22y\\x22:899,\\x22i\\x22:1,\\x22c\\x22:0,\\x22sy\\x22:0,\\x22sx\\x22:0},{\\x22x\\x22:1785,\\x22y\\x22:943,\\x22i\\x22:240,\\x22c\\x22:0..."] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "8"] [hostname "test.domain.com"] [uri "/index.php"] [unique_id "WUqTxawelgUAAAE8C@sAAAAD"]
regex=\[id "(960024)"\]; \
 id=3177; \
 revision=1; \
 classification.text=SQL injection attempt; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=failed; \
 classification.reference(0).name=$1; \
 chained; silent;

#DESCRIPTION:ModSec Ruleset ID
#CATEGORY:Web Service
#LOG:[Tue May 27 06:52:51 2014] [error] [client 192.168.5.26] ModSecurity: Access denied with code 403 (phase 2). Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "98"] [id "960017"] [rev "2"] [msg "Host header is a numeric IP address"] [data "192.168.5.40"] [severity "WARNING"] [ver "OWASP_CRS/2.2.8"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag "http://test.domain.com/en-us/magazine/2005.01.hackerbasher.aspx"] [hostname "192.168.5.40"] [uri "/dvwa/login.php"] [unique_id "U4QaI8CoBSgAAB0cA@QAAAAB"]
regex=\[id "(\S+)"\]; \
 id=3159; \
 additional_data(>>).type=string; \
 additional_data(-1).meaning=ModSec Rule ID; \
 additional_data(-1).data=$1; \
 chained; silent

#DESCRIPTION:ModSec Ruleset File
#CATEGORY:Web Service
#LOG:[Tue May 27 06:52:51 2014] [error] [client 192.168.5.26] ModSecurity: Access denied with code 403 (phase 2). Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "98"] [id "960017"] [rev "2"] [msg "Host header is a numeric IP address"] [data "192.168.5.40"] [severity "WARNING"] [ver "OWASP_CRS/2.2.8"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag "http://test.domain.com/en-us/magazine/2005.01.hackerbasher.aspx"] [hostname "192.168.5.40"] [uri "/dvwa/login.php"] [unique_id "U4QaI8CoBSgAAB0cA@QAAAAB"]
regex=\[file "([^"]+)"\]; \
 id=3160; \
 additional_data(>>).type=string; \
 additional_data(-1).meaning=ModSec Ruleset File; \
 additional_data(-1).data=$1; \
 chained; silent

#DESCRIPTION:ModSec Ruleset Line
#CATEGORY:Web Service
#LOG:[Tue May 27 06:52:51 2014] [error] [client 192.168.5.26] ModSecurity: Access denied with code 403 (phase 2). Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "98"] [id "960017"] [rev "2"] [msg "Host header is a numeric IP address"] [data "192.168.5.40"] [severity "WARNING"] [ver "OWASP_CRS/2.2.8"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag "http://test.domain.com/en-us/magazine/2005.01.hackerbasher.aspx"] [hostname "192.168.5.40"] [uri "/dvwa/login.php"] [unique_id "U4QaI8CoBSgAAB0cA@QAAAAB"]
regex=\[line "(\d+)"\]; \
 id=3161; \
 additional_data(>>).type=integer; \
 additional_data(-1).meaning=ModSec Ruleset Line; \
 additional_data(-1).data=$1; \
 chained; silent

#DESCRIPTION:ModSec Rule Tag
#CATEGORY:Web Service
#LOG:[Tue May 27 06:52:51 2014] [error] [client 192.168.5.26] ModSecurity: Access denied with code 403 (phase 2). Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "98"] [id "960017"] [rev "2"] [msg "Host header is a numeric IP address"] [data "192.168.5.40"] [severity "WARNING"] [ver "OWASP_CRS/2.2.8"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag "http://test.domain.com/en-us/magazine/2005.01.hackerbasher.aspx"] [hostname "192.168.5.40"] [uri "/dvwa/login.php"] [unique_id "U4QaI8CoBSgAAB0cA@QAAAAB"]
regex=\[tag "(\S+)"\]; \
 id=3162; \
 additional_data(>>).type=string; \
 additional_data(-1).meaning=ModSec Rule Tag; \
 additional_data(-1).data=$1; \
 chained; silent

#DESCRIPTION:ModSec Severity
#CATEGORY:Web Service
#LOG:[Tue May 27 06:52:51 2014] [error] [client 192.168.5.26] ModSecurity: Access denied with code 403 (phase 2). Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host.
[file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "98"] [id "960017"] [rev "2"] [msg "Host header is a numeric IP address"] [data "192.168.5.40"] [severity "WARNING"] [ver "OWASP_CRS/2.2.8"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag "http://test.domain.com/en-us/magazine/2005.01.hackerbasher.aspx"] [hostname "192.168.5.40"] [uri "/dvwa/login.php"] [unique_id "U4QaI8CoBSgAAB0cA@QAAAAB"] regex=\[severity "(\S+)"\]; \ id=3163; \ additional_data(>>).type=string; \ additional_data(-1).meaning=ModSec Severity; \ additional_data(-1).data=$1; \ chained; silent #DESCRIPTION:Generic message #CATEGORY:Web Service #LOG:[Tue May 27 06:52:51 2014] [error] [client 192.168.5.26] ModSecurity: Access denied with code 403 (phase 2). Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "98"] [id "960017"] [rev "2"] [msg "Host header is a numeric IP address"] [data "192.168.5.40"] [severity "WARNING"] [ver "OWASP_CRS/2.2.8"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag "http://test.domain.com/en-us/magazine/2005.01.hackerbasher.aspx"] [hostname "192.168.5.40"] [uri "/dvwa/login.php"] [unique_id "U4QaI8CoBSgAAB0cA@QAAAAB"] regex=\[msg "([^"]+)"\]; \ optgoto=3167-3177; \ min-optgoto-match=1; \ id=3164; \ classification.reference(0).meaning=$1; \ classification.reference(0).origin=vendor-specific; \ chained; silent #DESCRIPTION:Generic hostname #CATEGORY:Web Service #LOG:[Tue May 27 06:52:51 2014] [error] [client 192.168.5.26] ModSecurity: Access denied with code 403 (phase 2). Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. 
[file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "98"] [id "960017"] [rev "2"] [msg "Host header is a numeric IP address"] [data "192.168.5.40"] [severity "WARNING"] [ver "OWASP_CRS/2.2.8"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag "http://test.domain.com/en-us/magazine/2005.01.hackerbasher.aspx"] [hostname "192.168.5.40"] [uri "/dvwa/login.php"] [unique_id "U4QaI8CoBSgAAB0cA@QAAAAB"] regex=\[hostname "(\S+)"\]; \ id=3165; \ target(0).node.address(0).address=$1; \ chained; silent #DESCRIPTION:Unique ID #CATEGORY:Web Service #LOG:[Tue May 27 06:52:51 2014] [error] [client 192.168.5.26] ModSecurity: Access denied with code 403 (phase 2). Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "98"] [id "960017"] [rev "2"] [msg "Host header is a numeric IP address"] [data "192.168.5.40"] [severity "WARNING"] [ver "OWASP_CRS/2.2.8"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag "http://test.domain.com/en-us/magazine/2005.01.hackerbasher.aspx"] [hostname "192.168.5.40"] [uri "/dvwa/login.php"] [unique_id "U4QaI8CoBSgAAB0cA@QAAAAB"] regex=\[unique_id "(\S+)"\]; \ id=3166; \ additional_data(>>).type=string; \ additional_data(-1).meaning=Unique ID; \ additional_data(-1).data=$1; \ chained; silent #DESCRIPTION:ModSecurity found pattern #CATEGORY:Web Service #DESCRIPTION:3120-3125 #LOG:[Mon Jul 21 16:55:56 2008] [error] [client 127.0.0.1] ModSecurity: Access denied with code 400 (phase 1). 
Match of "rx ^(?:(?:[a-z]{3,10}\\\\s+(?:\\\\w{3,7}?://[\\\\w\\\\-\\\\./]*(?::\\\\d+))??/[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?|connect (?:\\\\d{1,3}\\\\.){3}\\\\d{1,3}\\\\.?(?::\\\\d+)?|options \\\\*)\\\\s+[\\\\w\\\\./]+|get /[^?#]*(?:\\\\?[^#\\\\s]*)?(?:#[\\\\S]*)?)$" against "REQUEST_LINE" required. [id "960911"] [msg "Invalid HTTP Request Line"] [severity "CRITICAL"] [uri "Jul"] [unique_id "A30u2woiIjEAAGO7d7YAAAAE"] regex=Match of "(.+)" against "(\S+)" required\.; \ optgoto=3159-3166; \ id=3120; \ assessment.impact.description=ModSecurity found pattern match "$1" in HTTP object $2.; \ chained; silent #DESCRIPTION:ModSecurity found operator #CATEGORY:Web Service #LOG:[Mon Jul 21 16:55:56 2008] [error] [client 127.0.0.1] ModSecurity: Access denied with connection close (phase 2). Operator EQ match: 0. [id "960008"] [msg "Request Missing a Host Header"] [severity "WARNING"] [uri "/\\xc4\\x9b+\\xc5\\xa1\\xc4\\x8d\\xc5\\xa1\\xc5\\x99\\xc5\\x99\\xc4\\x8d\\xc3\\xbd\\xc3\\xbd\\xc3\\xa1"] [unique_id "4B63aQoiIjEAAGO5dL8AAAAC"] regex=Operator ([A-Z]{2}) match: (\d+)\.; \ optgoto=3159-3166; \ id=3121; \ assessment.impact.description=ModSecurity found operator "$1" match "$2".; \ chained; silent #DESCRIPTION:ModSecurity found pattern #CATEGORY:Web Service #LOG:[Mon Jul 21 16:55:56 2008] [error] [client 127.0.0.1] ModSecurity: Access denied with code 400 (phase 1). Pattern match "," at REQUEST_HEADERS:Transfer-Encoding. [id "950012"] [msg "HTTP Request Smuggling Attack."] [severity "ALERT"] [uri "/"] [unique_id "CqsKfwoiIjEAAGO7d7cAAAAE"] regex=Pattern match "(.+)" at (.+?)\.; \ optgoto=3159-3166; \ id=3122; \ assessment.impact.description=ModSecurity found pattern match "$1" in HTTP object $2.; \ chained; silent #DESCRIPTION:ModSecurity found #CATEGORY:Web Service #LOG:[Mon Jul 21 16:55:56 2008] [error] [client 127.0.0.1] ModSecurity: Access denied with code 403 (phase2). Operator GT matched 0 at ARGS. 
[file "/etc/apache2/modsecurity/activated_rules/modsecurity_crs_23_request_limits.conf"] [line "31"] [id "960335"] [rev "2.2.5"] [msg "Too many arguments in request"] [severity "WARNING"] [hostname "alphard.stars.example"] [uri "/index.html"] [unique_id "VI4p6X8AAAIAABgVFe8AAAAA"] regex=Operator ([A-Z]{2}) matched (\d+) at (\S+)\.; \ optgoto=3159-3166; \ id=3123; \ assessment.impact.description=ModSecurity found operator "$1" match "$2".; \ chained; silent #DESCRIPTION:ModSecurity found outside range #CATEGORY:Web Service #LOG:[Fri Apr 17 23:07:33 2015] [error] [client 10.0.2.222] ModSecurity: Warning. Found 1 byte(s) in ARGS:from_prefix outside range: 1-255. [file "/etc/apache2/modsecurity/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "353"] [id "960901"] [rev "2.2.5"] [msg "Invalid character in request"] [severity "WARNING"] [tag "PROTOCOL_VIOLATION/EVASION"] [tag "WASCTC/WASC-28"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/RE8"] [tag "PCI/6.5.2"] [tag "http://i-technica.com/whitestuff/asciichart.html"] [hostname "saiph.stars.example"] [uri "/phpMyAdmin/db_structure.php"] [unique_id "VTHKdQoAAkIAAF0CFbEAAAAE"] regex=Found (\d+) byte\(s\) in (\S+) outside range: (\S+)\.; \ optgoto=3159-3166; \ id=3124; \ assessment.impact.description=ModSecurity found $1 byte(s) in "$2" outside range $3.; \ chained; silent #DESCRIPTION:ModSecurity found outside range #CATEGORY:Web Service #LOG:[Mon Sep 24 21:41:29 2007] [error] [client 192.168.1.50] ModSecurity: Access denied with code 400 (phase 2). Found 1 byte(s) outside range: 1-255. 
[id "960901"] [msg "Invalid character in request"] [severity "WARNING"] [hostname "www.example.com"] [uri "/forum/posting.php?mode=3Dedit&f=3D33&sid=3D1bbae563df5ac108526808f52b7b24d1&t=3D13&p=3D19"] [unique_id "zo1qB8CoAW4AASoSC7UAAAAF"] regex=Found (\d+) byte\(s\) outside range: (\S+)\.; \ optgoto=3159-3166; \ id=3125; \ assessment.impact.description=ModSecurity found $1 byte(s) outside range $3.; \ chained; silent #DESCRIPTION:Access blocked #CATEGORY:Web Service #LOG:[Tue May 27 06:52:51 2014] [error] [client 192.168.5.26] ModSecurity: Access denied with code 403 (phase 2). Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "98"] [id "960017"] [rev "2"] [msg "Host header is a numeric IP address"] [data "192.168.5.40"] [severity "WARNING"] [ver "OWASP_CRS/2.2.8"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag "http://test.domain.com/en-us/magazine/2005.01.hackerbasher.aspx"] [hostname "192.168.5.40"] [uri "/dvwa/login.php"] [unique_id "U4QaI8CoBSgAAB0cA@QAAAAB"] regex=with code (\d+) \(phase \d\)\.; \ optgoto=3120-3125; \ id=3130; \ assessment.action(0).category=block-installed; \ assessment.action(0).description=Access was blocked with HTTP response code $1.; \ chained; silent #DESCRIPTION:Access denied using proxy #CATEGORY:Web Service #LOG:[Mon Jul 21 16:55:56 2008] [error] [client 127.0.0.1] ModSecurity: Access denied using proxy to (phase 2) http://foo.bar/. Operator EQ match: 0. 
[id "960008"] [msg "Request Missing a Host Header"] [severity "WARNING"] [uri "/2\\xc5\\xa1\\xc4\\x9b\\xc4\\x8d\\xc4\\x9b\\xc5\\xa1\\xc5\\x99\\xc5\\xa1\\xc4\\x8d\\xc5\\x99\\xc5\\xa1\\xc4\\x8d\\xc5\\xbe"] [unique_id "YVFqFwoiIjEAAAiuLsMAAAAA"] regex=using proxy to \(phase (\d+)\) (\S+)\.; \ optgoto=3120-3125; \ id=3131; \ assessment.action(0).category=block-installed; \ assessment.action(0).description=Access was denied using proxy to $2.; \ chained; silent #DESCRIPTION:Access was redirection #CATEGORY:Web Service #LOG:[Mon Jul 21 16:55:56 2008] [error] [client 127.0.0.1] ModSecurity: Access denied with redirection to http://foo.bar/ using status 302 (phase 2). Operator EQ match: 0. [id "960008"] [msg "Request Missing a Host Header"] [severity "WARNING"] [uri "/\\xc5\\xa1\\xc4\\x9b\\xc4\\x9b\\xc5\\xa1\\xc5\\x99\\xc5\\xbe\\xc4\\x8d\\xc5\\x99\\xc5\\xbe"] [unique_id "aTOstwoiIjEAAAlUMRsAAAAA"] regex=with redirection to (\S+) using status (\d+) \(phase (\d+)\)\.; \ optgoto=3120-3125; \ id=3132; \ assessment.action(0).category=block-installed; \ assessment.action(0).description=Access was redirected to $1.; \ chained; silent #DESCRIPTION:Connection close #CATEGORY:Web Service #LOG:[Mon Jul 21 16:55:56 2008] [error] [client 127.0.0.1] ModSecurity: Access denied with connection close (phase 2). Operator EQ match: 0. [id "960008"] [msg "Request Missing a Host Header"] [severity "WARNING"] [uri "/\\xc4\\x9b+\\xc5\\xa1\\xc4\\x8d\\xc5\\xa1\\xc5\\x99\\xc5\\x99\\xc4\\x8d\\xc3\\xbd\\xc3\\xbd\\xc3\\xa1"] [unique_id "4B63aQoiIjEAAGO5dL8AAAAC"] regex=with connection close \(phase (\d+)\).; \ optgoto=3120-3125; \ id=3133; \ assessment.action(0).category=block-installed; \ assessment.action(0).description=Connection was closed.; \ chained; silent #DESCRIPTION:Response body too large #CATEGORY:Web Service #LOG:[Mon Oct 26 10:31:13 2009] [error] [client 172.16.167.48] ModSecurity: Output filter: Response body too large (over limit of 524288, total not specified). 
[hostname "example.com"] [uri "/wp-admin/wpmu-edit.php"] [unique_id "adpkLkPA-0QAABypFGAAAAAR"] regex=Response body too large \(over limit of (\d+)(.+?)\)\.; \ optgoto=3159-3166; \ id=3150; \ assessment.impact.description=Response body too large (over limit of $1$2); \ chained; silent #DESCRIPTION:Warning #CATEGORY:Web Service #LOG:[Mon Sep 09 17:38:38 2013] [error] [client 1.1.1.1] ModSecurity: Warning. Pattern match "(?:\\\\b(?:\\\\.(?:ht(?:access|passwd|group)|www_?acl)|global\\\\.asa|httpd\\\\.conf|boot\\\\.ini)\\\\b|\\\\/etc\\\\/)" at ARGS:f. [file "/etc/apache2/conf.d/mod_security2/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "193"] [id "950005"] [rev "2"] [msg "Remote File Access Attempt"] [data "Matched Data: /etc/ found within ARGS:f: /etc/passwd"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"] [tag "WASCTC/WASC-33"] [tag "OWASP_TOP_10/A4"] [tag "PCI/6.5.4"] [hostname "www.example.com"] [uri "/index.php"] [unique_id "Ui3rftX@FAIAAEXTJuEAAAAE"] regex=Warning\.; \ optgoto=3120-3125; \ id=3101; \ classification.text=HTTP Warning.; \ assessment.impact.completion=succeeded; \ chained; silent #DESCRIPTION:Access denied #CATEGORY:Web Service #LOG:[Tue May 27 06:52:51 2014] [error] [client 192.168.5.26] ModSecurity: Access denied with code 403 (phase 2). Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. 
[file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "98"] [id "960017"] [rev "2"] [msg "Host header is a numeric IP address"] [data "192.168.5.40"] [severity "WARNING"] [ver "OWASP_CRS/2.2.8"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag "http://test.domain.com/en-us/magazine/2005.01.hackerbasher.aspx"] [hostname "192.168.5.40"] [uri "/dvwa/login.php"] [unique_id "U4QaI8CoBSgAAB0cA@QAAAAB"] regex=Access denied; \ optgoto=3130-3133; \ id=3102; \ classification.text=HTTP Access denied.; \ assessment.impact.completion=failed; \ chained; silent #DESCRIPTION:Output filter #CATEGORY:Web Service #LOG:[Mon Oct 26 10:31:13 2009] [error] [client 172.16.167.48] ModSecurity: Output filter: Response body too large (over limit of 524288, total not specified). [hostname "example.com"] [uri "/wp-admin/wpmu-edit.php"] [unique_id "adpkLkPA-0QAABypFGAAAAAR"] regex=Output filter:; \ optgoto=3150; \ id=3103; \ classification.text=HTTP Output filer error; \ assessment.impact.completion=failed; \ assessment.impact.severity=high; \ chained; silent #DESCRIPTION:ModSecurity #CATEGORY:Web Service #LOG:[Tue May 27 06:52:51 2014] [error] [client 192.168.5.26] ModSecurity: Access denied with code 403 (phase 2). Pattern match "^[\\d.:]+$" at REQUEST_HEADERS:Host. 
[file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_21_protocol_anomalies.conf"] [line "98"] [id "960017"] [rev "2"] [msg "Host header is a numeric IP address"] [data "192.168.5.40"] [severity "WARNING"] [ver "OWASP_CRS/2.2.8"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] [tag "OWASP_TOP_10/A7"] [tag "PCI/6.5.10"] [tag "http://test.domain.com/en-us/magazine/2005.01.hackerbasher.aspx"] [hostname "192.168.5.40"] [uri "/dvwa/login.php"] [unique_id "U4QaI8CoBSgAAB0cA@QAAAAB"] regex=\[client ([\d\.]+)\] ModSecurity:.*\[uri "([^"]+)"\]; \ optgoto=3101-3103; \ id=3100; \ analyzer(0).name=ModSecurity; \ analyzer(0).manufacturer=www.modsecurity.org; \ analyzer(0).class=HIDS; \ source(0).service.iana_protocol_name=tcp; \ source(0).service.iana_protocol_number=6; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$1; \ target(0).service.iana_protocol_name=tcp; \ target(0).service.iana_protocol_number=6; \ target(0).service.name=http; \ target(0).service.web_service.url = $2; \ classification.reference(0).url=http://www.modsecurity.org/projects/rules/index.html; \ last ��������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������prelude-lml-rules-5.1.0/ruleset/nagios.rules��������������������������������������������������������0000664�0001750�0001750�00000005416�13537533463�021274� 0����������������������������������������������������������������������������������������������������ustar 
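As an added example (not part of the ruleset or of prelude-lml), the Python below models how the chained ModSecurity rules above combine into one alert: the entry rule 3100 matches the line, then its optgoto sub-rules (3101-3103, then 3130-3133, 3120-3125, 3159-3166 and 3175-3177) each contribute fields to the same alert. The rule table is a hand-copied subset of the regexes and field assignments above, the sample line is an abridged copy of the #LOG quoted for rule 3176, and the chaining semantics are simplified assumptions (a sub-rule that does not match is skipped, later assignments overwrite earlier ones, min-optgoto-match is ignored); the field names are the IDMEF paths the rules write to, and `additional_data:...` keys are this example's shorthand for the additional_data entries.

```python
import re

# Constructed sample input: abridged copy of the #LOG line quoted for rule 3176.
SAMPLE_LOG = (
    r'[Tue May 27 06:52:51 2014] [error] [client 192.168.5.26] ModSecurity: '
    r'Access denied with code 403 (phase 2). Pattern match "^[\\d.:]+$" at '
    r'REQUEST_HEADERS:Host. [file "/etc/httpd/modsecurity.d/base_rules/'
    r'modsecurity_crs_21_protocol_anomalies.conf"] [line "98"] [id "960017"] '
    r'[rev "2"] [msg "Host header is a numeric IP address"] [data "192.168.5.40"] '
    r'[severity "WARNING"] [ver "OWASP_CRS/2.2.8"] [maturity "9"] [accuracy "9"] '
    r'[tag "OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST"] [tag "WASCTC/WASC-21"] '
    r'[hostname "192.168.5.40"] [uri "/dvwa/login.php"] '
    r'[unique_id "U4QaI8CoBSgAAB0cA@QAAAAB"]'
)

# Simplified model of the ruleset (assumption: a hand-copied subset, not the
# LML engine): rule id -> (regex, {IDMEF path: template with $N}, optgoto ids).
RULES = {
    3100: (r'\[client ([\d\.]+)\] ModSecurity:.*\[uri "([^"]+)"\]',
           {"source(0).node.address(0).address": "$1",
            "target(0).service.web_service.url": "$2"},
           [3101, 3102, 3103]),
    3101: (r'Warning\.', {"classification.text": "HTTP Warning."},
           list(range(3120, 3126))),
    3102: (r'Access denied', {"classification.text": "HTTP Access denied."},
           list(range(3130, 3134))),
    3130: (r'with code (\d+) \(phase \d\)\.',
           {"assessment.action(0).description":
            "Access was blocked with HTTP response code $1."},
           list(range(3120, 3126))),
    3122: (r'Pattern match "(.+)" at (.+?)\.',
           {"assessment.impact.description":
            'ModSecurity found pattern match "$1" in HTTP object $2.'},
           list(range(3159, 3167))),
    3159: (r'\[id "(\S+)"\]', {"additional_data:ModSec Rule ID": "$1"}, []),
    3160: (r'\[file "([^"]+)"\]', {"additional_data:ModSec Ruleset File": "$1"}, []),
    3161: (r'\[line "(\d+)"\]', {"additional_data:ModSec Ruleset Line": "$1"}, []),
    3163: (r'\[severity "(\S+)"\]', {"additional_data:ModSec Severity": "$1"}, []),
    3164: (r'\[msg "([^"]+)"\]', {"classification.reference(0).meaning": "$1"},
           [3175, 3176, 3177]),
    3165: (r'\[hostname "(\S+)"\]', {"target(0).node.address(0).address": "$1"}, []),
    3176: (r'\[id "960017"\]',
           {"classification.text": "HTTP Protocol anomaly",
            "assessment.impact.severity": "low",
            "assessment.impact.type": "recon",
            "classification.reference(0).name": "960017"}, []),
}


def expand(template, groups):
    """Substitute $N with capture group N; a callable keeps backslashes in the data literal."""
    return re.sub(r"\$(\d+)", lambda m: groups[int(m.group(1)) - 1] or "", template)


def apply_rule(rule_id, line, alert):
    """Evaluate one rule; on match, record its fields and try its optgoto sub-rules."""
    if rule_id not in RULES:            # sub-rule id not reproduced in this subset
        return False
    pattern, fields, optgoto = RULES[rule_id]
    m = re.search(pattern, line)
    if m is None:
        return False
    for path, template in fields.items():
        alert[path] = expand(template, m.groups())
    alert.setdefault("matched_rules", []).append(rule_id)
    for sub in optgoto:                 # optional: a non-matching sub-rule is skipped
        apply_rule(sub, line, alert)
    return True


def parse_modsecurity(line):
    """Return the merged alert for a ModSecurity log line, or None when rule 3100 fails."""
    alert = {}
    return alert if apply_rule(3100, line, alert) else None


if __name__ == "__main__":
    for path, value in sorted(parse_modsecurity(SAMPLE_LOG).items()):
        print(f"{path} = {value}")
```

Running it shows the value of the chain: the entry rule only extracts the client address and URI, while the classification ("HTTP Protocol anomaly", type recon) comes from rule 3176 three levels down, reached only through 3164's optgoto on the [msg] field. When editing a sub-rule, this is the place to confirm that the new rule is actually reachable from 3100.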
prelude-lml-rules-5.1.0/ruleset/nagios.rules
#FULLNAME: Nagios
#VERSION: 1.0
#DESCRIPTION: Nagios monitors systems, networks and infrastructure. The rules included here were developed using Nagios 1.0.

#####
#
# Copyright (C) 2003 G Ramon Gomez <gene at gomezbrothers dot com>
# Tyco Fire and Security GTS (www.tycofireandsecurity.com)
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

#DESCRIPTION:Service status change
#CATEGORY:Monitoring
#LOG:Oct 27 23:22:53 shadowcat nagios: SERVICE ALERT: adtcadb;SQL Server;CRITICAL;HARD;3;Socket timeout after 10 seconds
#LOG:Aug 25 15:00:47 hosho nagios: SERVICE ALERT: mickjagger;NETBIOS;CRITICAL;HARD;1;Socket timeout after 10 seconds
#LOG:Oct 27 23:22:53 host nagios: SERVICE ALERT: app2.test.domain.com;TCPPORT_8009_ajp13;CRITICAL;HARD;5;Connection refused
#LOG:Oct 27 23:22:53 host nagios: SERVICE ALERT: app4.test.domain.com;SNMP_sun_mem;OK;HARD;5;61.05% free RAM, 62.29% free SWAP
regex=SERVICE ALERT: ([^\;]+)\;([^\;]+)\;(CRITICAL|WARNING|OK)\;HARD\;\d\;(.+); \
 classification.text=Service $3; \
 id=1100; \
 revision=3; \
 analyzer(0).name=Nagios; \
 analyzer(0).manufacturer=www.nagios.org; \
 analyzer(0).class=State Monitoring; \
 assessment.impact.severity=medium; \
 assessment.impact.type=dos; \
 assessment.impact.description=Service $2 on $1 reported status $3 with $4; \
 target(0).node.name=$1; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Service name; \
 additional_data(0).data=$2; \
 last

#DESCRIPTION:Host status change
#CATEGORY:Monitoring
#LOG:Oct 28 11:42:33 shadowcat nagios: HOST ALERT: rcts2;UP;HARD;2;PING OK - Packet loss = 0%, RTA = 0.26 ms
#LOG:Aug 25 06:31:57 hosho nagios: HOST ALERT: starazolta;DOWN;HARD;3;CRITICAL - Plugin timed out after 10 seconds
regex=HOST ALERT: ([^\;]+)\;(DOWN|UP)\;HARD\;\d\;(.+); \
 classification.text=Host $2; \
 id=1101; \
 revision=2; \
 analyzer(0).name=Nagios; \
 analyzer(0).manufacturer=www.nagios.org; \
 analyzer(0).class=State Monitoring; \
 assessment.impact.severity=medium; \
 assessment.impact.type=dos; \
 assessment.impact.description=Host $1 reported status $2 with $3; \
 target(0).node.name=$1; \
 last
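Each rule above carries its #LOG samples, which makes a regression check possible: every sample should still match its rule's regex after an edit. As an added example (not part of this package), the Python below parses rule-file text in the layout used by this ruleset (one or more #LOG: lines, then a `key=value; \` statement whose last line has no continuation backslash, with semicolons that belong to the regex written as `\;`) and reports every sample its rule does not match. It runs on a constructed, abridged copy of the two Nagios rules; the function names are this example's own.

```python
import re

# Constructed sample input: an abridged copy of the two Nagios rules above
# (analyzer and assessment keys dropped), embedded so the check runs offline.
NAGIOS_RULES = r"""#DESCRIPTION:Service status change
#CATEGORY:Monitoring
#LOG:Oct 27 23:22:53 shadowcat nagios: SERVICE ALERT: adtcadb;SQL Server;CRITICAL;HARD;3;Socket timeout after 10 seconds
#LOG:Aug 25 15:00:47 hosho nagios: SERVICE ALERT: mickjagger;NETBIOS;CRITICAL;HARD;1;Socket timeout after 10 seconds
#LOG:Oct 27 23:22:53 host nagios: SERVICE ALERT: app4.test.domain.com;SNMP_sun_mem;OK;HARD;5;61.05% free RAM, 62.29% free SWAP
regex=SERVICE ALERT: ([^\;]+)\;([^\;]+)\;(CRITICAL|WARNING|OK)\;HARD\;\d\;(.+); \
 classification.text=Service $3; \
 id=1100; \
 target(0).node.name=$1; \
 last

#DESCRIPTION:Host status change
#CATEGORY:Monitoring
#LOG:Oct 28 11:42:33 shadowcat nagios: HOST ALERT: rcts2;UP;HARD;2;PING OK - Packet loss = 0%, RTA = 0.26 ms
#LOG:Aug 25 06:31:57 hosho nagios: HOST ALERT: starazolta;DOWN;HARD;3;CRITICAL - Plugin timed out after 10 seconds
regex=HOST ALERT: ([^\;]+)\;(DOWN|UP)\;HARD\;\d\;(.+); \
 classification.text=Host $2; \
 id=1101; \
 last
"""


def parse_rules(text):
    """Yield (rule id, regex, [#LOG samples]) for every rule statement in LML rule-file text."""
    samples, pending = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#LOG:"):
            samples.append(line[len("#LOG:"):].strip())
            continue
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):                 # continuation: the statement goes on
            pending.append(line[:-1].strip())
            continue
        pending.append(line)
        statement, pending = " ".join(pending), []
        # keys are separated by ';'; a ';' that belongs to the regex is written '\;'
        parts = [p.strip() for p in re.split(r"(?<!\\);", statement)]
        keys = dict(p.split("=", 1) for p in parts if "=" in p)
        yield int(keys["id"]), keys["regex"], samples
        samples = []


def check_ruleset(text):
    """Return {rule id: [samples its regex does not match]}; empty means every sample matches."""
    failures = {}
    for rule_id, regex, samples in parse_rules(text):
        unmatched = [s for s in samples if re.search(regex, s) is None]
        if unmatched:
            failures[rule_id] = unmatched
    return failures


if __name__ == "__main__":
    problems = check_ruleset(NAGIOS_RULES)
    for rule_id, unmatched in problems.items():
        for s in unmatched:
            print(f"rule {rule_id} does not match sample: {s}")
    print("all samples match" if not problems else f"{len(problems)} rule(s) with failures")
```

The check also catches the opposite kind of mistake: a sample for a state the regex deliberately excludes (rule 1100 only accepts HARD state changes) is reported rather than silently dropped, so a rule author sees immediately when a new #LOG line documents something the rule cannot parse. Python's re dialect accepts the `\;` and `[^\;]` escapes used here; a rule that relies on PCRE-only syntax would need a PCRE binding for the same check.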
prelude-lml-rules-5.1.0/ruleset/netfilter.rules
#FULLNAME: Netfilter
#VERSION: 1.0
#DESCRIPTION: Netfilter offers various functions and operations for packet filtering, network address translation, and port translation.

#Packet matching with improved pattern recognition
#
#Thanks to a particular way of writing iptables rules, you can improve
#prelude-lml's pattern matching on your logs by stating a few things
#in the log line, such as whether the packet was dropped or accepted.
#
#To benefit from this improvement, pay attention to the netfilter
#rules you create. If you log packets with the iptables LOG target,
#follow this convention (which you can change once you master all
#of that):
#
#If you use a LOG target for a packet that you Accept,
#add a prefix containing the word "Accept" to your rule:
# -j LOG --log-prefix "Accept "
#
#If you use a LOG target for a packet that you Drop,
#add a prefix containing the word "Drop" to your rule:
# -j LOG --log-prefix "Drop "

#####
#
# Copyright (C) 2005-2019 CS-SI <support.prelude@c-s.fr>
# Author: Yoann Vandoorselaere <yoann.v@prelude-siem.com>
# All Rights Reserved.
#
# Based on original implementation from Laurent Oudot, John Green <j.green@ukerna.ac.uk>
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

#DESCRIPTION:Netfilter dropped a packet
#CATEGORY:Packet Filtering
#LOG:Oct 16 11:16:51 blah kernel: Drop IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=1.1.1.1 DST=2.2.2.2 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=12776 DF PROTO=TCP SPT=3979 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0
regex=[Dd][Rr][Oo][Pp].*PROTO=(UDP|TCP|ICMP|AH|ESP); \
 id=1310; \
 classification.text = $1 packet dropped; \
 assessment.impact.completion = failed; \
 assessment.impact.type = other; \
 assessment.impact.severity = medium; \
 chained; silent

#DESCRIPTION:Netfilter accepted a packet
#CATEGORY:Packet Filtering
#LOG:Oct 16 11:16:51 blah kernel: Accept IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=1.1.1.1 DST=2.2.2.2 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=12776 DF PROTO=TCP SPT=3979 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0
regex=[Aa][Cc][Cc][Ee][Pp][Tt].*PROTO=(UDP|TCP|ICMP|AH|ESP); \
 id=1311; \
 classification.text = $1 packet accepted; \
 assessment.impact.completion = succeeded; \
 assessment.impact.type = other; \
 assessment.impact.severity = low; \
 chained; silent

#DESCRIPTION:Netfilter matched a TCP packet
#CATEGORY:Packet Filtering
#LOG:Oct 16 11:16:51 blah kernel: Drop IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=1.1.1.1 DST=2.2.2.2 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=12776 DF PROTO=TCP SPT=3979 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0
#LOG:Oct 16 11:16:51 blah kernel: Drop IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=1.1.1.1 DST=2.2.2.2 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=12776 DF PROTO=TCP SPT=3979 DPT=139 WINDOW=65535 SYN URGP=0
#LOG:Oct 16 11:16:51 blah kernel: IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=1.1.1.1 DST=2.2.2.2 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=12776 DF PROTO=TCP SPT=3979 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0
optgoto=1310-1311; \
 regex=IN=(\w*) OUT=(\w*)( MAC=)?([\w:]+)?\s+SRC=([\d\.]+) DST=([\d\.]+) LEN=(\d+) TOS=(\w+) PREC=(\w+) TTL=(\d+) ID=(\d+) (CE )?(DF )?(MF )?(FRAG:\d+ )?(OPT \(\w+\) )?PROTO=TCP (INCOMPLETE \[\d+ bytes\] )?SPT=(\d+) DPT=(\d+) (SEQ=\d+ ACK=\d+ )?WINDOW=(\d+) (RES=(\w+) )?(CWR )?(ECE )?(URG )?(ACK )?(PSH )?(RST )?(SYN )?(FIN )?URGP=(\d+); \
 classification.text=TCP packet matched; \
 id=1300; \
 revision=1; \
 analyzer(0).name=netfilter; \
 analyzer(0).manufacturer=www.netfilter.org; \
 analyzer(0).class=Firewall; \
 assessment.impact.type=other; \
 assessment.impact.description=Netfilter matched a TCP packet $5:$18 -> $6:$19 [$26 $27 $28 $29 $30 $31] on interface $1$2 [ TTL=$10 ]; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$5; \
 source(0).service.port=$18; \
 source(0).service.iana_protocol_name=TCP; \
 source(0).service.iana_protocol_number=6; \
 target(0).interface=$1; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$6; \
 target(0).service.port=$19; \
 target(0).service.iana_protocol_name=TCP; \
 target(0).service.iana_protocol_number=6; \
 last

#DESCRIPTION:Netfilter matched a UDP packet
#CATEGORY:Packet Filtering
#LOG:Oct 16 07:53:44 blah kernel: Drop IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=1.1.1.1 DST=2.2.2.2 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=59110 PROTO=UDP SPT=137 DPT=137 LEN=58
#LOG:Oct 16 07:53:44 blah kernel: IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=1.1.1.1 DST=2.2.2.2 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=59110 PROTO=UDP SPT=137 DPT=137 LEN=58
optgoto=1310-1311; \
 regex=IN=(\w*) OUT=(\w*)( MAC=)?([\w:]+)?\s+SRC=([\d\.]+) DST=([\d\.]+) LEN=(\d+) TOS=(\w+) PREC=(\w+) TTL=(\d+) ID=(\d+) (CE )?(DF )?(MF )?(FRAG:\d+ )?(OPT \(\w+\) )?PROTO=UDP (INCOMPLETE \[\d+ bytes\] )?SPT=(\d+) DPT=(\d+) LEN=(\d+); \
 classification.text=UDP packet matched; \
 id=1301; \
 revision=1; \
 analyzer(0).name=netfilter; \
 analyzer(0).manufacturer=www.netfilter.org; \
 analyzer(0).class=Firewall; \
 assessment.impact.type=other; \
 assessment.impact.description=Netfilter matched a UDP packet $5:$18 -> $6:$19 on interface $1$2 [TTL=$10]; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$5; \
 source(0).service.port=$18; \
 source(0).service.iana_protocol_name=UDP; \
 source(0).service.iana_protocol_number=17; \
 target(0).interface=$1; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$6; \
 target(0).service.port=$19; \
 target(0).service.iana_protocol_name=UDP; \
 target(0).service.iana_protocol_number=17; \
 last

#DESCRIPTION:Netfilter matched an ICMP packet
#CATEGORY:Packet Filtering
#LOG:Oct 20 23:59:41 blah kernel: Drop IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=1.1.1.1 DST=2.2.2.2 LEN=84 TOS=0x00 PREC=0x00 TTL=58 ID=9 DF PROTO=ICMP TYPE=8 CODE=0 ID=51318 SEQ=10
#LOG:Oct 20 23:59:41 blah kernel: IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=1.1.1.1 DST=2.2.2.2 LEN=84 TOS=0x00 PREC=0x00 TTL=58 ID=9 DF PROTO=ICMP TYPE=8 CODE=0 ID=51318 SEQ=10
optgoto=1310-1311; \
 regex=IN=(\w*) OUT=(\w*)( MAC=)?([\w:]+)?\s+SRC=([\d\.]+) DST=([\d\.]+) LEN=(\d+) TOS=(\w+) PRE C=(\w+) TTL=(\d+) ID=(\d+) (CE )?(DF )?(MF )?(FRAG:\d+ )?(OPT \(\w+\) )?PROTO=ICMP (INCOMPLETE \[\d+ bytes\] )?TYPE=(\d+) CODE=(\d+) (INCOMPLETE \[\d+ bytes\] )?(ID=\d+ SEQ=\d+ )?(PARAMETER=\d+ )?(GATEWAY=[\d\.]+ )?(\[\w+\])?(MTU=\d+ )?; \
 classification.text=ICMP packet matched; \
 id=1302; \
 revision=1; \
 analyzer(0).name=netfilter; \
 analyzer(0).manufacturer=www.netfilter.org; \
 analyzer(0).class=Firewall; \
 assessment.impact.type=other; \
 assessment.impact.description=Netfilter matched an ICMP packet $5 -> $6 type=$18 code=$19 on interface $1$2 [TTL=$10]; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$5; \
 source(0).service.iana_protocol_name=ICMP; \
 source(0).service.iana_protocol_number=1; \
 target(0).interface=$1; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$6; \
 target(0).service.iana_protocol_name=ICMP; \
 target(0).service.iana_protocol_number=1; \
 last

#DESCRIPTION:Netfilter matched an AH or ESP packet
#CATEGORY:Packet Filtering
#LOG:Oct 20 17:13:25 blah kernel: Drop IN=ppp0 OUT= MAC= SRC=1.1.1.1 DST=2.2.2.2 LEN=128 TOS=0x00 PREC=0x00 TTL=234 ID=15586 PROTO=ESP SPI=0xa7d839
#LOG:Oct 20 17:13:25 blah kernel: IN=ppp0 OUT= MAC= SRC=1.1.1.1 DST=2.2.2.2 LEN=128 TOS=0x00 PREC=0x00 TTL=234 ID=15586 PROTO=ESP SPI=0xa7d839
optgoto=1310-1311; \
 regex=IN=(\w*) OUT=(\w*)( MAC=)?([\w:]+)?\s+SRC=([\d\.]+) DST=([\d\.]+) LEN=(\d+) TOS=(\w+) PREC=(\w+) TTL=(\d+) ID=(\d+) (CE )?(DF )?(MF )?(FRAG:\d+ )?(OPT \(\w+\) )?PROTO=(AH|ESP) (INCOMPLETE \[\d+ bytes\] )?SPI=(\w+); \
 classification.text=$17 packet matched; \
 id=1303; \
 revision=1; \
 analyzer(0).name=netfilter; \
 analyzer(0).manufacturer=www.netfilter.org; \
 analyzer(0).class=Firewall; \
 assessment.impact.completion=failed; \
 assessment.impact.type=other; \
 assessment.impact.description=Netfilter matched $17 packet $5 -> $6 SPI=$19 on interface $1$2 [TTL=$10]; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$5; \
 source(0).service.iana_protocol_name=$17; \
 target(0).interface=$1; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$6; \
 target(0).service.iana_protocol_name=$17; \
 last

#DESCRIPTION:Netfilter matched a packet of another protocol
#CATEGORY:Packet Filtering
#LOG:Oct 29 13:10:04 localhost kernel: [71575.889092] dropped by firewall (OUTPUT)IN= OUT=eth0 SRC=1.1.1.1 DST=2.2.2.2 LEN=116 TOS=0x00 PREC=0x00 TTL=255 ID=7628 DF PROTO=41
optgoto=1310-1311; \
 regex=IN=(\w*) OUT=(\w*)( MAC=)?([\w:]+)?\s+SRC=([\d\.]+) DST=([\d\.]+) LEN=(\d+) TOS=(\w+) PREC=(\w+) TTL=(\d+) ID=(\d+) (CE )?(DF )?(MF )?(FRAG:\d+ )?(OPT \(\w+\) )?PROTO=(\d+); \
 classification.text=$17 packet matched; \
 id=1304; \
 revision=1; \
 analyzer(0).name=netfilter; \
 analyzer(0).manufacturer=www.netfilter.org; \
 analyzer(0).class=Firewall; \
 assessment.impact.completion=failed; \
 assessment.impact.type=other; \
 assessment.impact.severity=medium; \
 assessment.impact.description=Netfilter matched packet with protocol $17 : $5 -> $6 on interface $1$2 [TTL=$10]; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$5; \
 source(0).service.iana_protocol_name=$17; \
 target(0).interface=$1; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$6; \
 target(0).service.iana_protocol_name=$17; \
 last
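The TCP rule above refers to its capture groups by number ($5/$6 for the addresses, $18/$19 for the ports, $10 for the TTL, $26 to $31 for the flags), and every optional group in the regex shifts that numbering, so a change to the pattern has to be checked against samples with and without the optional fields. As an added example (not part of the ruleset or of prelude-lml), the Python below applies the rule 1300 regex and the Drop/Accept prefix patterns of rules 1310 and 1311 to the #LOG samples quoted above, plus the PROTO=41 line of rule 1304 as a negative case, and resolves the groups the rule uses; the function and field names are this example's own.

```python
import re

# Regex of rule 1300 (TCP) copied from the ruleset above; the group numbers used
# below are the ones its assessment.impact.description refers to.
TCP_RE = re.compile(
    r"IN=(\w*) OUT=(\w*)( MAC=)?([\w:]+)?\s+SRC=([\d\.]+) DST=([\d\.]+) LEN=(\d+) "
    r"TOS=(\w+) PREC=(\w+) TTL=(\d+) ID=(\d+) (CE )?(DF )?(MF )?(FRAG:\d+ )?"
    r"(OPT \(\w+\) )?PROTO=TCP (INCOMPLETE \[\d+ bytes\] )?SPT=(\d+) DPT=(\d+) "
    r"(SEQ=\d+ ACK=\d+ )?WINDOW=(\d+) (RES=(\w+) )?(CWR )?(ECE )?(URG )?(ACK )?"
    r"(PSH )?(RST )?(SYN )?(FIN )?URGP=(\d+)"
)
# Rules 1310 / 1311: the verdict comes from the LOG prefix, matched case-insensitively.
DROP_RE = re.compile(r"[Dd][Rr][Oo][Pp].*PROTO=(UDP|TCP|ICMP|AH|ESP)")
ACCEPT_RE = re.compile(r"[Aa][Cc][Cc][Ee][Pp][Tt].*PROTO=(UDP|TCP|ICMP|AH|ESP)")

# Constructed sample input: the #LOG lines quoted above (the last is PROTO=41, not TCP).
SAMPLES = [
    "Oct 16 11:16:51 blah kernel: Drop IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 "
    "SRC=1.1.1.1 DST=2.2.2.2 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=12776 DF PROTO=TCP "
    "SPT=3979 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Oct 16 11:16:51 blah kernel: Drop IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 "
    "SRC=1.1.1.1 DST=2.2.2.2 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=12776 DF PROTO=TCP "
    "SPT=3979 DPT=139 WINDOW=65535 SYN URGP=0",
    "Oct 16 11:16:51 blah kernel: IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 "
    "SRC=1.1.1.1 DST=2.2.2.2 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=12776 DF PROTO=TCP "
    "SPT=3979 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Oct 29 13:10:04 localhost kernel: [71575.889092] dropped by firewall (OUTPUT)IN= OUT=eth0 "
    "SRC=1.1.1.1 DST=2.2.2.2 LEN=116 TOS=0x00 PREC=0x00 TTL=255 ID=7628 DF PROTO=41",
]


def parse_netfilter_tcp(line):
    """Resolve the fields rule 1300 uses; None when the line is not a TCP LOG entry."""
    m = TCP_RE.search(line)
    if m is None:
        return None
    g = m.group
    if DROP_RE.search(line):
        verdict = "dropped"            # rule 1310 would also fire
    elif ACCEPT_RE.search(line):
        verdict = "accepted"           # rule 1311 would also fire
    else:
        verdict = None                 # no prefix: only the generic rule fires
    return {
        "iface": (g(1) or "") + (g(2) or ""),   # $1$2: IN or OUT interface
        "src": g(5), "spt": int(g(18)),         # $5:$18
        "dst": g(6), "dpt": int(g(19)),         # $6:$19
        "ttl": int(g(10)),                      # $10
        "res": g(23),                           # inner group of (RES=(\w+) )?, None if absent
        "flags": [g(i).strip() for i in range(26, 32) if g(i)],   # $26..$31
        "verdict": verdict,
    }


if __name__ == "__main__":
    print("groups in rule 1300 regex:", TCP_RE.groups)
    for sample in SAMPLES:
        print(parse_netfilter_tcp(sample))
```

The second sample, which has no RES= field, is the interesting one: because the absent field is an optional group, the flag groups keep their numbers (SYN is still group 30) and the rule's $26-$31 references stay valid. An edit that removed the parentheses around `RES=(\w+) ` or added an unparenthesised alternative would silently renumber everything after it; running the samples through the regex after each change is how to catch that.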
# File: prelude-lml-rules-5.1.0/ruleset/unsupported/exim.rules

# Copyright (C) 2003 Laurent Oudot <oudot.laurent@wanadoo.fr>
# All Rights Reserved

#LOG:00:15:55 H=fmmailgate04.web.de [217.72.192.242] F=<xxx@xxxxxx> rejected RCPT andreas@xxxxxxxxxxx
# This regex needs to be corrected: it is anchored on a "YYYY-MM-DD HH:MM:SS"
# prefix that the sample line above does not carry, so it does not match it.
# More log samples are needed.
regex=^\d\d\d\d-\d\d-\d\d \d\d:\d\d:\d\d (.*) rejected; \
 classification.text=Mail server request rejected; \
 id=401; \
 revision=1; \
 analyzer(0).class=Service; \
 assessment.impact.severity=low; \
 assessment.impact.completion=failed; \
 assessment.impact.type=other; \
 assessment.impact.description=Exim refused a request : $1 rejected; \
 target(0).service.name=smtp; \
 last

# File: prelude-lml-rules-5.1.0/ruleset/unsupported/ipso.rules

#####
#
# Copyright (C) 2003 Vincent Glaume
# All Rights Reserved
# This ruleset is currently unmaintained. Contact the Prelude
# development team if you would like to maintain it.
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

#############################################################################
#
# This ruleset aims at analyzing the system logs of a Nokia appliance, as
# what can be found in simple.rules doesn't really fit this system.
#
#############################################################################

###
# I. Priority: alert
###

# 1. PAM alerts: often an authentication issue; high severity to comply with simple.rules
#LOG:Jan 10 22:24:39 deacon [LOG_ALERT] PAM_unix[3116]: check pass; user unknown
regex= (\w+) \[LOG_ALERT\] PAM_unix\[(\d+)\]: (.*); \
 classification.text=Firewall: PAM alert; \
 id=900; \
 revision=1; \
 analyzer(0).name=IPSO; \
 analyzer(0).manufacturer=Checkpoint; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=high; \
 assessment.impact.type=user; \
 assessment.impact.description=PAM: $3; \
 target(0).node.name=$1; \
 target(0).process.pid=$2; \
 last

# 2. Misc ALERT logs
# Catch-all for any other [LOG_ALERT] line. It must stay after the specific
# LOG_ALERT rules: every rule ends with "last", so the first match wins.
#LOG:Jan 10 22:24:39 deacon [LOG_ALERT] PAM_unix[3116]: check pass; user unknown
regex= (\w+) \[LOG_ALERT\]; \
 classification.text=Firewall: Misc. ALERT logs; \
 id=901; \
 revision=1; \
 analyzer(0).name=IPSO; \
 analyzer(0).manufacturer=Checkpoint; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=medium; \
 assessment.impact.type=other; \
 assessment.impact.description=ALERT log from $1; \
 target(0).node.name=$1; \
 last

###
# II. Priority: crit
###

# 1. Rebooting or halting the system: severity should depend on the machine ?
#LOG:Jan 16 14:12:42 spcssl [LOG_CRIT] reboot: rebooted by admin
regex= (\w+) \[LOG_CRIT\] reboot: rebooted by (\w+); \
 classification.text=Firewall: Reboot; \
 id=902; \
 revision=1; \
 analyzer(0).name=IPSO; \
 analyzer(0).manufacturer=Checkpoint; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=dos; \
 assessment.impact.description=$1 was rebooted; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$2; \
 last

#LOG:Nov 19 16:51:14 myfirewall [LOG_CRIT] reboot: Attempt to reboot by root
regex= (\w+) \[LOG_CRIT\] reboot: Attempt to reboot by (\w+); \
 classification.text=Firewall: Reboot attempt; \
 id=903; \
 revision=1; \
 analyzer(0).name=IPSO; \
 analyzer(0).manufacturer=Checkpoint; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=dos; \
 assessment.impact.description=$2 attempted to reboot $1; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$2; \
 last

#LOG:Dec 23 19:20:29 sb6 [LOG_CRIT] halt: halted by admin
regex= (\w+) \[LOG_CRIT\] halt: halted by (\w+); \
 classification.text=Firewall: Stopping system; \
 id=904; \
 revision=1; \
 analyzer(0).name=IPSO; \
 analyzer(0).manufacturer=Checkpoint; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=high; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=dos; \
 assessment.impact.description=$2 halted $1; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$2; \
 last

# No log sample; please submit
regex= (\w+) \[LOG_CRIT\] halt: System reboots approximately in (.*); \
 classification.text=Firewall: Reboot announce; \
 id=905; \
 revision=1; \
 analyzer(0).name=IPSO; \
 analyzer(0).manufacturer=Checkpoint; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=dos; \
 assessment.impact.description=$1 is about to reboot, in $2; \
 last

# 2. Installation failure
# No log sample; please submit
regex= (\w+) \[LOG_CRIT\] PKG_INSTALL: \**INSTALL/UPGRADE PROCESS FAILED\**; \
 classification.text=Firewall: Install/upgrade failure; \
 id=906; \
 revision=1; \
 analyzer(0).name=IPSO; \
 analyzer(0).manufacturer=Checkpoint; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=high; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=$1 installation failure; \
 last

# 3. Misc CRIT logs
# Catch-all; it must stay after the specific LOG_CRIT rules above, since
# every rule ends with "last" and the first match wins.
#LOG:Dec 23 19:20:29 sb6 [LOG_CRIT] halt: halted by admin
regex= (\w+) \[LOG_CRIT\]; \
 classification.text=Firewall: Misc. CRIT logs; \
 id=907; \
 revision=1; \
 analyzer(0).name=IPSO; \
 analyzer(0).manufacturer=Checkpoint; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=medium; \
 assessment.impact.type=other; \
 assessment.impact.description=CRIT log from $1; \
 target(0).node.name=$1; \
 last

###
# III. Priority: err
###

# 1. SMTP: mail rejection
# No log sample; please submit
regex= (\w+) \[LOG_ERR\] sSMTP mail\[(\d+)\]: smtp server didn't accept MAIL; \
 classification.text=Firewall: Unauthorized SMTP use; \
 id=908; \
 revision=1; \
 analyzer(0).name=IPSO; \
 analyzer(0).manufacturer=Checkpoint; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=failed; \
 assessment.impact.type=other; \
 assessment.impact.description=A mail was refused by the SMTP server of $1; \
 target(0).node.name=$1; \
 target(0).process.pid=$2; \
 target(0).process.name=mail; \
 last

# 2. SMTP: can't open port 25
# No log sample; please submit
regex= (\w+) \[LOG_ERR\] sSMTP mail\[(\d+)\]: can't open the smtp port \((\d+)\) on ([\d\.]+); \
 classification.text=Firewall: SMTP port failure; \
 id=909; \
 revision=1; \
 analyzer(0).name=IPSO; \
 analyzer(0).manufacturer=Checkpoint; \
 analyzer(0).class=Firewall; \
 assessment.impact.type=dos; \
 assessment.impact.severity=low; \
 assessment.impact.description=SMTP port #$3 could not be opened on $1; \
 target(0).node.name=$1; \
 target(0).process.pid=$2; \
 target(0).process.name=mail; \
 last

# 3. SMTP: can't connect to the SMTP service
# No log sample; please submit
regex= (\w+) \[LOG_ERR\] sSMTP mail\[(\d+)\]: unable to connect to "([\d\.]+)" port (\d+); \
 classification.text=Firewall: SMTP unreachable; \
 id=910; \
 revision=1; \
 analyzer(0).name=IPSO; \
 analyzer(0).manufacturer=Checkpoint; \
 analyzer(0).class=Firewall; \
 assessment.impact.type=dos; \
 assessment.impact.severity=low; \
 assessment.impact.description=$1 could not connect to the SMTP server $3:$4; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$3; \
 target(0).service.port=$4; \
 last

# 4. Misc ERR logs
# Catch-all; it must stay after the specific LOG_ERR rules above.
#LOG:Jan 31 12:17:19 IP650 [LOG_ERR] snmpd: Cannot find module (CheckPoint-MIB) : At line 1 in (none)
regex= (\w+) \[LOG_ERR\]; \
 classification.text=Firewall: Misc. ERR logs; \
 id=911; \
 revision=1; \
 analyzer(0).name=IPSO; \
 analyzer(0).manufacturer=Checkpoint; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=medium; \
 assessment.impact.type=other; \
 assessment.impact.description=ERR log from $1; \
 target(0).node.name=$1; \
 last

# File: prelude-lml-rules-5.1.0/ruleset/unsupported/zywall.rules

#####
#
# Copyright (C) 2002 Laurent Oudot <oudot.laurent@wanadoo.fr>
# This ruleset is currently unmaintained. Contact the Prelude
# development team if you would like to maintain it.
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

# ZyWall Firewall Support
# Thanks to Ernst Lopes Cardozo <e.lopes.cardozo@aranea.nl>
# for giving me access to many lines of syslog from a ZyWall.
# Enable logging to the syslog server with menu 24.3.2:
# specify a syslog server IP and a log facility level, and
# set the "Set firewall log" field to "YES".
# The trailing letter of the log line is the firewall action:
# B (blocked), F (forwarded) or N (matched, no action).

# No log sample; please submit
regex=FW (\d+\.\d+\.\d+\.\d+)\s*[:]?(\d+)?\s*\-\>(\d+\.\d+\.\d+\.\d+)\s*[:]?(\d+)?\s*\|(UDP|TCP|ICMP|IGMP|GRE|ESP)(.*)\|(.*)\|B; \
 classification.text=$5 packet blocked; \
 id=2400; \
 revision=1; \
 assessment.impact.completion=failed; \
 assessment.impact.type=other; \
 assessment.impact.severity=medium; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address = $1; \
 source(0).service.port = $2; \
 source(0).service.protocol = $5; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address = $3; \
 target(0).service.port = $4; \
 target(0).service.protocol = $5; \
 assessment.impact.description=$5$6 packet blocked from $1 port $2 to $3 port $4 [$7]; \
 last

# No log sample; please submit
regex=FW (\d+\.\d+\.\d+\.\d+)\s*[:]?(\d+)?\s*\-\>(\d+\.\d+\.\d+\.\d+)\s*[:]?(\d+)?\s*\|(UDP|TCP|ICMP|IGMP|GRE|ESP)(.*)\|(.*)\|F; \
 classification.text=$5 packet forwarded; \
 id=2401; \
 revision=1; \
 assessment.impact.completion=failed; \
 assessment.impact.type=other; \
 assessment.impact.severity=medium; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address = $1; \
 source(0).service.port = $2; \
 source(0).service.protocol = $5; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address = $3; \
 target(0).service.port = $4; \
 target(0).service.protocol = $5; \
 assessment.impact.description=$5$6 packet forwarded from $1 port $2 to $3 port $4 [$7]; \
 last

# No log sample; please submit
regex=FW (\d+\.\d+\.\d+\.\d+)\s*[:]?(\d+)?\s*\-\>(\d+\.\d+\.\d+\.\d+)\s*[:]?(\d+)?\s*\|(UDP|TCP|ICMP|IGMP|GRE|ESP)(.*)\|(.*)\|N; \
 classification.text=$5 packet matched; \
 id=2402; \
 revision=1; \
 assessment.impact.completion=failed; \
 assessment.impact.type=other; \
 assessment.impact.severity=medium; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address = $1; \
 source(0).service.port = $2; \
 source(0).service.protocol = $5; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address = $3; \
 target(0).service.port = $4; \
 target(0).service.protocol = $5; \
 assessment.impact.description=$5$6 packet matched from $1 port $2 to $3 port $4 [$7]; \
 last

# File: prelude-lml-rules-5.1.0/ruleset/unsupported/zyxel.rules

#####
#
# Copyright (C) 2003 Laurent Oudot <oudot.laurent@wanadoo.fr>
# All Rights Reserved
# This ruleset is currently unmaintained. Contact the Prelude
# development team if you would like to maintain it.
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

# See this page for references : http://www.zyxel.com/support/supportnote/p650/app/syslog.htm
# ZyXEL router support for Prelude-LML
# (should work with most ZynOS network devices)

# 1) CDR log : (call messages)
#LOG:Feb 14 16:57:17 192.168.1.1 ZyXEL Communications Corp.: board 0 line 0 channel 0, call 18, C01 Incoming Call OK
#LOG:Feb 14 17:07:18 192.168.1.1 ZyXEL Communications Corp.: board 0 line 0 channel 0, call 18, C02 Call Terminated

# 2) Packet triggered log : (just for info)
#LOG:Jul 19 11:28:39 192.168.102.2 ZyXEL Communications Corp.: Packet Trigger: Protocol=1, Data=4500003c100100001f010004c0a86614ca849a7b08004a5c020001006162636465666768696a6b6c6d6e6f7071727374
#LOG:Jul 19 11:28:56 192.168.102.2 ZyXEL Communications Corp.: Packet Trigger: Protocol=1, Data=4500002c1b0140001f06b50ec0a86614ca849a7b0427001700195b3e00000000600220008cd40000020405b4

# 3) Filter log :
# spo and dpo are hexadecimal port numbers (0035 in the sample is port 53).
#LOG:Jul 19 14:44:09 192.168.1.1 ZyXEL Communications Corp.: IP[Src=202.132.154.1 Dst=192.168.1.33 UDP spo=0035 dpo=05d4]}S03>R01mF
regex=ZyXEL Communications Corp.: IP\[Src=([0-9\.]+) Dst=([0-9\.]+) ([A-Z]+) spo=([0-9A-Fa-f]+) dpo=([0-9A-Fa-f]+).*S(\d{2})>R(\d{2})(.)(.); \
 classification.text=ZyXEL ip access; \
 id=37000; \
 revision=1; \
 assessment.impact.completion = failed; \
 assessment.impact.type = other; \
 assessment.impact.severity = medium; \
 assessment.impact.description= Someone probably tried to bypass filtering : $1 ($3 $4) -> $2 ($3 $5) ruleset $6 rule $7; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address = $1; \
 source(0).service.port = 0x$4; \
 source(0).service.protocol = $3; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address = $2; \
 target(0).service.port = 0x$5; \
 target(0).service.protocol = $3; \
 last

#LOG:Jul 19 14:44:13 192.168.1.1 ZyXEL Communications Corp.: IP[Src=192.168.1.33 Dst=202.132.154.1 ICMP]}S03>R01mF
regex=ZyXEL Communications Corp.: IP\[Src=([0-9\.]+) Dst=([0-9\.]+) ([A-Z]+)\].*S(\d{2})>R(\d{2})(.)(.); \
 classification.text=ZyXEL ip access; \
 id=37001; \
 revision=1; \
 assessment.impact.completion = failed; \
 assessment.impact.type = other; \
 assessment.impact.severity = medium; \
 assessment.impact.description= Someone probably tried to bypass filtering : $1 ($3) -> $2 ($3) ruleset $4 rule $5; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address = $1; \
 source(0).service.protocol = $3; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address = $2; \
 target(0).service.protocol = $3; \
 last

# 4) PPP Log :
#LOG:Jul 19 11:43:25 192.168.1.1 ZyXEL Communications Corp.: ppp:LCP Starting
#LOG:Jul 19 11:43:43 192.168.1.1 ZyXEL Communications Corp.: ppp:IPCP Opening
#LOG:Jul 19 11:43:51 192.168.1.1 ZyXEL Communications Corp.: ppp:CCP Opening
#LOG:Jul 19 11:44:14 192.168.1.1 ZyXEL Communications Corp.: ppp:BACP Closing
regex=ZyXEL Communications Corp.: ppp:(LCP|IPCP|CCP|BACP) (Starting|Opening|Closing); \
 classification.text=ZyXEL PPP $2; \
 id=37002; \
 revision=1; \
 assessment.impact.type = other; \
 assessment.impact.severity = low; \
 assessment.impact.description=$2 $1 connection; \
 last
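Every rule in the rulesets above is preceded by the `#LOG:` lines it was written against, which makes a ruleset self-checking: a rule whose regex does not match its own sample is broken before it ever sees live traffic. The script below is an added example and is not part of prelude-lml-rules. It parses the rule syntax used in this repository (one `key=value;` statement per line, continued with a trailing backslash, closed by a bare `last`), pairs each rule with the samples above it, runs the regex and expands the `$N` references of `assessment.impact.description`. The embedded rule text is a constructed excerpt mirroring the netfilter rule 1303 and the two IPSO `LOG_ALERT` rules, the second with a `regex=` prefix accidentally duplicated into the pattern; Python's `re` stands in for the PCRE engine prelude-lml links against, and the patterns here use only syntax the two share.

```python
"""Self-check prelude-lml rules against their own #LOG: samples.

Added example; it is not part of prelude-lml-rules. It parses the
ruleset syntax used in this repository (one "key=value;" statement per
line, continued with a trailing backslash, closed by a bare "last"),
pairs each rule with the #LOG: lines that precede it, runs the rule's
regex over them and expands the $N references of
assessment.impact.description the way prelude-lml does. Python's re
module stands in for the PCRE engine prelude-lml links against.
"""
import re

# Constructed excerpt mirroring rules in this repository: netfilter rule
# 1303 with its sample, and the two IPSO LOG_ALERT rules, the second one
# carrying a "regex=" prefix accidentally duplicated into the pattern.
SAMPLE_RULES = r"""
#LOG:Oct 20 17:13:25 blah kernel: Drop IN=ppp0 OUT= MAC= SRC=1.1.1.1 DST=2.2.2.2 LEN=128 TOS=0x00 PREC=0x00 TTL=234 ID=15586 PROTO=ESP SPI=0xa7d839
optgoto=1310-1311; \
 regex=IN=(\w*) OUT=(\w*)( MAC=)?([\w:]+)?\s+SRC=([\d\.]+) DST=([\d\.]+) LEN=(\d+) TOS=(\w+) PREC=(\w+) TTL=(\d+) ID=(\d+) (CE )?(DF )?(MF )?(FRAG:\d+ )?(OPT \(\w+\) )?PROTO=(AH|ESP) (INCOMPLETE \[\d+ bytes\] )?SPI=(\w+); \
 id=1303; \
 assessment.impact.description=Netfilter matched $17 packet $5 -> $6 SPI=$19 on interface $1$2 [TTL=$10]; \
 last

#LOG:Jan 10 22:24:39 deacon [LOG_ALERT] PAM_unix[3116]: check pass; user unknown
regex= (\w+) \[LOG_ALERT\] PAM_unix\[(\d+)\]: (.*); \
 id=900; \
 assessment.impact.description=PAM: $3; \
 last

#LOG:Jan 10 22:24:39 deacon [LOG_ALERT] PAM_unix[3116]: check pass; user unknown
regex=regex= (\w+) \[LOG_ALERT\]; \
 id=901; \
 assessment.impact.description=ALERT log from $1; \
 last
"""

REF = re.compile(r"\$(\d+)")


def parse_rules(text):
    """Return a list of {"id", "fields", "logs"} dicts, one per rule."""
    rules, logs, fields = [], [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#LOG:"):
            logs.append(line[5:].strip())
            continue
        if not line or line.startswith("#"):
            continue
        stmt = line.rstrip("\\").strip().rstrip(";")
        if stmt == "last":
            rules.append({"id": fields.get("id"), "fields": fields, "logs": logs})
            logs, fields = [], {}
            continue
        key, _, value = stmt.partition("=")
        # keep the value verbatim: the leading space in "regex= (\w+) ..." matters
        fields[key.strip()] = value
    return rules


def expand(template, match):
    """Replace $N in template with capture group N (empty if unset or absent)."""
    def group(ref):
        n = int(ref.group(1))
        return (match.group(n) or "") if n <= match.re.groups else ""
    return REF.sub(group, template)


def check_rule(rule):
    """Run the rule's regex over each of its #LOG: samples.

    Returns [(log, groups, description)]; groups and description are None
    when the regex does not match its own sample, which is the defect this
    check exists to surface.
    """
    pattern = re.compile(rule["fields"]["regex"])
    template = rule["fields"].get("assessment.impact.description", "")
    results = []
    for log in rule["logs"]:
        m = pattern.search(log)
        results.append((log, None, None) if m is None
                       else (log, m.groups(), expand(template, m)))
    return results


def self_check(text):
    """Return [(rule id, [True for each sample the regex matches])]."""
    return [(r["id"], [g is not None for _, g, _ in check_rule(r)])
            for r in parse_rules(text)]


if __name__ == "__main__":
    for rule in parse_rules(SAMPLE_RULES):
        for log, groups, desc in check_rule(rule):
            ok = groups is not None
            print("OK  " if ok else "FAIL", "id=" + str(rule["id"]),
                  desc if ok else "regex does not match its #LOG: sample")
```

Run against a whole ruleset directory (read each file and call `self_check`) it complements the `prelude-lml-rules-check` script at the top of this archive, which only checks ids for duplicates: here rule 901 is reported as failing because the leaked `regex=` text is searched for literally in the log line, while rule 1303 shows the expanded description with the unmatched optional groups rendered empty.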
# File: prelude-lml-rules-5.1.0/ruleset/cisco-ips-2.rules

#FULLNAME: Cisco IPS 2
#VERSION: 1.0
#DESCRIPTION: Cisco Intrusion Prevention System (IPS) is an inline, deep-packet inspection feature that effectively mitigates a wide range of network attacks. These rules monitor Cisco IPS version 7.1.x.
#The rules included here were developed using a Cisco IPS module running on an ASA.
#Special configuration is needed for this support:
#* In your IDM interface, "SNMP" -> "Traps Configuration", the "Enable SNMP Traps"
#  box must be on. "Enable detailed traps for alerts" can be on or off.
#* In your IDM interface, "Signature Definition" -> "Signature Configuration",
#  all of the ENABLED signatures must be modified: use the "Enabled" button to
#  select all the enabled signatures, then press the "Actions" button and
#  turn the "Request SNMP Trap" box on.
#* On your Prelude system, run snmptrapd using this command:
#  "snmptrapd -Ls 20 -Osq"

#####
#
# Copyright (C) 2012 Seguridadx <operador@seguridadx.com>
# twitter: www.twitter.com/seguridad_x
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

#DESCRIPTION:Cisco IPS event
#CATEGORY:Generic IDS/IPS
#LOG:Apr 17 13:42:01 localhost snmptrapd[1209]: 2012-04-17 13:42:01 ids.xx.xx [UDP: [xx.xx.xx.xx]:xx->[xx.xx.xx.xx]]:#012iso.3.6.1.2.1.1.3.0 0:0:00:02.30#011iso.3.6.1.6.3.1.1.4.1.0 iso.3.6.1.4.1.9.9.383.0.2#011iso.3.6.1.4.1.9.9.383.1.1.1 1334191109271607011#011iso.3.6.1.4.1.9.9.383.1.1.2 "07 DC 04 11 0D 2A 01 00 "#011iso.3.6.1.4.1.9.9.383.1.1.3 "07 DC 04 11 10 2A 01 00 "#011iso.3.6.1.4.1.9.9.383.1.1.4.0 "xxx"#011iso.3.6.1.4.1.9.9.383.1.3.1.0 "xxx"#011iso.3.6.1.4.1.9.9.383.1.3.2.0 14#011iso.3.6.1.4.1.9.9.383.1.3.3 "Unknown control transaction name#012Messages, like this one, in the category - ct to sensorApp timed out - were logged 1 times in the last 0 seconds."
# The count in 1.3.2.0 is printed unquoted in the sample above, so the
# capture accepts it with or without surrounding quotes.
regex=snmptrapd\[(\d+)]:+.+9.9.383.1.1.4.0 "(\S+)"+.+9.9.383.1.3.1.0 "(\S+)"+.+.9.9.383.1.3.2.0 "?(\d+)"?; \
 classification.text=$3; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=ips_id; \
 id=5006; \
 revision=0; \
 analyzer(0).name=IPS; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=IDS; \
 analyzer(0).node.name=$2; \
 assessment.impact.severity=high; \
 assessment.impact.description=This event was generated by the Cisco IPS; \
 additional_data(0).type=string; \
 additional_data(0).meaning=$3:; \
 additional_data(0).data=$4; \
 last

#DESCRIPTION:Cisco IPS event - Enable detailed traps for alerts
#CATEGORY:Generic IDS/IPS
#LOG:Apr 16 17:26:02 localhost snmptrapd[1209]: 2012-04-16 17:26:02 ids.xxx.xxx.com [UDP: [xx.xx.xx.xx]:xxxx->[xx.xx.xx.xx]:#012iso.3.6.1.2.1.1.3.0 4:23:47:30.17#011iso.3.6.1.6.3.1.1.4.1.0 iso.3.6.1.4.1.9.9.383.0.1#011iso.3.6.1.4.1.9.9.383.1.1.1 1334176696938219122#011iso.3.6.1.4.1.9.9.383.1.1.2 "07 DC 04 10 11 1A 02 00 "#011iso.3.6.1.4.1.9.9.383.1.1.3 "07 DC 04 10 14 1A 02 00 "#011iso.3.6.1.4.1.9.9.383.1.1.4.0 "ids-xxx"#011iso.3.6.1.4.1.9.9.383.1.2.1 "informational"#011iso.3.6.1.4.1.9.9.383.1.2.2 2147483648#011iso.3.6.1.4.1.9.9.383.1.2.3 "This Signature Is A Metacomponent"#011iso.3.6.1.4.1.9.9.383.1.2.4 "Windows Image Color Management System RCE"#011iso.3.6.1.4.1.9.9.383.1.2.5 6984#011iso.3.6.1.4.1.9.9.383.1.2.6 2#011iso.3.6.1.4.1.9.9.383.1.2.7 "S351"#011iso.3.6.1.4.1.9.9.383.1.2.12 0#011iso.3.6.1.4.1.9.9.383.1.2.13 80#011iso.3.6.1.4.1.9.9.383.1.2.14 "d3cucmFkaW9zaW50ZXJuZXQuY29tDQpWaWE6IDEuMSBzMTk2Y2I2NC5iYW5j#012by5icm91LmNvbS51eTo4MDgwIChJV1NTKSwgMS4xIHByb3h5LmRuc2ludC5i#012cm91LmNvbS51eSAoc3F1aWQpLCAxLjAgczE5NmNhNjE6ODAwOCAoSVdTUykN#012ClN1cnJvZ2F0ZS1DYXBhYmlsaXR5OiB1bnNldC1pZD0iU3Vycm9nYXRlLzEu#012MCBFU0kvMS4wIg0KWC1Gb3J3YXJkZWQtRm9yOiAxNzIuMjAuNDAuMjMNCkNh#012Y2hlLUNvbnRyb2w6IG1heC1hZ2U9MjU5MjAwDQoNCg=="#011iso.3.6.1.4.1.9.9.383.1.2.15 "EAASAAAAAAAAAGUAAAAAAACQRwAAQBIAAAAAAACI//8AAAAAAFD7/wBw/v8A#012AAAAALQAAAAAAAAAYOv/ADD7/wC4AAAAAAEA/y0AAAAAAQAAAAAAAAAAAAAM#012AAAAAAAAgAMAAAAHAAD6WV4AI5T+/yHj+/8AAAEAfZIAAKXkAADFxwEAAAAB#012AL6XAQCgrQEAAAABAOCbAQApAAAA/wAAAH0AAAD/AAAA/wAAAP8AAAD/AAAA#012/wAAAP8AAAD/AAAAkQAAABoAAAAZAAAAtQAAAN0AAACpAAAAEgAAACkAAAD/#012AAAAPQAAAAIAAAAQAAAAEgAAAAAAAAAAAGUAAAAAAA=="#011iso.3.6.1.4.1.9.9.383.1.2.16 "xx.xx.xx.xx:xx"#011iso.3.6.1.4.1.9.9.383.1.2.17 "osIdSource=\"unknown\" osRelevance=\"unknown\" osType=\"unknown\" xx.xx.xx.xx:xxx"#011iso.3.6.1.4.1.9.9.383.1.2.25 0#011iso.3.6.1.4.1.9.9.383.1.2.26 0#011iso.3.6.1.4.1.9.9.383.1.2.27 6#011iso.3.6.1.4.1.9.9.383.1.2.42 0
# Variant without a victim port: 1.2.17.0 ends with the bare address.
regex=snmptrapd\[(\d+)]:+.+9.9.383.1.1.4.0 "(\S+)"+.+.9.9.383.1.2.4.0 "([\S ]+)"+.+.9.9.383.1.2.5.0 (\d+)+.+9.9.383.1.2.6.0 (\d+)+.+9.9.383.1.2.16.0 "([\d\.]+):(\d+)"+.+9.9.383.1.2.17.0 "osIdSource=\\"([\S ]+)\\" osRelevance=\\"([\S ]+)\\" osType=\\"([\S ]+)\\" ([\d\.]+)"+.+9.9.383.1.3.1.0 "informational"; \
 classification.text=$3; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=ips_id; \
 classification.reference(0).name=$4.$5; \
 classification.reference(0).url=http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=$4&signatureSubId=$5; \
 id=5001; \
 revision=2; \
 analyzer(0).name=IPS; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=IDS; \
 analyzer(0).node.name=$2; \
 assessment.impact.severity=info; \
 assessment.impact.description=This event was generated by the Cisco IPS; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$6; \
 source(0).service.port=$7; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$11; \
 # target(0).service.port=$12; \
 additional_data(0).type=string; \
 additional_data(0).meaning=osIdSource:; \
 additional_data(0).data=$8; \
 additional_data(1).type=string; \
 additional_data(1).meaning=osRelevance:; \
 additional_data(1).data=$9; \
 additional_data(2).type=string; \
 additional_data(2).meaning=osType:; \
 additional_data(2).data=$10; \
 additional_data(3).type=string; \
 additional_data(3).meaning=Cisco Signature Template:; \
 additional_data(3).data=http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=$4&signatureSubId=$5; \
 last

#DESCRIPTION:Cisco IPS event
#CATEGORY:Generic IDS/IPS
# Same as 5001, with a victim port after the address in 1.2.17.0.
regex=snmptrapd\[(\d+)]:+.+9.9.383.1.1.4.0 "(\S+)"+.+.9.9.383.1.2.4.0 "([\S ]+)"+.+.9.9.383.1.2.5.0 (\d+)+.+9.9.383.1.2.6.0 (\d+)+.+9.9.383.1.2.16.0 "([\d\.]+):(\d+)"+.+9.9.383.1.2.17.0 "osIdSource=\\"([\S ]+)\\" osRelevance=\\"([\S ]+)\\" osType=\\"([\S ]+)\\" ([\d\.]+):(\d+)"+.+9.9.383.1.3.1.0 "informational"; \
 classification.text=$3; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=ips_id; \
 classification.reference(0).name=$4.$5; \
 classification.reference(0).url=http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=$4&signatureSubId=$5; \
 id=5002; \
 revision=2; \
 analyzer(0).name=IPS; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=IDS; \
 analyzer(0).node.name=$2; \
 assessment.impact.severity=info; \
 assessment.impact.description=This event was generated by the Cisco IPS; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$6; \
 source(0).service.port=$7; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$11; \
 target(0).service.port=$12; \
 additional_data(0).type=string; \
 additional_data(0).meaning=osIdSource:; \
 additional_data(0).data=$8; \
 additional_data(1).type=string; \
 additional_data(1).meaning=osRelevance:; \
 additional_data(1).data=$9; \
 additional_data(2).type=string; \
 additional_data(2).meaning=osType:; \
 additional_data(2).data=$10; \
 additional_data(3).type=string; \
 additional_data(3).meaning=Cisco Signature Template:; \
 additional_data(3).data=http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=$4&signatureSubId=$5; \
 last
#DESCRIPTION:Cisco IPS event
#CATEGORY:Generic IDS/IPS
#LOG:Jan 25 12:41:14 localhost snmptrapd[15882]: 2012-01-25 12:41:14 ids.xxx.xxx.xxx [UDP: [xx.xx.xx.xx]:xxx->[xx.xx.xx.xx]]:#012iso.3.6.1.2.1.1.3.0 13:3:16:47.87#011iso.3.6.1.6.3.1.1.4.1.0 iso.3.6.1.4.1.9.9.383.0.1#011iso.3.6.1.4.1.9.9.383.1.1.1 1269399301253822810#011iso.3.6.1.4.1.9.9.383.1.1.2 "07 DC 01 19 0C 2A 27 00 "#011iso.3.6.1.4.1.9.9.383.1.1.3 "07 DC 01 19 0E 2A 27 00 "#011iso.3.6.1.4.1.9.9.383.1.1.4.0 "ids-xx"#011iso.3.6.1.4.1.9.9.383.1.2.1 "low"#011iso.3.6.1.4.1.9.9.383.1.2.2 2147483648#011iso.3.6.1.4.1.9.9.383.1.2.4 "TCP Option Other"#011iso.3.6.1.4.1.9.9.383.1.2.5 1306#011iso.3.6.1.4.1.9.9.383.1.2.6 0#011iso.3.6.1.4.1.9.9.383.1.2.16 "xx.xx.xx.xx:xxx"#011iso.3.6.1.4.1.9.9.383.1.2.17 "xx.xx.xx.xx:xx"
# Victim without a port. The 1.2.17.0 value may carry osIdSource/osRelevance/osType
# attributes in front of the address, so the address capture is anchored on the
# whitespace that precedes it; a greedy ".+" directly before "([\d\.]+)" would
# leave only the last digit of the address in the capture. This regex has no
# port group, so no target port is set.
regex=snmptrapd\[(\d+)]:+.+9.9.383.1.1.4.0 "(\S+)"+.+.9.9.383.1.2.4.0 "([\S ]+)"+.+.9.9.383.1.2.5.0 (\d+)+.+9.9.383.1.2.6.0 (\d+)+.+9.9.383.1.2.16.0 "([\d\.]+):(\d+)"+.+9.9.383.1.2.17.0 "+(?:.*?\s)?([\d\.]+)"+.+9.9.383.1.3.1.0 "informational"; \
 classification.text=$3; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=ips_id; \
 classification.reference(0).name=$4.$5; \
 classification.reference(0).url=http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=$4&signatureSubId=$5; \
 id=5003; \
 revision=2; \
 analyzer(0).name=IPS; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=IDS; \
 analyzer(0).node.name=$2; \
 assessment.impact.severity=info; \
 assessment.impact.description=This event was generated by the Cisco IPS; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$6; \
 source(0).service.port=$7; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$8; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Cisco Signature Template:; \
 additional_data(0).data=http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=$4&signatureSubId=$5; \
last #DESCRIPTION:Cisco IPS event #CATEGORY:Generic IDS/IPS regex=snmptrapd\[(\d+)]:+.+9.9.383.1.1.4.0 "(\S+)"+.+.9.9.383.1.2.4.0 "([\S ]+)"+.+.9.9.383.1.2.5.0 (\d+)+.+9.9.383.1.2.6.0 (\d+)+.+9.9.383.1.2.16.0 "([\d\.]+):(\d+)"+.+9.9.383.1.2.17.0 "+.+([\d\.]+):(\d+)"+.+9.9.383.1.3.1.0 "informational"; \ classification.text=$3; \ classification.reference(0).origin=vendor-specific; \ classification.reference(0).meaning=ips_id; \ classification.reference(0).name=$4.$5; \ classification.reference(0).url=http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=$4&signatureSubId=$5; \ id=5004; \ revision=2; \ analyzer(0).name=IPS; \ analyzer(0).manufacturer=Cisco; \ analyzer(0).class=IDS; \ analyzer(0).node.name=$2; \ assessment.impact.severity=info; \ assessment.impact.description=This event was generated by the Cisco IPS; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$6; \ source(0).service.port=$7; \ target(0).node.address(0).category=ipv4-addr; \ target(0).node.address(0).address=$8; \ target(0).service.port=$9; \ additional_data(0).type=string; \ additional_data(0).meaning=Cisco Signature Template:; \ additional_data(0).data=http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=$4&signatureSubId=$5; \ last #DESCRIPTION:Cisco IPS event #CATEGORY:Generic IDS/IPS #LOG:Sep 7 18:41:43 prelude-siem snmptrapd[1595]: 2012-09-07 18:41:43 ids-Bunker [UDP: [192.168.161.57]:45187->[192.168.160.37]]:#012sysUpTimeInstance 0:1:03:53.53#011snmpTrapOID.0 enterprises.9.9.383.0.1#011enterprises.9.9.383.1.1.1.0 6823118324776#011enterprises.9.9.383.1.1.2.0 "07 DC 09 07 13 25 3A 00 "#011enterprises.9.9.383.1.1.3.0 "07 DC 09 07 15 25 3A 00 "#011enterprises.9.9.383.1.1.4.0 "ids-Bunker"#011enterprises.9.9.383.1.2.2.0 2147483648#011enterprises.9.9.383.1.2.3.0 "SELECT...FROM"#011enterprises.9.9.383.1.2.4.0 "SQL Query in HTTP Request"#011enterprises.9.9.383.1.2.5.0 5474#011enterprises.9.9.383.1.2.6.0 
0#011enterprises.9.9.383.1.2.7.0 "S585"#011enterprises.9.9.383.1.2.13.0 0#011enterprises.9.9.383.1.2.15.0 "R0VUIGh0dHA6Ly91Y3MucXVlcnkueWFob28uY29tL3YxL2NvbnNvbGUveXFs#012P3E9c2VsZWN0JTIwaW1hZ2VVcmwlMjBmcm9tJTIwc29jaWFsLnByb2ZpbA=="#011enterprises.9.9.383.1.2.16.0 "10.199.43.146:2422"#011enterprises.9.9.383.1.2.17.0 "osIdSource=\"learned\" osRelevance=\"relevant\" osType=\"linux\" 172.20.40.22:8080"#011enterprises.9.9.383.1.2.25.0 47#011enterprises.9.9.383.1.2.26.0 0#011enterprises.9.9.383.1.2.27.0 6#011enterprises.9.9.383.1.2.42.0 47#011enterprises.9.9.383.1.2.49.0 "vs0"#011enterprises.9.9.383.1.3.1.0 "low" regex=snmptrapd\[(\d+)]:+.+9.9.383.1.1.4.0 "(\S+)"+.+9.9.383.1.2.4.0 "([\S ]+)"+.+9.9.383.1.2.5.0 (\d+)+.+9.9.383.1.2.6.0 (\d+)+.+9.9.383.1.2.16.0 "([\d\.]+):(\d+)"+.+9.9.383.1.2.17.0 "+.+([\d\.]+):(\d+)"+.+9.9.383.1.3.1.0 "(\S+)"; \ classification.text=$4; \ classification.reference(0).origin=vendor-specific; \ classification.reference(0).meaning=ips_id; \ classification.reference(0).name=$4.$5; \ classification.reference(0).url=http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=$4&signatureSubId=$5; \ id=5005; \ revision=1; \ analyzer(0).name=IPS; \ analyzer(0).manufacturer=Cisco; \ analyzer(0).class=IDS; \ analyzer(0).node.name=$2; \ assessment.impact.severity=$10; \ assessment.impact.description=This event was generated by the Cisco IPS; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$6; \ source(0).service.port=$7; \ target(0).node.address(0).category=ipv4-addr; \ target(0).node.address(0).address=$8; \ target(0).service.port=$9; \ additional_data(0).type=string; \ additional_data(0).meaning=Cisco Signature Template:; \ additional_data(0).data=http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=$4&signatureSubId=$5; \ last 
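Each rule above maps the capture groups of its regex= line onto $N references in the IDMEF assignments, so two defects stay silent until an alert comes out wrong: a $N that points past the last capture group, and a regex that no longer matches the rule's own #LOG sample (rule 5003 expects OIDs with a trailing .0 and a 1.3.1.0 severity varbind that its sample does not carry). The following added example, not part of prelude-lml-rules, parses a rule in this format, expands the references over its sample lines and reports both problems; rule 5000 from cisco-ips.rules is embedded as the input, abridged to the assignments that use capture groups, and the treatment of an unmatched optional group is this script's assumption rather than Prelude-LML's documented behaviour.

```python
"""Check a Prelude-LML rule against its own #LOG samples.

Added example, not part of prelude-lml-rules. Rule 5000 and its #LOG lines
are copied from cisco-ips.rules, abridged to the assignments that use capture
groups. Leaving a field unset when its optional group is missing, and
flagging $N past the last group, are this script's choices (assumption),
not necessarily what the Prelude-LML engine does.
"""
import re

RULE_5000 = r'''#DESCRIPTION:Cisco IPS event
#CATEGORY:Generic IDS/IPS
#LOG:Nov 22 10:04:09 SOMEHOST snmptrapd[28547]: 2006-11-22 10:04:09 somehost.somedomain.com [192.168.134.193]: sysUpTime.0 54:17:25:06.49 snmpTrapOID.0 enterprises.9.9.383.0.1 enterprises.9.9.383.1.1.1 1159501964404429847 enterprises.9.9.383.1.1.2 "07 D6 0B 16 0A 04 0F 00 " enterprises.9.9.383.1.1.3 "07 D6 0B 16 12 04 0F 00 " enterprises.9.9.383.1.1.4 "SOMEHOST" enterprises.9.9.383.1.2.1 "low" enterprises.9.9.383.1.2.2 2147483648 enterprises.9.9.383.1.2.4 "ICMP Network Sweep w/Echo"enterprises.9.9.383.1.2.5 2100 enterprises.9.9.383.1.2.6 0 enterprises.9.9.383.1.2.16 "192.168.134.30" enterprises.9.9.383.1.2.17 "192.168.129.28"
#LOG:Nov 22 10:04:01 SOMEHOST snmptrapd[28547]: 2006-11-22 10:04:01 somehost.somedomain.com [192.168.134.193]: sysUpTime.0 54:17:24:58.20 snmpTrapOID.0 enterprises.9.9.383.0.1 enterprises.9.9.383.1.1.1 1159501964404429845 enterprises.9.9.383.1.1.2 "07 D6 0B 16 0A 04 07 00 " enterprises.9.9.383.1.1.3 "07 D6 0B 16 12 04 07 00 " enterprises.9.9.383.1.1.4 "SOMEHOST" enterprises.9.9.383.1.2.1 "medium" enterprises.9.9.383.1.2.2 2147483648 enterprises.9.9.383.1.2.4 "Web Client Remote Code Execution Vulnerability" enterprises.9.9.383.1.2.5 5732 enterprises.9.9.383.1.2.6 2 enterprises.9.9.383.1.2.16 "192.168.129.29:0" enterprises.9.9.383.1.2.17 "0.0.0.0:0"
regex=(\S+) \[([\d\.]+)\]:.+enterprises.9.9.383.1.2.1 "(low|medium|high)".+enterprises.9.9.383.1.2.4 "(.+?)"\s*enterprises.9.9.383.1.2.5 (\d+)\s+enterprises.9.9.383.1.2.6 (\d+).+enterprises.9.9.383.1.2.16 "([\d\.]+):?(\d+)?"\s+enterprises.9.9.383.1.2.17 "([\d\.]+):?(\d+)?"; \
 classification.text=$4; \
 classification.reference(0).name=$5.$6; \
 classification.reference(0).url=http://tools.cisco.com/MySDN/Intelligence/viewSignature.x?signatureId=$5&signatureSubId=$6; \
 id=5000; \
 analyzer(0).node.name=$1; \
 analyzer(0).node.address(0).address=$2; \
 assessment.impact.severity=$3; \
 source(0).node.address(0).address=$7; \
 source(0).service.port=$8; \
 target(0).node.address(0).address=$9; \
 target(0).service.port=$10; \
 last
'''

GROUP_REF = re.compile(r"\$(\d+)")


def parse_rule(text):
    """Split one rule block into (#LOG samples, regex, {field: value})."""
    logs, body = [], []
    for line in text.splitlines():
        if line.startswith("#LOG:"):
            logs.append(line[5:])
        elif not line.startswith("#"):
            body.append(line)
    # A trailing backslash continues the statement list on the next line.
    joined = "\n".join(body).replace("\\\n", " ")
    pattern, assigns = None, {}
    for stmt in (s.strip() for s in joined.split(";")):
        if not stmt or stmt == "last":
            continue
        key, _, value = stmt.partition("=")  # values (URLs) may contain '='
        if key == "regex":
            pattern = value
        else:
            assigns[key] = value
    return logs, pattern, assigns


def bad_group_refs(pattern, assigns):
    """$N references that point past the regex's last capture group."""
    ngroups = re.compile(pattern).groups
    return [(key, int(n)) for key, value in assigns.items()
            for n in GROUP_REF.findall(value) if int(n) > ngroups]


def apply_rule(pattern, assigns, logline):
    """Expand every $N from one matching log line; None if no match.

    An assignment whose group did not take part in the match (the port in
    "192.168.134.30") is left unset instead of becoming an empty string.
    """
    m = re.search(pattern, logline)
    if m is None:
        return None
    fields = {}
    for key, value in assigns.items():
        refs = [int(n) for n in GROUP_REF.findall(value)]
        if any(n > m.re.groups or m.group(n) is None for n in refs):
            continue
        fields[key] = GROUP_REF.sub(lambda r: m.group(int(r.group(1))), value)
    return fields


def lint_rule(text):
    """What a maintainer wants to know before shipping a rule."""
    logs, pattern, assigns = parse_rule(text)
    ngroups = re.compile(pattern).groups
    problems = [f"{key} uses ${n} but the regex has only {ngroups} groups"
                for key, n in bad_group_refs(pattern, assigns)]
    for i, logline in enumerate(logs, 1):
        if re.search(pattern, logline) is None:
            problems.append(f"#LOG sample {i} is not matched by the regex")
    return problems


if __name__ == "__main__":
    logs, pattern, assigns = parse_rule(RULE_5000)
    print("lint:", lint_rule(RULE_5000) or "clean")
    for logline in logs:
        print(apply_rule(pattern, assigns, logline))
```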
prelude-lml-rules-5.1.0/ruleset/cisco-ips-4200.rules
#FULLNAME: Cisco IPS 4200
#VERSION: 1.0
#DESCRIPTION: Cisco IPS 4200 series is a network security appliance that monitors network and/or system activities for malicious activity.
#The rules included here were developed using a Cisco IPS module running on an ASA.
#Special configuration is needed for this support:
#* In your IDM interface, "SNMP" -> "Traps Configuration", "Enable SNMP Traps"
# box must be on. "Enable detailed traps for alerts" can be on or off.
#* In your IDM interface, "Signature Definition" -> "Signature Configuration",
# all of the ENABLED rules must be modified using the "Enabled" button, and
# select all the enabled signatures followed by the "Actions" button, and
# click the "Request SNMP Trap" box on.
#* On your Prelude system, run snmptrapd using this command:
# "snmptrapd -Ls 16 -Osq"
#####
#
# Copyright (C) 2006 G Ramon Gomez <gene at gomezbrothers dot com>
# Ragingwire Enterprise Solutions (www.ragingwire.com)
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

#DESCRIPTION:Cisco IPS 4200 event
#CATEGORY:Generic IDS/IPS
#LOG:Apr 17 13:42:01 localhost snmptrapd[1209]: 2012-04-17 13:42:01 ids.xx.xx [UDP: [xx.xx.xx.xx]:xx->[xx.xx.xx.xx]]:#012iso.3.6.1.2.1.1.3.0 0:0:00:02.30#011iso.3.6.1.6.3.1.1.4.1.0 iso.3.6.1.4.1.9.9.383.0.2#011iso.3.6.1.4.1.9.9.383.1.1.1 1334191109271607011#011iso.3.6.1.4.1.9.9.383.1.1.2 "07 DC 04 11 0D 2A 01 00 "#011iso.3.6.1.4.1.9.9.383.1.1.3 "07 DC 04 11 10 2A 01 00 "#011iso.3.6.1.4.1.9.9.383.1.1.4 "xxx"#011iso.3.6.1.4.1.9.9.383.1.3.1 "xxx"#011iso.3.6.1.4.1.9.9.383.1.3.2 14#011iso.3.6.1.4.1.9.9.383.1.3.3 "Unknown control transaction name#012Messages, like this one, in the category - ct to sensorApp timed out - were logged 1 times in the last 0 seconds."
regex=snmptrapd\[(\d+)]:+.+9.9.383.1.1.4 "(\S+)"+.+9.9.383.1.3.1 "(\S+)"+.+.9.9.383.1.3.2 (\d+); \
 classification.text=$3; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=ips_id; \
 id=5400; \
 revision=0; \
 analyzer(0).name=IPS; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=IDS; \
 analyzer(0).node.name=$2; \
 assessment.impact.severity=high; \
 assessment.impact.description=This event was generated by the Cisco IPS; \
 additional_data(0).type=string; \
 additional_data(0).meaning=$3:; \
 additional_data(0).data=$4; \
 last

#DESCRIPTION:Cisco IPS 4200 event - Enable detailed traps for alerts
#CATEGORY:Generic IDS/IPS
#LOG:Apr 16 17:26:02 localhost snmptrapd[1209]: 2012-04-16 17:26:02 ids.xxx.xxx.com [UDP: [xx.xx.xx.xx]:xxxx->[xx.xx.xx.xx]:#012iso.3.6.1.2.1.1.3.0 4:23:47:30.17#011iso.3.6.1.6.3.1.1.4.1.0 iso.3.6.1.4.1.9.9.383.0.1#011iso.3.6.1.4.1.9.9.383.1.1.1 1334176696938219122#011iso.3.6.1.4.1.9.9.383.1.1.2 "07 DC 04 10 11 1A 02 00 "#011iso.3.6.1.4.1.9.9.383.1.1.3 "07 DC 04 10 14 1A 02 00 "#011iso.3.6.1.4.1.9.9.383.1.1.4 "ids-xxx"#011iso.3.6.1.4.1.9.9.383.1.2.1 "informational"#011iso.3.6.1.4.1.9.9.383.1.2.2 2147483648#011iso.3.6.1.4.1.9.9.383.1.2.3 "This Signature Is A Metacomponent"#011iso.3.6.1.4.1.9.9.383.1.2.4 "Windows Image Color Management System RCE"#011iso.3.6.1.4.1.9.9.383.1.2.5 6984#011iso.3.6.1.4.1.9.9.383.1.2.6 2#011iso.3.6.1.4.1.9.9.383.1.2.7 "S351"#011iso.3.6.1.4.1.9.9.383.1.2.12 0#011iso.3.6.1.4.1.9.9.383.1.2.13 80#011iso.3.6.1.4.1.9.9.383.1.2.14 "d3cucmFkaW9zaW50ZXJuZXQuY29tDQpWaWE6IDEuMSBzMTk2Y2I2NC5iYW5j#012by5icm91LmNvbS51eTo4MDgwIChJV1NTKSwgMS4xIHByb3h5LmRuc2ludC5i#012cm91LmNvbS51eSAoc3F1aWQpLCAxLjAgczE5NmNhNjE6ODAwOCAoSVdTUykN#012ClN1cnJvZ2F0ZS1DYXBhYmlsaXR5OiB1bnNldC1pZD0iU3Vycm9nYXRlLzEu#012MCBFU0kvMS4wIg0KWC1Gb3J3YXJkZWQtRm9yOiAxNzIuMjAuNDAuMjMNCkNh#012Y2hlLUNvbnRyb2w6IG1heC1hZ2U9MjU5MjAwDQoNCg=="#011iso.3.6.1.4.1.9.9.383.1.2.15 "EAASAAAAAAAAAGUAAAAAAACQRwAAQBIAAAAAAACI//8AAAAAAFD7/wBw/v8A#012AAAAALQAAAAAAAAAYOv/ADD7/wC4AAAAAAEA/y0AAAAAAQAAAAAAAAAAAAAM#012AAAAAAAAgAMAAAAHAAD6WV4AI5T+/yHj+/8AAAEAfZIAAKXkAADFxwEAAAAB#012AL6XAQCgrQEAAAABAOCbAQApAAAA/wAAAH0AAAD/AAAA/wAAAP8AAAD/AAAA#012/wAAAP8AAAD/AAAAkQAAABoAAAAZAAAAtQAAAN0AAACpAAAAEgAAACkAAAD/#012AAAAPQAAAAIAAAAQAAAAEgAAAAAAAAAAAGUAAAAAAA=="#011iso.3.6.1.4.1.9.9.383.1.2.16 "xx.xx.xx.xx:xx"#011iso.3.6.1.4.1.9.9.383.1.2.17 "osIdSource=\"unknown\" osRelevance=\"unknown\" osType=\"unknown\" xx.xx.xx.xx:xxx"#011iso.3.6.1.4.1.9.9.383.1.2.25 0#011iso.3.6.1.4.1.9.9.383.1.2.26 0#011iso.3.6.1.4.1.9.9.383.1.2.27 6#011iso.3.6.1.4.1.9.9.383.1.2.42 0
regex=snmptrapd\[(\d+)]:+.+9.9.383.1.1.4 "(\S+)"+.+9.9.383.1.2.1 "(\S+)"+.+.9.9.383.1.2.4 "([\S ]+)"+.+.9.9.383.1.2.5 (\d+)+.+9.9.383.1.2.6 (\d+)+.+9.9.383.1.2.16 "([\d\.]+):(\d+)"+.+9.9.383.1.2.17 "osIdSource=\\"([\S ]+)\\" osRelevance=\\"([\S ]+)\\" osType=\\"([\S ]+)\\" ([\d\.]+)"; \
 classification.text=$4; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=ips_id; \
 classification.reference(0).name=$5.$6; \
 classification.reference(0).url=http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=$5&signatureSubId=$6; \
 id=5401; \
 revision=1; \
 analyzer(0).name=IPS; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=IDS; \
 analyzer(0).node.name=$2; \
 assessment.impact.severity=$3; \
 assessment.impact.description=This event was generated by the Cisco IPS; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$7; \
 source(0).service.port=$8; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$12; \
 additional_data(0).type=string; \
 additional_data(0).meaning=osIdSource:; \
 additional_data(0).data=$9; \
 additional_data(1).type=string; \
 additional_data(1).meaning=osRelevance:; \
 additional_data(1).data=$10; \
 additional_data(2).type=string; \
 additional_data(2).meaning=osType:; \
 additional_data(2).data=$11; \
 additional_data(3).type=string; \
 additional_data(3).meaning=Cisco Signature Template:; \
 additional_data(3).data=http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=$5&signatureSubId=$6; \
 last

#DESCRIPTION:Cisco IPS 4200 event
#CATEGORY:Generic IDS/IPS
regex=snmptrapd\[(\d+)]:+.+9.9.383.1.1.4 "(\S+)"+.+9.9.383.1.2.1 "(\S+)"+.+.9.9.383.1.2.4 "([\S ]+)"+.+.9.9.383.1.2.5 (\d+)+.+9.9.383.1.2.6 (\d+)+.+9.9.383.1.2.16 "([\d\.]+):(\d+)"+.+9.9.383.1.2.17 "osIdSource=\\"([\S ]+)\\" osRelevance=\\"([\S ]+)\\" osType=\\"([\S ]+)\\" ([\d\.]+):(\d+)"; \
 classification.text=$4; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=ips_id; \
 classification.reference(0).name=$5.$6; \
 classification.reference(0).url=http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=$5&signatureSubId=$6; \
 id=5402; \
 revision=1; \
 analyzer(0).name=IPS; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=IDS; \
 analyzer(0).node.name=$2; \
 assessment.impact.severity=$3; \
 assessment.impact.description=This event was generated by the Cisco IPS; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$7; \
 source(0).service.port=$8; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$12; \
 target(0).service.port=$13; \
 additional_data(0).type=string; \
 additional_data(0).meaning=osIdSource:; \
 additional_data(0).data=$9; \
 additional_data(1).type=string; \
 additional_data(1).meaning=osRelevance:; \
 additional_data(1).data=$10; \
 additional_data(2).type=string; \
 additional_data(2).meaning=osType:; \
 additional_data(2).data=$11; \
 additional_data(3).type=string; \
 additional_data(3).meaning=Cisco Signature Template:; \
 additional_data(3).data=http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=$5&signatureSubId=$6; \
 last

#DESCRIPTION:Cisco IPS 4200 event
#CATEGORY:Generic IDS/IPS
#LOG:Jan 25 12:41:14 localhost snmptrapd[15882]: 2012-01-25 12:41:14 ids.xxx.xxx.xxx [UDP: [xx.xx.xx.xx]:xxx->[xx.xx.xx.xx]]:#012iso.3.6.1.2.1.1.3.0 13:3:16:47.87#011iso.3.6.1.6.3.1.1.4.1.0 iso.3.6.1.4.1.9.9.383.0.1#011iso.3.6.1.4.1.9.9.383.1.1.1 1269399301253822810#011iso.3.6.1.4.1.9.9.383.1.1.2 "07 DC 01 19 0C 2A 27 00 "#011iso.3.6.1.4.1.9.9.383.1.1.3 "07 DC 01 19 0E 2A 27 00 "#011iso.3.6.1.4.1.9.9.383.1.1.4 "ids-xx"#011iso.3.6.1.4.1.9.9.383.1.2.1 "low"#011iso.3.6.1.4.1.9.9.383.1.2.2 2147483648#011iso.3.6.1.4.1.9.9.383.1.2.4 "TCP Option Other"#011iso.3.6.1.4.1.9.9.383.1.2.5 1306#011iso.3.6.1.4.1.9.9.383.1.2.6 0#011iso.3.6.1.4.1.9.9.383.1.2.16 "xx.xx.xx.xx:xxx"#011iso.3.6.1.4.1.9.9.383.1.2.17 "xx.xx.xx.xx:xx"
regex=snmptrapd\[(\d+)]:+.+9.9.383.1.1.4 "(\S+)"+.+9.9.383.1.2.1 "(\S+)"+.+.9.9.383.1.2.4 "([\S ]+)"+.+.9.9.383.1.2.5 (\d+)+.+9.9.383.1.2.6 (\d+)+.+9.9.383.1.2.16 "([\d\.]+):(\d+)"+.+9.9.383.1.2.17 "+.+([\d\.]+)"; \
 classification.text=$4; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=ips_id; \
 classification.reference(0).name=$5.$6; \
 classification.reference(0).url=http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=$5&signatureSubId=$6; \
 id=5403; \
 revision=1; \
 analyzer(0).name=IPS; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=IDS; \
 analyzer(0).node.name=$2; \
 assessment.impact.severity=$3; \
 assessment.impact.description=This event was generated by the Cisco IPS; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$7; \
 source(0).service.port=$8; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$9; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Cisco Signature Template:; \
 additional_data(0).data=http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=$5&signatureSubId=$6; \
 last

#DESCRIPTION:Cisco IPS 4200 event
#CATEGORY:Generic IDS/IPS
regex=snmptrapd\[(\d+)]:+.+9.9.383.1.1.4 "(\S+)"+.+9.9.383.1.2.1 "(\S+)"+.+.9.9.383.1.2.4 "([\S ]+)"+.+.9.9.383.1.2.5 (\d+)+.+9.9.383.1.2.6 (\d+)+.+9.9.383.1.2.16 "([\d\.]+):(\d+)"+.+9.9.383.1.2.17 "+.+([\d\.]+):(\d+)"; \
 classification.text=$4; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=ips_id; \
 classification.reference(0).name=$5.$6; \
 classification.reference(0).url=http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=$5&signatureSubId=$6; \
 id=5404; \
 revision=1; \
 analyzer(0).name=IPS; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=IDS; \
 analyzer(0).node.name=$2; \
 assessment.impact.severity=$3; \
 assessment.impact.description=This event was generated by the Cisco IPS; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$7; \
 source(0).service.port=$8; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$9; \
 target(0).service.port=$10; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Cisco Signature Template:; \
 additional_data(0).data=http://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=$5&signatureSubId=$6; \
 last

prelude-lml-rules-5.1.0/ruleset/cisco-ips.rules
#FULLNAME: Cisco IPS
#VERSION: 1.0
#DESCRIPTION: Cisco IPS is a network security appliance that monitors network and/or system activities for malicious activity.
#The rules included here were developed using a Cisco IPS module running on an ASA. #Special configuration is needed for this support: #* In your IDM interface, "SNMP" -> "Traps Configuration", "Enable SNMP Traps" # box must be on. "Enable detailed traps for alerts" must be off. #* In your IDM interface, "Signature Definition" -> "Signature Configuration", # all of the rules must be modified using the "Select All" button, followed # by the "Actions" button, and click the "Request SNMP Trap" box on. #* On your Prelude system, run snmptrapd using this command: # "snmptrapd -Ls 16 -Osq" ##### # # Copyright (C) 2006 G Ramon Gomez <gene at gomezbrothers dot com> # Ragingwire Enterprise Solutions (www.ragingwire.com) # All Rights Reserved # # This file is part of the Prelude-LML program. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2, or (at your option) # any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License along # with this program; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 
# ##### #DESCRIPTION:Cisco IPS event #CATEGORY:Generic IDS/IPS #LOG:Nov 22 10:04:09 SOMEHOST snmptrapd[28547]: 2006-11-22 10:04:09 somehost.somedomain.com [192.168.134.193]: sysUpTime.0 54:17:25:06.49 snmpTrapOID.0 enterprises.9.9.383.0.1 enterprises.9.9.383.1.1.1 1159501964404429847 enterprises.9.9.383.1.1.2 "07 D6 0B 16 0A 04 0F 00 " enterprises.9.9.383.1.1.3 "07 D6 0B 16 12 04 0F 00 " enterprises.9.9.383.1.1.4 "SOMEHOST" enterprises.9.9.383.1.2.1 "low" enterprises.9.9.383.1.2.2 2147483648 enterprises.9.9.383.1.2.4 "ICMP Network Sweep w/Echo"enterprises.9.9.383.1.2.5 2100 enterprises.9.9.383.1.2.6 0 enterprises.9.9.383.1.2.16 "192.168.134.30" enterprises.9.9.383.1.2.17 "192.168.129.28" #LOG:Nov 22 10:04:01 SOMEHOST snmptrapd[28547]: 2006-11-22 10:04:01 somehost.somedomain.com [192.168.134.193]: sysUpTime.0 54:17:24:58.20 snmpTrapOID.0 enterprises.9.9.383.0.1 enterprises.9.9.383.1.1.1 1159501964404429845 enterprises.9.9.383.1.1.2 "07 D6 0B 16 0A 04 07 00 " enterprises.9.9.383.1.1.3 "07 D6 0B 16 12 04 07 00 " enterprises.9.9.383.1.1.4 "SOMEHOST" enterprises.9.9.383.1.2.1 "medium" enterprises.9.9.383.1.2.2 2147483648 enterprises.9.9.383.1.2.4 "Web Client Remote Code Execution Vulnerability" enterprises.9.9.383.1.2.5 5732 enterprises.9.9.383.1.2.6 2 enterprises.9.9.383.1.2.16 "192.168.129.29:0" enterprises.9.9.383.1.2.17 "0.0.0.0:0" regex=(\S+) \[([\d\.]+)\]:.+enterprises.9.9.383.1.2.1 "(low|medium|high)".+enterprises.9.9.383.1.2.4 "(.+?)"\s*enterprises.9.9.383.1.2.5 (\d+)\s+enterprises.9.9.383.1.2.6 (\d+).+enterprises.9.9.383.1.2.16 "([\d\.]+):?(\d+)?"\s+enterprises.9.9.383.1.2.17 "([\d\.]+):?(\d+)?"; \ classification.text=$4; \ classification.reference(0).origin=vendor-specific; \ classification.reference(0).meaning=ips_id; \ classification.reference(0).name=$5.$6; \ classification.reference(0).url=http://tools.cisco.com/MySDN/Intelligence/viewSignature.x?signatureId=$5&signatureSubId=$6; \ id=5000; \ revision=1; \ analyzer(0).name=IPS; \ 
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=IDS; \
 analyzer(0).node.name=$1; \
 analyzer(0).node.address(0).address=$2; \
 assessment.impact.severity=$3; \
 assessment.impact.description=This event was generated by the Cisco IPS; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$7; \
 source(0).service.port=$8; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$9; \
 target(0).service.port=$10; \
 last

prelude-lml-rules-5.1.0/ruleset/cisco-router.rules
#FULLNAME: Cisco Router
#VERSION: 1.0
#DESCRIPTION: Cisco routers provide access to applications and services, and integrate technologies.
##### # # Copyright (C) 2002 Arnaud Guignard <dennis.hadderingh@is-company.nl> # This ruleset is currently maintained by Dennis Hadderingh # All Rights Reserved # # Rules ID: 5602 # Copyright (C) 2004 Dennis Hadderingh <dennis.hadderingh@is-company.nl> # All Rights Reserved # # Rules ID: 5604 # Copyright (C) 2006 G Ramon Gomez <gene at gomezbrothers dot com> # Ragingwire Enterprise Solutions (www.ragingwire.com) # All Rights Reserved # # This file is part of the Prelude-LML program. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2, or (at your option) # any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License along # with this program; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 
#
#####

#DESCRIPTION:Packet denied - Someone tried to bypass access-list
#CATEGORY:Packet Filtering
#LOG:Sep 23 07:30:41 gate 301270: 5d17h: %SEC-6-IPACCESSLOGP: list 101 denied tcp 1.2.3.4(1929) -> 5.6.7.8(80), 1 packet
#LOG:Jun 5 16:15:59 router1 8919: Jun 5 16:15:58.190 EDT: %SEC-6-IPACCESSLOGP: list somelist2 denied udp 10.12.7.4(42) -> 10.0.3.24(42), 1 packet
regex=SEC-6-IPACCESSLOGP: list (\w+) denied (udp|tcp) ([\d\.]+)\((\d+)\).*-> ([\d\.]+)\((\d+)\), (\d+); \
 classification.text=Packet denied; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=cisco_id; \
 classification.reference(0).name=%SEC-6-IPACCESSLOGP; \
 classification.reference(0).url=http://www.cisco.com/en/US/docs/ios/12_2/sem2/system/message/emfsdllc.html#wp971288; \
 id=5600; \
 revision=2; \
 analyzer(0).name=Router; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=Router; \
 assessment.impact.completion=failed; \
 assessment.impact.type=other; \
 assessment.impact.severity=medium; \
 assessment.impact.description=Someone tried to bypass access-list #$1; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$3; \
 source(0).service.port=$4; \
 source(0).service.iana_protocol_name=$2; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$5; \
 target(0).service.port=$6; \
 target(0).service.iana_protocol_name=$2; \
 additional_data(0).type=string; \
 additional_data(0).meaning=ACL; \
 additional_data(0).data=$1; \
 additional_data(1).type=integer; \
 additional_data(1).meaning=Events; \
 additional_data(1).data=$7; \
 last

#DESCRIPTION:RSH attempt
#CATEGORY:Authentication
#LOG:Apr 11 20:13:49 wormhole.flash.net 2279: %RCMD-4-RSHPORTATTEMPT: Attempted to connect to RSHELL from 1.2.3.4
regex=RCMD-4-RSHPORTATTEMPT:.* from ([\d\.]+); \
 classification.text=RSH attempt; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=cisco_id; \
classification.reference(0).name=%RCMD-4-RSHPORTATTEMPT; \ classification.reference(0).url=http://www.cisco.com/en/US/docs/ios/12_2/sem2/system/message/emfpquic.html#wp564542; \ id=5601; \ revision=2; \ analyzer(0).name=Router; \ analyzer(0).manufacturer=Cisco; \ analyzer(0).class=Router; \ assessment.impact.completion=failed; \ assessment.impact.type=other; \ assessment.impact.severity=medium; \ assessment.impact.description=Someone tried to connect to rshell; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$1; \ target(0).service.name=rsh; \ last #DESCRIPTION:Interface status changed #CATEGORY:Monitoring #LOG:Jun 1 13:59:17 rtr-dsl-01 3972256: 5w5d: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed state to down regex=%LINEPROTO-5-UPDOWN: Line protocol on Interface (\S+), changed state to (down|up); \ classification.text=Interface $2; \ classification.reference(0).origin=vendor-specific; \ classification.reference(0).meaning=cisco_id; \ classification.reference(0).name=%LINEPROTO-5-UPDOWN; \ classification.reference(0).url=http://www.cisco.com/en/US/docs/ios/11_0/system/message/etext.html#wp3717; \ id=5602; \ revision=2; \ analyzer(0).name=Router; \ analyzer(0).manufacturer=Cisco; \ analyzer(0).class=Router; \ assessment.impact.completion=succeeded; \ assessment.impact.type=dos; \ assessment.impact.severity=medium; \ assessment.impact.description=Interface $1 status changed to $2; \ target(0).interface=$1; \ additional_data(0).type=string; \ additional_data(0).meaning=New state; \ additional_data(0).data=$2; \ last #DESCRIPTION:Match if a host has requested an unknown key exchange #CATEGORY:Network Security #LOG:Jun 1 15:20:39 rtr-dsl-01 3972364: 5w5d: %CRYPTO-6-IKMP_UNK_EXCHANGE: IKE peer at 1.1.1.1 sent a message with unknown exchange 1 regex=%CRYPTO-6-IKMP_UNK_EXCHANGE: IKE peer at (\S+) * sent a message with unknown; \ classification.text=Router unknown IKE key exchange request; \ 
classification.reference(0).origin=vendor-specific; \ classification.reference(0).meaning=cisco_id; \ classification.reference(0).name=%CRYPTO-6-IKMP_UNK_EXCHANGE; \ classification.reference(0).url=http://www.cisco.com/en/US/docs/ios/12_3t/system/messages/smg2tmsd.html#wp823320; \ id=5603; \ revision=2; \ analyzer(0).name=Router; \ analyzer(0).manufacturer=Cisco; \ analyzer(0).class=Router; \ assessment.impact.completion=failed; \ assessment.impact.type=other; \ assessment.impact.severity=high; \ assessment.impact.description=An unknown Internet Key Exchange request has been received from host: $1 ; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$1; \ target(0).service.port=500; \ target(0).service.name=isakmp; \ last #DESCRIPTION:An IDS event was observed by the IOS IDS #CATEGORY:Generic IDS/IPS #LOG:Jul 10 17:56:13 somehost.ragingwire.net somehost/somehost 139826: .Jul 10 17:53:16 GMT: %IDS-4-TCP_SENDMAIL_VRFY_SIG: Sig:3103:Sendmail Reconnaissance - from 12.34.56.78 to 90.12.34.56 #LOG:Jul 10 18:28:42 somehost.ragingwire.net somehost/somehost 3246718: .Jul 10 18:25:45 GMT: %IDS-4-IP_UNKNOWN_PROTO_SIG: Sig:1101:Unknown IP Protocol - from 12.34.56.78 to 90.12.34.56 regex=%IDS-4-(\S+)_SIG: Sig:(\d+):(.+) - from ([\d\.]+) to ([\d\.]+); \ classification.text=$3; \ classification.reference(0).origin=vendor-specific; \ classification.reference(0).meaning=cisco_id; \ classification.reference(0).name=%IDS-4-$1_SIG; \ classification.reference(0).url=http://www.cisco.com/en/US/docs/ios/12_2/sem1/system/message/emfgsrip.html#wp934986; \ id=5604; \ revision=1; \ analyzer(0).name=Router; \ analyzer(0).manufacturer=Cisco; \ analyzer(0).class=Router; \ assessment.impact.completion=failed; \ assessment.impact.type=other; \ assessment.impact.severity=high; \ assessment.impact.description=An IDS event of type "$3" was observed from $4 to $5 by the IOS IDS.; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$4; \ 
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$5; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Signature Name; \
 additional_data(0).data=$1; \
 additional_data(1).type=integer; \
 additional_data(1).meaning=Signature Number; \
 additional_data(1).data=$2; \
 last

prelude-lml-rules-5.1.0/ruleset/cisco-vpn.rules
#FULLNAME: Cisco VPN
#VERSION: 1.0
#DESCRIPTION: Cisco VPN Router is a device that combines high-performance network connectivity to multiple offices and remote employees with essential business-class features. The rules included here were developed using a Cisco VPN 3000 Concentrator.
#####
#
# Copyright (C) 2003 G Ramon Gomez <gene at gomezbrothers dot com>
# Tyco Fire and Security GTS (www.tycofireandsecurity.com)
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
# # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2, or (at your option) # any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License along # with this program; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # ##### #DESCRIPTION:VPN user disconnected #CATEGORY:Authentication #LOG:Oct 28 19:00:35 vpn 1453 10/28/2003 19:00:34.930 SEV=4 AUTH/28 RPT=22 12.34.56.78 User [gene.gomez], Group [Staff] disconnected: Duration: 0:10:12 Bytes xmt: 2745816 Bytes rcv: 172696 Reason: User Requested regex=([\d\.]+) User \[(\S+)\], Group \[(\S+)\] disconnected: Duration: (\S+) Bytes xmt: (\d+) Bytes rcv: (\d+) Reason: (.+); \ classification.text=VPN user disconnected; \ classification.reference(0).origin=vendor-specific; \ classification.reference(0).meaning=vpn_id; \ classification.reference(0).name=AUTH/28; \ classification.reference(1).origin=vendor-specific; \ classification.reference(1).meaning=vpn_severity; \ classification.reference(1).name=4; \ id=300; \ revision=2; \ analyzer(0).name=VPN Concentrator; \ analyzer(0).manufacturer=Cisco; \ analyzer(0).class=VPN; \ assessment.impact.severity=low; \ assessment.impact.description=VPN user $2 disconnected; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$1; \ source(0).user.category=application; \ source(0).user.user_id(0).type=current-user; \ source(0).user.user_id(0).name=$2; \ source(0).user.user_id(1).type=current-group; \ source(0).user.user_id(1).name=$3; \ additional_data(0).type=string; \ 
additional_data(0).meaning=Connection duration; \ additional_data(0).data=$4; \ additional_data(1).type=integer; \ additional_data(1).meaning=Bytes transmitted; \ additional_data(1).data=$5; \ additional_data(2).type=integer; \ additional_data(2).meaning=Bytes received; \ additional_data(2).data=$6; \ additional_data(3).type=string; \ additional_data(3).meaning=Disconnect reason; \ additional_data(3).data=$7; \ last #DESCRIPTION:Authentication rejected #CATEGORY:Authentication #LOG:Oct 29 19:18:20 vpn 1793 10/29/2003 19:18:20.190 SEV=3 AUTH/5 RPT=6 12.34.56.78 Authentication rejected: Reason = Invalid password handle = 66, server = Internal, user = gene.gomez, domain = <not specified> regex=([\d\.]+) Authentication rejected: Reason = (.+) handle = \d+, server = (\S+), user = (\S+), domain = (.+); \ classification.text=VPN user authentication; \ classification.reference(0).origin=vendor-specific; \ classification.reference(0).meaning=vpn_id; \ classification.reference(0).name=AUTH/5; \ classification.reference(1).origin=vendor-specific; \ classification.reference(1).meaning=vpn_severity; \ classification.reference(1).name=3; \ id=301; \ revision=4; \ analyzer(0).name=VPN Concentrator; \ analyzer(0).manufacturer=Cisco; \ analyzer(0).class=VPN; \ assessment.impact.severity=medium; \ assessment.impact.type=user; \ assessment.impact.completion=failed; \ assessment.impact.description=VPN user $4 failed authentication because of $2; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$1; \ target(0).user.category=application; \ target(0).user.user_id(0).type=target-user; \ target(0).user.user_id(0).name=$4; \ additional_data(0).type=string; \ additional_data(0).meaning=Failure reason; \ additional_data(0).data=$2; \ additional_data(1).type=string; \ additional_data(1).meaning=Authentication server; \ additional_data(1).data=$3; \ additional_data(2).type=string; \ additional_data(2).meaning=Authentication domain; \ 
 additional_data(2).data=$5; \
 last

#DESCRIPTION:VPN user authentication
#CATEGORY:Authentication
#LOG:Oct 28 18:50:21 vpn 1414 10/28/2003 18:50:21.930 SEV=4 IKE/52 RPT=22 12.34.56.78 Group [Staff] User [gene.gomez] User (gene.gomez) authenticated.
regex=([\d\.]+) Group \[(\S+)\] User \[(\S+)\] User \(\S+\) authenticated; \
 classification.text=VPN user authentication; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=vpn_id; \
 classification.reference(0).name=IKE/52; \
 classification.reference(1).origin=vendor-specific; \
 classification.reference(1).meaning=vpn_severity; \
 classification.reference(1).name=4; \
 id=302; \
 revision=4; \
 analyzer(0).name=VPN Concentrator; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=VPN; \
 assessment.impact.severity=low; \
 assessment.impact.type=user; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=VPN user $3 authenticated; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 target(0).user.category=application; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$3; \
 target(0).user.user_id(1).type=current-group; \
 target(0).user.user_id(1).name=$2; \
 last

#DESCRIPTION:VPN administration authentication
#CATEGORY:Authentication
#LOG:Oct 29 19:53:18 vpn 1843 10/29/2003 19:53:18.680 SEV=5 AUTH/31 RPT=2 User [ admin ] Protocol [ HTTP ] attempted ADMIN logon.. Status: <REFUSED> authentication failure !
regex=User \[ (\S+) \] Protocol \[ (\S+) \] attempted ADMIN logon.. Status: <REFUSED>; \
 classification.text=VPN administration authentication; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=vpn_id; \
 classification.reference(0).name=AUTH/31; \
 classification.reference(1).origin=vendor-specific; \
 classification.reference(1).meaning=vpn_severity; \
 classification.reference(1).name=5; \
 id=303; \
 revision=3; \
 analyzer(0).name=VPN Concentrator; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=VPN; \
 assessment.impact.severity=medium; \
 assessment.impact.type=admin; \
 assessment.impact.completion=failed; \
 assessment.impact.description=VPN administration authentication failure: $1 using $2; \
 target(0).user.category=os-device; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$1; \
 target(0).service.name=$2; \
 last

#DESCRIPTION:VPN administration authentication
#CATEGORY:Authentication
#LOG:Oct 28 12:33:48 vpn 1359 10/28/2003 12:33:48.610 SEV=5 AUTH/36 RPT=1 12.34.56.78 User [ admin ] Protocol [ HTTP ] attempted ADMIN logon.. Status: <ACCESS GRANTED> !
regex=([\d\.]+) User \[ (\S+) \] Protocol \[ (\S+) \] attempted ADMIN logon.. Status: <ACCESS GRANTED>; \
 classification.text=VPN administration authentication; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=vpn_id; \
 classification.reference(0).name=AUTH/36; \
 classification.reference(1).origin=vendor-specific; \
 classification.reference(1).meaning=vpn_severity; \
 classification.reference(1).name=5; \
 id=304; \
 revision=3; \
 analyzer(0).name=VPN Concentrator; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=VPN; \
 assessment.impact.severity=low; \
 assessment.impact.type=admin; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=VPN administration authentication success: $2 using $3; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 target(0).user.category=os-device; \
 target(0).user.user_id(0).type=current-user; \
 target(0).user.user_id(0).name=$2; \
 target(0).service.name=$3; \
 last

prelude-lml-rules-5.1.0/ruleset/dell-om.rules

#FULLNAME: Dell OpenManage
#VERSION: 1.0
#DESCRIPTION: Dell OpenManage is a set of systems management applications built using industry standard protocols and specifications. The rules included here were developed using an unknown version of Dell Open Management Server Administrator.

#####
#
# Copyright (C) 2004 G Ramon Gomez <gene at gomezbrothers dot com>
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

#DESCRIPTION:Redundancy failure
#CATEGORY:Monitoring
#LOG:Jun 8 18:12:44 12.34.56.78 server administrator[warning] 1306 Redundancy lost Redundancy unit: System Power Unit Chassis location: Main System Chassis Previous redundancy state was: FULL Number of devices required for full redundancy: 2
regex=1306 Redundancy lost Redundancy unit: (.+?) Chassis location: (.+?) Previous redundancy state was: (.+?) Number of devices required for full redundancy: (\d+); \
 classification.text=Redundancy failure; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=om_id; \
 classification.reference(0).name=1306; \
 classification.reference(0).url=http://support.dell.com/support/edocs/software/svradmin/1.9/en/messages/msgch20.htm; \
 id=3800; \
 revision=2; \
 analyzer(0).name=OpenManage; \
 analyzer(0).manufacturer=Dell; \
 analyzer(0).class=State Monitoring; \
 assessment.impact.severity=high; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=Dell OpenManage has detected a loss of device redundancy in $1; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Source device; \
 additional_data(0).data=$1; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Chassis location; \
 additional_data(1).data=$2; \
 additional_data(2).type=string; \
 additional_data(2).meaning=Previous state; \
 additional_data(2).data=$3; \
 additional_data(3).type=integer; \
 additional_data(3).meaning=Required devices; \
 additional_data(3).data=$4; \
 last

#DESCRIPTION:Power supply normal
#CATEGORY:Monitoring
#LOG:Jun 24 08:56:25 neo server administrator[info] 1352 Power supply returned to normal Sensor location: Power supply 2 Chassis location: Main System Chassis Previous state was: Critical (Failed)
regex=1352 Power supply returned to normal Sensor location: (.+?) Chassis location: (.+?) Previous state was: (.+); \
 classification.text=Power supply normal; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=om_id; \
 classification.reference(0).name=1352; \
 classification.reference(0).url=http://support.dell.com/support/edocs/software/svradmin/1.9/en/messages/msgch20.htm; \
 id=3801; \
 revision=2; \
 analyzer(0).name=OpenManage; \
 analyzer(0).manufacturer=Dell; \
 analyzer(0).class=State Monitoring; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=$1 status returned to normal; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Source device; \
 additional_data(0).data=$1; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Chassis location; \
 additional_data(1).data=$2; \
 additional_data(2).type=string; \
 additional_data(2).meaning=Previous state; \
 additional_data(2).data=$3; \
 last

#DESCRIPTION:Power supply warning
#CATEGORY:Monitoring
#LOG:Jun 8 18:12:44 12.34.56.78 server administrator[warning] 1353 Power supply detected a warning Sensor location: Power supply 1 Chassis location: Main System Chassis Previous state was: OK (Normal) Power supply fan has failed
regex=1353 Power supply detected a warning Sensor location: (.+?) Chassis location: (.+?) Previous state was: (\w+ \(\w+\)|Unknown) (.+); \
 classification.text=Power supply warning; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=om_id; \
 classification.reference(0).name=1353; \
 classification.reference(0).url=http://support.dell.com/support/edocs/software/svradmin/1.9/en/messages/msgch20.htm; \
 id=3802; \
 revision=2; \
 analyzer(0).name=OpenManage; \
 analyzer(0).manufacturer=Dell; \
 analyzer(0).class=State Monitoring; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=$1 is in warning state, $4; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Source device; \
 additional_data(0).data=$1; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Chassis location; \
 additional_data(1).data=$2; \
 additional_data(2).type=string; \
 additional_data(2).meaning=Previous state; \
 additional_data(2).data=$3; \
 additional_data(3).type=string; \
 additional_data(3).meaning=Event description; \
 additional_data(3).data=$4; \
 last

#DESCRIPTION:Power supply failure
#CATEGORY:Monitoring
#LOG:Jun 24 08:46:30 neo server administrator[error] 1354 Power supply detected a failure Sensor location: Power supply 2 Chassis location: Main System Chassis Previous state was: OK (Normal) Power supply input AC is off Power supply POK signal is not normal Power supply is turned off
regex=1354 Power supply detected a failure Sensor location: (.+?) Chassis location: (.+?) Previous state was: (\w+ \(\w+\)|Unknown) (.+); \
 classification.text=Power supply failure; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=om_id; \
 classification.reference(0).name=1354; \
 classification.reference(0).url=http://support.dell.com/support/edocs/software/svradmin/1.9/en/messages/msgch20.htm; \
 id=3803; \
 revision=2; \
 analyzer(0).name=OpenManage; \
 analyzer(0).manufacturer=Dell; \
 analyzer(0).class=State Monitoring; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=$1 is in failure state, $4; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Source device; \
 additional_data(0).data=$1; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Chassis location; \
 additional_data(1).data=$2; \
 additional_data(2).type=string; \
 additional_data(2).meaning=Previous state; \
 additional_data(2).data=$3; \
 additional_data(3).type=string; \
 additional_data(3).meaning=Event description; \
 additional_data(3).data=$4; \
 last

prelude-lml-rules-5.1.0/ruleset/f5-bigip.rules

#FULLNAME: F5 BIG-IP
#VERSION: 1.0
#DESCRIPTION: F5's BIG-IP product family comprises purpose-built hardware, modularized software, and virtualized solutions that run the F5 TMOS operating system. The rules included here were developed using BIG-IP Kernel 4.5PTF-06 Build25.
#####
#
# Copyright (C) 2004 G Ramon Gomez <gene at gomezbrothers dot com>
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

#DESCRIPTION:Load balancer audit
#CATEGORY:High Availability
#LOG:Jun 10 14:03:08 12.4.18.135 bigconf.cgi: AUDIT -- Create MEMBER 10.5.253.52:0 (Parent: POOL SMDEMO) User: admin
regex=AUDIT -- (\w+) (?!VIPPORT)(\w+) ([\d\.]+).+User: (\S+); \
 classification.text=Load balancer $1 audit; \
 id=3600; \
 revision=1; \
 analyzer(0).name=Big-IP; \
 analyzer(0).manufacturer=F5; \
 analyzer(0).class=Load Balancer; \
 assessment.impact.severity=low; \
 assessment.impact.type=other; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Bigconf performed a $1 on $3, of object type $2.; \
 source(0).user.category=os-device; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$4; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$3; \
 last

#DESCRIPTION:Load balancer audit
#CATEGORY:High Availability
#LOG:Jun 10 18:05:43 12.4.18.135 bigconf.cgi: AUDIT -- Delete POOL SMDEMO User: admin
regex=AUDIT -- (\w+) (\w+) (\w+)\s+User: (\S+); \
 classification.text=Load balancer $1 audit; \
 id=3601; \
 revision=1; \
 analyzer(0).name=Big-IP; \
 analyzer(0).manufacturer=F5; \
 analyzer(0).class=Load Balancer; \
 assessment.impact.severity=low; \
 assessment.impact.type=other; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Bigconf performed a $1 on $3, of object type $2.; \
 source(0).user.category=os-device; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$4; \
 last

#DESCRIPTION:Packet denied
#CATEGORY:Packet Filtering
#LOG:Jun 14 07:06:05 12.34.56.78 kernel: security: UDP port denial 90.12.34.56:20031 -> 78.90.12.34:20031
#regex=security: (\S+) .*port denial ([\d\.]+):(\d+) -> ([\d\.]+):(\d+); \
# classification.text=Packet denied; \
# id=3602; \
# revision=1; \
# analyzer(0).name=Big-IP; \
# analyzer(0).manufacturer=F5; \
# analyzer(0).class=Load Balancer; \
# assessment.impact.severity=medium; \
# assessment.impact.description=A packet was dropped by the Big-IP.; \
# source(0).service.iana_protocol_name=$1; \
# source(0).node.address(0).category=ipv4-addr; \
# source(0).node.address(0).address=$2; \
# source(0).service.port=$3; \
# target(0).service.iana_protocol_name=$1; \
# target(0).node.address(0).category=ipv4-addr; \
# target(0).node.address(0).address=$4; \
# target(0).service.port=$5; \
# last

prelude-lml-rules-5.1.0/ruleset/fortigate.rules

#FULLNAME: FortiGate
#VERSION: 1.0
#DESCRIPTION: The FortiGate firewall is Fortinet's flagship integrated network security solution.
#####
#
# Copyright (C) 2012 Seguridadx <operador@seguridadx.com>
# twitter: <www.twitter.com/seguridad_x>
# All Rights Reserved
#
# Copyright (C) 2014-2019 CS-SI <support.prelude@c-s.fr>
# All Rights Reserved.
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

#DESCRIPTION:System Activity Event (notice|information)
#CATEGORY:Monitoring
regex=devname=(\S+),devid=(\S+),logid=0100(\d+),+.+level=(notice|information); \
 classification.text=System Activity Event; \
 id=80000; \
 revision=1; \
 analyzer(0).name=Fortigate; \
 analyzer(0).manufacturer=www.fortinet.com; \
 analyzer(0).class=UTM; \
 assessment.impact.severity=info; \
 assessment.impact.type=file; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Log message type: System Activity Event.; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Device Name; \
 additional_data(0).data=$1; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Device ID; \
 additional_data(1).data=$2; \
 additional_data(2).type=string; \
 additional_data(2).meaning=Log ID; \
 additional_data(2).data=0100$3; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 last

#DESCRIPTION:System Activity Event (warning|error)
#CATEGORY:Monitoring
regex=devname=(\S+),devid=(\S+),logid=0100(\d+),+.+level=(warning|error); \
 classification.text=System Activity Event; \
 id=80001; \
 revision=1; \
 analyzer(0).name=Fortigate; \
 analyzer(0).manufacturer=www.fortinet.com; \
 analyzer(0).class=UTM; \
 assessment.impact.severity=medium; \
 assessment.impact.type=file; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Log message type: System Activity Event.; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Device Name; \
 additional_data(0).data=$1; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Device ID; \
 additional_data(1).data=$2; \
 additional_data(2).type=string; \
 additional_data(2).meaning=Log ID; \
 additional_data(2).data=0100$3; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 last

#DESCRIPTION:System Activity Event (emergency|alert|critical)
#CATEGORY:Monitoring
regex=devname=(\S+),devid=(\S+),logid=0100(\d+),+.+level=(emergency|alert|critical); \
 classification.text=System Activity Event; \
 id=80002; \
 revision=1; \
 analyzer(0).name=Fortigate; \
 analyzer(0).manufacturer=www.fortinet.com; \
 analyzer(0).class=UTM; \
 assessment.impact.severity=high; \
 assessment.impact.type=file; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Log message type: System Activity Event.; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Device Name; \
 additional_data(0).data=$1; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Device ID; \
 additional_data(1).data=$2; \
 additional_data(2).type=string; \
 additional_data(2).meaning=Log ID; \
 additional_data(2).data=0100$3; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 last

#DESCRIPTION:IPSec Negotiation Event (notice|information)
#CATEGORY:Network Security
regex=devname=(\S+),devid=(\S+),logid=0101(\d+),+.+level=(notice|information); \
 classification.text=IPSec Negotiation Event; \
 id=80003; \
 revision=1; \
 analyzer(0).name=Fortigate; \
 analyzer(0).manufacturer=www.fortinet.com; \
 analyzer(0).class=UTM; \
 assessment.impact.severity=info; \
 assessment.impact.type=file; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Log message type: IPSec Negotiation Event.; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Device Name; \
 additional_data(0).data=$1; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Device ID; \
 additional_data(1).data=$2; \
 additional_data(2).type=string; \
 additional_data(2).meaning=Log ID; \
 additional_data(2).data=0101$3; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 last

#DESCRIPTION:IPSec Negotiation Event (warning|error)
#CATEGORY:Network Security
regex=devname=(\S+),devid=(\S+),logid=0101(\d+),+.+level=(warning|error); \
 classification.text=IPSec Negotiation Event; \
 id=80004; \
 revision=1; \
 analyzer(0).name=Fortigate; \
 analyzer(0).manufacturer=www.fortinet.com; \
 analyzer(0).class=UTM; \
 assessment.impact.severity=medium; \
 assessment.impact.type=file; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Log message type: IPSec Negotiation Event.; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Device Name; \
 additional_data(0).data=$1; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Device ID; \
 additional_data(1).data=$2; \
 additional_data(2).type=string; \
 additional_data(2).meaning=Log ID; \
 additional_data(2).data=0101$3; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 last

#DESCRIPTION:IPSec Negotiation Event (emergency|alert|critical)
#CATEGORY:Network Security
regex=devname=(\S+),devid=(\S+),logid=0101(\d+),+.+level=(emergency|alert|critical); \
 classification.text=IPSec Negotiation Event; \
 id=80005; \
 revision=1; \
 analyzer(0).name=Fortigate; \
 analyzer(0).manufacturer=www.fortinet.com; \
 analyzer(0).class=UTM; \
 assessment.impact.severity=high; \
 assessment.impact.type=file; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Log message type: IPSec Negotiation Event.; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Device Name; \
 additional_data(0).data=$1; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Device ID; \
 additional_data(1).data=$2; \
 additional_data(2).type=string; \
 additional_data(2).meaning=Log ID; \
 additional_data(2).data=0101$3; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 last

#DESCRIPTION:DHCP Service Event (notice|information)
#CATEGORY:Monitoring
regex=devname=(\S+),devid=(\S+),logid=0102(\d+),+.+level=(notice|information); \
 classification.text=DHCP Service Event; \
 id=80006; \
 revision=1; \
 analyzer(0).name=Fortigate; \
 analyzer(0).manufacturer=www.fortinet.com; \
 analyzer(0).class=UTM; \
 assessment.impact.severity=info; \
 assessment.impact.type=file; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Log message type: DHCP Service Event.; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Device Name; \
 additional_data(0).data=$1; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Device ID; \
 additional_data(1).data=$2; \
 additional_data(2).type=string; \
 additional_data(2).meaning=Log ID; \
 additional_data(2).data=0102$3; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 last

#DESCRIPTION:DHCP Service Event (warning|error)
#CATEGORY:Monitoring
regex=devname=(\S+),devid=(\S+),logid=0102(\d+),+.+level=(warning|error); \
 classification.text=DHCP Service Event; \
 id=80007; \
 revision=1; \
 analyzer(0).name=Fortigate; \
 analyzer(0).manufacturer=www.fortinet.com; \
 analyzer(0).class=UTM; \
 assessment.impact.severity=medium; \
 assessment.impact.type=file; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Log message type: DHCP Service Event.; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Device Name; \
 additional_data(0).data=$1; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Device ID; \
 additional_data(1).data=$2; \
 additional_data(2).type=string; \
 additional_data(2).meaning=Log ID; \
 additional_data(2).data=0102$3; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 last

#DESCRIPTION:DHCP Service Event (emergency|alert|critical)
#CATEGORY:Monitoring
regex=devname=(\S+),devid=(\S+),logid=0102(\d+),+.+level=(emergency|alert|critical); \
 classification.text=DHCP Service Event; \
 id=80008; \
 revision=1; \
 analyzer(0).name=Fortigate; \
 analyzer(0).manufacturer=www.fortinet.com; \
 analyzer(0).class=UTM; \
 assessment.impact.severity=high; \
 assessment.impact.type=file; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Log message type: DHCP Service Event.; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Device Name; \
 additional_data(0).data=$1; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Device ID; \
 additional_data(1).data=$2; \
 additional_data(2).type=string; \
 additional_data(2).meaning=Log ID; \
 additional_data(2).data=0102$3; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 last

#DESCRIPTION:Admin Event (notice|information)
#CATEGORY:Monitoring
regex=devname=(\S+),devid=(\S+),logid=0104(\d+),+.+level=(notice|information); \
 classification.text=Admin Event; \
 id=80009; \
 revision=1; \
 analyzer(0).name=Fortigate; \
 analyzer(0).manufacturer=www.fortinet.com; \
 analyzer(0).class=UTM; \
 assessment.impact.severity=info; \
 assessment.impact.type=file; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Log message type: Admin Event.; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Device Name; \
 additional_data(0).data=$1; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Device ID; \
 additional_data(1).data=$2; \
 additional_data(2).type=string; \
 additional_data(2).meaning=Log ID; \
 additional_data(2).data=0104$3; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 last

#DESCRIPTION:Admin Event (warning|error)
#CATEGORY:Monitoring
regex=devname=(\S+),devid=(\S+),logid=0104(\d+),+.+level=(warning|error); \
 classification.text=Admin Event; \
 id=80010; \
 revision=1; \
 analyzer(0).name=Fortigate; \
 analyzer(0).manufacturer=www.fortinet.com; \
 analyzer(0).class=UTM; \
 assessment.impact.severity=medium; \
 assessment.impact.type=file; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Log message type: Admin Event.; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Device Name; \
 additional_data(0).data=$1; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Device ID; \
 additional_data(1).data=$2; \
 additional_data(2).type=string; \
 additional_data(2).meaning=Log ID; \
 additional_data(2).data=0104$3; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 last

#DESCRIPTION:Admin Event (emergency|alert|critical)
#CATEGORY:Monitoring
regex=devname=(\S+),devid=(\S+),logid=0104(\d+),+.+level=(emergency|alert|critical); \
 classification.text=Admin Event; \
 id=80011; \
 revision=1; \
 analyzer(0).name=Fortigate; \
 analyzer(0).manufacturer=www.fortinet.com; \
 analyzer(0).class=UTM; \
 assessment.impact.severity=high; \
 assessment.impact.type=file; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Log message type: Admin Event.; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Device Name; \
 additional_data(0).data=$1; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Device ID; \
 additional_data(1).data=$2; \
 additional_data(2).type=string; \
 additional_data(2).meaning=Log ID; \
 additional_data(2).data=0104$3; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 last

#DESCRIPTION:HA Activity Event (notice|information)
#CATEGORY:High Availability
regex=devname=(\S+),devid=(\S+),logid=0105(\d+),+.+level=(notice|information); \
 classification.text=HA Activity Event; \
 id=80012; \
 revision=1; \
 analyzer(0).name=Fortigate; \
 analyzer(0).manufacturer=www.fortinet.com; \
 analyzer(0).class=UTM; \
 assessment.impact.severity=info; \
 assessment.impact.type=file; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Log message type: HA Activity Event.; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Device Name; \
 additional_data(0).data=$1; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Device ID; \
 additional_data(1).data=$2; \
 additional_data(2).type=string; \
 additional_data(2).meaning=Log ID; \
 additional_data(2).data=0105$3; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 last

#DESCRIPTION:HA Activity Event (warning|error)
#CATEGORY:High Availability
regex=devname=(\S+),devid=(\S+),logid=0105(\d+),+.+level=(warning|error); \
 classification.text=HA Activity Event; \
 id=80013; \
 revision=1; \
 analyzer(0).name=Fortigate; \
 analyzer(0).manufacturer=www.fortinet.com; \
 analyzer(0).class=UTM; \
 assessment.impact.severity=medium; \
 assessment.impact.type=file; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Log message type: HA Activity Event.; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Device Name; \
 additional_data(0).data=$1; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Device ID; \
 additional_data(1).data=$2; \
 additional_data(2).type=string; \
 additional_data(2).meaning=Log ID; \
 additional_data(2).data=0105$3; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 last

#DESCRIPTION:HA Activity Event (emergency|alert|critical)
#CATEGORY:High Availability
regex=devname=(\S+),devid=(\S+),logid=0105(\d+),+.+level=(emergency|alert|critical); \
 classification.text=HA Activity Event; \
 id=80014; \
 revision=1; \
 analyzer(0).name=Fortigate; \
 analyzer(0).manufacturer=www.fortinet.com; \
 analyzer(0).class=UTM; \
 assessment.impact.severity=high; \
 assessment.impact.type=file; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Log message type: HA Activity Event.; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Device Name; \
 additional_data(0).data=$1; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Device ID; \
 additional_data(1).data=$2; \
 additional_data(2).type=string; \
 additional_data(2).meaning=Log ID; \
 additional_data(2).data=0105$3; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 last

#DESCRIPTION:Firewall Authentication Event (notice|information)
#CATEGORY:Authentication
regex=devname=(\S+),devid=(\S+),logid=0106(\d+),+.+level=(notice|information); \
 classification.text=Firewall Authentication Event; \
 id=80026; \
 revision=1; \
 analyzer(0).name=Fortigate; \
 analyzer(0).manufacturer=www.fortinet.com; \
 analyzer(0).class=UTM; \
 assessment.impact.severity=info; \
 assessment.impact.type=file; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Log message type: Firewall Authentication Event.; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Device Name; \
 additional_data(0).data=$1; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Device ID; \
 additional_data(1).data=$2; \
 additional_data(2).type=string; \
 additional_data(2).meaning=Log ID; \
 additional_data(2).data=0106$3; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 last

#DESCRIPTION:Firewall Authentication Event (warning|error)
#CATEGORY:Authentication
regex=devname=(\S+),devid=(\S+),logid=0106(\d+),+.+level=(warning|error); \
 classification.text=Firewall Authentication Event; \
 id=80015; \
 revision=1; \
 analyzer(0).name=Fortigate; \
 analyzer(0).manufacturer=www.fortinet.com; \
 analyzer(0).class=UTM; \
 assessment.impact.severity=medium; \
 assessment.impact.type=file; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Log message type: Firewall Authentication Event.; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Device Name; \
 additional_data(0).data=$1; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Device ID; \
 additional_data(1).data=$2; \
 additional_data(2).type=string; \
 additional_data(2).meaning=Log ID; \
 additional_data(2).data=0106$3; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 last

#DESCRIPTION:Firewall Authentication Event (emergency|alert|critical)
#CATEGORY:Authentication
regex=devname=(\S+),devid=(\S+),logid=0106(\d+),+.+level=(emergency|alert|critical); \
 classification.text=Firewall Authentication Event; \
 id=80016; \
 revision=1; \
 analyzer(0).name=Fortigate; \
 analyzer(0).manufacturer=www.fortinet.com; \
 analyzer(0).class=UTM; \
 assessment.impact.severity=high; \
 assessment.impact.type=file; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Log message type: Firewall Authentication Event.; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Device Name; \
 additional_data(0).data=$1; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Device ID; \
 additional_data(1).data=$2; \
 additional_data(2).type=string; \
 additional_data(2).meaning=Log ID; \
 additional_data(2).data=0106$3; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 last

#DESCRIPTION:Chassis Event (notice|information)
#CATEGORY:Hardware
regex=devname=(\S+),devid=(\S+),logid=0130(\d+),+.+level=(notice|information); \
 classification.text=Chassis Event; \
 id=80017; \
 revision=1; \
 analyzer(0).name=Fortigate; \
 analyzer(0).manufacturer=www.fortinet.com; \
 analyzer(0).class=UTM; \
 assessment.impact.severity=info; \
 assessment.impact.type=file; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Log message type: Chassis Event.; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Device Name; \
 additional_data(0).data=$1; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Device ID; \
 additional_data(1).data=$2; \
 additional_data(2).type=string; \
 additional_data(2).meaning=Log ID; \
 additional_data(2).data=0130$3; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 last

#DESCRIPTION:Chassis Event (warning|error)
#CATEGORY:Hardware
regex=devname=(\S+),devid=(\S+),logid=0130(\d+),+.+level=(warning|error); \
 classification.text=Chassis Event; \
 id=80018; \
 revision=1; \
 analyzer(0).name=Fortigate; \
 analyzer(0).manufacturer=www.fortinet.com; \
 analyzer(0).class=UTM; \
 assessment.impact.severity=medium; \
 assessment.impact.type=file; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Log message type: Chassis Event.; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Device Name; \
 additional_data(0).data=$1; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Device ID; \
 additional_data(1).data=$2; \
 additional_data(2).type=string; \
 additional_data(2).meaning=Log ID; \
 additional_data(2).data=0130$3; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 last

#DESCRIPTION:Chassis Event (emergency|alert|critical)
#CATEGORY:Hardware
regex=devname=(\S+),devid=(\S+),logid=0130(\d+),+.+level=(emergency|alert|critical); \
 classification.text=Chassis Event; \
 id=80019; \
 revision=1; \
 analyzer(0).name=Fortigate; \
 analyzer(0).manufacturer=www.fortinet.com; \
 analyzer(0).class=UTM; \
 assessment.impact.severity=high; \
 assessment.impact.type=file; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Log message type: Chassis Event.; \
 additional_data(0).type=string; \
additional_data(0).meaning=Device Name; \ additional_data(0).data=$1; \ additional_data(1).type=string; \ additional_data(1).meaning=Device ID; \ additional_data(1).data=$2; \ additional_data(2).type=string; \ additional_data(2).meaning=Log ID; \ additional_data(2).data=0130$3; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$4; \ last #DESCRIPTION:Traffic Blocked by UTM (notice|information) #CATEGORY:Network Security regex=devname=(\S+),devid=(\S+),logid=0000(\d+),+.+level=(notice|information),vd=(\S+)(\,)srcip=([\d\.]+),srcport=(\d+),+.+dstip=([\d\.]+),dstport=(\d+),+.+service=(\S+)(\,)proto=(\d+)(\,)+.+utmaction=blocked,utmevent=(\S+)(\,)utmsubtype; \ classification.text= Traffic Blocked by UTM - $15; \ id=80020; \ revision=1; \ analyzer(0).name=Fortigate; \ analyzer(0).manufacturer=www.fortinet.com; \ analyzer(0).class=UTM; \ assessment.impact.severity=info; \ assessment.impact.type=file; \ assessment.impact.completion=succeeded; \ assessment.impact.description=Log message type: Traffic Event / UTM Blocked.; \ additional_data(0).type=string; \ additional_data(0).meaning=Device Name; \ additional_data(0).data=$1; \ additional_data(1).type=string; \ additional_data(1).meaning=Device ID; \ additional_data(1).data=$2; \ additional_data(2).type=string; \ additional_data(2).meaning=Log ID; \ additional_data(2).data=0000$3; \ additional_data(3).type=string; \ additional_data(3).meaning=VDOM; \ additional_data(3).data=$5; \ additional_data(4).type=string; \ additional_data(4).meaning=Service; \ additional_data(4).data=$11; \ additional_data(5).type=string; \ additional_data(5).meaning=Proto; \ additional_data(5).data=$13; \ additional_data(6).type=string; \ additional_data(6).meaning=UTM Event; \ additional_data(6).data=$15; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$7; \ source(0).service.port=$8; \ target(0).node.address(0).category=ipv4-addr; \ target(0).node.address(0).address=$9; \ 
target(0).service.port=$10; \ last #DESCRIPTION:Traffic Blocked by UTM (warning|error) #CATEGORY:Network Security regex=devname=(\S+),devid=(\S+),logid=0000(\d+),+.+level=(warning|error),vd=(\S+)(\,)srcip=([\d\.]+),srcport=(\d+),+.+dstip=([\d\.]+),dstport=(\d+),+.+service=(\S+)(\,)proto=(\d+)(\,)+.+utmaction=blocked,utmevent=(\S+)(\,)utmsubtype; \ classification.text= Traffic Blocked by UTM - $15; \ id=80021; \ revision=1; \ analyzer(0).name=Fortigate; \ analyzer(0).manufacturer=www.fortinet.com; \ analyzer(0).class=UTM; \ assessment.impact.severity=medium; \ assessment.impact.type=file; \ assessment.impact.completion=succeeded; \ assessment.impact.description=Log message type: Traffic Event / UTM Blocked.; \ additional_data(0).type=string; \ additional_data(0).meaning=Device Name; \ additional_data(0).data=$1; \ additional_data(1).type=string; \ additional_data(1).meaning=Device ID; \ additional_data(1).data=$2; \ additional_data(2).type=string; \ additional_data(2).meaning=Log ID; \ additional_data(2).data=0000$3; \ additional_data(3).type=string; \ additional_data(3).meaning=VDOM; \ additional_data(3).data=$5; \ additional_data(4).type=string; \ additional_data(4).meaning=Service; \ additional_data(4).data=$11; \ additional_data(5).type=string; \ additional_data(5).meaning=Proto; \ additional_data(5).data=$13; \ additional_data(6).type=string; \ additional_data(6).meaning=UTM Event; \ additional_data(6).data=$15; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$7; \ source(0).service.port=$8; \ target(0).node.address(0).category=ipv4-addr; \ target(0).node.address(0).address=$9; \ target(0).service.port=$10; \ last #DESCRIPTION:Traffic Blocked by UTM (emergency|alert|critical) #CATEGORY:Network Security 
regex=devname=(\S+),devid=(\S+),logid=0000(\d+),+.+level=(emergency|alert|critical),vd=(\S+)(\,)srcip=([\d\.]+),srcport=(\d+),+.+dstip=([\d\.]+),dstport=(\d+),+.+service=(\S+)(\,)proto=(\d+)(\,)+.+utmaction=blocked,utmevent=(\S+)(\,)utmsubtype; \ classification.text= Traffic Blocked by UTM - $15; \ id=80022; \ revision=1; \ analyzer(0).name=Fortigate; \ analyzer(0).manufacturer=www.fortinet.com; \ analyzer(0).class=UTM; \ assessment.impact.severity=high; \ assessment.impact.type=file; \ assessment.impact.completion=succeeded; \ assessment.impact.description=Log message type: Traffic Event / UTM Blocked.; \ additional_data(0).type=string; \ additional_data(0).meaning=Device Name; \ additional_data(0).data=$1; \ additional_data(1).type=string; \ additional_data(1).meaning=Device ID; \ additional_data(1).data=$2; \ additional_data(2).type=string; \ additional_data(2).meaning=Log ID; \ additional_data(2).data=0000$3; \ additional_data(3).type=string; \ additional_data(3).meaning=VDOM; \ additional_data(3).data=$5; \ additional_data(4).type=string; \ additional_data(4).meaning=Service; \ additional_data(4).data=$11; \ additional_data(5).type=string; \ additional_data(5).meaning=Proto; \ additional_data(5).data=$13; \ additional_data(6).type=string; \ additional_data(6).meaning=UTM Event; \ additional_data(6).data=$15; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$7; \ source(0).service.port=$8; \ target(0).node.address(0).category=ipv4-addr; \ target(0).node.address(0).address=$9; \ target(0).service.port=$10; \ last #DESCRIPTION:IDS Signature / Attack Signature #CATEGORY:IDS Signature / Attack Signature regex=devname=(\S+),devid=(\S+),logid=0420(\d+),+.+vd=(\S+)(\,)severity=(\S+)(\,)srcip=([\d\.]+),dstip=([\d\.]+),+.+proto=(\d+)(\,)service=(\S+)(\,)attackname=(\S+)(\,)srcport=(\d+),dstport=(\d+),attackid=(\d+),sensor=(\S+)(\,)ref=(\S+)(\,)incidentserialno; \ classification.text= $14; \ id=80023; \ revision=1; \ 
analyzer(0).name=Fortigate; \ analyzer(0).manufacturer=www.fortinet.com; \ analyzer(0).class=UTM; \ assessment.impact.severity=$6; \ assessment.impact.type=file; \ assessment.impact.completion=succeeded; \ assessment.impact.description=Log message type: IDS Signature / Attack Signature.; \ additional_data(0).type=string; \ additional_data(0).meaning=Device Name; \ additional_data(0).data=$1; \ additional_data(1).type=string; \ additional_data(1).meaning=Device ID; \ additional_data(1).data=$2; \ additional_data(2).type=string; \ additional_data(2).meaning=Log ID; \ additional_data(2).data=0420$3; \ additional_data(3).type=string; \ additional_data(3).meaning=VDOM; \ additional_data(3).data=$4; \ additional_data(4).type=string; \ additional_data(4).meaning=Service; \ additional_data(4).data=$12; \ additional_data(5).type=string; \ additional_data(5).meaning=Proto; \ additional_data(5).data=$10; \ additional_data(6).type=string; \ additional_data(6).meaning=Attack ID; \ additional_data(6).data=$18; \ additional_data(7).type=string; \ additional_data(7).meaning=Sensor; \ additional_data(7).data=$19; \ additional_data(8).type=string; \ additional_data(8).meaning=Sensor; \ additional_data(8).data=$21; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$8; \ source(0).service.port=$16; \ target(0).node.address(0).category=ipv4-addr; \ target(0).node.address(0).address=$9; \ target(0).service.port=$17; \ last #DESCRIPTION:IDS Anomaly / Attack Anomaly #CATEGORY:IDS Anomaly / Attack Anomaly regex=devname=(\S+),devid=(\S+),logid=0421(\d+),+.+vd=(\S+)(\,)severity=(\S+)(\,)srcip=([\d\.]+),dstip=([\d\.]+),+.+proto=(\d+)(\,)service=(\S+)(\,)attackname=(\S+)(\,)srcport=(\d+),dstport=(\d+),attackid=(\d+),sensor=(\S+)(\,)ref=(\S+)(\,)incidentserialno; \ classification.text= $14; \ id=80024; \ revision=1; \ analyzer(0).name=Fortigate; \ analyzer(0).manufacturer=www.fortinet.com; \ analyzer(0).class=UTM; \ assessment.impact.severity=$6; \ 
assessment.impact.type=file; \ assessment.impact.completion=succeeded; \ assessment.impact.description=Log message type: IDS Anomaly / Attack Anomaly.; \ additional_data(0).type=string; \ additional_data(0).meaning=Device Name; \ additional_data(0).data=$1; \ additional_data(1).type=string; \ additional_data(1).meaning=Device ID; \ additional_data(1).data=$2; \ additional_data(2).type=string; \ additional_data(2).meaning=Log ID; \ additional_data(2).data=0421$3; \ additional_data(3).type=string; \ additional_data(3).meaning=VDOM; \ additional_data(3).data=$4; \ additional_data(4).type=string; \ additional_data(4).meaning=Service; \ additional_data(4).data=$12; \ additional_data(5).type=string; \ additional_data(5).meaning=Proto; \ additional_data(5).data=$10; \ additional_data(6).type=string; \ additional_data(6).meaning=Attack ID; \ additional_data(6).data=$18; \ additional_data(7).type=string; \ additional_data(7).meaning=Sensor; \ additional_data(7).data=$19; \ additional_data(8).type=string; \ additional_data(8).meaning=Sensor; \ additional_data(8).data=$21; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$8; \ source(0).service.port=$16; \ target(0).node.address(0).category=ipv4-addr; \ target(0).node.address(0).address=$9; \ target(0).service.port=$17; \ last #DESCRIPTION:IDS Generic Event #CATEGORY:Generic IDS/IPS regex=devname=(\S+),devid=(\S+),logid=04(\d+),+.+vd=(\S+)(\,)severity=(\S+)(\,)srcip=([\d\.]+),dstip=([\d\.]+),+.+proto=(\d+)(\,)service=(\S+)(\,)+.+attackname=(\S+)(\,)srcport=(\d+),dstport=(\d+),attackid=(\d+),sensor=(\S+)(\,)ref=(\S+)(\,)incidentserialno; \ classification.text= $14; \ id=80025; \ revision=1; \ analyzer(0).name=Fortigate; \ analyzer(0).manufacturer=www.fortinet.com; \ analyzer(0).class=UTM; \ assessment.impact.severity=$6; \ assessment.impact.type=file; \ assessment.impact.completion=succeeded; \ assessment.impact.description=Log message type: IDS Generic Event.; \ 
additional_data(0).type=string; \ additional_data(0).meaning=Device Name; \ additional_data(0).data=$1; \ additional_data(1).type=string; \ additional_data(1).meaning=Device ID; \ additional_data(1).data=$2; \ additional_data(2).type=string; \ additional_data(2).meaning=Log ID; \ additional_data(2).data=0000$3; \ additional_data(3).type=string; \ additional_data(3).meaning=VDOM; \ additional_data(3).data=$4; \ additional_data(4).type=string; \ additional_data(4).meaning=Service; \ additional_data(4).data=$12; \ additional_data(5).type=string; \ additional_data(5).meaning=Proto; \ additional_data(5).data=$10; \ additional_data(6).type=string; \ additional_data(6).meaning=Attack ID; \ additional_data(6).data=$18; \ additional_data(7).type=string; \ additional_data(7).meaning=Sensor; \ additional_data(7).data=$19; \ additional_data(8).type=string; \ additional_data(8).meaning=Sensor; \ additional_data(8).data=$21; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$8; \ source(0).service.port=$16; \ target(0).node.address(0).category=ipv4-addr; \ target(0).node.address(0).address=$9; \ target(0).service.port=$17; \ last �������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������prelude-lml-rules-5.1.0/ruleset/grsecurity.rules����������������������������������������������������0000664�0001750�0001750�00000106761�13537533463�022221� 0����������������������������������������������������������������������������������������������������ustar �tandreja������������������������tandreja���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������#FULLNAME: Grsecurity #VERSION: 1.0 #DESCRIPTION: Grsecurity is an extensive security enhancement to the Linux kernel that defends against 
a wide range of security threats through intelligent access control, memory corruption-based exploit prevention, and a host of other system hardening that generally require no configuration. ##### # # Copyright (C) 2005-2019 CS-SI <support.prelude@c-s.fr> # Author: Yoann Vandoorselaere <yoann.v@prelude-siem.com> # All Rights Reserved. # # This file is part of the Prelude-LML program. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2, or (at your option) # any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License along # with this program; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 
#
#####

#DESCRIPTION:GRSEC2 event: credentials of the acting process (goto rule)
#CATEGORY:Hardening Features
#LOG:Jan 11 01:40:09 gw kernel: grsec: From X: denied attach of shared memory outside of chroot by /chroot/usr/local/apache/bin/httpd[httpd:21579] uid/euid:1000/1000 gid/egid:103/103, parent /chroot/apache/usr/local/apache/bin/httpd[httpd:20755] uid/euid:0/0 gid/egid:0/0
regex=uid/euid:(\d+)/(\d+) gid/egid:(\d+)/(\d+), parent; \
 id=690; \
 source(0).user.category=application; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).number=$1; \
 source(0).user.user_id(1).type=user-privs; \
 source(0).user.user_id(1).number=$2; \
 source(0).user.user_id(2).type=current-group; \
 source(0).user.user_id(2).number=$3; \
 source(0).user.user_id(3).type=group-privs; \
 source(0).user.user_id(3).number=$4; \
 chained; silent

#DESCRIPTION:GRSEC2 event: target process and its credentials (goto rule)
#CATEGORY:Hardening Features
regex=(to|on|against) ([^[ ]+)\[([^:]+):(\d+)] uid/euid:(\d+)/(\d+) gid/egid:(\d+)/(\d+), parent ([^[]+)\[([^:]+):(\d+)] uid/euid:(\d+)/(\d+) gid/egid:(\d+)/(\d+); \
 id=691; \
 revision = 1; \
 target(0).process.path=$2; \
 target(0).process.name=$3; \
 target(0).process.pid=$4; \
 target(0).user.category=application; \
 target(0).user.user_id(0).type=current-user; \
 target(0).user.user_id(0).number=$5; \
 target(0).user.user_id(1).type=user-privs; \
 target(0).user.user_id(1).number=$6; \
 target(0).user.user_id(2).type=current-group; \
 target(0).user.user_id(2).number=$7; \
 target(0).user.user_id(3).type=group-privs; \
 target(0).user.user_id(3).number=$8; \
# target(1).process.path = $9; \
# target(1).process.name = $10; \
# target(1).process.pid = $11; \
# target(1).user.user_id(0).type = current-user; \
# target(1).user.user_id(0).number = $12; \
# target(1).user.user_id(1).type = user-privs; \
# target(1).user.user_id(1).number = $13; \
# target(1).user.user_id(2).type = current-group; \
# target(1).user.user_id(2).number = $14; \
# target(1).user.user_id(3).type = group-privs; \
# target(1).user.user_id(3).number = $15; \
 chained; silent

#DESCRIPTION:GRSEC2 event: source address from the "From <ip>:" prefix (goto rule)
#CATEGORY:Hardening Features
#LOG:Jan 11 01:40:09 gw kernel: grsec: From 123.123.123.123: denied ptrace of /usr/sbin/sw-engine-fpm(sw-engine-fpm:8880) by /usr/sbin/sw-engine-fpm[sw-engine-fpm:8881] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/sbin/sw-engine-fpm[sw-engine-fpm:8880] uid/euid:1000/1000 gid/egid:1000/1000
regex=From (\S+):; \
 id=693; \
 revision = 1; \
 source(0).node.address(0).address = $1; \
 chained; silent

#DESCRIPTION:GRSEC2 event: acting process and its parent (goto rule)
#CATEGORY:Hardening Features
regex=(by|for) (IP:([^ ]+) )?([^[ ]+)\[([^:]+):(\d+)]( uid/euid:(\d+)/(\d+) gid/egid:(\d+)/(\d+))?, parent ([^[]+)\[([^:]+):(\d+)]( uid/euid:(\d+)/(\d+) gid/egid:(\d+)/(\d+))?; \
 optgoto=693; \
 id=692; \
 revision = 1; \
 source(0).node.address(0).address = $3; \
 source(0).process.path=$4; \
 source(0).process.name=$5; \
 source(0).process.pid=$6; \
 chained; silent

#DESCRIPTION:GRSEC2 event. Failed
#CATEGORY:Hardening Features
#LOG:Jan 11 01:40:09 gw kernel: grsec: From 123.123.123.123: denied ptrace of /usr/sbin/sw-engine-fpm(sw-engine-fpm:8880) by /usr/sbin/sw-engine-fpm[sw-engine-fpm:8881] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/sbin/sw-engine-fpm[sw-engine-fpm:8880] uid/euid:1000/1000 gid/egid:1000/1000
regex=denied; \
 id=694; \
 assessment.impact.completion = failed; \
 chained; silent

#DESCRIPTION:GRSEC2 event. Succeeded
#CATEGORY:Hardening Features
regex=successful; \
 id=695; \
 assessment.impact.completion = succeeded; \
 chained; silent

#DESCRIPTION:Attempt to ptrace. Access denied
#CATEGORY:Recognition
#LOG:Jan 11 01:40:09 gw kernel: grsec: From 123.123.123.123: denied ptrace of /usr/sbin/sw-engine-fpm(sw-engine-fpm:8880) by /usr/sbin/sw-engine-fpm[sw-engine-fpm:8881] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/sbin/sw-engine-fpm[sw-engine-fpm:8880] uid/euid:1000/1000 gid/egid:1000/1000
regex=denied ptrace of ([^(]+)\(([^:]+):(\d+)\) by ; \
 goto=692; \
 optgoto=693-695; \
 classification.text=Denied ptrace; \
 id=611; \
 revision=1; \
 analyzer(0).name=grsecurity; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Kernel; \
 target(0).process.path = $1; \
 target(0).process.name = $2; \
 target(0).process.pid = $3; \
 assessment.impact.type=file; \
 assessment.impact.severity=high; \
 assessment.impact.description=An attempt was made to ptrace $1. Access was denied.; \
 last

#DESCRIPTION:Denied use of (ioperm|iopl)
#CATEGORY:Hardening Features
#LOG:Jan 11 01:40:09 gw kernel: grsec: From 192.168.1.51: denied use of ioperm() by /usr/bin/scanimage[scanimage:20422] uid/euid:0/0 gid/egid:0/0, parent /usr/local/bin/scanfile.sh[scanfile.sh:20421] uid/euid:0/0 gid/egid:0/0
regex=denied use of (ioperm|iopl)\(\) by ; \
 goto=692; \
 optgoto=693-695; \
 classification.text=Denied use of $1; \
 id=604; \
 revision=1; \
 analyzer(0).name=grsecurity; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Kernel; \
 assessment.impact.type=file; \
 assessment.impact.severity=high; \
 last

#DESCRIPTION:Define GR_SHMAT_ACL_MSG "denied attach of shared memory of UID %u, PID %d, ID %u by "
#CATEGORY:Hardening Features
#LOG:FIXME

#DESCRIPTION:Define GR_UNIX_CHROOT_MSG "denied connect() to abstract AF_UNIX socket outside of chroot by "
#CATEGORY:Hardening Features
#LOG:FIXME

#DESCRIPTION:Denied attach of shared memory outside of chroot
#CATEGORY:Hardening Features
#LOG:Jan 11 01:40:09 gw kernel: grsec: From X: denied attach of shared memory outside of chroot by /chroot/usr/local/apache/bin/httpd[httpd:21579] uid/euid:1000/1000 gid/egid:103/103, parent /chroot/apache/usr/local/apache/bin/httpd[httpd:20755] uid/euid:0/0 gid/egid:0/0
regex=denied attach of shared memory outside of chroot by; \
 goto=692; \
 classification.text=Denied attach of shared memory segment; \
 id=605; \
 revision=1; \
 analyzer(0).name=grsecurity; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Kernel; \
 assessment.impact.completion=failed; \
 assessment.impact.severity=low; \
 assessment.impact.description=Denied attach of shared memory segment outside of chroot; \
 last

#DESCRIPTION:Attempt to ((mmap )?write|open) a device node. Denied
#CATEGORY:Integrity
#LOG:Jan 11 01:40:09 gw kernel: grsec: From 10.0.2.2: (root:U:/) denied open of /proc/1677/oom_score_adj for writing by /usr/sbin/sshd[sshd:1677] uid/euid:0/0 gid/egid:0/0, parent
regex=denied ((mmap )?write|open) of (/dev/[^ ]+) by; \
 optgoto=693-694; \
 classification.text=Denied $1 of $3; \
 id=606; \
 revision=1; \
 analyzer(0).name=grsecurity; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Kernel; \
 assessment.impact.completion=failed; \
 assessment.impact.type=other; \
 assessment.impact.severity=high; \
 assessment.impact.description=An attempt was denied to $1 $3.; \
 last

#DESCRIPTION:Attempt to access a hidden file. Denied
#CATEGORY:Integrity
#LOG:Jan 14 10:48:00 gw kernel: grsec: (default:D:/) denied access to hidden file /tmp by /bin/bash[bash:8531] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:18897] uid/euid:1000/1000 gid/egid:1000/1000
regex=denied access to hidden file ([^ ]+) by ; \
 goto=692; \
 optgoto=693-695; \
 classification.text=Denied access to hidden file; \
 id=608; \
 revision=1; \
 analyzer(0).name=grsecurity; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Kernel; \
 target(0).file(0).path = $1; \
 target(0).file(0).category = current; \
 assessment.impact.completion=failed; \
 assessment.impact.type=file; \
 assessment.impact.severity=high; \
 assessment.impact.description=An attempt was made to access the hidden file $1. This access was denied by the ACL system. This could have resulted from an incomplete ACL, or an attack may be in progress on your system.; \
 last

#DESCRIPTION:Attempt to write to a FIFO in a world-writable directory that was created by a non-root user. Denied
#CATEGORY:Integrity
#LOG:Jan 13 15:28:40 gw kernel: grsec: denied writing FIFO /tmp/kmsg of 17.17 by /bin/dd[dd:1407] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
regex=(denied|successful) writing FIFO ([^ ]+) of (\d+)\.(\d+) by ; \
 goto=692; \
 optgoto=693-695; \
 classification.text=Potential FIFO race; \
 id=609; \
 revision=1; \
 analyzer(0).name=grsecurity; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Kernel; \
 target(0).file(0).path = $2; \
 target(0).file(0).category = current; \
 assessment.impact.type=file; \
 assessment.impact.severity=high; \
 assessment.impact.description=An attempt was made to write to the FIFO $2 (owned by uid $3, gid $4) in a world-writable +t directory that was created by a non-root user. This attempt was $1. It is possible that this was the result of an intentional FIFO race on your system.; \
 last

#DESCRIPTION:Denied mknod from chroot
#CATEGORY:Command Execution
#LOG:Jan 13 15:28:40 gw kernel: grsec: denied mknod of /tmp/test00030374_mknod from chroot by /root/regression/chroot_mknod_test[chroot_mknod_te:30374] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/make[make:31808] uid/euid:0/0 gid/egid:0/0
regex=denied mknod of ([^ ]+) from chroot by ; \
 goto=692; \
 optgoto=693-695; \
 classification.text=Denied mknod from chroot; \
 id=610; \
 revision=1; \
 analyzer(0).name=grsecurity; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Kernel; \
 assessment.impact.completion=failed; \
 assessment.impact.type=file; \
 assessment.impact.severity=high; \
 target(0).file(0).path = $1; \
 target(0).file(0).category = current; \
 assessment.impact.description=An attempt was made to mknod the device $1 from a chroot jail.; \
 last

#DESCRIPTION:Attempt to connect to a UNIX domain socket
#CATEGORY:Network Security
#LOG:Jan 11 01:40:09 gw kernel: grsec: (default:D:/) denied connect() to the unix domain socket /dev/log by /bin/login[login:31903] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
regex=(denied|successful) connect\(\) to the unix domain socket ([^ ]+) by ; \
 goto=692; \
 optgoto=693-695; \
 classification.text=Attempted UNIX connect; \
 id=674; \
 revision=1; \
 analyzer(0).name=grsecurity; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Kernel; \
 target(0).file(0).name = $2; \
 target(0).file(0).category = current; \
 assessment.impact.type=other; \
 assessment.impact.severity=high; \
 assessment.impact.description=An attempt to connect to the unix domain socket $2 was $1.; \
 last

#DESCRIPTION:Terminal being sniffed
#CATEGORY:Network Security
#LOG:Jan 11 01:35:04 gw kernel: grsec: terminal being sniffed by IP:0.0.0.0 /usr/bin/vmnet-natd[vmnet-natd:574], parent /sbin/init[init:1] against /sbin/gradm[gradm:1182] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:23506] uid/euid:0/0 gid/egid:0/0
regex=terminal being sniffed by; \
 goto=691; \
 goto=692; \
 classification.text=Terminal sniffed; \
 id=675; \
 revision=1; \
 analyzer(0).name=grsecurity; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Kernel; \
 assessment.impact.type=other; \
 assessment.impact.severity=high; \
 last

#DESCRIPTION:Attempt to (rename|link|symlink)
#CATEGORY:Command Execution
#LOG:FIXME
regex=(denied|successful) (rename|link|symlink) (of|from) ([^ ]+) to ([^ ]+) by ; \
 goto=692; \
 optgoto=693-695; \
 classification.text=Attempted $2; \
 id=618; \
 revision=1; \
 analyzer(0).name=grsecurity; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Kernel; \
 target(0).file(0).path = $4; \
 target(0).file(0).category = current; \
 assessment.impact.type=file; \
 assessment.impact.severity=high; \
 assessment.impact.description=An attempt was made to $2 $4 to $5. Access was $1. This may have been the result of an incomplete ACL, or an attack may be in progress on the system.; \
 last

#DESCRIPTION:Possible exploit bruteforcing
#CATEGORY:Generic IDS/IPS
regex=possible exploit bruteforcing on; \
 goto=691;

#DESCRIPTION:Possible exploit bruteforcing
#CATEGORY:Generic IDS/IPS
regex=banning uid (\d+) from login for (\d+) seconds; \
 optgoto=692-694; \
 classification.text=Possible exploit bruteforcing; \
 id=622; \
 revision=1; \
 analyzer(0).name=grsecurity; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Kernel; \
 assessment.impact.completion=failed; \
 assessment.impact.type=file; \
 assessment.impact.severity=high; \
 source(0).user.category=os-device; \
 source(0).user.user_id(0).type=original-user; \
 source(0).user.user_id(0).number=$1; \
 assessment.impact.description=A possible exploit bruteforce attempt was made. The user with uid $1 has been banned from logging in for $2 seconds for causing this alert.; \
 last

#DESCRIPTION:Possible exploit bruteforcing
#CATEGORY:Generic IDS/IPS
regex=possible exploit bruteforcing on; \
 goto=691;

#DESCRIPTION:Possible exploit bruteforcing
#CATEGORY:Generic IDS/IPS
#LOG:Oct 31 21:02:08 data kernel: grsec: From 1.1.1.1: (default:D:/) possible exploit bruteforcing on /home/jdupond/work/test_getpwnam/getpwnam[getpwnam:14350] uid/euid:500/500 gid/egid:500/500, parent /usr/bin/ltrace[ltrace:14349] uid/euid:500/500 gid/egid:500/500 banning execution for 600 seconds/home/jdupond/work/test_getpwnam/getpwnam[getpwnam:14350] uid/euid:500/500 gid/egid:500/500, parent /usr/bin/ltrace[ltrace:14349] uid/euid:500/500 gid/egid:500/500
regex=banning execution for (\d+) seconds; \
 optgoto=692-694; \
 classification.text=Possible exploit bruteforcing; \
 id=623; \
 revision=1; \
 analyzer(0).name=grsecurity; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Kernel; \
 assessment.impact.completion=failed; \
 assessment.impact.type=file; \
 assessment.impact.severity=high; \
 assessment.impact.description=A possible exploit bruteforce attempt was made. The process being bruteforced is banned from execution for $1 seconds.; \
 last

#DESCRIPTION:Denied chmod +s from chroot
#CATEGORY:Command Execution
#LOG:Jan 13 15:20:27 gw kernel: grsec: denied chmod +s /tmp/test0008410_chmod by /root/regression/chroot_chmod_test[chroot_chmod_te:8410] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/make[make:15418] uid/euid:0/0 gid/egid:0/0
regex=denied chmod \+s ([^ ]+) by ; \
 goto=692; \
 optgoto=693-695; \
 classification.text=Denied chmod +s from chroot; \
 id=638; \
 revision=1; \
 analyzer(0).name=grsecurity; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Kernel; \
 target(0).file(0).path = $1; \
 target(0).file(0).category = current; \
 assessment.impact.completion=failed; \
 assessment.impact.type=file; \
 assessment.impact.severity=high; \
 assessment.impact.description=An attempt was made to chmod +s the file $1. Access was denied.; \
 last

#DESCRIPTION:Denied fchdir outside of chroot
#CATEGORY:Command Execution
#LOG:Jan 13 15:28:40 gw kernel: grsec: denied fchdir outside of chroot to /etc by /root/regression/chroot_fchdir_test[chroot_fchdir_t:9025] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/make[make:31808] uid/euid:0/0 gid/egid:0/0
regex=denied fchdir outside of chroot to ([^ ]+) by; \
 goto=692; \
 optgoto=693-695; \
 classification.text=Denied fchdir out of chroot; \
 id=631; \
 revision=1; \
 analyzer(0).name=grsecurity; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Kernel; \
 target(0).file(0).path = $1; \
 target(0).file(0).category = current; \
 assessment.impact.completion=failed; \
 assessment.impact.type=file; \
 assessment.impact.severity=high; \
 assessment.impact.description=An attempt was made to fchdir out of a chroot jail to the directory $1. Access was denied.; \
 last

#DESCRIPTION:Shutdown auth (success|failure)
#CATEGORY:Account Management
#LOG:Jan 11 01:36:27 gw kernel: grsec: shutdown auth success for /sbin/gradm[gradm:27128] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:14872] uid/euid:0/0 gid/egid:0/0
#LOG:Jan 11 01:51:59 gw kernel: grsec: (default:D:/sbin/gradm) shutdown auth failure for /sbin/gradm[gradm:8974] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:27363] uid/euid:0/0 gid/egid:0/0
regex=shutdown auth (success|failure) for; \
 goto=692; \
 optgoto=693-694; \
 classification.text=Grsecurity ACL shutdown auth $1; \
 id=676; \
 revision=1; \
 analyzer(0).name=grsecurity; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Kernel; \
 assessment.impact.type=other; \
 assessment.impact.severity=high; \
 last

#DESCRIPTION:ACL system segvmod
#CATEGORY:Account Management
#LOG:FIXME
regex=segvmod auth (success|failure); \
 classification.text=ACL system segvmod $1; \
 id=644; \
 revision=1; \
 analyzer(0).name=grsecurity; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Kernel; \
 assessment.impact.type=admin; \
 assessment.impact.severity=high; \
 assessment.impact.description=$1 in removing a ban on a user or binary due to possible exploit bruteforcing.; \
 last

#DESCRIPTION:Ignoring segvmod for disabled RBAC system
#CATEGORY:Monitoring
#LOG:FIXME
regex=ignoring segvmod for disabled RBAC system for ; \
 classification.text=ACL system segvmod ignored; \
 id=646; \
 revision=1; \
 analyzer(0).name=grsecurity; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Kernel; \
 assessment.impact.completion=failed; \
 assessment.impact.type=admin; \
 assessment.impact.severity=high; \
 assessment.impact.description=An attempt to remove a ban on a user or binary (imposed for possible exploit bruteforcing) was ignored because the RBAC system is disabled.; \
 last

#DESCRIPTION:RBAC system loaded
#CATEGORY:Monitoring
#LOG:Jan 11 01:35:04 gw kernel: grsec: (default:D:/sbin/gradm) grsecurity 2.1.1 RBAC system loaded by /sbin/gradm[gradm:1182] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:23506] uid/euid:0/0 gid/egid:0/0
regex=RBAC system loaded by; \
 goto=692; \
 classification.text=RBAC system loaded; \
 id=647; \
 revision=1; \
 analyzer(0).name=grsecurity; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Kernel; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=admin; \
 assessment.impact.severity=high; \
 assessment.impact.description=The RBAC system was successfully loaded.; \
 last

#DESCRIPTION:Failed attempt to (load|reload) the ACL system
#CATEGORY:Monitoring
#LOG:Jan 13 15:28:40 gw kernel: grsec: From 192.168.101.52: Failed reload of grsecurity 2.0 for (gradm:3056) uid/euid:0/0 gid/egid:0/0, parent (bash:9160) uid/euid:0/0 gid/egid:0/0
regex=([Uu]nable to|[Ff]ailed) (load|reload); \
 optgoto=692-693; \
 classification.text=$2 failed; \
 id=649; \
 revision=1; \
 analyzer(0).name=grsecurity; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Kernel; \
 assessment.impact.completion=failed; \
 assessment.impact.type=admin; \
 assessment.impact.severity=high; \
 assessment.impact.description=Failed attempt to $2 the ACL system.; \
 last

#DESCRIPTION:Attempt to change the priority of a process. Access denied.
#CATEGORY:Monitoring
#LOG:Jan 13 15:28:40 gw kernel: grsec: denied priority change of process (chroot_nice_tes:15707) by /root/regression/chroot_nice_test[chroot_nice_tes:15707] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/make[make:31808] uid/euid:0/0 gid/egid:0/0
regex=denied priority change of process \(([^:]+):(\d+)\) by ; \
 goto=692; \
 optgoto=693-695; \
 classification.text=Denied process priority change; \
 id=658; \
 revision=1; \
 analyzer(0).name=grsecurity; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Kernel; \
 assessment.impact.completion=failed; \
 assessment.impact.type=other; \
 assessment.impact.severity=high; \
 target(0).process.name=$1; \
 target(0).process.pid=$2; \
 assessment.impact.description=An attempt was made to change the priority of a process. Access was denied.; \
 last

#DESCRIPTION:Program tried to fork and failed
#CATEGORY:Monitoring
#LOG:Mar 15 16:14:35 sysadmin kernel: grsec: From 192.168.1.25: failed fork with errno -11 by /root/test/fork-bomb[fork-bomb:4362] uid/euid:0/0 gid/egid:0/0, parent /root/test/fork-bomb[fork-bomb:4009] uid/euid:0/0 gid/egid:0/0
regex=failed fork with errno (-?\d+) by ([^[]+); \
 optgoto=691; \
 optgoto=692-695; \
 classification.text=Fork failure; \
 id=659; \
 revision=1; \
 analyzer(0).name=grsecurity; \
 analyzer(0).manufacturer=www.grsecurity.net; \
 analyzer(0).class=Kernel; \
 assessment.impact.completion=failed; \
 assessment.impact.type=other; \
 assessment.impact.severity=high; \
 assessment.impact.description=Program $2 tried to fork and failed with errno $1.; \
 last

#DESCRIPTION:Signal sent to a process
#CATEGORY:Monitoring
#LOG:Jan 9 22:36:13 gw kernel: grsec: signal 11 sent to /usr/lib/vmware/bin/vmware-vmx[vmware-vmx:11733] uid/euid:1000/1000 gid/egid:1000/1000, parent /usr/lib/vmware/bin/vmware[vmware:25692] uid/euid:1000/1000 gid/egid:1000/1000
#LOG:May 2 18:13:42 lt kernel: grsec: From 82.226.58.44: signal 11 sent to /usr/lib/paxtest/writetext[writetext:2806] uid/euid:1/2 gid/egid:3/4,
parent /usr/lib/paxtest/writetext[writetext:23332] uid/euid:5/6 gid/egid:7/8 regex=signal (\d+) sent to; \ goto=691; \ optgoto=692-695; \ id=662; \ classification.text=Signal $1 sent; \ revision=1; \ analyzer(0).name=grsecurity; \ analyzer(0).manufacturer=www.grsecurity.net; \ analyzer(0).class=Kernel; \ assessment.impact.completion=succeeded; \ assessment.impact.type=other; \ assessment.impact.severity=high; \ assessment.impact.description=Signal $1 was sent to a process.; \ last #DESCRIPTION:Attemptation to send signal to a protected process. Access denied. #CATEGORY:Monitoring #LOG:May 2 18:13:42 lt kernel: grsec: (root:U:/) denied send of signal 19 to protected task /sbin/udevd[udevd:277] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 by /sbin/killall5[killall5:1550] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/sendsigs[sendsigs:1546] uid/euid:0/0 gid/egid:0/0 regex=denied send of signal (\d+) to protected task; \ goto=691; \ goto=692; \ classification.text=Denied signal to protected process; \ id=664; \ revision=1; \ analyzer(0).name=grsecurity; \ analyzer(0).manufacturer=www.grsecurity.net; \ analyzer(0).class=Kernel; \ assessment.impact.completion=failed; \ assessment.impact.type=other; \ assessment.impact.severity=high; \ assessment.impact.description=An attempt was made to send signal $1 to a protected process. 
Access was denied.; \ last #DESCRIPTION:System time changed #CATEGORY:Monitoring #LOG:Jan 10 06:32:09 gw kernel: grsec: time set by /usr/sbin/ntpdate[ntpdate:18730] uid/euid:0/0 gid/egid:0/0, parent /etc/cron.daily/ntpdate[ntpdate:24082] uid/euid:0/0 gid/egid:0/0 #LOG:Jun 19 15:53:23 lomo kernel: grsec: time set by /sbin/hwclock[hwclock:27144] uid/euid:1/2 gid/egid:3/4, parent /sbin/rc[rc:1229] uid/euid:5/6 gid/egid:7/8 #LOG:May 2 12:55:27 lsd kernel: grsec: From x.x.y.z: time set by /usr/bin/ntpd[ntpd:30864] uid/euid:123/123 gid/egid:123/123, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 regex=time set by; \ goto=692; \ optgoto=692-694; \ id = 669; \ classification.text=System time changed; \ revision=1; \ analyzer(0).name=grsecurity; \ analyzer(0).manufacturer=www.grsecurity.net; \ analyzer(0).class=Kernel; \ assessment.impact.completion=succeeded; \ assessment.impact.type=other; \ assessment.impact.severity=high; \ assessment.impact.description=The system time was modified.; \ last #DESCRIPTION:Attemptation to (mmap|mprotect) a file. #CATEGORY:Monitoring #LOG:Jun 19 15:53:23 lomo kernel: grsec: From x.x.x.x: denied executable mmap of /var/www/blah.gif by /usr/sbin/apache-ssl[apache-ssl:257] uid/euid:33/33 gid/egid:33/33, parent /usr/sbin/apache-ssl[apache-ssl:14121] uid/euid:0/0 gid/egid:0/0 regex=(denied|successful) executable (mmap|mprotect) of ([^ ]+) by ; \ goto=691; \ optgoto=692-694; \ classification.text=Attempted $2 executable; \ id=670; \ revision=1; \ analyzer(0).name=grsecurity; \ analyzer(0).manufacturer=www.grsecurity.net; \ analyzer(0).class=Kernel; \ assessment.impact.type=file; \ assessment.impact.severity=high; \ target(0).file(0).name = $3; \ assessment.impact.description=An attempt was made to $2 the file $3 executable. Access was $1.; \ last #DESCRIPTION:Attemptation to socket XXX made. 
#CATEGORY:Monitoring #LOG:Jul 10 01:15:47 worker kernel: grsec: (root:U:/usr/lib/cgi-bin/awstats.pl) denied socket(inet,stream,ip) by /usr/lib/cgi-bin/awstats.pl[awstats.pl:22937] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:29005] uid/euid:0/0 gid/egid:0/0 regex=(successful|denied) socket\((\w+),(\w+),(\w+)\) by ; \ goto=692; \ optgoto=693-694; \ classification.text=Attempted socket use; \ id=671; \ revision=1; \ analyzer(0).name=grsecurity; \ analyzer(0).manufacturer=www.grsecurity.net; \ analyzer(0).class=Kernel; \ assessment.impact.type=other; \ assessment.impact.severity=high; \ assessment.impact.description=An attempt to socket($2, $3, $4) was made. Access was $1.; \ last #DESCRIPTION:Attemtation to (connect|bind) denied. #CATEGORY:Monitoring #LOG:Jul 10 01:15:47 worker kernel: grsec: From 10.0.2.2: (root:U:/) denied connect() to the unix domain socket /dev/log by /usr/sbin/sshd[sshd:1677] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/sshd[sshd:1527] uid/euid:0/0 gid/egid:0/0 #LOG:Jul 10 01:15:47 worker kernel: grsec: (root:U:/bin/mount) denied bind() to 0.0.0.0 port 725 sock type stream protocol tcp by /bin/mount[mount:3259] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 regex=denied (connect\(\)|bind\(\)) to; \ goto=692; \ optgoto=693-694; \ classification.text=Denied $1; \ id=672; \ revision=1; \ analyzer(0).name=grsecurity; \ analyzer(0).manufacturer=www.grsecurity.net; \ analyzer(0).class=Kernel; \ assessment.impact.type=other; \ assessment.impact.severity=high; \ assessment.impact.description=An attempt to $1 was denied.; \ last #DESCRIPTION:Attemptation to (connect|bind) denied #CATEGORY:Monitoring #LOG:Jul 10 01:15:47 worker kernel: grsec: From 1.2.3.4: (root:U:/usr/sbin/proftpd) denied bind() to 1.1.1.1 port 46304 sock type stream protocol tcp by /usr/sbin/proftpd[proftpd:27198] uid/euid:0/104 gid/egid:65534/65534, parent /usr/sbin/inetd[inetd:538] uid/euid:0/0 gid/egid:0/0 regex=denied (connect|bind)\(\) to 
(\d+\.\d+\.\d+\.\d+) port (\d+) sock type (\w+) protocol (\w+); \ goto=692; \ optgoto=693-694; \ classification.text=Denied $1; \ id=673; \ revision=1; \ analyzer(0).name=grsecurity; \ analyzer(0).manufacturer=www.grsecurity.net; \ analyzer(0).class=Kernel; \ target(0).node.address(0).address = $2; \ target(0).service.port = $3; \ target(0).service.iana_protocol_name = $4; \ assessment.impact.type=other; \ assessment.impact.severity=high; \ assessment.impact.description=An attempt to $1 to $2:$3 was denied.; \ last #DESCRIPTION:Filesystem (unmount|remount) #CATEGORY:Monitoring #LOG:Jan 13 12:08:42 gw kernel: grsec: unmount of none by /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0, parent /[swapper/0:0] uid/euid:0/0 gid/egid:0/0 regex=(unmount|remount) of ([^ ]+) by; \ goto=691; \ optgoto=692-694; \ classification.text=Filesystem $1ed; \ id=677; \ revision=1; \ analyzer(0).name=grsecurity; \ analyzer(0).manufacturer=www.grsecurity.net; \ analyzer(0).class=Kernel; \ target(0).file(0).path = $2; \ target(0).file(0).category = current; \ assessment.impact.type=file; \ assessment.impact.severity=medium; \ assessment.impact.description=$2 was $1ed.; \ last #DESCRIPTION:Filesystem mounted #CATEGORY:Monitoring #LOG:Jan 13 12:08:42 gw kernel: grsec: mount of proc to /proc by /bin/mount[mount:669] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[sh:650] uid/euid:0/0 gid/egid:0/0 regex=(mount) of ([^ ]+) to ([^ ]+) by; \ goto=691; \ optgoto=692-694; \ classification.text=Filesystem $1ed; \ id=678; \ revision=1; \ analyzer(0).name=grsecurity; \ analyzer(0).manufacturer=www.grsecurity.net; \ analyzer(0).class=Kernel; \ target(0).file(0).path = $2; \ target(0).file(0).category = current; \ assessment.impact.type=file; \ assessment.impact.severity=medium; \ assessment.impact.description=$2 was $1ed to $3; \ last #DESCRIPTION:Attemptation du change directory #CATEGORY:Monitoring #LOG:Jan 13 12:08:42 gw kernel: grsec: From 192.168.1.25: chdir to /home/client/test by /bin/bash[bash:2532] 
uid/euid:1000/1000 gid/egid:2000/2000, parent /usr/sbin/sshd[sshd:2531] uid/euid:1000/1000 gid/egid:2000/2000 regex=chdir to ([^ ]+) by ; \ goto=692; \ optgoto=693-694; \ classification.text=Attempted chdir; \ id=630; \ revision=1; \ analyzer(0).name=grsecurity; \ analyzer(0).manufacturer=www.grsecurity.net; \ analyzer(0).class=Kernel; \ assessment.impact.description=An attempt was made to chdir to the directory $1. This may have been the result of an incomplete ACL, or an attack may be in progress on the system.; \ last #DESCRIPTION:Binary executed #CATEGORY:Command Execution #LOG:Jan 13 12:08:42 gw kernel: grsec: exec of /sbin/start-stop-daemon (start-stop-daemon --stop --quiet --exec /sbin/klogd --pidfile /var/run/klogd.pid ) by /etc/init.d/klogd[K89klogd:7612] uid/euid:0/0 gid/egid:0/0, parent /etc/init.d/klogd[K89klogd:11922] uid/euid:0/0 gid/egid:0/0 regex=exec of ([^ ]+) \(([^ ]+) ([^)]+)\) by ; \ goto=692; \ optgoto=693-694; \ classification.text=Binary executed; \ id=682; \ revision=1; \ analyzer(0).name=grsecurity; \ analyzer(0).manufacturer=www.grsecurity.net; \ analyzer(0).class=Kernel; \ assessment.impact.completion=succeeded; \ assessment.impact.type=file; \ assessment.impact.severity=low; \ target(0).process.name = $2; \ target(0).process.path = $1; \ target(0).process.arg(0) = $3; \ assessment.impact.description=The command: $1 was executed.; \ last #DESCRIPTION:(semaphore|message queue) created #CATEGORY:Monitoring #LOG:Mar 22 11:25:37 sysadmin kernel: grsec: From 192.168.1.25: semaphore created by /home/client/testshm.php[testshm.php:17904] uid/euid:1000/1000 gid/egid:2000/2000, parent /bin/bash[bash:17888] uid/euid:1000/1000 gid/egid:2000/2000 regex=(semaphore|message queue) created by ; \ classification.text=$1 created; \ id=685; \ revision=1; \ analyzer(0).name=grsecurity; \ analyzer(0).manufacturer=www.grsecurity.net; \ analyzer(0).class=Kernel; \ assessment.impact.completion=succeeded; \ assessment.impact.type=file; \ 
assessment.impact.severity=low; \ assessment.impact.description=A $1 was created.; \ last #DESCRIPTION:Shared memory created #CATEGORY:Monitoring #LOG:Mar 22 11:25:29 sysadmin kernel: grsec: From 192.168.1.25: shared memory of size 1024 created by /home/client/testshm.php[testshm.php:17904] uid/euid:1000/1000 gid/egid:2000/2000, parent /bin/bash[bash:17888] uid/euid:1000/1000 gid/egid:2000/2000 regex=shared memory of size (\d+) created by ; \ classification.text=Shared memory created; \ id=688; \ revision=1; \ analyzer(0).name=grsecurity; \ analyzer(0).manufacturer=www.grsecurity.net; \ analyzer(0).class=Kernel; \ assessment.impact.completion=succeeded; \ assessment.impact.type=file; \ assessment.impact.severity=low; \ assessment.impact.description=Shared memory of size $1 was created.; \ last #DESCRIPTION:(message queue|semaphore|shared memory) removed #CATEGORY:Monitoring #LOG:Mar 22 11:25:37 sysadmin kernel: grsec: From 192.168.1.25: shared memory of uid:1000 euid:1000 removed by /home/client/testshm.php[testshm.php:17904] uid/euid:1000/1000 gid/egid:2000/2000, parent /bin/bash[bash:17888] uid/euid:1000/1000 gid/egid:2000/2000 regex=(message queue|semaphore|shared memory) of uid:(\d+) euid:(\d+) removed by ; \ goto=692; \ optgoto=693-694; \ classification.text=$1 removed; \ id=684; \ revision=1; \ analyzer(0).name=grsecurity; \ analyzer(0).manufacturer=www.grsecurity.net; \ analyzer(0).class=Kernel; \ target(0).user.user_id(0).type=target-user; \ target(0).user.user_id(0).number=$2; \ target(0).user.user_id(1).type=user-privs; \ target(0).user.user_id(1).number=$3; \ assessment.impact.completion=succeeded; \ assessment.impact.severity=low; \ assessment.impact.description=A $1 was removed.; \ last #DESCRIPTION:Attemptation to overstep the process limit. 
#CATEGORY:Monitoring #LOG:Jan 12 19:48:15 gw kernel: grsec: denied resource overstep by requesting 495360 for RLIMIT_DATA against limit 0 by /usr/bin/valgrind.bin[valgrind.bin:29839] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:31044] uid/euid:0/0 gid/egid:0/0 regex=denied resource overstep by requesting (\d+) for (\w+) against limit (\d+) by ; \ goto=692; \ optgoto=693-694; \ classification.text=Denied resource overstep; \ id=620; \ revision=1; \ analyzer(0).name=grsecurity; \ analyzer(0).manufacturer=www.grsecurity.net; \ analyzer(0).class=Kernel; \ assessment.impact.completion=failed; \ assessment.impact.type=other; \ assessment.impact.severity=high; \ assessment.impact.description=An attempt was denied to overstep the process limit.; \ last #DESCRIPTION:Incomplete ACL, or an attack may be in progress on the system. #CATEGORY:Integrity #LOG:Jan 11 01:51:51 gw kernel: grsec: (default:D:/) denied open of /var/log/lastlog for reading writing by /bin/login[login:27363] uid/euid:0/0 gid/egid:0/0, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 #LOG:Jan 11 01:36:18 gw kernel: grsec: (default:D:/) successful open of /root/.nano_history for writing by /bin/nano[pico:27085] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:23506] uid/euid:0/0 gid/egid:0/0 regex=(denied|successful) (open|access) of ([^ ]+) for (.*) by ; \ goto=692; \ optgoto=693-695; \ classification.text=Attempted $2; \ id=603; \ revision=1; \ analyzer(0).name=grsecurity; \ analyzer(0).manufacturer=www.grsecurity.net; \ analyzer(0).class=Kernel; \ target(0).file(0).path = $3; \ target(0).file(0).category = current; \ assessment.impact.type=file; \ assessment.impact.severity=high; \ assessment.impact.description=$1 $2 of $3 for $4. 
This may have been the result of an incomplete ACL, or an attack may be in progress on the system.; \ last #DESCRIPTION:Attemptation command (denied|successful) #CATEGORY:Command Execution #LOG:Jan 11 01:36:18 gw kernel: grsec: (default:D:/) successful execution of /bin/blah by /bin/nano[pico:27085] uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:23506] uid/euid:0/0 gid/egid:0/0 #LOG:Jan 13 15:28:40 gw kernel: grsec: denied chmod of /tmp/su by /usr/sbin/ntpdate[ntpdate:1189] uid/euid:0/0 gid/egid:0/0, parent /etc/cron.daily/ntpdate[ntpdate:23536] uid/euid:0/0 gid/egid:0/0 #LOG:Jan 13 15:28:40 gw kernel: grsec: successful chmod of /tmp/su by /usr/sbin/ntpdate[ntpdate:1189] uid/euid:0/0 gid/egid:0/0, parent /etc/cron.daily/ntpdate[ntpdate:23536] uid/euid:0/0 gid/egid:0/0 regex=(denied|successful) (mknod|mkdir|rmdir|unlink|untrusted exec|execution|truncate|access time change|fchmod|chmod|chown|executable mmap|executable mprotect) of ([^ ]+) by ; \ goto=692; \ optgoto=693-695; \ classification.text=Attempted $2; \ id=612; \ revision=1; \ analyzer(0).name=grsecurity; \ analyzer(0).manufacturer=www.grsecurity.net; \ analyzer(0).class=Kernel; \ assessment.impact.type=file; \ assessment.impact.severity=high; \ target(0).file(0).path = $3; \ target(0).file(0).category = current; \ assessment.impact.description=An attempt was made to $2 the file $3. 
Access was $1.; \ last ���������������prelude-lml-rules-5.1.0/ruleset/honeyd.rules��������������������������������������������������������0000664�0001750�0001750�00000044203�13537533463�021277� 0����������������������������������������������������������������������������������������������������ustar �tandreja������������������������tandreja���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������#FULLNAME: Honeyd #VERSION: 1.0 #DESCRIPTION: Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their personality can be adapted so that they appear to be running certain operating systems. ##### # # RulesID: 2600 to 2610 # Copyright (C) 2003 Michael Boman <mboman at gentoo dot org> # All Rights Reserved # # RulesID: 2611 to 2615 # Copyright (C) 2006 Bjoern Weiland <bjoern-dot-weiland-at-web-dot-de> # All Rights Reserved # # This file is part of the Prelude-LML program. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2, or (at your option) # any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License along # with this program; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # ##### #DESCRIPTION:Someone tried to connect to a port on the honeypot #DESCRIPTION:Rule for honeyd version 0.5 (and perhaps later, NOT TESTED with later!) 
#CATEGORY:Honeypot #LOG:Dec 30 20:09:03 hacklab honeyd[5711]: Killing attempted connection: tcp (127.0.0.1:46190 - 192.168.1.20:646) regex=Killing attempted connection: (tcp|udp) \(([\d\.]+):(\d+) - ([\d\.]+):(\d+)\); \ classification.text=Killing attempted connection; \ id=2600; \ revision=1; \ analyzer(0).name=honeyd; \ analyzer(0).manufacturer=www.honeyd.org; \ analyzer(0).class=Honeypot; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$2; \ source(0).service.port=$3; \ source(0).service.iana_protocol_name=$1; \ target(0).node.address(0).category=ipv4-addr; \ target(0).node.address(0).address=$4; \ target(0).service.port=$5; \ target(0).service.iana_protocol_name=$1; \ assessment.impact.completion=failed; \ assessment.impact.type=recon; \ assessment.impact.severity=medium; \ assessment.impact.description=Someone tried to connect to a port on the honeypot; \ last #DESCRIPTION:Someone tried to connect to a closed port on the honeypot #DESCRIPTION:Rule for honeyd version 0.5 (and perhaps later, NOT TESTED with later!) 
#CATEGORY:Honeypot #LOG:Dec 30 20:09:05 hacklab honeyd[5711]: Connection to closed port: udp (127.0.0.1:37806 - 192.168.1.20:1) regex=Connection to closed port: (tcp|udp) \(([\d\.]+):(\d+) - ([\d\.]+):(\d+)\); \ classification.text=Connection to closed port; \ id=2601; \ revision=1; \ analyzer(0).name=honeyd; \ analyzer(0).manufacturer=www.honeyd.org; \ analyzer(0).class=Honeypot; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$2; \ source(0).service.port=$3; \ source(0).service.iana_protocol_name=$1; \ target(0).node.address(0).category=ipv4-addr; \ target(0).node.address(0).address=$4; \ target(0).service.port=$5; \ target(0).service.iana_protocol_name=$1; \ assessment.impact.completion=failed; \ assessment.impact.type=recon; \ assessment.impact.severity=medium; \ assessment.impact.description=Someone tried to connect to a closed port on the honeypot; \ last #DESCRIPTION:Someone tried to connect to a port on the honeypot #DESCRIPTION:Rule for honeyd version 0.5 (and perhaps later, NOT TESTED with later!) 
#CATEGORY:Honeypot #LOG:Dec 30 20:09:08 hacklab honeyd[5711]: Killing unknown connection: tcp (127.0.0.1:37814 - 192.168.1.20:80) regex=Killing unknown connection: (tcp|udp) \(([\d\.]+):(\d+) - ([\d\.]+):(\d+)\); \ classification.text=Connection to closed port; \ id=2602; \ revision=1; \ analyzer(0).name=honeyd; \ analyzer(0).manufacturer=www.honeyd.org; \ analyzer(0).class=Honeypot; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$2; \ source(0).service.port=$3; \ source(0).service.iana_protocol_name=$1; \ target(0).node.address(0).category=ipv4-addr; \ target(0).node.address(0).address=$4; \ target(0).service.port=$5; \ target(0).service.iana_protocol_name=$1; \ assessment.impact.completion=failed; \ assessment.impact.type=recon; \ assessment.impact.severity=medium; \ assessment.impact.description=Someone tried to connect to a port on the honeypot; \ last #DESCRIPTION:Honeypot replied to a ICMP echo request #DESCRIPTION:Rule for honeyd version 0.5 (and perhaps later, NOT TESTED with later!) 
#CATEGORY:Honeypot #LOG:Dec 30 20:09:01 hacklab honeyd[5711]: Sending ICMP Echo Reply: 192.168.1.20 -> 127.0.0.1 regex=Sending ICMP Echo Reply: ([\d\.]+) -> ([\d\.]+); \ classification.text=Sending ICMP Echo Reply; \ id=2603; \ revision=1; \ analyzer(0).name=honeyd; \ analyzer(0).manufacturer=www.honeyd.org; \ analyzer(0).class=Honeypot; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$1; \ source(0).service.iana_protocol_name=icmp; \ source(0).service.iana_protocol_number=1; \ target(0).node.address(0).category=ipv4-addr; \ target(0).node.address(0).address=$2; \ target(0).service.iana_protocol_name=icmp; \ target(0).service.iana_protocol_number=1; \ assessment.impact.completion=succeeded; \ assessment.impact.type=recon; \ assessment.impact.severity=medium; \ assessment.impact.description=Honeypot replied to a ICMP echo request; \ last #DESCRIPTION:Honeypot established a proxy connection #DESCRIPTION:Rule for honeyd version 0.5 (and perhaps later, NOT TESTED with later!) #CATEGORY:Honeypot #LOG:Dec 30 20:09:01 hacklab honeyd[5711]: Connection established: 192.168.1.20 -> proxy to 192.168.1.22:42 regex=Connection established: ([\d\.]+) -> proxy to ([\d\.]+):(\d+); \ classification.text=Proxy connection establised; \ id=2604; \ revision=1; \ analyzer(0).name=honeyd; \ analyzer(0).manufacturer=www.honeyd.org; \ analyzer(0).class=Honeypot; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$1; \ target(0).node.address(0).category=ipv4-addr; \ target(0).node.address(0).address=$2; \ target(0).service.port=$3; \ assessment.impact.completion=succeeded; \ assessment.impact.type=recon; \ assessment.impact.severity=medium; \ assessment.impact.description=Honeypot established a proxy connection; \ last #DESCRIPTION:Attacker accessed virtual service on honeypot #DESCRIPTION:Rule for honeyd version 0.5 (and perhaps later, NOT TESTED with later!) 
#CATEGORY:Honeypot regex=Connection established: ([\d\.]+) -> subsystem "(.*)"; \ classification.text=Subsystem connection establised; \ id=2605; \ revision=1; \ analyzer(0).name=honeyd; \ analyzer(0).manufacturer=www.honeyd.org; \ analyzer(0).class=Honeypot; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$1; \ target(0).process=$2; \ assessment.impact.completion=succeeded; \ assessment.impact.type=recon; \ assessment.impact.severity=medium; \ assessment.impact.description=Attacker accessed virtual service on honeypot; \ last #DESCRIPTION:Honeypot virtual service responded to attacker #DESCRIPTION:Rule for honeyd version 0.5 (and perhaps later, NOT TESTED with later!) #CATEGORY:Honeypot regex=Connection established: subsystem \"(.*)\" -> ([\d\.]+); \ classification.text=Subsystem connection establised; \ id=2606; \ revision=1; \ analyzer(0).name=honeyd; \ analyzer(0).manufacturer=www.honeyd.org; \ analyzer(0).class=Honeypot; \ source(0).node.address(0).category=ipv4-addr; \ source(0).process=$1; \ target(0).node.address(0).category=ipv4-addr; \ target(0).node.address(0).address=$2; \ assessment.impact.completion=succeeded; \ assessment.impact.type=recon; \ assessment.impact.severity=medium; \ assessment.impact.description=Honeypot virtual service responded to attacker; \ last #DESCRIPTION:Honeypot switched to polling mode #DESCRIPTION:Rule for honeyd version 0.5 (and perhaps later, NOT TESTED with later!) 
#CATEGORY:Honeypot #LOG:Dec 30 20:09:01 hacklab honeyd[5711]: Switching to polling mode regex=switching to polling mode; \ classification.text=Subsystem connection establised; \ id=2607; \ revision=1; \ analyzer(0).name=honeyd; \ analyzer(0).manufacturer=www.honeyd.org; \ analyzer(0).class=Honeypot; \ assessment.impact.completion=succeeded; \ assessment.impact.type=recon; \ assessment.impact.severity=low; \ assessment.impact.description=Honeypot switched to polling mode; \ last #DESCRIPTION:Honeypot virtual service died #DESCRIPTION:Rule for honeyd version 0.5 (and perhaps later, NOT TESTED with later!) #CATEGORY:Service Management regex=Subsystem \"(.*)\" died; \ classification.text=Virtual service died; \ id=2608; \ revision=1; \ analyzer(0).name=honeyd; \ analyzer(0).manufacturer=www.honeyd.org; \ analyzer(0).class=Honeypot; \ assessment.impact.completion=succeeded; \ assessment.impact.type=recon; \ assessment.impact.severity=high; \ assessment.impact.description=Honeypot virtual service died; \ last #DESCRIPTION:Honeypot virtual service attempted an illigal bind #DESCRIPTION:Rule for honeyd version 0.5 (and perhaps later, NOT TESTED with later!) #CATEGORY:Honeypot regex=Subsystem (.*) on (.*) attempts illegal bind ([\d\.]+):(\d+); \ classification.text=Virtual service attempts illegal bind; \ id=2609; \ revision=1; \ analyzer(0).name=honeyd; \ analyzer(0).manufacturer=www.honeyd.org; \ analyzer(0).class=Honeypot; \ assessment.impact.completion=succeeded; \ assessment.impact.type=recon; \ assessment.impact.severity=high; \ assessment.impact.description=Honeypot virtual service attempted an illigal bind; \ last #DESCRIPTION:Honeypot started #DESCRIPTION:Rule for honeyd version 0.5 (and perhaps later, NOT TESTED with later!) 
#CATEGORY:Service Management #LOG:Dec 30 20:08:24 hacklab honeyd[5711]: listening on eth0: ip and not ether src 00:10:5a:7a:6c:47 #LOG:Dec 30 20:12:21 hacklab honeyd[5752]: listening on eth0: ip and (dst 192.168.1.20) and not ether src 00:10:5a:7a:6c:47 #LOG:Dec 30 20:15:53 hacklab honeyd[5779]: listening on lo: ip and (dst 192.168.1.20) regex=listening on (\S+):; \ classification.text=Honeypot starting; \ id=2610; \ revision=1; \ analyzer(0).name=honeyd; \ analyzer(0).manufacturer=www.honeyd.org; \ analyzer(0).class=Honeypot; \ assessment.impact.completion=succeeded; \ assessment.impact.type=other; \ assessment.impact.severity=info; \ assessment.impact.description=Honeypot started; \ source(0).interface=$1; \ last #DESCRIPTION:Honeyd has (started|stopped) to write to its logfile #DESCRIPTION:Rule for honeyd version 1.5 (and probably later, NOT TESTED with later!). The rules should apply since honeyd version 0.7 or 0.8. #CATEGORY:Honeypot #LOG:2006-08-18-12:21:12.1239 honeyd log started ------ regex=honeyd log (started|stopped) ------; \ classification.text=Honeypot log $1; \ id=2611; \ revision=1; \ analyzer(0).name=honeyd; \ analyzer(0).manufacturer=www.honeyd.org; \ analyzer(0).class=Honeypot; \ assessment.impact.completion=succeeded; \ assessment.impact.type=file; \ assessment.impact.severity=info; \ assessment.impact.description=Honeyd has $1 to write to its logfile; \ last #DESCRIPTION:Honeypot *probably* replied to an echo request (PING) #DESCRIPTION:Rule for honeyd version 1.5 (and probably later, NOT TESTED with later!). The rules should apply since honeyd version 0.7 or 0.8. 
#CATEGORY:Honeypot
#LOG:2006-08-18-12:21:12.1239 icmp(1) - 11.11.11.11 22.22.22.22: 8(0): 84 [SunOS 4.1 ]
regex=icmp\(1\) - ([\d\.]+) ([\d\.]+): (\d+)\((\d+)\): (\d*) \[(.*)\]; \
 classification.text=ICMP connection; \
 id=2612; \
 revision=1; \
 analyzer(0).name=honeyd; \
 analyzer(0).manufacturer=www.honeyd.org; \
 analyzer(0).class=Honeypot; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 source(0).service.iana_protocol_name=ICMP; \
 source(0).service.iana_protocol_number=1; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$2; \
 target(0).service.iana_protocol_name=ICMP; \
 target(0).service.iana_protocol_number=1; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=recon; \
 assessment.impact.severity=low; \
 assessment.impact.description=Your honeypot *probably* replied to an echo request (PING), see additional data for details; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=ICMP type; \
 additional_data(0).data=$3; \
 additional_data(1).type=integer; \
 additional_data(1).meaning=ICMP code; \
 additional_data(1).data=$4; \
 additional_data(2).type=integer; \
 additional_data(2).meaning=Packet size; \
 additional_data(2).data=$5; \
 additional_data(3).type=string; \
 additional_data(3).meaning=Target OS; \
 additional_data(3).data=$6; \
 last

#DESCRIPTION:Someone tried to connect to a closed port on honeypot
#DESCRIPTION:Rule for honeyd version 1.5 (and probably later, NOT TESTED with later!). The rules should apply since honeyd version 0.7 or 0.8.
#CATEGORY:Honeypot
#LOG:2006-08-18-12:21:12.1239 tcp(6) - 11.11.11.11 53952 22.22.22.22 10078: 44 S [Linux 2.6 ]
regex=tcp\(6\) - ([\d\.]+) (\d+) ([\d\.]+) (\d+): (\d+) (\S*) \[(.*)\]; \
 classification.text=TCP connection to closed port; \
 id=2613; \
 revision=1; \
 analyzer(0).name=honeyd; \
 analyzer(0).manufacturer=www.honeyd.org; \
 analyzer(0).class=Honeypot; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 source(0).service.port=$2; \
 source(0).service.iana_protocol_name=TCP; \
 source(0).service.iana_protocol_number=6; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$3; \
 target(0).service.port=$4; \
 target(0).service.iana_protocol_name=TCP; \
 target(0).service.iana_protocol_number=6; \
 assessment.impact.completion=failed; \
 assessment.impact.type=recon; \
 assessment.impact.severity=medium; \
 assessment.impact.description=Someone tried to connect to a closed port on your honeypot; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=Packet size; \
 additional_data(0).data=$5; \
 additional_data(1).type=string; \
 additional_data(1).meaning=TCP flags; \
 additional_data(1).data=$6; \
 additional_data(2).type=string; \
 additional_data(2).meaning=Target OS; \
 additional_data(2).data=$7; \
 last

#DESCRIPTION:Someone tried to connect to a closed port on honeypot
#DESCRIPTION:Rule for honeyd version 1.5 (and probably later, NOT TESTED with later!). The rules should apply since honeyd version 0.7 or 0.8.
#CATEGORY:Honeypot
#LOG:2006-08-18-12:21:12.1239 udp(17) - 11.11.11.11 36722 22.22.22.22 545: 28 [Linux 2.6 ]
regex=udp\(17\) - ([\d\.]+) (\d+) ([\d\.]+) (\d+): (\d+) \[(.*)\]; \
 classification.text=UDP connection to closed port; \
 id=2614; \
 revision=1; \
 analyzer(0).name=honeyd; \
 analyzer(0).manufacturer=www.honeyd.org; \
 analyzer(0).class=Honeypot; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 source(0).service.port=$2; \
 source(0).service.iana_protocol_name=UDP; \
 source(0).service.iana_protocol_number=17; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$3; \
 target(0).service.port=$4; \
 target(0).service.iana_protocol_name=UDP; \
 target(0).service.iana_protocol_number=17; \
 assessment.impact.completion=failed; \
 assessment.impact.type=recon; \
 assessment.impact.severity=medium; \
 assessment.impact.description=Someone tried to connect to a closed port on your honeypot; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=Packet size; \
 additional_data(0).data=$5; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Target OS; \
 additional_data(1).data=$6; \
 last

#DESCRIPTION:(udp|tcp) connection to honeypot has been closed
#DESCRIPTION:Rule for honeyd version 1.5 (and probably later, NOT TESTED with later!). The rules should apply since honeyd version 0.7 or 0.8.
#CATEGORY:Honeypot
#LOG:2006-08-18-12:21:12.1239 udp(17) E 11.11.11.11 43569 22.22.22.22 135: 280 0
regex=(udp|tcp)\((\d+)\) E ([\d\.]+) (\d+) ([\d\.]+) (\d+): (\d+) (\d+); \
 classification.text=End of connection; \
 id=2615; \
 revision=1; \
 analyzer(0).name=honeyd; \
 analyzer(0).manufacturer=www.honeyd.org; \
 analyzer(0).class=Honeypot; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$3; \
 source(0).service.port=$4; \
 source(0).service.iana_protocol_name=$1; \
 source(0).service.iana_protocol_number=$2; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$5; \
 target(0).service.port=$6; \
 target(0).service.iana_protocol_name=$1; \
 target(0).service.iana_protocol_number=$2; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=recon; \
 assessment.impact.severity=medium; \
 assessment.impact.description=$1 connection to your honeypot has been closed; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=Data received; \
 additional_data(0).data=$7; \
 additional_data(1).type=integer; \
 additional_data(1).meaning=Data sent; \
 additional_data(1).data=$8; \
 last

#DESCRIPTION:(udp|tcp) connection to honeypot has been opened
#DESCRIPTION:Rule for honeyd version 1.5 (and probably later, NOT TESTED with later!). The rules should apply since honeyd version 0.7 or 0.8.
#CATEGORY:Honeypot
#LOG:2006-08-18-12:21:12.1239 tcp(6) S 11.11.11.11 48877 22.22.22.22 2778 [Linux 2.6 ]
regex=(udp|tcp)\((\d+)\) S ([\d\.]+) (\d+) ([\d\.]+) (\d+) \[(.*)\]; \
 classification.text=Start of connection; \
 id=2616; \
 revision=1; \
 analyzer(0).name=honeyd; \
 analyzer(0).manufacturer=www.honeyd.org; \
 analyzer(0).class=Honeypot; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$3; \
 source(0).service.port=$4; \
 source(0).service.iana_protocol_name=$1; \
 source(0).service.iana_protocol_number=$2; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$5; \
 target(0).service.port=$6; \
 target(0).service.iana_protocol_name=$1; \
 target(0).service.iana_protocol_number=$2; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=recon; \
 assessment.impact.severity=medium; \
 assessment.impact.description=$1 connection to your honeypot has been opened; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Target OS; \
 additional_data(0).data=$7; \
 last

prelude-lml-rules-5.1.0/ruleset/honeytrap.rules

#FULLNAME: Honeytrap
#VERSION: 1.0
#DESCRIPTION: Honeytrap is a network security tool written to observe attacks against TCP or UDP services.
#####
#
# Copyright (C) 2007 Bjoern Weiland <bjoern-dot-weiland-at-web-dot-de>
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

#DESCRIPTION:Reconnaissance Probe
#CATEGORY:Honeypot
#LOG:[2007-05-26 16:48:09] * 22 No bytes received from 157.100.50.58:57701.
regex=\* (\d+)\s+No bytes received from (\S+):(\d+).; \
 classification.text=Reconnaissance Probe; \
 id=40000; \
 revision=1; \
 analyzer(0).name=Honeytrap; \
 analyzer(0).manufacturer=http://honeytrap.mwcollect.org; \
 analyzer(0).class=Honeypot; \
 source(0).node.address(0).address=$2; \
 source(0).service.port=$3; \
 target(0).service.port=$1; \
 #assessment.impact.completion=succeeded; \
 assessment.impact.type=recon; \
 assessment.impact.severity=low; \
 assessment.impact.description=A connection to honeytrap has been established, but no data was received.; \
 last

#DESCRIPTION:Attack attempt
#CATEGORY:Honeypot
#LOG:[2007-05-26 16:49:23] * 22 724 bytes attack string from 157.100.50.58:47537.
regex=\* (\d+)\s+(\d+) bytes attack string from (\S+):(\d+).; \
 classification.text=Attack attempt; \
 id=40001; \
 revision=1; \
 analyzer(0).name=Honeytrap; \
 analyzer(0).manufacturer=http://honeytrap.mwcollect.org; \
 analyzer(0).class=Honeypot; \
 source(0).node.address(0).address=$3; \
 source(0).service.port=$4; \
 target(0).service.port=$1; \
 assessment.impact.severity=medium; \
 assessment.impact.description=Attack string has been saved; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=Attack string size; \
 additional_data(0).data=$2; \
 last

#DESCRIPTION:Attempt to download Malware
#CATEGORY:Honeypot
#LOG:[2007-05-26 17:14:30] FTP download - Requesting 'install_58181.exe' from 193.11.129.193:5836.
regex=(\S*) download - Requesting '(.*)' from (\S+):(\d+).; \
 classification.text=Malware download attempt; \
 id=40002; \
 revision=1; \
 analyzer(0).name=Honeytrap; \
 analyzer(0).manufacturer=http://honeytrap.mwcollect.org; \
 analyzer(0).class=Honeypot; \
 source(0).node.address(0).address=$3; \
 source(0).service.port=$4; \
 #target(0).file(0).name=$2; \
 assessment.impact.type=file; \
 assessment.impact.severity=high; \
 assessment.impact.description=Trying to download Malware via $1; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Filename; \
 additional_data(0).data=$2; \
 last
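The `#LOG:` lines in the honeyd and honeytrap rules above are the only fixtures these rulesets ship with, and the repository's own checker (`src/prelude-lml-rules-check`) only looks for duplicate ids; nothing verifies that a rule's regex still matches its own sample after an edit. The script below is an added example, not part of prelude-lml-rules and not Prelude-LML's own parser. It reads rule text the way the files above are written (backslash continuations, `key=value;` fields, bare flags such as `last`, `#` comment lines inside a continued rule, `#LOG:` samples), runs each rule's regex against its samples with Python's `re` (sufficient for the constructs these rules use), expands `$N` in `assessment.impact.description` from the captures, and reports duplicate ids. The embedded rule text is constructed: the first two rules are trimmed copies of honeyd 2613 and honeytrap 40002, the third deliberately reuses id 2613 with a TCP-style regex (which expects a flags field) against a UDP sample so that both checks fire.

```python
"""Added self-test for Prelude-LML rule files (not part of prelude-lml-rules).
For each rule: compile its regex, match it against every '#LOG:' sample that
precedes it, expand $N in assessment.impact.description, and flag duplicate
ids. Limitation: fields are split on ';', so a regex containing ';' would need
a smarter tokenizer (none of the rulesets above has one)."""
import re
import sys
from collections import defaultdict


def parse_rules(text):
    """Yield one dict per rule: id, regex, fields, flags, samples, line."""
    samples, buf, start = [], [], 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#LOG:"):
                samples.append(line[5:].strip())
            continue                      # comments, even inside a continued rule
        if not buf:
            start = lineno
        continued = line.endswith("\\")
        buf.append(line[:-1].strip() if continued else line)
        if continued:
            continue
        fields, flags = {}, set()
        for item in " ".join(buf).split(";"):
            item = item.strip()
            if "=" in item:
                key, value = item.split("=", 1)   # regex values may contain '='
                fields[key.strip()] = value.strip()
            elif item:
                flags.add(item)                   # last / chained / silent
        yield {"id": int(fields["id"]) if "id" in fields else None,
               "regex": fields.get("regex"), "fields": fields,
               "flags": flags, "samples": samples, "line": start}
        samples, buf = [], []


def expand(template, match):
    """Replace $N with capture group N; an unmatched optional group gives ''."""
    return re.sub(r"\$(\d+)", lambda m: match.group(int(m.group(1))) or "", template)


def check_rules(text):
    """Return (problems, alerts): problems is a list of messages, alerts maps
    rule id -> expanded descriptions, one per sample the regex matched."""
    problems, alerts, seen = [], defaultdict(list), {}
    for rule in parse_rules(text):
        rid, where = rule["id"], f"line {rule['line']}: rule {rule['id']}"
        if rid in seen:
            problems.append(f"{where}: id {rid} already used at line {seen[rid]}")
        else:
            seen[rid] = rule["line"]
        if rule["regex"] is None:
            problems.append(f"{where} has no regex")
            continue
        try:
            pattern = re.compile(rule["regex"])
        except re.error as exc:
            problems.append(f"{where} regex does not compile: {exc}")
            continue
        for sample in rule["samples"]:
            match = pattern.search(sample)
            if match is None:
                problems.append(f"{where} does not match sample {sample!r}")
            else:
                desc = rule["fields"].get("assessment.impact.description", "")
                alerts[rid].append(expand(desc, match))
    return problems, dict(alerts)


# Constructed input: trimmed copies of honeyd 2613 and honeytrap 40002, then a
# deliberately broken rule (duplicate id, TCP-style regex on a UDP sample).
SAMPLE_RULES = r"""
#DESCRIPTION:Someone tried to connect to a closed port on honeypot
#CATEGORY:Honeypot
#LOG:2006-08-18-12:21:12.1239 tcp(6) - 11.11.11.11 53952 22.22.22.22 10078: 44 S [Linux 2.6 ]
regex=tcp\(6\) - ([\d\.]+) (\d+) ([\d\.]+) (\d+): (\d+) (\S*) \[(.*)\]; \
 classification.text=TCP connection to closed port; \
 id=2613; \
 source(0).node.address(0).address=$1; \
 target(0).service.port=$4; \
 assessment.impact.description=Someone tried to connect to a closed port on your honeypot; \
 last

#DESCRIPTION:Attempt to download Malware
#LOG:[2007-05-26 17:14:30] FTP download - Requesting 'install_58181.exe' from 193.11.129.193:5836.
regex=(\S*) download - Requesting '(.*)' from (\S+):(\d+).; \
 classification.text=Malware download attempt; \
 id=40002; \
 #target(0).file(0).name=$2; \
 assessment.impact.description=Trying to download Malware via $1; \
 last

#LOG:2006-08-18-12:21:12.1239 udp(17) - 11.11.11.11 36722 22.22.22.22 545: 28 [Linux 2.6 ]
regex=udp\(17\) - ([\d\.]+) (\d+) ([\d\.]+) (\d+): (\d+) (\S+) \[(.*)\]; \
 classification.text=UDP connection to closed port; \
 id=2613; \
 last
"""

if __name__ == "__main__":
    # usage: python rulecheck.py /etc/prelude-lml/ruleset/*.rules (no args: built-in sample)
    text = "\n".join(open(f).read() for f in sys.argv[1:]) if sys.argv[1:] else SAMPLE_RULES
    problems, alerts = check_rules(text)
    for rid, descs in sorted(alerts.items()):
        print(rid, descs)
    for problem in problems:
        print("PROBLEM", problem)
    sys.exit(1 if problems else 0)
```

Run against the built-in sample it prints the two expanded descriptions and two PROBLEM lines (the reused id and the non-matching UDP sample); run against a real ruleset directory it exits non-zero when any `#LOG:` sample no longer matches, which is the check to wire into CI before shipping an edited rule file.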
prelude-lml-rules-5.1.0/ruleset/httpd.rules

#FULLNAME: Apache HTTP Server (httpd)
#VERSION: 1.0
#AUTHOR: Prelude Team <support.prelude@c-s.fr>
#DESCRIPTION: The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP server for modern operating systems including UNIX and Windows. https://httpd.apache.org/docs/2.4/en/mod/core.html#errorlogformat. Versions supported : 2.2.x to 2.4.x.
#ID: 4100
#####
#
# Copyright (C) 2005 Ruben Alonso <1rualons@rigel.deusto.es>
# Copyright (C) 2005 G Ramon Gomez <gene at gomezbrothers dot com>
# Copyright (C) 2015-2019 CS-SI. All Rights Reserved.
#
# This file is part of the Prelude-LML program.
#
#####

#####
#
# Rules for Apache HTTP Server
#
# 4100 to 4149 : generic rules
# 4150 to 4179 : specific rules
# 4180 to 4199 : old apache (<2.4)
#
#####

#####
#
# Configuration for ruleset/pcre.conf:
#
# regex=\[((\S+):|:|)(warn|error|crit|alert|emerg)\]; include = httpd.rules;
#
# For old apache (<2.4)
# regex=(\[error\]|Pass|httpd); include = httpd.rules;
#
#####

regex=\[pid (\d+)\]; \
 id=4101; \
 target(0).process.pid=$1; \
 chained; silent;

regex=\[client (\S+?(?=:)|\S+)(:(\d+)|)\]; \
 id=4102; \
 source(0).node.address(0).address=$1; \
 chained; silent;

regex=\[host (\S+)\]; \
 id=4103; \
 target(0).node.address(0).address=$1; \
 chained; silent;

regex=referer: ([^,].+(?=,)|[^,]\S+); \
 id=4104; \
 additional_data(>>).type=string; \
 additional_data(-1).meaning=referrer; \
 additional_data(-1).data=$1; \
 chained; silent;

regex=(AH\d{5}): ([^,].+(?=,)|[^,].*); \
 id=4105; \
 classification.reference(0).name=$1; \
 classification.reference(0).url=https://wiki.apache.org/httpd/ListOfErrors; \
 classification.reference(0).meaning=$2; \
 classification.reference(0).origin=vendor-specific; \
 classification.text=$2; \
 chained; silent;

regex=\[(\S+):(warn|error|crit|alert|emerg)\]; \
 id=4106; \
 additional_data(0).type=string; \
 additional_data(0).meaning=apache module; \
 additional_data(0).data=$1; \
 chained; silent;

#LOG:[Sun Jan 31 18:26:01 2016] [error] [client 1.2.3.4] [host foo.cluster42.ovh.net] request failed: error reading the headers
regex=request failed: ([^,]*); \
 id=4150; \
 classification.text=Request failed; \
 assessment.impact.completion=failed; \
 assessment.impact.type=other; \
 assessment.impact.severity=low; \
 additional_data(>>).type=string; \
 additional_data(-1).meaning=error; \
 additional_data(-1).data=$1; \
 chained; last;

#LOG:[Sun Jan 31 16:35:18 2016] [warn] [client 1.2.3.4] [host foo.ovh] [ovhconfig] syntax error in /homez.1337/foo/.ovhconfig:5
regex=syntax error in ([^,].+(?=,)|[^,]\S+); \
 id=4151; \
 classification.text=Syntax error; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.severity=low; \
 additional_data(>>).type=string; \
 additional_data(-1).meaning=file; \
 additional_data(-1).data=$1; \
 chained; last;

#LOG:[Wed Oct 21 19:28:42 2015] [:error] [pid 1337] [client 1.2.3.4:1234] script '/var/www/wordpress/wp-login.php' not found or unable to stat
regex=script '(\S+)' not found; \
 id=4152; \
 classification.text=Script not found; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.severity=low; \
 additional_data(>>).type=string; \
 additional_data(-1).meaning=script; \
 additional_data(-1).data=$1; \
 chained; last;

#LOG:[Wed Oct 21 19:28:42 2015] [error] [client 1.2.3.4] PHP Warning: pg_connect(): in /var/wordpress/foo.php on line 666
#LOG:[Wed Oct 21 19:28:42 2015] [error] [client 1.2.3.4] PHP Notice: Constant WP_DEBUG already defined in /var/www/wordpress/wp-config.php on line 42
#LOG:[Wed Oct 21 19:28:42 2015] [error] [client 1.2.3.4] PHP Fatal error: Call to undefined method dbrc_wpdb::get_charset_collate() in /var/www/wordpress/wp-admin/includes/schema.php on line 512
regex=(PHP [^:].+(?=:)): (.*); \
 id=4153; \
 classification.text=PHP error; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.severity=low; \
 additional_data(>>).type=string; \
 additional_data(-1).meaning=PHP error; \
 additional_data(-1).data=$2; \
 chained; last;

#LOG:[Wed Oct 21 19:28:42 2015] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
regex=(RFC(\s|)(\d+)); \
 id=4154; \
 classification.reference(>>).name=$1; \
 classification.reference(-1).url=https://tools.ietf.org/html/rfc$3; \
 classification.reference(-1).origin=vendor-specific; \
 chained; silent;

#LOG:[Wed Oct 21 19:28:42 2015] [error] (9)Bad file descriptor: apr_socket_accept: (client socket)
regex=Bad file descriptor; \
 id=4155; \
 classification.text=Bad file descriptor; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.severity=low; \
 chained; last;

#LOG:[Wed Oct 21 19:28:42 2015] [error] [client 1.2.3.4] File does not exist: /var/www/wordpress/robots.txt
regex=File does not exist: ([^,].+(?=,)|[^,].*); \
 id=4156; \
 classification.text=File does not exist; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.severity=low; \
 additional_data(>>).type=string; \
 additional_data(-1).meaning=file; \
 additional_data(-1).data=$1; \
 chained; last;

#LOG:[Wed Oct 21 19:28:42 2015] [error] [client 1.2.3.4] client denied by server configuration: /var/www/wordpress/wp-login.php
regex=client denied by server configuration: ([^,].+(?=,)|[^,].*); \
 id=4157; \
 classification.text=Client denied by server configuration; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.severity=low; \
 additional_data(>>).type=string; \
 additional_data(-1).meaning=url; \
 additional_data(-1).data=$1; \
 chained; last;

#LOG:[Wed Oct 21 19:28:42 2015] [error] [client 1.2.3.4] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /foobar.cgi
regex=client sent (\S+) request without hostname; \
 id=4158; \
 classification.text=Client sent request without hostname; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.severity=low; \
 additional_data(>>).type=string; \
 additional_data(-1).meaning=http protocol; \
 additional_data(-1).data=$1; \
 chained; last;

#LOG:[Wed Oct 21 19:28:42 2015] [error] Invalid URI in request GET HTTP/1.1 HTTP/1.1
regex=Invalid URI in request; \
 id=4159; \
 classification.text=Invalid URI in request; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.severity=low; \
 chained; last;

#LOG:[Wed Oct 21 19:28:42 2015] [error] Directory index forbidden by Options directive: /var/www/wordpress/wp-includes/css/
regex=Directory index forbidden by (.*): ([^,].+(?=,)|[^,].*); \
 id=4160; \
 classification.text=Directory index forbidden by $1; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.severity=low; \
 additional_data(>>).type=string; \
 additional_data(-1).meaning=path; \
 additional_data(-1).data=$2; \
 chained; last;

#LOG:[Wed Oct 21 19:28:42 2015] [error] Hostname 10.11.12.13 provided via SNI and hostname *.foobar.com provided via HTTP are different
regex=Hostname (\S+) provided via (\S+) and hostname (\S+) provided via (\S+) are different; \
 id=4161; \
 classification.text=Hostnames are different; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.severity=low; \
 additional_data(>>).type=string; \
 additional_data(-1).meaning=hostname provided by $2; \
 additional_data(-1).data=$1; \
 additional_data(>>).type=string; \
 additional_data(-1).meaning=hostname provided by $4; \
 additional_data(-1).data=$3; \
 chained; last;

#LOG:[Sun Feb 01 06:25:03 2015] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
regex=Init:\s(.*); \
 id=4162; \
 classification.text=$1; \
 chained; last;

#DESCRIPTION:Format : [<date>] (1) (2) (3) (4) <message> (5) where (1) = "[<module>:<level>]" or "[:<level>]" or "[<level>]", (2) = "[pid <pid>]" if PID exists, (3) = "[client <ip>]" if client exists, (4) = "[<key> <value>]" or "[<value>]" n times with n >= 0, (5) = optional values like "<key>: <value>"
regex=\[((\S+):|:|)(warn|error|crit|alert|emerg)\](\s\[(\S+\s\S+|\S+)\]|){1,}(.*); \
 id=4100; \
 analyzer(0).name=Apache HTTP Server; \
 analyzer(0).manufacturer=https://httpd.apache.org; \
 analyzer(0).class=Service; \
 source(0).service.iana_protocol_number=6; \
 target(0).service.portlist=80,443; \
 target(0).service.iana_protocol_name=tcp; \
 target(0).service.iana_protocol_number=6; \
 target(0).service.name=http; \
 target(0).process.name=httpd; \
 assessment.impact.description=$6; \
 optgoto=4101-4106; \
 optgoto=4154; \
 optgoto=4150-4153; \
 optgoto=4155-4162; \
 silent;

#DESCRIPTION:Web server - Error
#CATEGORY:Web Service
#LOG:[Sat Mar 12 22:56:12 2005] [error] [client 127.0.0.1] File does not exist: /var/www/favicon.ico
#LOG:[Sat Mar 12 22:56:13 2005] [error] [client 127.0.0.1] Premature end of script headers: /var/www/sample/index.pl
#LOG:[Sat Mar 12 22:48:24 2005] [error] [client 127.0.0.1] Directory index forbidden by rule: /var/www/sample/
#LOG:[Sat Mar 12 22:38:41 2005] [error] [client 127.0.0.1] client denied by server configuration: /var/www/sample/
#LOG:[Sun Jan 2 22:42:47 2005] [error] [client 127.0.0.1] request failed: error reading the headers
#LOG:[Sun Jan 2 23:48:19 2005] [error] [client 127.0.0.1] request failed: URI too long
regex=\[error\] \[client ([\d\.]+)\] ((File|Premature|Directory|client|request)[\S+\s]+): (.+); \
 classification.text=Web server error; \
 id=4180; \
 revision=1; \
 analyzer(0).name=httpd; \
 analyzer(0).manufacturer=www.apache.org; \
 analyzer(0).class=Service; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=Apache httpd '$2' error: '$4'; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 source(0).service.iana_protocol_name=tcp; \
 source(0).service.iana_protocol_number=6; \
 target(0).service.iana_protocol_name=tcp; \
 target(0).service.iana_protocol_number=6; \
 target(0).service.name=http; \
 last

#DESCRIPTION:Web server - Error
#CATEGORY:Web Service
#LOG:[Sat Apr 16 14:30:12 2005] [error] [client ::1] File does not exist: /var/www/favicon.ico
regex=\[error\] \[client ([A-Fa-f\d:]+)\] ((File|Premature|Directory|client|request)[\S+\s]+): (.+); \
 classification.text=Web server error; \
 id=4181; \
 revision=1; \
 analyzer(0).name=httpd; \
 analyzer(0).manufacturer=www.apache.org; \
 analyzer(0).class=Service; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=Apache httpd '$2' error: '$4'; \
 source(0).node.address(0).category=ipv6-addr; \
 source(0).node.address(0).address=$1; \
 source(0).service.iana_protocol_name=tcp; \
 source(0).service.iana_protocol_number=6; \
 target(0).service.iana_protocol_name=tcp; \
 target(0).service.iana_protocol_number=6; \
 target(0).service.name=http; \
 last

#DESCRIPTION:Web server - SSL passphrase correct
#CATEGORY:Authentication
#LOG:Apr 17 12:58:51 mail httpd: OK: Pass Phrase Dialog successful.
regex=OK: Pass Phrase Dialog successful; \
 classification.text=Web server SSL passphrase correct; \
 id=4182; \
 revision=1; \
 analyzer(0).name=httpd; \
 analyzer(0).manufacturer=www.apache.org; \
 analyzer(0).class=Service; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=Apache was started and an SSL passphrase was required. This passphrase was entered correctly.; \
 last

#DESCRIPTION:Web server - SSL passphrase incorrect
#CATEGORY:Authentication
#LOG:Apr 17 12:58:48 mail httpd: Apache:mod_ssl:Error: Pass phrase incorrect (5 more retries permitted).
regex=Error: Pass phrase incorrect \(; \
 classification.text=Web server SSL passphrase incorrect; \
 id=4183; \
 revision=1; \
 analyzer(0).name=httpd; \
 analyzer(0).manufacturer=www.apache.org; \
 analyzer(0).class=Service; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=failed; \
 assessment.impact.type=other; \
 assessment.impact.description=Apache was started and an SSL passphrase was required. This passphrase was not entered correctly, but additional passphrase attempts will be allowed.; \
 last

#DESCRIPTION:Web server - SSL passphrase incorrect
#CATEGORY:Authentication
#LOG:Apr 17 14:00:48 mail httpd: Apache:mod_ssl:Error: Pass phrase incorrect.
regex=Error: Pass phrase incorrect\.; \
 classification.text=Web server SSL passphrase incorrect; \
 id=4184; \
 revision=1; \
 analyzer(0).name=httpd; \
 analyzer(0).manufacturer=www.apache.org; \
 analyzer(0).class=Service; \
 assessment.impact.severity=high; \
 assessment.impact.completion=failed; \
 assessment.impact.type=other; \
 assessment.impact.description=Apache was started and an SSL passphrase was required. This passphrase was not entered correctly. No additional passphrase attempts will be allowed.; \
 last

#DESCRIPTION:Web server - shutdown
#CATEGORY:Service Management
#LOG:Apr 17 14:00:13 mail httpd: httpd shutdown succeeded
regex=httpd shutdown succeeded; \
 classification.text=Web server shutdown; \
 id=4185; \
 revision=1; \
 analyzer(0).name=httpd; \
 analyzer(0).manufacturer=www.apache.org; \
 analyzer(0).class=Service; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=Apache httpd shutdown seen.; \
 target(0).service.name=http; \
 last

#DESCRIPTION:Web server - startup
#CATEGORY:Service Management
#LOG:Apr 17 14:02:41 mail httpd: httpd startup succeeded
regex=httpd startup succeeded; \
 classification.text=Web server startup; \
 id=4186; \
 revision=1; \
 analyzer(0).name=httpd; \
 analyzer(0).manufacturer=www.apache.org; \
 analyzer(0).class=Service; \
 assessment.impact.severity=info; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=Apache httpd startup seen.; \
 target(0).service.name=http; \
 last

prelude-lml-rules-5.1.0/ruleset/ipchains.rules

#FULLNAME: IP Firewalling Chains
#VERSION: 1.0
#DESCRIPTION: Linux IP Firewalling Chains (ipchains) control the packet filter or firewall capabilities in the 2.2 series of Linux kernels. Support Ipchains events v0.1.1.
#####
#
# Copyright (C) 2016-2019 CS-SI <support.prelude@c-s.fr>
# Author : Simon Castro <scastro [at] entreelibre.com>
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

#DESCRIPTION:TCP packet denied
#CATEGORY:Packet Filtering
#LOG:May 14 11:03:57 gateway kernel: Packet log: input DENY eth0 PROTO=6 1.2.3.4:3894 5.6.7.8:10008 L=60 S=0x00 I=50210 F=0x4000 T=48
regex=Packet log: ([\w-]+) DENY (\w+) PROTO=6 ([\d\.]+):(\d+) ([\d\.]+):(\d+); \
 classification.text=TCP packet denied; \
 id=700; \
 revision=1; \
 analyzer(0).name=ipchains; \
 analyzer(0).manufacturer=www.netfilter.org; \
 analyzer(0).class=Firewall; \
 assessment.impact.completion=failed; \
 assessment.impact.type=other; \
 assessment.impact.severity=medium; \
 assessment.impact.description=Ipchains denied a TCP packet : $3:$4 -> $5:$6 on $2 (Rulename is '$1'); \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$3; \
 source(0).service.port=$4; \
 source(0).service.iana_protocol_name=tcp; \
 source(0).service.iana_protocol_number=6; \
 source(0).interface=$2; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$5; \
 target(0).service.port=$6; \
 target(0).service.iana_protocol_name=tcp; \
 target(0).service.iana_protocol_number=6; \
 last

#DESCRIPTION:UDP packet denied
#CATEGORY:Packet Filtering
#LOG:May 14 11:03:57 gateway kernel: Packet log: input DENY eth0 PROTO=17 1.2.3.4:67 5.6.7.8:68 L=328 S=0x01 I=35569 F=0x4000 T=64 (#3)
regex=Packet log: ([\w-]+) DENY (\w+) PROTO=17 ([\d\.]+):(\d+) ([\d\.]+):(\d+); \
 classification.text=UDP packet denied; \
 id=701; \
 revision=1; \
 analyzer(0).name=ipchains; \
 analyzer(0).manufacturer=www.netfilter.org; \
 analyzer(0).class=Firewall; \
 assessment.impact.completion=failed; \
 assessment.impact.type=other; \
 assessment.impact.severity=medium; \
 assessment.impact.description=Ipchains denied a UDP packet : $3:$4 -> $5:$6 on $2 (Rulename is '$1'); \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$3; \
 source(0).service.port=$4; \
 source(0).service.iana_protocol_name=udp; \
 source(0).service.iana_protocol_number=17; \
 source(0).interface=$2; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$5; \
 target(0).service.port=$6; \
 target(0).service.iana_protocol_name=udp; \
 target(0).service.iana_protocol_number=17; \
 last

#DESCRIPTION:ICMP Packet denied
#CATEGORY:Packet Filtering
#LOG:Dec 15 12:30:15 firewall kernel: Packet log: bad-if DENY lo PROTO=1 1.2.3.4:3 5.6.7.8:1 L=92 S=0xC0 I=4595 F=0x0000 T=255 (#1)
regex=Packet log: ([\w-]+) DENY (\w+) PROTO=1 ([\d\.]+):(\d+) ([\d\.]+):(\d+); \
 classification.text=ICMP Packet denied; \
 id=702; \
 revision=1; \
 analyzer(0).name=ipchains; \
 analyzer(0).manufacturer=www.netfilter.org; \
 analyzer(0).class=Firewall; \
 assessment.impact.completion=failed; \
 assessment.impact.type=other; \
 assessment.impact.severity=medium; \
 assessment.impact.description=Ipchains denied an ICMP packet : $3:$4 -> $5:$6 on $2 (Rulename is '$1'); \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$3; \
 source(0).service.port=$4; \
 source(0).service.iana_protocol_name=icmp; \
 source(0).service.iana_protocol_number=1; \
 source(0).interface=$2; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$5; \
 target(0).service.port=$6; \
 target(0).service.iana_protocol_name=icmp; \
 target(0).service.iana_protocol_number=1; \
 last

#DESCRIPTION:TCP packet accepted
#CATEGORY:Packet Filtering
#LOG:May 19 16:00:12 redhat kernel: Packet log: input ACCEPT eth1 PROTO=6 1.2.3.4:1318 5.6.7.8:80 L=48 S=0x00 I=40225 F=0x4000 T=126 SYN (#1)
regex=Packet log: ([\w-]+) ACCEPT (\w+) PROTO=6 ([\d\.]+):(\d+) ([\d\.]+):(\d+); \
 classification.text=TCP packet accepted; \
 id=703; \
 revision=1; \
 analyzer(0).name=ipchains; \
 analyzer(0).manufacturer=www.netfilter.org; \
 analyzer(0).class=Firewall; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.severity=medium; \
 assessment.impact.description=Ipchains accepted a TCP packet : $3:$4 -> $5:$6 on $2 (Rulename is '$1'); \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$3; \
 source(0).service.port=$4; \
 source(0).service.iana_protocol_name=tcp; \
 source(0).service.iana_protocol_number=6; \
 source(0).interface=$2; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$5; \
 target(0).service.port=$6; \
 target(0).service.iana_protocol_name=tcp; \
 target(0).service.iana_protocol_number=6; \
 last

#DESCRIPTION:UDP packet accepted
#CATEGORY:Packet Filtering
#LOG:Aug 20 11:39:08 ipseca kernel: Packet log: input ACCEPT eth0 PROTO=17 1.2.3.4:1563 5.6.7.8:53 L=77 S=0x00 I=5608 F=0x0000 T=128 (#11)
regex=Packet log: ([\w-]+) ACCEPT (\w+) PROTO=17 ([\d\.]+):(\d+) ([\d\.]+):(\d+); \
 classification.text=UDP packet accepted; \
 id=704; \
 revision=1; \
 analyzer(0).name=ipchains; \
 analyzer(0).manufacturer=www.netfilter.org; \
 analyzer(0).class=Firewall; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.severity=medium; \
 assessment.impact.description=Ipchains accepted a UDP packet : $3:$4 -> $5:$6 on $2 (Rulename is '$1'); \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$3; \
 source(0).service.port=$4; \
 source(0).service.iana_protocol_name=udp; \
 source(0).service.iana_protocol_number=17; \
 source(0).interface=$2; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$5; \
 target(0).service.port=$6; \
 target(0).service.iana_protocol_name=udp; \
 target(0).service.iana_protocol_number=17; \
 last

#DESCRIPTION:ICMP Packet accepted
#CATEGORY:Packet Filtering
#LOG:Aug 20 11:39:08 ipseca kernel: Packet log: input ACCEPT eth0 PROTO=1 1.2.3.4:8 5.6.7.8:0 L=60 S=0x00 I=5612 F=0x0000 T=128 (#11)
regex=Packet log: ([\w-]+) ACCEPT (\w+) PROTO=1 ([\d\.]+):(\d+) ([\d\.]+):(\d+); \
 classification.text=ICMP Packet accepted; \
 id=705; \
 revision=1; \
 analyzer(0).name=ipchains; \
 analyzer(0).manufacturer=www.netfilter.org; \
 analyzer(0).class=Firewall; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.severity=medium; \
 assessment.impact.description=Ipchains accepted an ICMP packet : $3:$4 -> $5:$6 on $2 (Rulename is '$1'); \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$3; \
 source(0).service.port=$4; \
 source(0).service.iana_protocol_name=icmp; \
 source(0).service.iana_protocol_number=1; \
 source(0).interface=$2; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$5; \
 target(0).service.port=$6; \
 target(0).service.iana_protocol_name=icmp; \
 target(0).service.iana_protocol_number=1; \
 last
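The httpd ruleset above is built differently from honeyd, honeytrap or ipchains: rule 4100 is `silent` and only dispatches, through its `optgoto` lists, to `chained` sub-rules that each contribute fields to one alert, with `additional_data(>>)` appending a new entry and `additional_data(-1)` addressing the entry just appended; a `silent` sub-rule adds fields without emitting, a non-silent one emits, and `last` stops the chain. The Python below is an added example that reproduces just that behaviour for a subset of the httpd rules (4100, 4101, 4102, 4105, 4106, 4152, 4156, regexes copied verbatim, fields trimmed). It is not Prelude-LML's matching engine and is placed here, after the ipchains file, because it refers back to the httpd rules. The first sample line is the `#LOG:` of rule 4156; the second is a constructed Apache 2.4-style line (module:level, pid, client:port, AH code) in which the AH00128 code is an illustrative assumption, not taken from the ruleset.

```python
"""Added example (not prelude-lml's engine): evaluate the httpd chained-rule
layout. The top rule seeds the alert with its own fields; every optgoto
sub-rule whose regex matches adds its fields ($N refers to that sub-rule's
own captures); 'silent' rules never emit on their own; 'last' stops the
chain; additional_data(>>) appends an entry, additional_data(-1) addresses it."""
import re

# rule 4100 (copied from the ruleset above; analyzer fields trimmed)
TOP_RULE = {
    "id": 4100, "silent": True,
    "regex": r"\[((\S+):|:|)(warn|error|crit|alert|emerg)\](\s\[(\S+\s\S+|\S+)\]|){1,}(.*)",
    "fields": [("analyzer(0).name", "Apache HTTP Server"),
               ("target(0).service.name", "http"),
               ("assessment.impact.description", "$6")],
}

# sub-rules in optgoto order (4101-4106 before 4150-4162); a subset of the ruleset
SUB_RULES = [
    {"id": 4101, "silent": True, "regex": r"\[pid (\d+)\]",
     "fields": [("target(0).process.pid", "$1")]},
    {"id": 4102, "silent": True, "regex": r"\[client (\S+?(?=:)|\S+)(:(\d+)|)\]",
     "fields": [("source(0).node.address(0).address", "$1")]},
    {"id": 4105, "silent": True, "regex": r"(AH\d{5}): ([^,].+(?=,)|[^,].*)",
     "fields": [("classification.reference(0).name", "$1"),
                ("classification.reference(0).meaning", "$2"),
                ("classification.text", "$2")]},
    {"id": 4106, "silent": True, "regex": r"\[(\S+):(warn|error|crit|alert|emerg)\]",
     "fields": [("additional_data(0).type", "string"),
                ("additional_data(0).meaning", "apache module"),
                ("additional_data(0).data", "$1")]},
    {"id": 4152, "last": True, "regex": r"script '(\S+)' not found",
     "fields": [("classification.text", "Script not found"),
                ("additional_data(>>).type", "string"),
                ("additional_data(-1).meaning", "script"),
                ("additional_data(-1).data", "$1")]},
    {"id": 4156, "last": True, "regex": r"File does not exist: ([^,].+(?=,)|[^,].*)",
     "fields": [("classification.text", "File does not exist"),
                ("additional_data(>>).type", "string"),
                ("additional_data(-1).meaning", "file"),
                ("additional_data(-1).data", "$1")]},
]

_AD = re.compile(r"^additional_data\((>>|-1|\d+)\)\.(\w+)$")


def expand(template, match):
    """Replace $N with capture group N (empty string for an unmatched group)."""
    return re.sub(r"\$(\d+)", lambda m: match.group(int(m.group(1))) or "", template)


def set_field(alert, key, value):
    """Store an IDMEF path; additional_data(...) keys become a list of dicts."""
    m = _AD.match(key)
    if not m:
        alert[key] = value
        return
    entries, idx, attr = alert.setdefault("additional_data", []), m.group(1), m.group(2)
    if idx == ">>" or (idx == "-1" and not entries):
        entries.append({})                       # (>>) opens a new entry
    elif idx.isdigit():
        while len(entries) <= int(idx):          # absolute index, e.g. (0)
            entries.append({})
    (entries[-1] if idx in (">>", "-1") else entries[int(idx)])[attr] = value


def evaluate(log_line, top=TOP_RULE, subs=SUB_RULES):
    """Return the alert dict for log_line, or None when nothing non-silent matched."""
    m = re.search(top["regex"], log_line)
    if not m:
        return None
    alert = {"matched_rules": [top["id"]]}
    for key, tmpl in top["fields"]:
        set_field(alert, key, expand(tmpl, m))
    emit = not top.get("silent", False)
    for rule in subs:
        sm = re.search(rule["regex"], log_line)
        if not sm:
            continue
        alert["matched_rules"].append(rule["id"])
        for key, tmpl in rule["fields"]:
            set_field(alert, key, expand(tmpl, sm))
        emit = emit or not rule.get("silent", False)
        if rule.get("last"):
            break
    return alert if emit else None


if __name__ == "__main__":
    samples = [
        # #LOG sample of rule 4156 (Apache 2.2 format)
        "[Wed Oct 21 19:28:42 2015] [error] [client 1.2.3.4] File does not exist: /var/www/wordpress/robots.txt",
        # constructed Apache 2.4-style line; AH00128 is an assumed error code
        "[Wed Oct 21 19:28:42 2015] [core:error] [pid 1337] [client 1.2.3.4:1234] AH00128: File does not exist: /var/www/html/favicon.ico",
        # matches 4100 but only silent sub-rules: no alert
        "[Wed Oct 21 19:28:42 2015] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)",
    ]
    for line in samples:
        print(evaluate(line))
```

The second sample shows why the optgoto order matters: 4105 first sets `classification.text` to the whole AH message, then 4156 overwrites it with its fixed text and appends the file entry after the module entry that 4106 placed at index 0. The third sample returns no alert at all, which is what `silent` on 4100 buys: an error-log line that no specific rule recognises is dropped instead of producing a generic alert.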
�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������prelude-lml-rules-5.1.0/ruleset/linksys-wap11.rules�������������������������������������������������0000664�0001750�0001750�00000005012�13537533463�022427� 0����������������������������������������������������������������������������������������������������ustar �tandreja������������������������tandreja���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������#FULLNAME: Linksys WAP11 #VERSION: 1.0 #DESCRIPTION: The linksys WAP11 is an external wireless network access point for wireless networks based on the IEEE 802.11b standard. ##### # # Copyright (C) 2003 Yoann Vandoorselaere <yoann@prelude-siem.org> # All Rights Reserved # # This file is part of the Prelude-LML program. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2, or (at your option) # any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License along # with this program; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 
#
#####

#DESCRIPTION:Wireless PC connected
#CATEGORY:Wireless Network
#LOG:Jan 21 17:22:34 192.168.0.17 Wireless PC connected 00-30-65-05-17-AD
#LOG:Jul 17 19:46:15 smf-syslog-02.smf.ragingwire.net smf-wap-02/smf-wap-02 Wireless PC connected 00-12-F0-0D-2C-66
regex=Wireless PC connected[\s]+([A-Fa-f\d-]+); \
 classification.text=Wireless PC connected; \
 id=2200; \
 revision=3; \
 analyzer(0).manufacturer=Linksys; \
 analyzer(0).name=WAP11; \
 analyzer(0).class=Router; \
 assessment.impact.completion=succeeded; \
 assessment.impact.severity=low; \
 assessment.impact.description=Successful wireless PC connection from $1; \
 source(0).node.address(0).category=mac; \
 source(0).node.address(0).address=$1; \
 last

#DESCRIPTION:Unauthorized wireless PC connection attempt
#CATEGORY:Wireless Network
#LOG:Jan 21 17:27:46 192.168.0.17 Unauthorized wireless PC try to connected 00-30-65-05-17-AD
#LOG:Jul 18 16:18:09 smf-syslog-02.smf.ragingwire.net smf-wap-02/smf-wap-02 Unauthorized wireless PC try to connected 00-90-4B-AD-2A-AC
regex=Unauthorized wireless PC try to connected[\s]+([A-Fa-f\d\-]+); \
 classification.text=Unauthorized wireless PC connection attempt; \
 id=2201; \
 revision=3; \
 analyzer(0).manufacturer=Linksys; \
 analyzer(0).name=WAP11; \
 analyzer(0).class=Router; \
 assessment.impact.completion=failed; \
 assessment.impact.severity=medium; \
 assessment.impact.description=Unauthorized wireless PC connection attempt from $1; \
 source(0).node.address(0).category=mac; \
 source(0).node.address(0).address=$1; \
 last
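The quickest way to validate a rule in this format is to replay its own #LOG samples through its regex and look at what the $N substitutions produce. The script below is an added example, not part of prelude-lml-rules or of Prelude-LML itself: it reads the rule format used throughout this ruleset (#LOG samples, then a regex= line followed by field=value continuation lines up to last), matches every sample, expands the captures into the IDMEF fields the way LML does, and reports samples that no longer match. The two Linksys WAP11 rules above are embedded as constructed input, trimmed to the fields the check needs; Python's re stands in for LML's PCRE, which agrees with it on the patterns in this ruleset.

```python
"""Replay a prelude-lml rule's own #LOG samples through its regex.

Added example, not part of prelude-lml-rules or Prelude-LML. A sample that
stops matching its rule is the usual symptom of a pattern that drifted away
from the log it was written for.
"""
import re

# Constructed input: the two Linksys WAP11 rules above, trimmed to the
# fields that matter for the check.
RULES_TEXT = r"""
#DESCRIPTION:Wireless PC connected
#CATEGORY:Wireless Network
#LOG:Jan 21 17:22:34 192.168.0.17 Wireless PC connected 00-30-65-05-17-AD
#LOG:Jul 17 19:46:15 smf-syslog-02.smf.ragingwire.net smf-wap-02/smf-wap-02 Wireless PC connected 00-12-F0-0D-2C-66
regex=Wireless PC connected[\s]+([A-Fa-f\d-]+); \
 classification.text=Wireless PC connected; \
 id=2200; \
 assessment.impact.severity=low; \
 assessment.impact.description=Successful wireless PC connection from $1; \
 source(0).node.address(0).category=mac; \
 source(0).node.address(0).address=$1; \
 last

#DESCRIPTION:Unauthorized wireless PC connection attempt
#CATEGORY:Wireless Network
#LOG:Jan 21 17:27:46 192.168.0.17 Unauthorized wireless PC try to connected 00-30-65-05-17-AD
regex=Unauthorized wireless PC try to connected[\s]+([A-Fa-f\d\-]+); \
 classification.text=Unauthorized wireless PC connection attempt; \
 id=2201; \
 assessment.impact.severity=medium; \
 assessment.impact.description=Unauthorized wireless PC connection attempt from $1; \
 source(0).node.address(0).category=mac; \
 source(0).node.address(0).address=$1; \
 last
"""


def parse_rules(text):
    """Return [{'regex': compiled, 'fields': {name: template}, 'logs': [...]}]."""
    rules, logs, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#LOG:"):
            logs.append(line[len("#LOG:"):])
            continue
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):              # continuation marker
            line = line[:-1].rstrip()
        if line == "last":                   # end of rule
            current = None
            continue
        key, _, value = line.rstrip(";").partition("=")
        key, value = key.strip(), value.strip()
        if key == "regex":
            # The #LOG lines seen since the previous rule belong to this one.
            current = {"regex": re.compile(value), "fields": {}, "logs": logs}
            logs = []
            rules.append(current)
        elif current is not None:
            current["fields"][key] = value
    return rules


def expand(template, match):
    """Substitute $1..$N with the captures, as LML does for field values."""
    return re.sub(r"\$(\d+)", lambda m: match.group(int(m.group(1))) or "", template)


def check_rules(text=RULES_TEXT):
    """Match each rule's #LOG samples.

    Returns (report, failures): report maps rule id -> list of
    (log, expanded fields or None); failures lists (id, log) pairs whose
    sample did not match its own regex.
    """
    report, failures = {}, []
    for rule in parse_rules(text):
        rid = rule["fields"].get("id", "?")
        rows = []
        for log in rule["logs"]:
            m = rule["regex"].search(log)
            rows.append((log, None if m is None else
                         {k: expand(v, m) for k, v in rule["fields"].items()}))
            if m is None:
                failures.append((rid, log))
        report[rid] = rows
    return report, failures


def first_match(line, text=RULES_TEXT):
    """Mimic LML dispatch: fields of the first rule matching `line`, or None."""
    for rule in parse_rules(text):
        m = rule["regex"].search(line)
        if m is not None:
            return {k: expand(v, m) for k, v in rule["fields"].items()}
    return None


if __name__ == "__main__":
    report, failures = check_rules()
    for rid, rows in report.items():
        for log, fields in rows:
            print(rid, "OK      " if fields else "NO MATCH",
                  fields["assessment.impact.description"] if fields else log)
    # A line no rule covers must come back as None, not as a misclassification.
    print(first_match("Jan 21 17:30:00 192.168.0.17 Wireless PC disconnected 00-30-65-05-17-AD"))
```

Feed it a whole .rules file instead of RULES_TEXT to regression-test a ruleset after editing a regex; a non-empty failures list is the signal to look at.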

prelude-lml-rules-5.1.0/ruleset/ms-sql.rules
#FULLNAME: Microsoft SQL
#VERSION: 1.0
#DESCRIPTION: SQL database server from Microsoft. The rules included here were developed using Microsoft SQL Server 2000 SP3a events collected using NTSysLog.
#####
#
# Copyright (C) 2003 G Ramon Gomez <gene at gomezbrothers dot com>
# Tyco Fire and Security GTS (www.tycofireandsecurity.com)
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

#DESCRIPTION:Failed login to MS-SQL instance as a generic (non-sa) user
#CATEGORY:Authentication
#LOG:Nov 24 14:45:58 testdb.itg.sac.tfs mssqlserver[info] 17055 18456 : Login failed for user 'probe'.
# The negative lookahead includes the closing quote so that only the literal
# 'sa' account is excluded (rule 1001 handles it), not every account whose
# name merely starts with "sa".
regex=(mssql.+)\[\w+\] \d+ \d+ : Login failed for user '(?!sa')(.+)'; \
 classification.text=Database user login; \
 id=1000; \
 revision=3; \
 analyzer(0).name=SQL Server; \
 analyzer(0).manufacturer=Microsoft; \
 analyzer(0).class=Database; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=failed; \
 assessment.impact.type=user; \
 assessment.impact.description=A failed attempt was made to log in to MS-SQL instance $1 using account $2; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$2; \
 target(0).process.name=$1; \
 last

#DESCRIPTION:Failed login to MS-SQL instance as admin user (sa)
#CATEGORY:Authentication
#LOG:Nov 24 14:45:58 testdb.itg.sac.tfs mssqlserver[info] 17055 18456 : Login failed for user 'sa'.
regex=(mssql.+)\[\w+\] \d+ \d+ : Login failed for user 'sa'; \
 classification.text=Database admin login; \
 id=1001; \
 revision=2; \
 analyzer(0).name=SQL Server; \
 analyzer(0).manufacturer=Microsoft; \
 analyzer(0).class=Database; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=failed; \
 assessment.impact.type=admin; \
 assessment.impact.description=A failed attempt was made to log in to MS-SQL instance $1 as sa; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=sa; \
 target(0).process.name=$1; \
 last

prelude-lml-rules-5.1.0/ruleset/navce.rules
#FULLNAME: Norton AntiVirus CE
#VERSION: 1.0
#DESCRIPTION: Norton AntiVirus Corporate Edition is an antivirus product. The rules included here were developed using Norton AntiVirus Corporate Edition 7.60 events collected using NTSysLog.
#####
#
# Copyright (C) 2003 G Ramon Gomez <gene at gomezbrothers dot com>
# Tyco Fire and Security GTS (www.tycofireandsecurity.com)
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

#DESCRIPTION:Virus found
#CATEGORY:Malware
#LOG:Nov 3 17:10:28 mrfreeze.itg.sac.tfs norton antivirus[error] 5 Virus Found!Virus name: W32.Yaha.F@mm.enc in File: C:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_6e44a57a01c3a270000282de.EML by: Realtime Protection scan. Action: Clean failed : Quarantine failed : Access denied
regex=Virus Found!Virus name: (\S+) in File: (.+) by: (.+). Action: (.+); \
 classification.text=Virus found: $1; \
 id=1200; \
 revision=2; \
 analyzer(0).name=Norton Antivirus Corporate Edition; \
 analyzer(0).manufacturer=Symantec; \
 analyzer(0).class=Antivirus; \
 assessment.impact.severity=high; \
 assessment.impact.type=file; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=A virus has been identified by Norton Antivirus; \
 source(0).process.name=$3; \
 additional_data(0).type=string; \
 additional_data(0).meaning=File location; \
 additional_data(0).data=$2; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Malware name; \
 additional_data(1).data=$1; \
 additional_data(2).type=string; \
 additional_data(2).meaning=Action taken; \
 additional_data(2).data=$4; \
 last

#DESCRIPTION:Download of virus definition file
#CATEGORY:Update
#LOG:Nov 6 00:23:51 superman.itg.sac.tfs norton antivirus[info] 16 Download of virus definition file from LiveUpdate server succeeded.
regex=Download of virus definition file from LiveUpdate server succeeded; \
 classification.text=Virus definition update; \
 id=1201; \
 revision=2; \
 analyzer(0).name=Norton Antivirus Corporate Edition; \
 analyzer(0).manufacturer=Symantec; \
 analyzer(0).class=Antivirus; \
 assessment.impact.severity=info; \
 assessment.impact.type=other; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Norton Antivirus virus definitions have been updated; \
 last

#DESCRIPTION:New virus definition file loaded
#CATEGORY:Update
#LOG:Oct 23 08:46:50 smf-syslog-02 norton/smf-utility-01 antivirus[info] New virus definition file loaded. Version: 81019bn.
# \w+ rather than \S+ so the trailing period of the message is not captured
# as part of the version.
regex=New virus definition file loaded. Version: (\w+); \
 classification.text=Virus definition update; \
 id=1202; \
 revision=2; \
 analyzer(0).name=Norton Antivirus Corporate Edition; \
 analyzer(0).manufacturer=Symantec; \
 analyzer(0).class=Antivirus; \
 assessment.impact.severity=info; \
 assessment.impact.type=other; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Norton Antivirus virus definitions have been updated; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Definition version; \
 additional_data(0).data=$1; \
 last

#DESCRIPTION:Norton Antivirus virus definition update failed
#CATEGORY:Update
#LOG:Oct 25 11:28:00 smf-syslog-02 norton/smf-utility-01 antivirus[info] Update to computer SMF-SLS-CBROWN2 of virus definition file 81019bn failed. Status FFFFFFFF
regex=Update to computer (\S+) of virus definition file (\S+) failed. Status (\S+); \
 classification.text=Virus definition update; \
 id=1203; \
 revision=1; \
 analyzer(0).name=Norton Antivirus Corporate Edition; \
 analyzer(0).manufacturer=Symantec; \
 analyzer(0).class=Antivirus; \
 assessment.impact.severity=medium; \
 assessment.impact.type=other; \
 assessment.impact.completion=failed; \
 assessment.impact.description=Norton Antivirus virus definition update to $1 failed.; \
 target(0).node.address(0).category=unknown; \
 target(0).node.address(0).address=$1; \
 target(0).node.name=$1; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Definition version; \
 additional_data(0).data=$2; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Error code; \
 additional_data(1).data=$3; \
 last

#DESCRIPTION:Norton Antivirus no longer manages system
#CATEGORY:Monitoring
#LOG:Oct 23 09:05:04 smf-syslog-02 norton/smf-utility-01 antivirus[info] Removed Client SMF-HR-JLEE_::_CE2C654442CBAD576E3B25A97E378EFF Last Checkin Time: Thu Oct 19 18:33:08 2006
regex=Removed Client (\S+)_::\S+ Last Checkin Time: (.+); \
 classification.text=System unmanaged; \
 id=1204; \
 revision=1; \
 analyzer(0).name=Norton Antivirus Corporate Edition; \
 analyzer(0).manufacturer=Symantec; \
 analyzer(0).class=Antivirus; \
 assessment.impact.severity=medium; \
 assessment.impact.type=other; \
 assessment.impact.completion=failed; \
 assessment.impact.description=$1 has not checked in with Norton Antivirus since $2. Norton Antivirus is no longer managing it.; \
 target(0).node.address(0).category=unknown; \
 target(0).node.address(0).address=$1; \
 target(0).node.name=$1; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Last checkin; \
 additional_data(0).data=$2; \
 last

prelude-lml-rules-5.1.0/ruleset/netscreen.rules
#FULLNAME: NetScreen
#VERSION: 1.0
#DESCRIPTION: The Juniper Networks NetScreen-5GT provides IPSec VPN and firewall services for a broadband telecommuter, a branch office, or a retail outlet.
#####
#
# Copyright (C) 2005 G Ramon Gomez <gene at gomezbrothers dot com>
# Based on rules by Jean-François SURET <tilaris at wanadoo dot fr>
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

#DESCRIPTION:A high-severity event has occurred N times
#CATEGORY:Network Security
#LOG:Apr 28 08:45:38 2.0.0.2 ns5gt: NetScreen device_id=ns5gt [Root]system-emergency-00005: SYN flood! From 2.0.0.3:38254 to 20.0.0.3:74, proto TCP (zone Untrust, int untrust). Occurred 1 times. (2002-01-31 00:01:51)
regex=system-emergency-\d+: (.+)! From ([\d\.]+)?:?(\d+) to ([\d\.]+)?:?(\d+), proto (\S+) \(zone (\S+), int (\S.+)\). Occurred (\d+) times; \
 classification.text=$1; \
 id=4400; \
 revision=1; \
 analyzer(0).name=Netscreen; \
 analyzer(0).manufacturer=Juniper Networks; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=high; \
 assessment.impact.completion=failed; \
 assessment.impact.description=A $1 was seen $9 times coming from the $7 zone.; \
 source(0).interface=$8; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$2; \
 source(0).service.port=$3; \
 source(0).service.iana_protocol_name=$6; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$4; \
 target(0).service.port=$5; \
 target(0).service.iana_protocol_name=$6; \
 last

#DESCRIPTION:A medium-severity event has occurred N times
#CATEGORY:Network Security
#LOG:Apr 28 08:45:38 2.0.0.2 ns5gt: NetScreen device_id=ns5gt [Root]system-alert-00016: Port scan! From 1.2.3.4:5 to 6.7.8.9:10, proto TCP (zone Untrust, int untrust). Occurred 11 times.
regex=system-alert-\d+: (.+)! From ([\d\.]+)?:?(\d+) to ([\d\.]+)?:?(\d+), proto (\S+) \(zone (\S+), int (\S.+)\). Occurred (\d+) times; \
 classification.text=$1; \
 id=4401; \
 revision=1; \
 analyzer(0).name=Netscreen; \
 analyzer(0).manufacturer=Juniper Networks; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=failed; \
 assessment.impact.description=A $1 was seen $9 times coming from the $7 zone.; \
 source(0).interface=$8; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$2; \
 source(0).service.port=$3; \
 source(0).service.iana_protocol_name=$6; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$4; \
 target(0).service.port=$5; \
 target(0).service.iana_protocol_name=$6; \
 last

prelude-lml-rules-5.1.0/ruleset/webmin.rules
#FULLNAME: Webmin
#VERSION: 1.0
#DESCRIPTION: Webmin is a web-based system configuration tool. The rules included here were developed using Webmin 1.130.
#####
#
# Copyright (C) 2004 G Ramon Gomez <gene at gomezbrothers dot com>
# Tyco Fire and Security GTS (www.tycofireandsecurity.com)
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

#DESCRIPTION:A user began a Webmin session
#CATEGORY:Authentication
#LOG:Mar 14 15:18:22 gtsproduxlvs1 webmin[27244]: Successful login as root from 12.34.56.78
regex=Successful login as (.+) from ([\d\.]+); \
 classification.text=Web administration admin login; \
 id=2900; \
 revision=2; \
 analyzer(0).name=Webmin; \
 analyzer(0).manufacturer=www.webmin.com; \
 analyzer(0).class=Administration; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=admin; \
 assessment.impact.description=User $1 began a Webmin session.; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$2; \
 source(0).service.iana_protocol_name=tcp; \
 source(0).service.iana_protocol_number=6; \
 target(0).service.iana_protocol_name=tcp; \
 target(0).service.iana_protocol_number=6; \
 target(0).service.name=http; \
 last

#DESCRIPTION:A user tried to begin a Webmin session and failed
#CATEGORY:Authentication
#LOG:Mar 17 19:18:32 gtsdmzuxids1 webmin[28655]: Invalid login as root from 10.100.17.38
regex=Invalid login as (.+) from ([\d\.]+); \
 classification.text=Web administration admin login; \
 id=2901; \
 revision=2; \
 analyzer(0).name=Webmin; \
 analyzer(0).manufacturer=www.webmin.com; \
 analyzer(0).class=Administration; \
 assessment.impact.severity=high; \
 assessment.impact.completion=failed; \
 assessment.impact.type=admin; \
 assessment.impact.description=A user tried to begin a Webmin session as $1 and failed.; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$2; \
 source(0).service.iana_protocol_name=tcp; \
 source(0).service.iana_protocol_number=6; \
 target(0).service.iana_protocol_name=tcp; \
 target(0).service.iana_protocol_number=6; \
 target(0).service.name=http; \
 last

prelude-lml-rules-5.1.0/ruleset/xg45-datapower.rules
#FULLNAME: DataPower XG45
#VERSION: 1.0
#DESCRIPTION: DataPower SOA Appliances are a family of pre-built, pre-configured rack-mountable network devices (XML appliances) that help accelerate XML and Web Services deployments while extending SOA infrastructure.
#The rules included here were developed using an IBM DataPower XG45.
#Special configuration is needed for this support:
#* In your DPW Web interface:
#  - Go to "Control Panel -> Administration -> Access -> SNMP Settings" and create
#    a new SNMP destination to send traps to in "Trap and Notification Targets".
#  - Then go to "Control Panel -> Objects -> Logging Configuration -> Log Target"
#    and create a new log target that sends traps. Select "Target Type: SNMP" and
#    "Timestamp Format: syslog" in "General Configuration", and select
#    "Event Category = all" and "Minimum Event Priority = notice" in the
#    "Event Subscriptions" tab.
#  - In "Trap Event Subscriptions", select "Enable Default Event Subscriptions = on"
#    and "Minimum Priority = debug".
#  Note: You can suppress messages from your DPW by adding the event log ID to
#  "Event Suppression Filter" in the "Event Filters" tab of the log target
#  configuration form.
#* On your Prelude system, run snmptrapd using this command:
#  "snmptrapd -Ls 16 -Osq"
#####
#
# Copyright (C) 2012 Seguridadx <operador@seguridadx.com>
# twitter: <www.twitter.com/seguridad_x>
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

#DESCRIPTION:Event generated by the XML Firewall of IBM (High impact)
#CATEGORY:Network Security
#LOG:Mar 8 17:08:02 prelude-siem snmptrapd[1581]: 2013-03-08 17:07:52 x.x.x.x(via UDP: [x.x.x.x]:15065->[x.x.x.x]) TRAP, SNMP v1, community br0u#012#011enterprises.14685.3.3.2 Enterprise Specific Trap (1) Uptime: 2:2:19:54.43#012#011enterprises.14685.3.3.1.1.0 71#011enterprises.14685.3.3.1.2.0 4#011enterprises.14685.3.3.1.3.0 "Fri Mar 08 2013 16:07:51"#011enterprises.14685.3.3.1.5.0 enterprises.14685.3.2.55#011enterprises.14685.3.3.1.6.0 "xxx"#011enterprises.14685.3.3.1.7.0 3518401#011enterprises.14685.3.3.1.4.0 "xxx"#011enterprises.14685.3.3.1.8.0 "xxx"#011enterprises.14685.3.3.1.9.0 "0x80e00160"
regex=snmptrapd\[(\d+)]:+.+via UDP: \[([\d\.]+)\]:+.+011enterprises.14685.3.3.1.1.0 (\d+)+.+011enterprises.14685.3.3.1.2.0 [1,2,3,4]+.+011enterprises.14685.3.3.1.6.0 "([\S ]+|\S+)"+.+011enterprises.14685.3.3.1.7.0 (\d+)+.+011enterprises.14685.3.3.1.4.0 "([\S ]+|\S+)"+.+011enterprises.14685.3.3.1.8.0 "(\S+)"+.+011enterprises.14685.3.3.1.9.0 "(\S+)"; \
 classification.text=$6 - $4; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=ibm_id; \
 classification.reference(0).name=$8; \
 classification.reference(0).url=http://www.ibm.com; \
 id=7001; \
 revision=1; \
 analyzer(0).name=DPW; \
 analyzer(0).manufacturer=IBM; \
 analyzer(0).class=Firewall XML; \
 analyzer(0).node.name=$2; \
 assessment.impact.severity=high; \
 assessment.impact.description=This event was generated by the XML Firewall of IBM.; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=n/a; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$7; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Category:; \
 additional_data(0).data=$3; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Level:; \
 additional_data(1).data=Emerg - Error.; \
 additional_data(2).type=string; \
 additional_data(2).meaning=tid:; \
 additional_data(2).data=$5; \
 additional_data(3).type=string; \
 additional_data(3).meaning=Object Name:; \
 additional_data(3).data=$4; \
 additional_data(4).type=string; \
 additional_data(4).meaning=Domain:; \
 additional_data(4).data=$7; \
 additional_data(5).type=string; \
 additional_data(5).meaning=Events Codes:; \
 additional_data(5).data=http://publib.boulder.ibm.com/infocenter/wsdatap/v4r0m2/index.jsp?topic=%2Fcom.ibm.dp.doc%2Fmessages03.htm; \
 last

#DESCRIPTION:Event generated by the XML Firewall of IBM (Medium impact)
#CATEGORY:Network Security
regex=snmptrapd\[(\d+)]:+.+via UDP: \[([\d\.]+)\]:+.+011enterprises.14685.3.3.1.1.0 (\d+)+.+011enterprises.14685.3.3.1.2.0 [5,6]+.+011enterprises.14685.3.3.1.6.0 "([\S ]+|\S+)"+.+011enterprises.14685.3.3.1.7.0 (\d+)+.+011enterprises.14685.3.3.1.4.0 "([\S ]+|\S+)"+.+011enterprises.14685.3.3.1.8.0 "(\S+)"+.+011enterprises.14685.3.3.1.9.0 "(\S+)"; \
 classification.text=$6 - $4; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=ibm_id; \
 classification.reference(0).name=$8; \
 classification.reference(0).url=http://www.ibm.com; \
 id=7002; \
 revision=2; \
 analyzer(0).name=DPW; \
 analyzer(0).manufacturer=IBM; \
 analyzer(0).class=Firewall XML; \
 analyzer(0).node.name=$2; \
 assessment.impact.severity=medium; \
 assessment.impact.description=This event was generated by the XML Firewall of IBM.; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=n/a; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$7; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Category:; \
 additional_data(0).data=$3; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Level:; \
 additional_data(1).data=Warn - Notice.; \
 additional_data(2).type=string; \
 additional_data(2).meaning=tid:; \
 additional_data(2).data=$5; \
 additional_data(3).type=string; \
 additional_data(3).meaning=Object Name:; \
 additional_data(3).data=$4; \
 additional_data(4).type=string; \
 additional_data(4).meaning=Domain:; \
 additional_data(4).data=$7; \
 additional_data(5).type=string; \
 additional_data(5).meaning=Events Codes:; \
 additional_data(5).data=http://publib.boulder.ibm.com/infocenter/wsdatap/v4r0m2/index.jsp?topic=%2Fcom.ibm.dp.doc%2Fmessages03.htm; \
 last

#DESCRIPTION:Event generated by the XML Firewall of IBM (Low impact)
#CATEGORY:Network Security
regex=snmptrapd\[(\d+)]:+.+via UDP: \[([\d\.]+)\]:+.+011enterprises.14685.3.3.1.1.0 (\d+)+.+011enterprises.14685.3.3.1.2.0 [7,8]+.+011enterprises.14685.3.3.1.6.0 "([\S ]+|\S+)"+.+011enterprises.14685.3.3.1.7.0 (\d+)+.+011enterprises.14685.3.3.1.4.0 "([\S ]+|\S+)"+.+011enterprises.14685.3.3.1.8.0 "(\S+)"+.+011enterprises.14685.3.3.1.9.0 "(\S+)"; \
 classification.text=$6 - $4; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=ibm_id; \
 classification.reference(0).name=$8; \
 classification.reference(0).url=http://www.ibm.com; \
 id=7003; \
 revision=2; \
 analyzer(0).name=DPW; \
 analyzer(0).manufacturer=IBM; \
 analyzer(0).class=Firewall XML; \
 analyzer(0).node.name=$2; \
 assessment.impact.severity=low; \
 assessment.impact.description=This event was generated by the XML Firewall of IBM.; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=n/a; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$7; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Category:; \
 additional_data(0).data=$3; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Level:; \
 additional_data(1).data=Info - Debug.; \
 additional_data(2).type=string; \
 additional_data(2).meaning=tid:; \
 additional_data(2).data=$5; \
 additional_data(3).type=string; \
 additional_data(3).meaning=Object Name:; \
 additional_data(3).data=$4; \
 additional_data(4).type=string; \
 additional_data(4).meaning=Domain:; \
 additional_data(4).data=$7; \
 additional_data(5).type=string; \
 additional_data(5).meaning=Events Codes:; \
 additional_data(5).data=http://publib.boulder.ibm.com/infocenter/wsdatap/v4r0m2/index.jsp?topic=%2Fcom.ibm.dp.doc%2Fmessages03.htm; \
 last

#DESCRIPTION:Event generated by the XML Firewall of IBM (High impact, trap without object name)
#CATEGORY:Network Security
#LOG:Mar 6 15:56:34 prelude-siem snmptrapd[4314]: 2013-03-06 15:56:24 x.x.x.x(via UDP: [x.x.x.x]:52075->[x.x.x.x]) TRAP, SNMP v1, community br0u#012#011enterprises.14685.3.3.2 Enterprise Specific Trap (2) Uptime: 0:0:58:50.57#012#011enterprises.14685.3.3.1.1.0 254#011enterprises.14685.3.3.1.2.0 8#011enterprises.14685.3.3.1.3.0 "Wed Mar 06 2013 14:46:48"#011enterprises.14685.3.3.1.7.0 815#011enterprises.14685.3.3.1.4.0 "xxx"#011enterprises.14685.3.3.1.8.0 "xxx"#011enterprises.14685.3.3.1.9.0 "0x80e006e0"
regex=snmptrapd\[(\d+)]:+.+via UDP: \[([\d\.]+)\]:+.+011enterprises.14685.3.3.1.1.0 (\d+)+.+011enterprises.14685.3.3.1.2.0 [1,2,3,4]+.+011enterprises.14685.3.3.1.7.0 (\d+)+.+011enterprises.14685.3.3.1.4.0 "([\S ]+|\S+)"+.+011enterprises.14685.3.3.1.8.0 "(\S+)"+.+011enterprises.14685.3.3.1.9.0 "(\S+)"; \
 classification.text=$5; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=ibm_id; \
 classification.reference(0).name=$7; \
 classification.reference(0).url=http://www.ibm.com; \
 id=7004; \
 revision=1; \
 analyzer(0).name=DPW; \
 analyzer(0).manufacturer=IBM; \
 analyzer(0).class=Firewall XML; \
 analyzer(0).node.name=$2; \
 assessment.impact.severity=high; \
 assessment.impact.description=This event was generated by the XML Firewall of IBM.; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=n/a; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$6; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Category:; \
 additional_data(0).data=$3; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Level:; \
 additional_data(1).data=Emerg - Error.; \
 additional_data(2).type=string; \
 additional_data(2).meaning=tid:; \
 additional_data(2).data=$4; \
 additional_data(3).type=string; \
 additional_data(3).meaning=Domain:; \
 additional_data(3).data=$6; \
 additional_data(4).type=string; \
 additional_data(4).meaning=Events Codes:; \
 additional_data(4).data=http://publib.boulder.ibm.com/infocenter/wsdatap/v4r0m2/index.jsp?topic=%2Fcom.ibm.dp.doc%2Fmessages03.htm; \
 last

#DESCRIPTION:Event generated by the XML Firewall of IBM (Medium impact, trap without object name)
#CATEGORY:Network Security
regex=snmptrapd\[(\d+)]:+.+via UDP: \[([\d\.]+)\]:+.+011enterprises.14685.3.3.1.1.0 (\d+)+.+011enterprises.14685.3.3.1.2.0 [5,6]+.+011enterprises.14685.3.3.1.7.0 (\d+)+.+011enterprises.14685.3.3.1.4.0 "([\S ]+|\S+)"+.+011enterprises.14685.3.3.1.8.0 "(\S+)"+.+011enterprises.14685.3.3.1.9.0 "(\S+)"; \
 classification.text=$5; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=ibm_id; \
 classification.reference(0).name=$7; \
 classification.reference(0).url=http://www.ibm.com; \
 id=7005; \
 revision=1; \
 analyzer(0).name=DPW; \
 analyzer(0).manufacturer=IBM; \
 analyzer(0).class=Firewall XML; \
 analyzer(0).node.name=$2; \
 assessment.impact.severity=medium; \
 assessment.impact.description=This event was generated by the XML Firewall of IBM.; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=n/a; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$6; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Category:; \
 additional_data(0).data=$3; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Level:; \
 additional_data(1).data=Warn - Notice.; \
 additional_data(2).type=string; \
 additional_data(2).meaning=tid:; \
 additional_data(2).data=$4; \
 additional_data(3).type=string; \
 additional_data(3).meaning=Domain:; \
 additional_data(3).data=$6; \
 additional_data(4).type=string; \
 additional_data(4).meaning=Events Codes:; \
additional_data(4).data=http://publib.boulder.ibm.com/infocenter/wsdatap/v4r0m2/index.jsp?topic=%2Fcom.ibm.dp.doc%2Fmessages03.htm; \ last #DESCRIPTION:Event generated by the XML Firewall of IBM (Low impact) #CATEGORY:Network Security regex=snmptrapd\[(\d+)]:+.+via UDP: \[([\d\.]+)\]:+.+011enterprises.14685.3.3.1.1.0 (\d+)+.+011enterprises.14685.3.3.1.2.0 [7,8]+.+011enterprises.14685.3.3.1.7.0 (\d+)+.+011enterprises.14685.3.3.1.4.0 "([\S ]+|\S+)"+.+011enterprises.14685.3.3.1.8.0 "(\S+)"+.+011enterprises.14685.3.3.1.9.0 "(\S+)"; \ classification.text=$5; \ classification.reference(0).origin=vendor-specific; \ classification.reference(0).meaning=ibm_id; \ classification.reference(0).name=$7; \ classification.reference(0).url=http://www.ibm.com; \ id=7006; \ revision=1; \ analyzer(0).name=DPW; \ analyzer(0).manufacturer=IBM; \ analyzer(0).class=Firewall XML; \ analyzer(0).node.name=$2; \ assessment.impact.severity=low; \ assessment.impact.description=This event was generated by the XML Firewall of IBM.; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=n/a; \ target(0).node.address(0).category=ipv4-addr; \ target(0).node.address(0).address=$6; \ additional_data(0).type=string; \ additional_data(0).meaning=Category:; \ additional_data(0).data=$3; \ additional_data(1).type=string; \ additional_data(1).meaning=Level:; \ additional_data(1).data=Info - Debug.; \ additional_data(2).type=string; \ additional_data(2).meaning=tid:; \ additional_data(2).data=$4; \ additional_data(3).type=string; \ additional_data(3).meaning=Domain:; \ additional_data(3).data=$6; \ additional_data(4).type=string; \ additional_data(4).meaning=Events Codes:; \ additional_data(4).data=http://publib.boulder.ibm.com/infocenter/wsdatap/v4r0m2/index.jsp?topic=%2Fcom.ibm.dp.doc%2Fmessages03.htm; \ last 

# File: prelude-lml-rules-5.1.0/ruleset/arbor.rules
#FULLNAME: Arbor
#VERSION: 1.0
#DESCRIPTION: Arbor Networks provides several products, designed to protect against DDoS and detect Advanced Threats through NetFlow and packet capture.
#####
#
# Copyright (C) 2005 Herve Debar <herve dot debar at francetelecom dot com>
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

#DESCRIPTION:Arbor Anomaly
#CATEGORY:Network Security
#LOG:Apr 17 06:52:57 arbordos.mynetwork.net pfDoS: anomaly Protocol id 92480 status ongoing severity 5 src 0.0.0.0/0 All dst 2.2.0.0/16 Intellig_ start 2005-04-17 06:45:41 +0200 duration 360 percent 214.27 rate 5e+06 rateUnit bps protocol tcp flags nil url https://doscont/anomaly/?attack_id=92480
regex=anomaly ([a-zA-Z_-]+) id (\d+) status (\w+) severity (\d+) src ([\d\.\/]+) \w+ dst ([\d\.\/]+) \w+ start ([\d\- :\+]+) duration (\d+) percent (\d+\.?\d*) rate ([\de\+\-]+) rateUnit (\w+) protocol (\w+) flags (\w+) url (\S+); \
classification.text=Arbor Anomaly $1; \
classification.reference(0).origin=vendor-specific; \
classification.reference(0).meaning=arbor_id; \
classification.reference(0).name=$2; \
classification.reference(0).url=http://www.arbornetworks.com/; \
classification.reference(1).origin=vendor-specific; \
classification.reference(1).meaning=arbor_status; \
classification.reference(1).name=$3; \
classification.reference(1).url=http://www.arbornetworks.com/; \
classification.reference(2).origin=vendor-specific; \
classification.reference(2).meaning=arbor_severity; \
classification.reference(2).name=$4; \
classification.reference(2).url=http://www.arbornetworks.com/; \
id=4300; \
revision=1; \
analyzer(0).name=ArborDos; \
analyzer(0).manufacturer=Arbor; \
assessment.impact.type=dos; \
assessment.impact.severity=medium; \
assessment.impact.description=DDoS attack $3 detected; \
source(0).node.address(0).category=ipv4-net; \
source(0).node.address(0).address=$5; \
target(0).node.address(0).category=ipv4-net; \
target(0).node.address(0).address=$6; \
additional_data(0).type=date-time; \
additional_data(0).meaning=Attack start time; \
additional_data(0).data=$7; \
additional_data(1).type=integer; \
additional_data(1).meaning=Attack duration in seconds; \
additional_data(1).data=$8; \
additional_data(2).type=real; \
additional_data(2).meaning=arbor percent; \
additional_data(2).data=$9; \
additional_data(3).type=real; \
additional_data(3).meaning=Traffic rate in $11; \
additional_data(3).data=$10; \
additional_data(4).type=string; \
additional_data(4).meaning=Attack protocol; \
additional_data(4).data=$12; \
additional_data(5).type=string; \
additional_data(5).meaning=Protocol flags; \
additional_data(5).data=$13; \
additional_data(6).type=string; \
additional_data(6).meaning=Detailed information; \
additional_data(6).data=$14; \
last

#DESCRIPTION:Arbor Anomaly Router
#CATEGORY:Network Security
#LOG:Apr 17 06:52:57 arbordos.mynetwork.net pfDoS: anomaly Protocol id 92480 status ongoing severity 5 router 1.2.3.4 interface 14 incoming
regex=anomaly ([a-zA-Z_-]+) id (\d+) status (\w+) severity (\d+) router ([\d\./]+) interface (\S+) (\S+); \
classification.text=Arbor Anomaly Router $1; \
classification.reference(0).origin=vendor-specific; \
classification.reference(0).meaning=arbor_id; \
classification.reference(0).name=$2; \
classification.reference(0).url=http://www.arbornetworks.com/; \
classification.reference(1).origin=vendor-specific; \
classification.reference(1).meaning=arbor_status; \
classification.reference(1).name=$3; \
classification.reference(1).url=http://www.arbornetworks.com/; \
classification.reference(2).origin=vendor-specific; \
classification.reference(2).meaning=arbor_severity; \
classification.reference(2).name=$4; \
classification.reference(2).url=http://www.arbornetworks.com/; \
id=4301; \
revision=1; \
analyzer(0).name=ArborDos; \
analyzer(0).manufacturer=Arbor; \
assessment.impact.type=dos; \
assessment.impact.severity=medium; \
assessment.impact.description=DDoS attack $3 detected at router; \
additional_data(0).type=string; \
additional_data(0).meaning=Router; \
additional_data(0).data=$5; \
additional_data(1).type=integer; \
additional_data(1).meaning=Interface; \
additional_data(1).data=$6; \
additional_data(2).type=string; \
additional_data(2).meaning=Direction; \
additional_data(2).data=$7; \
last

#DESCRIPTION:Arbor Collector
#CATEGORY:Network Security
regex=collector (\S+) (\S+) since (.+) duration (\d+); \
classification.text=Arbor Collector; \
id=4302; \
revision=1; \
analyzer(0).name=ArborDos; \
analyzer(0).manufacturer=Arbor; \
assessment.impact.description=DDoS attack measurement; \
additional_data(0).type=string; \
additional_data(0).meaning=Collector; \
additional_data(0).data=$1; \
additional_data(1).type=string; \
additional_data(1).meaning=Status; \
additional_data(1).data=$2; \
additional_data(2).type=date-time; \
additional_data(2).meaning=Since; \
additional_data(2).data=$3; \
additional_data(3).type=integer; \
additional_data(3).meaning=Duration; \
additional_data(3).data=$4; \
last

#DESCRIPTION:Arbor Netflow
#CATEGORY:Network Security
regex=internalError location (\S+) reason (\S+) since (.+) duration (\d+); \
classification.text=Arbor Netflow; \
id=4303; \
revision=1; \
analyzer(0).name=ArborDos; \
analyzer(0).manufacturer=Arbor; \
assessment.impact.description=DDoS attack measurement; \
additional_data(0).type=string; \
additional_data(0).meaning=Location; \
additional_data(0).data=$1; \
additional_data(1).type=string; \
additional_data(1).meaning=Reason; \
additional_data(1).data=$2; \
additional_data(2).type=date-time; \
additional_data(2).meaning=Since; \
additional_data(2).data=$3; \
additional_data(3).type=integer; \
additional_data(3).meaning=Duration; \
additional_data(3).data=$4; \
last

#DESCRIPTION:Arbor DarkIP
#CATEGORY:Network Security
#LOG:Apr 17 07:31:22 arbordos.mynetwork.net pfDoS: rtr 1.2.3.4 rtrSampleRate 1000 proto 17 src 192.168.0.69 dst 1.2.3.4 dstPort 11328 firstSeen 2005-04-17 06:31:46 +0200 lastSeen 2005-04-17 06:31:46 +0200 bytes 53 pkts 1 flows 1
regex=rtr ([\d\.\/]+) rtrSampleRate (\d+) proto (\d+) src ([\d\.\/]+) dst ([\d\.\/]+) dstPort (\d+) firstSeen ([\d\- :\+]+) lastSeen ([\d\- :\+]+) bytes (\d+) pkts (\d+) flows (\d+); \
classification.text=Arbor DarkIP; \
id=4304; \
revision=1; \
analyzer(0).name=ArborDos; \
analyzer(0).manufacturer=Arbor; \
assessment.impact.description=DDoS attack measurement; \
source(0).node.address(0).category=ipv4-net; \
source(0).node.address(0).address=$4; \
target(0).node.address(0).category=ipv4-net; \
target(0).node.address(0).address=$5; \
target(0).service.port=$6; \
additional_data(0).type=string; \
additional_data(0).meaning=Router; \
additional_data(0).data=$1; \
additional_data(1).type=integer; \
additional_data(1).meaning=Router sample rate; \
additional_data(1).data=$2; \
additional_data(2).type=integer; \
additional_data(2).meaning=Protocol; \
additional_data(2).data=$3; \
additional_data(3).type=string; \
additional_data(3).meaning=first seen; \
additional_data(3).data=$7; \
additional_data(4).type=string; \
additional_data(4).meaning=last seen; \
additional_data(4).data=$8; \
additional_data(5).type=integer; \
additional_data(5).meaning=bytes; \
additional_data(5).data=$9; \
additional_data(6).type=integer; \
additional_data(6).meaning=packets; \
additional_data(6).data=$10; \
additional_data(7).type=integer; \
additional_data(7).meaning=flows; \
additional_data(7).data=$11; \
last

# File: prelude-lml-rules-5.1.0/ruleset/asterisk.rules
#FULLNAME: Asterisk
#VERSION: 1.0
#DESCRIPTION: Asterisk is a software implementation of a telephone private branch exchange (PBX).
#####
#
# Copyright (C) 2007 Sebastien Tricaud <stricaud at inl dot fr>
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

#DESCRIPTION:Registration failed
#CATEGORY:VoIP
#LOG:Nov 29 09:44:15 NOTICE[23701] chan_sip.c: Registration from '<sip:dmc@asterisk-server>' failed for '192.168.33.180' - Wrong password
regex=Registration from '<sip:(\S*)>' failed for '(\S+)' - (.*)$; \
classification.text=$3; \
id=6000; \
revision=1; \
analyzer(0).name=Asterisk; \
analyzer(0).manufacturer=Digium; \
analyzer(0).class=Private Branch Exchange; \
assessment.impact.severity=medium; \
assessment.impact.completion=failed; \
assessment.impact.type=user; \
assessment.impact.description=SIP user could not be registered by the SIP server; \
source(0).node.address(0).address=$2; \
target(0).service.name=sip; \
target(0).user.user_id(0).type=original-user; \
target(0).user.user_id(0).name=$1; \
last

#DESCRIPTION:Invalid SIP message
#CATEGORY:VoIP
#LOG:Dec 3 10:32:10 NOTICE[23701] chan_sip.c: Invalid to address: '' from 192.168.33.180 (missing sip:) trying to use anyway...
regex=: ([[:print:]]+): '(\S*)' from (\S+) \(([[:print:]]+)\) trying to use anyway...; \
classification.text=$1; \
id=6001; \
revision=1; \
analyzer(0).name=Asterisk; \
analyzer(0).manufacturer=Digium; \
analyzer(0).class=Private Branch Exchange; \
assessment.impact.severity=low; \
assessment.impact.completion=succeeded; \
assessment.impact.type=recon; \
assessment.impact.description=The SIP message is invalid: '$4'. This is probably due to a crafted SIP message; \
source(0).node.address(0).address=$3; \
target(0).service.name=sip; \
target(0).user.user_id(0).type=original-user; \
target(0).user.user_id(0).name=$2; \
last

# File: prelude-lml-rules-5.1.0/ruleset/cacti-thold.rules
#FULLNAME: Cacti Thold
#VERSION: 1.0
#DESCRIPTION: Cacti is a web-based network monitoring and graphing tool designed as a front-end application for the data logging tool RRDtool. The Thold plugin is for the alerting of data found within any graph within Cacti. The rules included here were developed using thold 0.3.0. The rules assume you have not modified the default format for graph names significantly: some modification is acceptable, but the hostname is taken from its default position in the graph name.
#####
#
# Copyright (C) 2006 G Ramon Gomez <gene at gomezbrothers dot com>
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

#DESCRIPTION:Service threshold CRITICAL
#CATEGORY:Monitoring
#LOG:Oct 2 05:26:15 smf-syslog-02 172/172 CactiTholdLog[19647]: smf-core-02 - 5 Minute CPU went above threshold of 85 with 90.8067 at trigger 1 out of 1
regex=(\S+) - (.+) went above threshold of ([\d\.]+) with ([\d\.]+) at trigger; \
classification.text=Service CRITICAL; \
id=4500; \
revision=1; \
analyzer(0).name=Cacti thold; \
analyzer(0).manufacturer=www.cactiusers.org; \
analyzer(0).class=State Monitoring; \
assessment.impact.severity=medium; \
assessment.impact.type=dos; \
assessment.impact.description=Service $2 on $1 has exceeded a pre-defined threshold; \
target(0).node.name=$1; \
additional_data(0).type=string; \
additional_data(0).meaning=Service name; \
additional_data(0).data=$2; \
additional_data(1).type=string; \
additional_data(1).meaning=Threshold; \
additional_data(1).data=$3; \
additional_data(2).type=string; \
additional_data(2).meaning=Current value; \
additional_data(2).data=$4; \
last

#DESCRIPTION:Service OK
#CATEGORY:Monitoring
#LOG:Oct 2 05:30:46 smf-syslog-02 172/172 CactiTholdLog[25849]: smf-core-02 - 5 Minute CPU restored to normal with 68.1533 at trigger 1 out of 1
regex=(\S+) - (.+) restored to normal with ([\d\.]+) at trigger; \
classification.text=Service OK; \
id=4501; \
revision=1; \
analyzer(0).name=Cacti thold; \
analyzer(0).manufacturer=www.cactiusers.org; \
analyzer(0).class=State Monitoring; \
assessment.impact.severity=medium; \
assessment.impact.type=dos; \
assessment.impact.description=Service $2 on $1 has returned to normal; \
target(0).node.name=$1; \
additional_data(0).type=string; \
additional_data(0).meaning=Service name; \
additional_data(0).data=$2; \
additional_data(1).type=string; \
additional_data(1).meaning=Current value; \
additional_data(1).data=$3; \
last

# File: prelude-lml-rules-5.1.0/ruleset/cisco-ace.rules
#FULLNAME: Cisco ACE
#VERSION: 1.0
#DESCRIPTION: The Cisco ACE (Application Control Engine) Module is a load-balancing and application-delivery solution. The rules included here were developed using a Cisco ACE 4700.
#####
#
# Copyright (C) 2012 Seguridadx <operador@seguridadx.com>
# twitter: <www.twitter.com/seguridad_x>
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

#DESCRIPTION:Health probe detection - State change to DOWN
#CATEGORY:Service Management
#LOG:Sep 25 11:53:19 x.x.x.x ACE_NAME %ACE-4-442002: Health probe CHECK_NAME detected SERVER_NAME (interface vlanXX) in serverfarm SF_NAME changed state to DOWN
regex=-442002: Health probe (\S+) detected (\S+) \(interface (\S+)\) in serverfarm (\S+) changed state to DOWN; \
classification.text=Health probe $1; \
classification.reference(0).origin=vendor-specific; \
classification.reference(0).meaning=asa_id; \
classification.reference(0).name=442002; \
classification.reference(0).url=http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/system/message/guide/messags.html#wp456001; \
id=5101; \
revision=0; \
analyzer(0).name=ACE; \
analyzer(0).manufacturer=Cisco; \
analyzer(0).class=Application Control Engine; \
assessment.impact.severity=high; \
assessment.impact.type=admin; \
assessment.impact.completion=succeeded; \
assessment.impact.description=Health probe $1 detected $2 (interface $3) in serverfarm $4 changed state to DOWN; \
target(0).interface=$3; \
target(0).node.address(0).category=ipv4-addr; \
target(0).node.address(0).address=$2; \
last

#DESCRIPTION:Health probe detection - State change to UP
#CATEGORY:Service Management
#LOG:Sep 25 11:53:19 x.x.x.x ACE_NAME %ACE-4-442001: Health probe CHECK_NAME detected SERVER_NAME (interface vlanXX) in serverfarm SF_NAME changed state to UP
regex=-442001: Health probe (\S+) detected (\S+) \(interface (\S+)\) in serverfarm (\S+) changed state to UP; \
classification.text=Health probe $1; \
classification.reference(0).origin=vendor-specific; \
classification.reference(0).meaning=asa_id; \
classification.reference(0).name=442001; \
classification.reference(0).url=http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/system/message/guide/messags.html#wp456001; \
id=5102; \
revision=0; \
analyzer(0).name=ACE; \
analyzer(0).manufacturer=Cisco; \
analyzer(0).class=Application Control Engine; \
assessment.impact.severity=medium; \
assessment.impact.type=admin; \
assessment.impact.completion=succeeded; \
assessment.impact.description=Health probe $1 detected $2 (interface $3) in serverfarm $4 changed state to UP; \
target(0).interface=$3; \
target(0).node.address(0).category=ipv4-addr; \
target(0).node.address(0).address=$2; \
last

#DESCRIPTION:VIP in class - State change from XXX to YYY
#CATEGORY:Service Management
#LOG:Sep 25 12:02:44 x.x.x.x ACE_NAME %ACE-4-442007: VIP in class: 'VIP_NAME' changed state from OUTOFSERVICE to INSERVICE
regex=-442007: VIP in class: '(\S+)' changed state from (\S+) to (\S+); \
classification.text=VIP in class $1 changed state; \
classification.reference(0).origin=vendor-specific; \
classification.reference(0).meaning=asa_id; \
classification.reference(0).name=442007; \
classification.reference(0).url=http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/system/message/guide/messags.html#wp456001; \
id=5103; \
revision=0; \
analyzer(0).name=ACE; \
analyzer(0).manufacturer=Cisco; \
analyzer(0).class=Application Control Engine; \
assessment.impact.severity=high; \
assessment.impact.type=admin; \
assessment.impact.completion=succeeded; \
assessment.impact.description=VIP in class $1 changed state from $2 to $3; \
last

#DESCRIPTION:Serverfarm back in service
#CATEGORY:Monitoring
#LOG:Sep 25 12:02:44 x.x.x.x ACE_NAME %ACE-5-441002: Serverfarm (SF_NAME) is now back in service in policy_map (PM_NAME) --> class_map (#class_default_slb). Number of failovers = 0, number of times back in service = 0
regex=-441002: Serverfarm \((\S+)\) is now back in service; \
classification.text=Serverfarm $1 is now back in service; \
classification.reference(0).origin=vendor-specific; \
classification.reference(0).meaning=asa_id; \
classification.reference(0).name=441002; \
classification.reference(0).url=http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/system/message/guide/messags.html#wp456001; \
id=5104; \
revision=0; \
analyzer(0).name=ACE; \
analyzer(0).manufacturer=Cisco; \
analyzer(0).class=Application Control Engine; \
assessment.impact.severity=medium; \
assessment.impact.type=admin; \
assessment.impact.completion=succeeded; \
assessment.impact.description=Serverfarm $1 is now back in service.; \
last

#DESCRIPTION:Serverfarm failed over to backup
#CATEGORY:Monitoring
regex=-441001: Serverfarm \((\S+)\) failed over to backup; \
classification.text=Serverfarm $1 failed; \
classification.reference(0).origin=vendor-specific; \
classification.reference(0).meaning=asa_id; \
classification.reference(0).name=441001; \
classification.reference(0).url=http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/system/message/guide/messags.html#wp456001; \
id=5105; \
revision=0; \
analyzer(0).name=ACE; \
analyzer(0).manufacturer=Cisco; \
analyzer(0).class=Application Control Engine; \
assessment.impact.severity=high; \
assessment.impact.type=admin; \
assessment.impact.completion=succeeded; \
assessment.impact.description=Serverfarm $1 failed over to backup.; \
last

#DESCRIPTION:HA - FT Track Interface is UP
#CATEGORY:High Availability
#LOG:Sep 20 18:10:44 x.x.x.x ACE_NAME %ACE-2-727017: HA: FT Track Interface XX is UP.
regex=-727017: HA: FT Track Interface (\d+); \
classification.text=FT Track Interface is UP; \
classification.reference(0).origin=vendor-specific; \
classification.reference(0).meaning=asa_id; \
classification.reference(0).name=727017; \
classification.reference(0).url=http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/system/message/guide/messags.html#wp456001; \
id=5106; \
revision=0; \
analyzer(0).name=ACE; \
analyzer(0).manufacturer=Cisco; \
analyzer(0).class=Application Control Engine; \
assessment.impact.severity=high; \
assessment.impact.type=admin; \
assessment.impact.completion=succeeded; \
assessment.impact.description=HA: FT Track Interface $1 is UP.; \
last

#DESCRIPTION:HA - FT Track Interface is DOWN
#CATEGORY:High Availability
#LOG:Sep 20 18:10:57 x.x.x.x ACE_NAME %ACE-2-727018: HA: FT Track Interface XX is DOWN.
regex=-727018: HA: FT Track Interface (\d+); \
classification.text=FT Track Interface is DOWN; \
classification.reference(0).origin=vendor-specific; \
classification.reference(0).meaning=asa_id; \
classification.reference(0).name=727018; \
classification.reference(0).url=http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/system/message/guide/messags.html#wp456001; \
id=5107; \
revision=0; \
analyzer(0).name=ACE; \
analyzer(0).manufacturer=Cisco; \
analyzer(0).class=Application Control Engine; \
assessment.impact.severity=high; \
assessment.impact.type=admin; \
assessment.impact.completion=succeeded; \
assessment.impact.description=HA: FT Track Interface $1 is DOWN.; \
last

#DESCRIPTION:HA - FT Group state changes
#CATEGORY:High Availability
#LOG:Sep 20 18:25:50 x.x.x.x ACE_NAME %ACE-2-727012: HA: FT Group 1 changed state to FSM_FT_STATE_STANDBY_HOT. Event: FSM_FT_EV_BULK_SYNC_STATUS
regex=-727012: HA: FT Group (\d+) changed state to (\w+); \
classification.text=FT Group changed state $2; \
classification.reference(0).origin=vendor-specific; \
classification.reference(0).meaning=asa_id; \
classification.reference(0).name=727012; \
classification.reference(0).url=http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/system/message/guide/messags.html#wp456001; \
id=5108; \
revision=0; \
analyzer(0).name=ACE; \
analyzer(0).manufacturer=Cisco; \
analyzer(0).class=Application Control Engine; \
assessment.impact.severity=high; \
assessment.impact.type=admin; \
assessment.impact.completion=succeeded; \
assessment.impact.description=HA: FT Group $1 changed state to $2.; \
last

#DESCRIPTION:Memory allocation Error
#CATEGORY:Monitoring
#LOG:Sep 20 18:25:50 x.x.x.x ACE_NAME %ACE-3-211001: Memory allocation Error
regex=-211001; \
classification.text=Memory allocation Error; \
classification.reference(0).origin=vendor-specific; \
classification.reference(0).meaning=asa_id; \
classification.reference(0).name=ACE-3-211001; \
classification.reference(0).url=http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/system/message/guide/messags.html#wp456001; \
id=5109; \
revision=0; \
analyzer(0).name=ACE; \
analyzer(0).manufacturer=Cisco; \
analyzer(0).class=Application Control Engine; \
assessment.impact.severity=high; \
assessment.impact.type=admin; \
assessment.impact.completion=succeeded; \
assessment.impact.description=Failed to allocate RAM system memory.; \
last

#DESCRIPTION:ACL resource usage beyond maximum limit
#CATEGORY:Monitoring
#LOG:Sep 20 18:25:50 x.x.x.x ACE_NAME %ACE-4-254001: ACL resource usage beyond maximum limit for context context_id. Free up some resources.
regex=-254001; \
classification.text=ACL resource usage beyond maximum limit; \
classification.reference(0).origin=vendor-specific; \
classification.reference(0).meaning=asa_id; \
classification.reference(0).name=ACE-4-254001; \
classification.reference(0).url=http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/system/message/guide/messags.html#wp456001; \
id=5110; \
revision=0; \
analyzer(0).name=ACE; \
analyzer(0).manufacturer=Cisco; \
analyzer(0).class=Application Control Engine; \
assessment.impact.severity=high; \
assessment.impact.type=admin; \
assessment.impact.completion=succeeded; \
assessment.impact.description=ACL resources in use for the specified context are above the maximum limit allowed by the resource class.; \
last

#DESCRIPTION:Line protocol - changed state to up
#CATEGORY:Monitoring
#LOG:Sep 20 18:25:50 x.x.x.x ACE_NAME %ACE-4-411001: Line protocol on interface interface_name changed state to up
regex=-411001; \
classification.text=Line protocol changed state to up; \
classification.reference(0).origin=vendor-specific; \
classification.reference(0).meaning=asa_id; \
classification.reference(0).name=ACE-4-411001; \
classification.reference(0).url=http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/system/message/guide/messags.html#wp456001; \
id=5111; \
revision=0; \
analyzer(0).name=ACE; \
analyzer(0).manufacturer=Cisco; \
analyzer(0).class=Application Control Engine; \
assessment.impact.severity=low; \
assessment.impact.type=admin; \
assessment.impact.completion=succeeded; \
assessment.impact.description=The status of the line protocol has changed from down to up.; \
last

#DESCRIPTION:Line protocol - changed state to down
#CATEGORY:Monitoring
#LOG:Sep 20 18:25:50 x.x.x.x ACE_NAME %ACE-4-411002: Line protocol on interface interface_name changed state to down
regex=-411002; \
classification.text=Line protocol changed state to down; \
classification.reference(0).origin=vendor-specific; \
classification.reference(0).meaning=asa_id; \
classification.reference(0).name=ACE-4-411002; \
classification.reference(0).url=http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/system/message/guide/messags.html#wp456001; \
id=5112; \
revision=0; \
analyzer(0).name=ACE; \
analyzer(0).manufacturer=Cisco; \
analyzer(0).class=Application Control Engine; \
assessment.impact.severity=high; \
assessment.impact.type=admin; \
assessment.impact.completion=succeeded; \
assessment.impact.description=The status of the line protocol has changed from up to down.; \
last

#DESCRIPTION:Configuration status - changed state to up
#CATEGORY:Monitoring
#LOG:Sep 20 18:25:50 x.x.x.x ACE_NAME %ACE-4-411003: Configuration status on interface interface_name changed state to up
regex=-411003; \
classification.text=Configuration status changed state to up; \
classification.reference(0).origin=vendor-specific; \
classification.reference(0).meaning=asa_id; \
classification.reference(0).name=ACE-4-411003; \
classification.reference(0).url=http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/system/message/guide/messags.html#wp456001; \
id=5113; \
revision=0; \
analyzer(0).name=ACE; \
analyzer(0).manufacturer=Cisco; \
analyzer(0).class=Application Control Engine; \
assessment.impact.severity=low; \
assessment.impact.type=admin; \
assessment.impact.completion=succeeded; \
assessment.impact.description=The configuration status of the interface has changed from down to up.; \
last

#DESCRIPTION:Configuration status - changed state to down
#CATEGORY:Monitoring
#LOG:Sep 20 18:25:50 x.x.x.x ACE_NAME %ACE-4-411004: Configuration status on interface interface_name changed state to down
regex=-411004; \
classification.text=Configuration status changed state to down; \
classification.reference(0).origin=vendor-specific; \
classification.reference(0).meaning=asa_id; \
classification.reference(0).name=ACE-4-411004; \
classification.reference(0).url=http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/system/message/guide/messags.html#wp456001; \
id=5114; \
revision=0; \
analyzer(0).name=ACE; \
analyzer(0).manufacturer=Cisco; \
analyzer(0).class=Application Control Engine; \
assessment.impact.severity=high; \
assessment.impact.type=admin; \
assessment.impact.completion=succeeded; \
assessment.impact.description=The configuration status of the interface has changed from up to down.; \
last

#DESCRIPTION:HA - Configuration replication will not happen
#CATEGORY:High Availability
#LOG:Sep 20 18:25:50 x.x.x.x ACE_NAME %ACE-2-727011: HA: Configuration replication for context ctx name will not happen.
regex=-727011; \
classification.text=HA: Configuration replication will not happen; \
classification.reference(0).origin=vendor-specific; \
classification.reference(0).meaning=asa_id; \
classification.reference(0).name=ACE-2-727011; \
classification.reference(0).url=http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/system/message/guide/messags.html#wp456001; \
id=5115; \
revision=0; \
analyzer(0).name=ACE; \
analyzer(0).manufacturer=Cisco; \
analyzer(0).class=Application Control Engine; \
assessment.impact.severity=high; \
assessment.impact.type=admin; \
assessment.impact.completion=succeeded; \
assessment.impact.description=The configuration synchronization does not occur for a context. The error string indicates the reason for the failure.; \
last

#DESCRIPTION:HA - Heartbeats from Peer become unidirectional
#CATEGORY:High Availability
#LOG:Sep 20 18:25:50 x.x.x.x ACE_NAME %ACE-2-727014: HA: Heartbeats from Peer PEER_ID have become unidirectional.
regex=-727014; \ classification.text=HA: Heartbeats from Peer become unidirectional; \ classification.reference(0).origin=vendor-specific; \ classification.reference(0).meaning=asa_id; \ classification.reference(0).name=ACE-2-727014; \ classification.reference(0).url=http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/system/message/guide/messags.html#wp456001; \ id=5116; \ revision=0; \ analyzer(0).name=ACE; \ analyzer(0).manufacturer=Cisco; \ analyzer(0).class=Aplication Control Engine; \ assessment.impact.severity=high; \ assessment.impact.type=admin; \ assessment.impact.completion=succeeded; \ assessment.impact.description=Explanation Redundancy heartbeats from a peer have become unidirectional. That is, the peer cannot receive (only send) heartbeats. This problem occurs if one of the network processors has a problem.; \ last #DESCRIPTION:HA - FT Track track type track name is DOWN #CATEGORY:High Availability #LOG:Sep 20 18:25:50 x.x.x.x ACE_NAME %ACE-2-727018: HA: FT Track track type track name is DOWN. regex=-727018; \ classification.text=HA: FT Track track type track name is DOWN; \ classification.reference(0).origin=vendor-specific; \ classification.reference(0).meaning=asa_id; \ classification.reference(0).name=ACE-2-727018; \ classification.reference(0).url=http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/system/message/guide/messags.html#wp456001; \ id=5117; \ revision=0; \ analyzer(0).name=ACE; \ analyzer(0).manufacturer=Cisco; \ analyzer(0).class=Aplication Control Engine; \ assessment.impact.severity=high; \ assessment.impact.type=admin; \ assessment.impact.completion=succeeded; \ assessment.impact.description=Explanation The FT track is down. 
The track type variable can be one of the following: Interface, HSRP, Host.; \ last #DESCRIPTION:HA - Detected mismatch in heartbeat interval #CATEGORY:High Availability #LOG:Sep 20 18:25:50 x.x.x.x ACE_NAME %ACE-2-727015: HA: Detected mismatch in heartbeat interval from Peer peer id. Modified interval to interval. regex=-727015; \ classification.text=HA: Detected mismatch in heartbeat interval; \ classification.reference(0).origin=vendor-specific; \ classification.reference(0).meaning=asa_id; \ classification.reference(0).name=ACE-2-727015; \ classification.reference(0).url=http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/system/message/guide/messags.html#wp456001; \ id=5118; \ revision=0; \ analyzer(0).name=ACE; \ analyzer(0).manufacturer=Cisco; \ analyzer(0).class=Aplication Control Engine; \ assessment.impact.severity=high; \ assessment.impact.type=admin; \ assessment.impact.completion=succeeded; \ assessment.impact.description=Explanation The redundancy heartbeat received from one peer differs from the value of the second peer. This condition can occur when you choose to dynamically change the heartbeat interval. The modified heartbeat interval that is displayed shows the adjusted interval. 
This value is the greater of the two values.; \ last #DESCRIPTION:Deny MAC address MAC_address, possible spoof attempt #CATEGORY:Network Security #LOG:Sep 20 18:25:50 x.x.x.x ACE_NAME %ACE-3-322001: Deny MAC address MAC_address, possible spoof attempt on interface interface regex=-322001; \ classification.text=Deny MAC address MAC_address, possible spoof attempt; \ classification.reference(0).origin=vendor-specific; \ classification.reference(0).meaning=asa_id; \ classification.reference(0).name=ACE-3-322001; \ classification.reference(0).url=http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/system/message/guide/messags.html#wp456001; \ id=5119; \ revision=0; \ analyzer(0).name=ACE; \ analyzer(0).manufacturer=Cisco; \ analyzer(0).class=Aplication Control Engine; \ assessment.impact.severity=high; \ assessment.impact.type=admin; \ assessment.impact.completion=succeeded; \ assessment.impact.description=Explanation The ACE received a packet from the offending MAC address on the specified interface, but the source MAC address in the packet is statically bound to another interface in your configuration. This situation can be caused by either a MAC-spoofing attack or a misconfiguration.; \ last #DESCRIPTION:ARP inspection check failed #CATEGORY:Monitoring #LOG:Sep 20 18:25:50 x.x.x.x ACE_NAME %ACE-3-322002: ARP inspection check failed for arp {request|response} received from host MAC_address on interface interface. This host is advertising MAC Address MAC_address_1 for IP Address IP_address, which is {statically|dynamically} bound to MAC Address MAC_address_2. 
regex=-322002; \ classification.text=ARP inspection check failed; \ classification.reference(0).origin=vendor-specific; \ classification.reference(0).meaning=asa_id; \ classification.reference(0).name=ACE-3-322002; \ classification.reference(0).url=http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/system/message/guide/messags.html#wp456001; \ id=5120; \ revision=0; \ analyzer(0).name=ACE; \ analyzer(0).manufacturer=Cisco; \ analyzer(0).class=Aplication Control Engine; \ assessment.impact.severity=high; \ assessment.impact.type=admin; \ assessment.impact.completion=succeeded; \ assessment.impact.description=Explanation If ARP inspection is enabled, the ACE checks whether a new ARP entry advertised in the packet conforms to the statically configured or dynamically learned IP-MAC address binding before forwarding ARP packets. If this check fails, the ACE drops the ARP packet and generates this message. This situation can be caused by either ARP spoofing attacks in the network or an invalid configuration (IP-MAC binding).; \ last #DESCRIPTION:ARP inspection check failed #CATEGORY:Monitoring #LOG:Sep 20 18:25:50 x.x.x.x ACE_NAME %ACE-3-322003: ARP inspection check failed for arp {request|response} received from host MAC_address on interface interface. This host is advertising MAC Address MAC_address_1 for IP Address IP_address, which is not bound to any MAC Address. 
regex=-322003; \ classification.text=ARP inspection check failed; \ classification.reference(0).origin=vendor-specific; \ classification.reference(0).meaning=asa_id; \ classification.reference(0).name=ACE-3-322003; \ classification.reference(0).url=http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/system/message/guide/messags.html#wp456001; \ id=5121; \ revision=0; \ analyzer(0).name=ACE; \ analyzer(0).manufacturer=Cisco; \ analyzer(0).class=Aplication Control Engine; \ assessment.impact.severity=high; \ assessment.impact.type=admin; \ assessment.impact.completion=succeeded; \ assessment.impact.description=.; \ last #DESCRIPTION:Event on Cisco ACE #CATEGORY:Network Security #LOG:Sep 20 18:25:50 x.x.x.x ACE_NAME %ACE-4-400000: IDS:1000 IP Option Bad Option List from IP_address to IP_address on interface interface_name regex=-4000(\d+): IDS:(\d+); \ classification.text=IDS:$2 Event on Cisco ACE; \ classification.reference(0).origin=vendor-specific; \ classification.reference(0).meaning=asa_id; \ classification.reference(0).name=ACE-4-4000$1; \ classification.reference(0).url=http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/system/message/guide/messags.html#wp456001; \ id=5122; \ revision=0; \ analyzer(0).name=ACE; \ analyzer(0).manufacturer=Cisco; \ analyzer(0).class=Aplication Control Engine; \ assessment.impact.severity=high; \ assessment.impact.type=admin; \ assessment.impact.completion=succeeded; \ assessment.impact.description=Explanation Cisco Intrusion Detection System signature message: See original log.; \ last #DESCRIPTION:Received ARP collision #CATEGORY:Network Security #LOG:Sep 20 18:25:50 x.x.x.x ACE_NAME %ACE-4-405001: Received ARP {request | response} collision from IP_address/mac_address on interface interface_name regex=-405001: Received ARP (\S+) collision from ([\d\.]+); \ classification.text=Received ARP collision; \ 
classification.reference(0).origin=vendor-specific; \ classification.reference(0).meaning=asa_id; \ classification.reference(0).name=ACE-4-405001; \ classification.reference(0).url=http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/system/message/guide/messags.html#wp456001; \ id=5123; \ revision=0; \ analyzer(0).name=ACE; \ analyzer(0).manufacturer=Cisco; \ analyzer(0).class=Aplication Control Engine; \ assessment.impact.severity=high; \ assessment.impact.type=admin; \ assessment.impact.completion=succeeded; \ assessment.impact.description=Explanation The ACE received an ARP packet, and the MAC address in the packet differs from the ARP cache entry.; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$2; \ source(0).user.category=os-device; \ last #DESCRIPTION:Dropped UDP DNS #CATEGORY:Packet Filtering #LOG:Sep 20 18:25:50 x.x.x.x ACE_NAME %ACE-4-410001: Dropped UDP DNS packet_type from source_interface:source_address/source_port to dest_interface:dest_address/dest_port; error_length_type length length bytes exceeds max_length_type limit of maximum_length bytes regex=-410001; \ classification.text=Dropped UDP DNS; \ classification.reference(0).origin=vendor-specific; \ classification.reference(0).meaning=asa_id; \ classification.reference(0).name=ACE-4-410001; \ classification.reference(0).url=http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/system/message/guide/messags.html#wp456001; \ id=5124; \ revision=0; \ analyzer(0).name=ACE; \ analyzer(0).manufacturer=Cisco; \ analyzer(0).class=Aplication Control Engine; \ assessment.impact.severity=high; \ assessment.impact.type=admin; \ assessment.impact.completion=succeeded; \ assessment.impact.description=Explanation The domain-name length exceeds 255 bytes in a UDP DNS packet. 
(See RFC 1035 section 3.1.); \ last #DESCRIPTION:MAC address moved from interface #CATEGORY:Monitoring #LOG:Sep 20 18:25:50 x.x.x.x ACE_NAME %ACE-4-412001: MAC MAC_address moved from interface_1 to interface_2 regex=-412001; \ classification.text=MAC address moved from interface; \ classification.reference(0).origin=vendor-specific; \ classification.reference(0).meaning=asa_id; \ classification.reference(0).name=ACE-4-412001; \ classification.reference(0).url=http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/system/message/guide/messags.html#wp456001; \ id=5125; \ revision=0; \ analyzer(0).name=ACE; \ analyzer(0).manufacturer=Cisco; \ analyzer(0).class=Aplication Control Engine; \ assessment.impact.severity=high; \ assessment.impact.type=admin; \ assessment.impact.completion=succeeded; \ assessment.impact.description=Explanation The ACE detects that a host was moved from one module interface to another. In a transparent ACE, mapping between the host (MAC) and the ACE port is maintained in a Layer 2 forwarding table. The table dynamically binds packet source MAC addresses to an ACE port. When movement of a host from one interface to another interface is detected during this binding process, this error message is generated.; \ last #DESCRIPTION:User executed command #CATEGORY:Command Execution #LOG:Dec 13 17:58:27 x.x.x.x xxx %ACE-5-111008: User 'xx' executed the 'no set tcp timeout embryonic 30' command. 
regex=-111008; \ classification.text=User $1 executed command; \ classification.reference(0).origin=vendor-specific; \ classification.reference(0).meaning=asa_id; \ classification.reference(0).name=ACE-5-111008; \ classification.reference(0).url=http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA1_7_/configuration/system/message/guide/messags.html#wp456001; \ id=5126; \ revision=0; \ analyzer(0).name=ACE; \ analyzer(0).manufacturer=Cisco; \ analyzer(0).class=Aplication Control Engine; \ assessment.impact.severity=medium; \ assessment.impact.type=admin; \ assessment.impact.completion=succeeded; \ assessment.impact.description=User exceuted a configuration command.; \ last ���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������prelude-lml-rules-5.1.0/ruleset/cisco-common.rules��������������������������������������������������0000664�0001750�0001750�00000017515�13537533463�022405� 0����������������������������������������������������������������������������������������������������ustar �tandreja������������������������tandreja���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������#FULLNAME: Cisco Common #VERSION: 1.0 #DESCRIPTION: Cisco designs, manufactures, and sells networking equipment. This ruleset can work with any Cisco device. #These rules where created from logs of Cisco switchs. 
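The check that belongs next to rules like the ones above, added here as an example and not part of prelude-lml-rules: the shipped src/prelude-lml-rules-check only reports duplicate ids, while the defects that actually bite in a rules file are a `$N` substitution with no matching capture group in the `regex=` line, and a regex that no longer matches the `#LOG:` sample it was written from. The script below parses a rule file in the format used throughout this ruleset (one `key=value; \` directive per line, `last` closing the rule) and reports both, plus duplicate ids. The embedded sample ruleset is constructed for the example and deliberately contains two defective rules; the assumptions that Prelude-LML regexes are close enough to PCRE for Python's `re`, and that matching is an unanchored search on the message, are mine.

```python
"""Lint for Prelude-LML rule files.

Added example, not code shipped with prelude-lml-rules. It complements
src/prelude-lml-rules-check (duplicate ids only). For every rule it checks:
  1. the regex compiles;
  2. every $N used in a directive has a capture group N in the regex;
  3. every #LOG: sample preceding the rule is matched by the regex;
  4. the rule id is unique within the file.
Assumptions (mine): rules are PCRE-compatible enough for Python's re, a rule
runs from its regex= line to the first line without a trailing backslash,
and Prelude-LML applies the regex as an unanchored search on the message.
"""
import re
import sys
from typing import Dict, List

# Constructed sample ruleset in the format used by the shipped files; it is
# not taken from them and deliberately contains two defective rules.
SAMPLE_RULES = r"""
#DESCRIPTION:User executed command
#CATEGORY:Command Execution
#LOG:Dec 13 17:58:27 x.x.x.x xxx %ACE-5-111008: User 'xx' executed the 'no set tcp timeout embryonic 30' command.
regex=-111008: User '([^']+)' executed the '(.*)' command; \
classification.text=User $1 executed command; \
id=5126; \
source(0).user.user_id(0).name=$1; \
additional_data(0).data=$2; \
last

#DESCRIPTION:Defective: $1 is referenced but the regex has no capture group, and the id is reused
#LOG:Dec 13 17:58:27 x.x.x.x xxx %ACE-5-111008: User 'xx' executed the 'show run' command.
regex=-111008; \
classification.text=User $1 executed command; \
id=5126; \
last

#DESCRIPTION:Defective: the regex does not match its own sample
#LOG:May 10 15:19:28 mail clamd[14292]: /tmp/eicar.com: Eicar-Test-Signature FOUND
regex=(\S+): (\S+) FOUND!; \
id=3200; \
last
"""


def parse_rules(text: str) -> List[dict]:
    """Return one dict per rule: id, regex, line, logs, directives."""
    rules: List[dict] = []
    logs: List[str] = []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if current is None:
            if line.startswith("#LOG:"):
                logs.append(line[len("#LOG:"):].strip())
                continue
            if not line.startswith("regex="):
                continue  # blank lines, #DESCRIPTION, #CATEGORY, comments
            current = {"line": lineno, "id": None, "regex": None,
                       "logs": logs, "directives": []}
            logs = []
        # A trailing backslash continues the rule on the next line.
        more = line.endswith("\\")
        body = line.rstrip("\\").strip().rstrip(";").strip()
        if "=" in body:  # "last", "chained", "silent" carry no value
            key, _, value = body.partition("=")
            key, value = key.strip(), value.strip()
            current["directives"].append((key, value))
            if key == "regex":
                current["regex"] = value
            elif key == "id":
                current["id"] = value
        if not more:
            rules.append(current)
            current = None
    return rules


def lint_rules(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the file is clean."""
    findings: List[str] = []
    seen: Dict[str, int] = {}
    for rule in parse_rules(text):
        rid = rule["id"] or f"<no id, line {rule['line']}>"
        if rid in seen:
            findings.append(f"rule {rid}: id already used at line {seen[rid]}")
        else:
            seen[rid] = rule["line"]
        try:
            pat = re.compile(rule["regex"] or "")
        except re.error as exc:
            findings.append(f"rule {rid}: regex does not compile: {exc}")
            continue
        for key, value in rule["directives"]:
            if key == "regex":
                continue
            for ref in re.findall(r"\$(\d+)", value):
                if int(ref) > pat.groups:
                    findings.append(f"rule {rid}: {key} uses ${ref} but the "
                                    f"regex has {pat.groups} capture group(s)")
        for sample in rule["logs"]:
            if not pat.search(sample):
                findings.append(f"rule {rid}: regex does not match #LOG sample: {sample}")
    return findings


if __name__ == "__main__":
    # Usage: python lint_rules.py /etc/prelude-lml/ruleset/*.rules
    targets = [(p, open(p, encoding="utf-8", errors="replace").read())
               for p in sys.argv[1:]] or [("<sample>", SAMPLE_RULES)]
    for name, content in targets:
        for finding in lint_rules(content):
            print(f"{name}: {finding}")
```

Run it over the installed ruleset as shown in the usage comment. Expect some noise on the Cisco ACE rules above: several of their `#LOG:` lines are Cisco documentation templates (`IP_address`, `interface_name`), so a regex that captures `[\d\.]+` is reported as not matching its own sample even though it works on real messages. That is still worth seeing; the maintainer then decides per rule whether the sample or the regex should change.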
#Some models, but not limited to, are:
#- C3750
#- C35xx series (C3500, C3500 in.power, C3550, C3560G, etc)
#- C29xx series (C2900, C2900M, C2950 TSI, C2960, etc)
#At first, this file was cisco-switch.rules, but then I realized that there are a load of Cisco messages that are the same for all IOS.
#So it is now cisco-common.rules. Logic would require putting some other rules in this file, for example the "LINEPROTO-5-UPDOWN" rule in cisco-router.rules.
#####
#
# Copyright (C) 2006 Alexandre Racine <alexandreracine@gmail.com>
# www.alexandreracine.com
# Currently maintained by Alexandre Racine <alexandreracine@gmail.com>
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

#DESCRIPTION:Cisco says: %CDP-4-NATIVE_VLAN_MISMATCH : Native VLAN mismatch discovered on [chars] ([dec]), with [chars] [chars] ([dec])
#CATEGORY:Monitoring
#LOG:Dec 11 18:41:14: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/1 (1), with C3524pwr-049-1.somedomain.ca FastEthernet0/19 (49).
regex=%CDP-\d-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on (\S+) \(\d+\), with (\S+) (\S+) \(\d+\); \
classification.text=Native VLAN mismatch; \
classification.reference(0).origin=vendor-specific; \
classification.reference(0).meaning=cisco_id; \
classification.reference(0).name=%CDP-4-NATIVE_VLAN_MISMATCH; \
classification.reference(0).url=http://www.cisco.com/en/US/docs/ios/12_2/sem1/system/message/emfc6msf.html#wp946895; \
id=5500; \
revision=2; \
analyzer(0).name=Cisco IOS; \
analyzer(0).manufacturer=Cisco; \
analyzer(0).class=Router; \
assessment.impact.completion=failed; \
assessment.impact.type=other; \
assessment.impact.severity=low; \
assessment.impact.description=CDP has discovered a mismatch of native VLAN configuration.; \
source(0).interface=$1; \
target(0).node.name=$2; \
target(0).service.name=CDP; \
target(0).interface=$3; \
last

#DESCRIPTION:Cisco says: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on [chars] ([chars]), with [chars] [chars] ([chars])
#CATEGORY:Monitoring
#LOG:Dec 11 18:41:14: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on GigabitEthernet0/1 (not half duplex), with C3524pwr-049-1.cslaval.qc.ca FastEthernet0/19 (half duplex).
regex=%CDP-\d-DUPLEX_MISMATCH: duplex mismatch discovered on (\S+) \([\w\s]+\), with (\S+) (\S+) \([\w\s]+\); \
classification.text=Duplex mismatch; \
classification.reference(0).origin=vendor-specific; \
classification.reference(0).meaning=cisco_id; \
classification.reference(0).name=%CDP-4-DUPLEX_MISMATCH; \
classification.reference(0).url=http://www.cisco.com/en/US/docs/ios/12_2/sem1/system/message/emfc6msf.html#wp946885; \
id=5501; \
revision=2; \
analyzer(0).name=Cisco IOS; \
analyzer(0).manufacturer=Cisco; \
analyzer(0).class=Router; \
assessment.impact.completion=failed; \
assessment.impact.type=other; \
assessment.impact.severity=low; \
assessment.impact.description=CDP has discovered a mismatch of duplex configuration.; \
source(0).interface=$1; \
target(0).node.name=$2; \
target(0).service.name=CDP; \
target(0).interface=$3; \
last

#DESCRIPTION:Cisco says: %PORT_SECURITY-2-SECURITYREJECT: Security violation occurred on module [dec] port [dec] caused by MAC address [enet]
#CATEGORY:Network Security
#LOG:Dec 11 18:41:14: %PORT_SECURITY-2-SECURITYREJECT: Security violation occurred on module 0 port 6 caused by MAC address 0021.e6f2.e644
regex=%PORT_SECURITY-\d-SECURITYREJECT: Security violation occurred on module \d+ port \d+ caused by MAC address (\S*); \
classification.text=Port security violation; \
classification.reference(0).origin=vendor-specific; \
classification.reference(0).meaning=cisco_id; \
classification.reference(0).name=%PORT_SECURITY-2-SECURITYREJECT; \
classification.reference(0).url=https://www.cisco.com/en/US/docs/switches/lan/catalyst2900xl_3500xl/release12.0_5_wc6/scg/swmsg.html#wp1007036; \
id=5502; \
revision=3; \
analyzer(0).name=Cisco IOS; \
analyzer(0).manufacturer=Cisco; \
analyzer(0).class=Router; \
assessment.impact.completion=failed; \
assessment.impact.type=other; \
assessment.impact.severity=high; \
assessment.impact.description=A packet with an unexpected source MAC address ($1) was received on a secure port.; \
source(0).node.address(0).category=mac; \
source(0).node.address(0).address=$1; \
last

#DESCRIPTION:Cisco says: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred caused by MAC [enet] on port [chars]
#CATEGORY:Network Security
#LOG:Dec 11 18:41:14: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0462.0000.0464 on port FastEthernet0/22.
regex=%PORT_SECURITY-\d-PSECURE_VIOLATION: Security violation occurred, caused by MAC address (\S*) on port (\S+?)\.?\s*$; \
classification.text=Port security violation; \
classification.reference(0).origin=vendor-specific; \
classification.reference(0).meaning=cisco_id; \
classification.reference(0).name=%PORT_SECURITY-2-PSECURE_VIOLATION; \
classification.reference(0).url=http://www.cisco.com/en/US/docs/switches/lan/catalyst2955/software/release/12_1_12c_ea1/system/message/msg_desc.html#wp1103356; \
id=5503; \
revision=3; \
analyzer(0).name=Cisco IOS; \
analyzer(0).manufacturer=Cisco; \
analyzer(0).class=Router; \
assessment.impact.completion=failed; \
assessment.impact.type=other; \
assessment.impact.severity=high; \
assessment.impact.description=An unauthorized device attempted to connect on a secure port. $1 is the MAC address of the unauthorized device, and $2 is the secure port.; \
source(0).node.address(0).category=mac; \
source(0).node.address(0).address=$1; \
source(0).interface=$2; \
last

#DESCRIPTION:Cisco says: %RTD-1-ADDR_FLAP [chars] relearning [dec] addrs per min
#CATEGORY:Network Security
#LOG:Dec 11 18:41:14: %RTD-1-ADDR_FLAP: FastEthernet0/23 relearning 7 addrs per min
regex=%RTD-\d-ADDR_FLAP: (\S+) relearning (\d+) addrs per min; \
classification.text=MAC address flapping on port; \
classification.reference(0).origin=vendor-specific; \
classification.reference(0).meaning=cisco_id; \
classification.reference(0).name=%RTD-1-ADDR_FLAP; \
classification.reference(0).url=http://supportwiki.cisco.com/ViewWiki/index.php/What_does_the_RTD-1-ADDR_FLAP_system_message_mean%3F; \
id=5504; \
revision=3; \
analyzer(0).name=Cisco IOS; \
analyzer(0).manufacturer=Cisco; \
analyzer(0).class=Router; \
assessment.impact.completion=failed; \
assessment.impact.type=other; \
assessment.impact.severity=medium; \
assessment.impact.description=Normally, MAC addresses are learned once on a port. Occasionally, when a switched network reconfigures, due to either manual or STP reconfiguration, addresses learned on one port are relearned on a different port. However, if there is a port anywhere in the switched domain that is looped back to itself, addresses will jump back and forth between the real port and the port that is in the path to the looped back port. In this message, $1 is the interface, and $2 is the number of addresses being relearned per minute.; \
source(0).interface=$1; \
additional_data(0).type=integer; \
additional_data(0).meaning=Addresses relearned per minute; \
additional_data(0).data=$2; \
last

prelude-lml-rules-5.1.0/ruleset/clamav.rules

#FULLNAME: ClamAV
#VERSION: 1.0
#DESCRIPTION: Clam AntiVirus (ClamAV) is an antivirus software tool-kit able to detect many types of malicious software, including viruses. The rules included here were developed using Clam AV 0.70-1.
#####
#
# Copyright (C) 2004 G Ramon Gomez <gene at gomezbrothers dot com>
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

#DESCRIPTION:Virus found
#CATEGORY:Malware
#LOG:May 10 15:19:28 mail clamd[14292]: /usr/share/doc/clamav-0.70/test/test2.badext: ClamAV-Test-Signature FOUND
regex=(\S+): (\S+) FOUND; \
classification.text=Virus found: $2; \
id=3200; \
revision=3; \
analyzer(0).name=Clam Antivirus; \
analyzer(0).manufacturer=www.clamav.net; \
analyzer(0).class=Antivirus; \
assessment.impact.severity=high; \
assessment.impact.type=file; \
assessment.impact.completion=succeeded; \
assessment.impact.description=ClamAV identified the signature $2 in file $1.; \
additional_data(0).type=string; \
additional_data(0).meaning=File location; \
additional_data(0).data=$1; \
additional_data(1).type=string; \
additional_data(1).meaning=Malware name; \
additional_data(1).data=$2; \
last

#DESCRIPTION:Virus definition update
#CATEGORY:Update
#LOG:May 10 15:18:56 mail clamd[14292]: Database correctly reloaded (21517 viruses)
regex=Database correctly reloaded \(\d+ viruses\); \
classification.text=Virus definition update; \
id=3201; \
revision=2; \
analyzer(0).name=Clam Antivirus; \
analyzer(0).manufacturer=www.clamav.net; \
analyzer(0).class=Antivirus; \
assessment.impact.severity=info; \
assessment.impact.type=other; \
assessment.impact.completion=succeeded; \
assessment.impact.description=ClamAV definitions have been updated.; \
last

prelude-lml-rules-5.1.0/ruleset/juniper-vpn.rules

#FULLNAME: Juniper VPN
#VERSION: 1.0
#DESCRIPTION: Juniper Networks offers a wide range of VPN configuration possibilities, such as Route Based VPN, Policy Based VPN, Dial-up VPN, and L2TP over IPSec.
#####
#
# Copyright (C) 2012 Seguridadx <operador@seguridadx.com>
# twitter: <www.twitter.com/seguridad_x>
# All Rights Reserved
#
# Copyright (C) 2014-2019 CS-SI <support.prelude@c-s.fr>
# All Rights Reserved.
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

#DESCRIPTION:General Messages
#CATEGORY:Monitoring
#LOG:Mar 30 15:11:50 127.167.193.109 Juniper: 2012-03-30 15:11:50 - vpn - [142.186.141.93] Root::System(Intranet)[Administrators] - Login failed. Reason: Failed
regex=- (\S+) - \[([^\]]+)\] (?:Root::)?(\S+)\([^\)]*\)\[\w*\] ; \
classification.reference(0).origin=vendor-specific; \
id=158000000; \
chained; silent; \
revision=2; \
analyzer(0).name=Juniper SA/MAG; \
analyzer(0).manufacturer=www.juniper.net; \
analyzer(0).class=VPN; \
source(0).user.user_id(0).name=$3; \
source(0).node.address(0).category=ipv4-addr; \
source(0).node.address(0).address=$2; \
target(0).node.name=$1

#DESCRIPTION:Login failed
#CATEGORY:Authentication
#LOG:Mar 30 15:11:50 127.167.193.109 Juniper: 2012-03-30 15:11:50 - vpn - [142.186.141.93] Root::System(Intranet)[Administrators] - Login failed. Reason: Failed
#LOG:Jul 8 17:02:23 224.195.17.199 Juniper: 2013-07-08 17:00:55 - vpn - [224.195.17.199] bob(Users)[Administrators] - Login failed using auth server Administrators (Local Authentication). Reason: Failed
#LOG:Mar 30 14:36:29 45.208.182.48 Juniper: 2012-03-30 14:36:29 - vpn - [111.198.162.171] Root::pparker(Intranet)[] - Login failed. Reason: NoRoles
regex=Login failed.+ Reason: (\w+); \
classification.text=Login failed; \
id=158000100; \
revision=1; \
analyzer(0).name=Juniper SA/MAG; \
analyzer(0).manufacturer=www.juniper.net; \
analyzer(0).class=VPN; \
assessment.impact.severity=low; \
assessment.impact.type=user; \
assessment.impact.completion=failed; \
assessment.impact.description=The user failed to log in; reason: $1; \
goto=158000000; \
last

#DESCRIPTION:Login succeeded
#CATEGORY:Authentication
#LOG:Jul 8 17:02:23 224.195.17.199 Juniper: 2008-08-21 08:01:22 - vpn - [192.168.1.2] Root::jsmith(Intranet)[Employee] - Login succeeded for jsmith/EPT-ACCESS from 192.168.1.2.
regex=Login succeeded for; \
classification.text=Login succeeded; \
id=158000101; \
revision=1; \
analyzer(0).name=Juniper SA/MAG; \
analyzer(0).manufacturer=www.juniper.net; \
analyzer(0).class=VPN; \
assessment.impact.severity=info; \
assessment.impact.type=user; \
assessment.impact.completion=succeeded; \
assessment.impact.description=The user has logged in successfully.; \
goto=158000000; \
last

#DESCRIPTION:Virus signature list imported successfully
#CATEGORY:Update
#LOG:Apr 10 12:23:33 181.150.154.85 Juniper: 2012-04-10 12:23:33 - vpn - [17.4.29.105] Root::System()[] - The current virus signature list imported successfully
regex=The current virus signature list imported successfully; \
classification.text=Virus Signature Update; \
id=158000200; \
revision=1; \
analyzer(0).name=Juniper SA/MAG; \
analyzer(0).manufacturer=www.juniper.net; \
analyzer(0).class=VPN; \
assessment.impact.severity=info; \
assessment.impact.type=other; \
assessment.impact.completion=succeeded; \
assessment.impact.description=The current virus signature list has been downloaded and imported successfully.; \
goto=158000000; \
last

#DESCRIPTION:Patch Management data imported successfully
#CATEGORY:Update
#LOG:Apr 10 12:23:33 181.150.154.85 Juniper: 2012-04-10 12:23:33 - vpn - [17.4.29.105] Root::System()[] - The current patch management data imported successfully
regex=The current patch management data imported successfully; \
classification.text=Patch Management Update; \
id=158000201; \
revision=1; \
analyzer(0).name=Juniper SA/MAG; \
analyzer(0).manufacturer=www.juniper.net; \
analyzer(0).class=VPN; \
assessment.impact.severity=info; \
assessment.impact.type=other; \
assessment.impact.completion=succeeded; \
assessment.impact.description=The current patch management data has been downloaded and imported successfully.; \
goto=158000000; \
last

#DESCRIPTION:Patch Management Update failed
#CATEGORY:Update
#LOG:Apr 10 12:23:33 181.150.154.85 Juniper: 2012-04-10 12:23:33 - vpn - [17.4.29.105] Root::System()[] - Unable to download current patch management
regex=Unable to download current patch management; \
classification.text=Patch Management Update failed; \
id=158000202; \
revision=2; \
analyzer(0).name=Juniper SA/MAG; \
analyzer(0).manufacturer=www.juniper.net; \
analyzer(0).class=VPN; \
assessment.impact.severity=low; \
assessment.impact.type=other; \
assessment.impact.completion=failed; \
assessment.impact.description=Patch management data download failed.; \
goto=158000000; \
last

#DESCRIPTION:Virus Signature Update failed
#CATEGORY:Update
#LOG:Apr 10 12:23:33 181.150.154.85 Juniper: 2012-04-10 12:23:33 - vpn - [17.4.29.105] Root::System()[] - Unable to download current virus signature
regex=Unable to download current virus signature; \
classification.text=Virus Signature Update failed; \
id=158000203; \
revision=2; \
analyzer(0).name=Juniper SA/MAG; \
analyzer(0).manufacturer=www.juniper.net; \
analyzer(0).class=VPN; \
assessment.impact.severity=low; \
assessment.impact.type=other; \
assessment.impact.completion=failed; \
assessment.impact.description=Virus signature download failed.; \
goto=158000000; \
last

#DESCRIPTION:Node deactivated in cluster
#CATEGORY:Monitoring
#LOG:2009-04-28 15:53:14 Juniper: 2009-04-28 15:53:13 - vpnmaster - [192.168.1.1] System()[] - Node 'vpnmaster' deactivated in cluster 'vpncluster [vpnslave, 192.168.1.2] [vpnmaster, 192.168.1.1]'.
regex=Node '(\S+)' deactivated in cluster; \
classification.text=Failover: deactivated in cluster; \
id=158000300; \
revision=1; \
analyzer(0).name=Juniper SA/MAG; \
analyzer(0).manufacturer=www.juniper.net; \
analyzer(0).class=VPN; \
assessment.impact.severity=medium; \
assessment.impact.type=other; \
assessment.impact.completion=succeeded; \
assessment.impact.description=Node $1 was deactivated in the cluster.; \
goto=158000000; \
last

#DESCRIPTION:Node activated in cluster
#CATEGORY:Monitoring
#LOG:2009-04-28 15:53:14 Juniper: 2009-04-28 15:53:13 - vpnmaster - [192.168.1.1] System()[] - Node 'vpnmaster' activated in cluster 'vpncluster [vpnslave, 192.168.1.2] [vpnmaster, 192.168.1.1]'.
regex=Node '(\S+)' activated in cluster; \
classification.text=Failover: activated in cluster; \
id=158000301; \
revision=1; \
analyzer(0).name=Juniper SA/MAG; \
analyzer(0).manufacturer=www.juniper.net; \
analyzer(0).class=VPN; \
assessment.impact.severity=info; \
assessment.impact.type=other; \
assessment.impact.completion=succeeded; \
assessment.impact.description=Node $1 was activated in the cluster.; \
goto=158000000; \
last

prelude-lml-rules-5.1.0/ruleset/ms-cluster.rules

#FULLNAME: Microsoft Cluster
#VERSION: 1.0
#DESCRIPTION: Cluster service from Microsoft. The rules included here were developed using NTSyslog and Windows 2003 Cluster Service.
#####
#
# Copyright (C) 2006 G Ramon Gomez <gene at gomezbrothers dot com>
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
# # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2, or (at your option) # any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License along # with this program; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # ##### #DESCRIPTION:Cluster communication failure #CATEGORY:High Availability #LOG:Oct 22 04:15:01 smf-syslog-02 smf-exchange-06/smf-exchange-06 clussvc[error] 1079 The node cannot join the cluster because it cannot communicate with node SMF-EXCHANGE-05 over any network configured for internal cluster communication. Check the network configuration of the node and the cluster. regex=The node cannot join the cluster because it cannot communicate with node (\S+) over any network configured for internal cluster communication.; \ classification.text=Cluster communication failure; \ classification.reference(0).origin=vendor-specific; \ classification.reference(0).meaning=Windows Event ID; \ classification.reference(0).name=1079; \ id=4900; \ revision=1; \ analyzer(0).name=Cluster Server; \ analyzer(0).manufacturer=Microsoft; \ analyzer(0).class=Cluster; \ assessment.impact.severity=medium; \ assessment.impact.completion=failed; \ assessment.impact.type=dos; \ assessment.impact.description=$1 could not connect to the active cluster member/cluster coordinator. 
It will be removed from the cluster.; \ source(0).process.name=clussvc; \ source(0).node.address(0).category=unknown; \ source(0).node.address(0).address=$1; \ source(0).node.name=$1; \ target(0).process.name=clussvc; \ last #DESCRIPTION:Cluster node removed from the active cluster membership #CATEGORY:High Availability #LOG:Oct 22 04:16:04 smf-syslog-02 smf-exchange-05/smf-exchange-05 clussvc[warning] 1135 Cluster node SMF-EXCHANGE-06 was removed from the active cluster membership. The Clustering Service may have been stopped on the node, the node may have failed, or the node may have lost communication with the other active cluster nodes regex=Cluster node (\S+) was removed from the active cluster membership; \ classification.text=Cluster communication failure; \ classification.reference(0).origin=vendor-specific; \ classification.reference(0).meaning=Windows Event ID; \ classification.reference(0).name=1135; \ id=4901; \ revision=1; \ analyzer(0).name=Cluster Server; \ analyzer(0).manufacturer=Microsoft; \ analyzer(0).class=Cluster; \ assessment.impact.severity=medium; \ assessment.impact.completion=failed; \ assessment.impact.type=dos; \ assessment.impact.description=The active cluster member/cluster coordinator could not connect to $1. $1 will be removed from the cluster.; \ source(0).process.name=clussvc; \ source(0).node.address(0).category=unknown; \ source(0).node.address(0).address=$1; \ source(0).node.name=$1; \ target(0).process.name=clussvc; \ last #DESCRIPTION:Cluster is UP #CATEGORY:High Availability #LOG:Oct 23 19:09:38 smf-syslog-02 smf-exchange-02/smf-exchange-02 clussvc[info] Cluster network 'Public' is operational (up). All available cluster nodes attached to the network can communicate using it. 
regex=Cluster network '(.+)' is operational \(up\); \ classification.text=Cluster up; \ id=4902; \ revision=1; \ analyzer(0).name=Cluster Server; \ analyzer(0).manufacturer=Microsoft; \ analyzer(0).class=Cluster; \ assessment.impact.severity=low; \ assessment.impact.completion=succeeded; \ assessment.impact.type=other; \ assessment.impact.description=The cluster $1 is now up.; \ additional_data(0).type=string; \ additional_data(0).meaning=Cluster name; \ additional_data(0).data=$1; \ last �������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������prelude-lml-rules-5.1.0/ruleset/netapp-ontap.rules��������������������������������������������������0000664�0001750�0001750�00000013611�13537533463�022416� 0����������������������������������������������������������������������������������������������������ustar �tandreja������������������������tandreja���������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������#FULLNAME: NetApp ONTAP #VERSION: 1.0 #DESCRIPTION: Data ONTAP is NetApp's internal operating system, specially optimised for storage functions at high and low level. The rules included here were developed using NetApp ONTAP 6.4.4R1 on a F820 Filer. ##### # # Copyright (C) 2004 G Ramon Gomez <gene at gomezbrothers dot com> # All Rights Reserved # # This file is part of the Prelude-LML program. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2, or (at your option) # any later version. 
# # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License along # with this program; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # ##### #DESCRIPTION:Storage full #CATEGORY:Monitoring #LOG:Jul 22 12:12:57 cahco3 Thu Jul 22 12:09:00 PDT [monitor.globalStatus.nonCritical:warning]: /vol/RanchoFiles is full (using or reserving 98% of space and 6% of inodes). regex=\[monitor.globalStatus.nonCritical:warning\]: (\S+) is full \(using or reserving (\d+%) of space and (\d+%) of inodes; \ classification.text=Storage capacity warning; \ id=3900; \ revision=1; \ analyzer(0).name=ONTAP; \ analyzer(0).manufacturer=NetApp; \ analyzer(0).class=Storage; \ assessment.impact.severity=low; \ assessment.impact.completion=succeeded; \ assessment.impact.type=other; \ assessment.impact.description=The storage on volume $1 is either approaching or has reached full capacity. $2 of available storage and $3 of available inodes have been consumed.; \ last #DESCRIPTION:Directory close to the maxdirsize limit #CATEGORY:Monitoring #LOG:Jul 15 13:21:04 cahco3 Thu Jul 15 13:17:16 PDT [FastEnet-10/100/e0:warning]: Directory /vol/Imaging/idmds/MAXLIB01/stacks/shelf006/ is getting close to the maxdirsize limit. Please increase the maxdirsize by using the vol option command. 
regex=Directory (\S+) is getting close to the maxdirsize limit; \ classification.text=Storage capacity warning; \ id=3901; \ revision=1; \ analyzer(0).name=ONTAP; \ analyzer(0).manufacturer=NetApp; \ analyzer(0).class=Storage; \ assessment.impact.severity=low; \ assessment.impact.completion=succeeded; \ assessment.impact.type=other; \ assessment.impact.description=The directory $1 is either approaching or has reached full capacity.; \ last #DESCRIPTION:HTTP Authentication failed #CATEGORY:Authentication #LOG:Jul 15 10:55:40 cahco3 Thu Jul 15 10:51:52 PDT [httpd_slowproc:warning]: HTTP Authentication from 12.34.56.78 to realm Administration failed regex=\[httpd_slowproc:warning\]: HTTP Authentication from ([\d\.]+) to realm \w+ failed; \ classification.text=Web administration admin login; \ id=3902; \ revision=2; \ analyzer(0).name=ONTAP; \ analyzer(0).manufacturer=NetApp; \ analyzer(0).class=Storage; \ assessment.impact.severity=high; \ assessment.impact.completion=failed; \ assessment.impact.type=admin; \ assessment.impact.description=A failed attempt was made to log into the ONTAP web administration console.; \ source(0).service.iana_protocol_name=tcp; \ source(0).service.iana_protocol_number=6; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$1; \ target(0).service.iana_protocol_name=tcp; \ target(0).service.iana_protocol_number=6; \ target(0).service.name=http; \ last #DESCRIPTION:Remote Login #CATEGORY:Authentication #LOG:Jul 15 10:57:55 cahco3 Thu Jul 15 10:54:07 PDT [telnet_0:info]: clark logged in from host: localhost regex=\[telnet_\d+:info\]: (\S+) logged in from host: ([\w\-\.]+); \ classification.text=Remote control admin login; \ id=3903; \ revision=2; \ analyzer(0).name=ONTAP; \ analyzer(0).manufacturer=NetApp; \ analyzer(0).class=Storage; \ assessment.impact.severity=low; \ assessment.impact.completion=succeeded; \ assessment.impact.type=admin; \ assessment.impact.description=A user logged into the NetApp Filer 
using telnet.; \ source(0).service.iana_protocol_name=tcp; \ source(0).service.iana_protocol_number=6; \ source(0).node.name=$1; \ target(0).user.category=os-device; \ target(0).user.user_id(0).type=target-user; \ target(0).user.user_id(0).name=$1; \ target(0).service.iana_protocol_name=tcp; \ target(0).service.iana_protocol_number=6; \ target(0).service.name=telnet; \ last #DESCRIPTION:Addition of disk success #CATEGORY:Monitoring #LOG:Jul 15 11:20:49 cahco3 Thu Jul 15 11:17:01 PDT [raid.vol.disk.add.done:notice]: Addition of disk 8.64 (S/N 3HZ6YQHN00007433ARFV) to volume Callrec has completed successfully regex=\[raid.vol.disk.add.done:notice\]: Addition of disk ([\d\.]+) \(S\/N (\S+)\) to volume (\S+) has completed successfully; \ classification.text=Storage disk added to RAID; \ id=3904; \ revision=1; \ analyzer(0).name=ONTAP; \ analyzer(0).manufacturer=NetApp; \ analyzer(0).class=Storage; \ assessment.impact.severity=low; \ assessment.impact.completion=succeeded; \ assessment.impact.type=other; \ assessment.impact.description=Disk $1 with serial $2 was added to volume $3.; \ last #DESCRIPTION:Disk zeroing complete #CATEGORY:Monitoring #LOG:Jul 15 11:39:59 cahco3 Thu Jul 15 11:36:11 PDT [raid.disk.zero.done:notice]: 8.34 (S/N 3FP0H0JE000072074RFP): disk zeroing complete regex=\[raid.disk.zero.done:notice]: ([\d\.]+) \(S\/N (\S+)\): disk zeroing complete; \ classification.text=Storage disk zeroed; \ id=3905; \ revision=1; \ analyzer(0).name=ONTAP; \ analyzer(0).manufacturer=NetApp; \ analyzer(0).class=Storage; \ assessment.impact.severity=low; \ assessment.impact.completion=succeeded; \ assessment.impact.type=other; \ assessment.impact.description=Disk $1 with serial $2 was zeroed.; \ last �����������������������������������������������������������������������������������������������������������������������prelude-lml-rules-5.1.0/COPYING���������������������������������������������������������������������0000664�0001750�0001750�00000043254�13537533463�016312� 
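As an added example (not code from the prelude-lml-rules project), a small Python checker for the rule syntax used throughout these files: it parses the #DESCRIPTION/#CATEGORY/#LOG headers and the `key=value; \` continuation lines, confirms that each `regex=` compiles and matches the rule's own #LOG sample, flags `$N` references that have no capture group, and reports duplicate ids, which is the check the project's prelude-lml-rules-check script performs. It assumes Python's `re` is close enough to PCRE for these expressions and that field values contain no `;`; the sample rules are constructed from the ONTAP rules above, with two deliberate defects.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the ruleset's own syntax. Two rules deliberately share
# id 3903, and the second one references $3 although its regex has two groups.
SAMPLE_RULES = r"""#DESCRIPTION:Remote Login
#CATEGORY:Authentication
#LOG:Jul 15 10:57:55 cahco3 Thu Jul 15 10:54:07 PDT [telnet_0:info]: clark logged in from host: localhost
regex=\[telnet_\d+:info\]: (\S+) logged in from host: ([\w\-\.]+); \
 classification.text=Remote control admin login; \
 id=3903; \
 source(0).node.name=$2; \
 target(0).user.user_id(0).name=$1; \
 last

#DESCRIPTION:Disk zeroing complete
#CATEGORY:Monitoring
#LOG:Jul 15 11:39:59 cahco3 Thu Jul 15 11:36:11 PDT [raid.disk.zero.done:notice]: 8.34 (S/N 3FP0H0JE000072074RFP): disk zeroing complete
regex=\[raid.disk.zero.done:notice\]: ([\d\.]+) \(S\/N (\S+)\): disk zeroing complete; \
 id=3903; \
 assessment.impact.description=Disk $1 with serial $2 was zeroed from $3.; \
 last
"""

TAGS = {"#DESCRIPTION:": "description", "#CATEGORY:": "category", "#LOG:": "log"}


@dataclass
class Rule:
    description: str = ""
    category: str = ""
    log: str = ""      # the #LOG: sample line, if the rule has one
    line: int = 0      # line number of the regex= line
    fields: list = field(default_factory=list)  # (key, value) pairs in file order


def parse_rules(text):
    """Split rule text into Rule objects; a trailing backslash continues a rule."""
    rules, cur, buf = [], Rule(), ""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        tag = next((t for t in TAGS if line.startswith(t)), None)
        if tag:
            setattr(cur, TAGS[tag], line[len(tag):].strip())
        elif not line or line.startswith("#"):
            continue                      # blank line, comment or file header
        elif line.endswith("\\"):         # rule continues on the next line
            cur.line = cur.line or lineno
            buf += line[:-1]
        else:                             # last line of the rule
            cur.line = cur.line or lineno
            buf += line
            for item in filter(None, (s.strip() for s in buf.split(";"))):
                key, _, value = item.partition("=")
                cur.fields.append((key.strip(), value.strip()))
            rules.append(cur)
            cur, buf = Rule(), ""
    return rules


def check_rules(rules):
    """Return (line, message) problems, in the spirit of prelude-lml-rules-check."""
    problems, seen = [], {}
    for r in rules:
        fields = dict(r.fields)
        regex, rid = fields.get("regex"), fields.get("id")
        if regex is None or rid is None:
            problems.append((r.line, "rule lacks regex= or id="))
            continue
        try:
            pat = re.compile(regex)
        except re.error as err:
            problems.append((r.line, f"regex does not compile: {err}"))
            continue
        if r.log and not pat.search(r.log):
            problems.append((r.line, "regex does not match its own #LOG: sample"))
        for key, value in r.fields:
            for ref in sorted({int(n) for n in re.findall(r"\$(\d+)", value)}):
                if ref > pat.groups:
                    problems.append((r.line, f"{key} uses ${ref} but the regex has {pat.groups} group(s)"))
        if rid in seen:
            problems.append((r.line, f"id {rid} already defined at line {seen[rid]}"))
        else:
            seen[rid] = r.line
    return problems


def alert_description(rule):
    """Expand $N in assessment.impact.description against the #LOG: sample,
    as the pcre plugin does for a matching line; a missing group expands to ''."""
    fields = dict(rule.fields)
    desc = fields.get("assessment.impact.description")
    m = re.search(fields["regex"], rule.log) if desc and rule.log else None
    if m is None:
        return None
    return re.sub(r"\$(\d+)",
                  lambda g: (m.group(int(g.group(1))) or "")
                  if int(g.group(1)) <= m.re.groups else "", desc)


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    for line, msg in check_rules(parsed):
        print(f"line {line}: {msg}")
    for r in parsed:
        print(f"{r.description}: {alert_description(r)}")
```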
prelude-lml-rules-5.1.0/COPYING

GNU GENERAL PUBLIC LICENSE
Version 2, June 1991

Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.

Preamble

The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Lesser General Public License instead.) You can apply it to your programs, too.

When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things.

To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it.

For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.

We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software.

Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations.

Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all.

The precise terms and conditions for copying, distribution and modification follow.

GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you".

Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does.

1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.

You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.

2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:

a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.

b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.

c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.)

These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.

Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.

In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.

3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:

a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)

The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.

If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code.

4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.

6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.

7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.

If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances.

It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.

This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.

8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.

9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.

Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation.

10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.

NO WARRANTY

11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

END OF TERMS AND CONDITIONS

How to Apply These Terms to Your New Programs

If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms.

To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found.

    <one line to give the program's name and a brief idea of what it does.>
    Copyright (C) <year> <name of author>

    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License along
    with this program; if not, write to the Free Software Foundation, Inc.,
    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

Also add information on how to contact you by electronic and paper mail.

If the program is interactive, make it output a short notice like this when it starts in an interactive mode:

    Gnomovision version 69, Copyright (C) year name of author
    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
    This is free software, and you are welcome to redistribute it
    under certain conditions; type `show c' for details.

The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program.

You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names:

    Yoyodyne, Inc., hereby disclaims all copyright interest in the program
    `Gnomovision' (which makes passes at compilers) written by James Hacker.

    <signature of Ty Coon>, 1 April 1989
    Ty Coon, President of Vice

This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Lesser General Public License instead of this License.
prelude-lml-rules-5.1.0/README

Ruleset for pcre LML plugin (https://www.prelude-siem.org)

These rules are brought to you by CS and the Prelude Community.

Rules ID
========

IDs from 100000000 to 100010000 are dedicated to local rules

prelude-lml-rules-5.1.0/NEWS

* 2019-09-13, prelude-lml-rules-5.1.0:
* 2019-09-04, prelude-lml-rules-5.1.0rc1:
No new changes.
* 2019-07-17, prelude-lml-rules-5.1.0beta1:

Author: Song Tran
  - Modify ModSecurity rules

* 2019-03-15, prelude-lml-rules-5.1.0alpha1:

Author: Antoine Luong
  - Fix typo

* 2018-09-07, prelude-lml-rules-5.0.0:
* 2018-08-17, prelude-lml-rules-5.0.0rc1:
* 2018-05-04, prelude-lml-rules-5.0.0beta2:
* 2018-04-13, prelude-lml-rules-5.0.0beta1:

No new changes.

* 2018-02-09, prelude-lml-rules-4.2.0rc1:

Author: Song Tran
  - Update ModSecurity rules
  - Fix classification text for Apache rules
  - Fix ruleset order for Apache and ModSecurity
  - Fix 'DESCRIPTION' field

* 2017-07-21, prelude-lml-rules-4.1.0:

Author: Thomas Andrejak
  - Update apache2/httpd rules

* 2017-07-13, prelude-lml-rules-4.1.0rc2:

Author: Thomas Andrejak
  - Add ID range for local rules

* 2017-06-30, prelude-lml-rules-4.1.0rc1:

Author: Enguerrand de Mauduit
  - Add #DESCRIPTION to rules
  - Add #CATEGORY to rules

* 2017-06-23, prelude-lml-rules-4.1.0beta2:

No new changes.

* 2017-06-16, prelude-lml-rules-4.1.0beta1:

Author: Antoine Luong
  - Fix duplicate IDs in openhostapd.rules and zyxel.rules

* 2017-02-16, prelude-lml-rules-4.0.0:

No new changes.

* 2017-02-12, prelude-lml-rules-4.0.0rc3:

Author: Camille Gardet
  - Add NXLog rules

* 2017-02-03, prelude-lml-rules-4.0.0rc2:
* 2017-01-27, prelude-lml-rules-4.0.0rc1:
* 2017-01-12, prelude-lml-rules-4.0.0beta2:
* 2016-12-23, prelude-lml-rules-4.0.0beta1:

No new changes.

* 2016-09-14, prelude-lml-rules-3.1.0:
* 2016-09-01, prelude-lml-rules-3.1.0rc3:
* 2016-08-19, prelude-lml-rules-3.1.0rc2:

No new changes.

* 2016-08-05, prelude-lml-rules-3.1.0rc1:

Author: Thomas Andrejak
  - Update FSF address and copyrights
  - Fix GRSecurity and Snare rules

* 2016-04-22, prelude-lml-rules-3.0.0:
* 2016-04-15, prelude-lml-rules-3.0.0rc4:

No new changes.

* 2016-04-08, prelude-lml-rules-1.3.0rc3:

Author: Louis-David Gabet
  - Update Cisco ASA rules

* 2016-04-01, prelude-lml-rules-1.3.0rc2:

No new changes.

* 2016-03-25, prelude-lml-rules-1.3.0rc1:

Author: Louis-David Gabet
  - Fix rule in single.rules
  - Fix ID duplicates
  - Regular expression fixes

* 2016-03-18, prelude-lml-rules-1.3.0beta2:

Author: Antoine Luong
  - Add the fortigate ruleset (operador@seguridadx.com)

* 2016-03-01, prelude-lml-rules-1.3.0beta1:

Author: Louis-David Gabet
  - Regular expression fixes
  - Add information header for each ruleset

Author: Sélim Menouar
  - Add group sudo for admin group in shadow-utils

* 2016-01-11, prelude-lml-rules-1.3.0alpha1:

Author: Thomas Andrejak
  - Fix Arbor and CISCO ASA rules
  - Sanitization for #LOG:

Author: Louis-David Gabet
  - Rules for userdel and groupdel
  - Update rules for yum
  - Sanitization of rulesets

Author: Selim Menouar
  - Ignore case for UID and GID in shadow-utils.rules

Author: Antoine Luong
  - Update from prelude-ids.org to prelude-siem.org

* 2015-07-27, prelude-lml-rules-1.2.6:

Author: Antoine Luong
  - Syntax fixes

* 2014-07-07, prelude-lml-rules-1.2.5:

  - Updated/fixed rules for
    - Juniper SA
    - Symantec Antivirus
  - Removed duplicated freeradius ruleset
  - Added prelude-lml-rules-check
    prelude-lml-rules-check : sort rules ids

* 2013-09-18, prelude-lml-rules-1.0.0:

  - Initial release from prelude-lml ruleset
  - Updated rules for
    - Juniper MAG SSLVPN (operador@seguridadx.com)
    - Symantec Endpoint Protection Manager 12.1.2x (operador@seguridadx.com)
    - Cisco ASA 8.2.x (operador@seguridadx.com)
  - New rules for
    - Cisco ACE (operador@seguridadx.com)
    - Cisco IPS module (operador@seguridadx.com)
    - FreeRadius 1.1.7 (operador@seguridadx.com)
    - Symantec Critical System Protection 5.2 (operador@seguridadx.com)
    - IBM Data Power XG45 (operador@seguridadx.com)
prelude-lml-rules-5.1.0/AUTHORS

The Prelude LML rules have been made by the Prelude Community:

Alexander Afonyashin <firm@iname.com>
Alexandre Racine <alexandreracine@gmail.com>
Arnaud Guignard
Bjoern Weiland <bjoern-dot-weiland-at-web-dot-de>
Brad Spengler <spender@grsecurity.net>
CS-SI
Daniel Kopecek <dkopecek@redhat.com>
Dennis Hadderingh <dennis.hadderingh@is-company.nl>
Exaprobe
Exaprotect Technology
G Ramon Gomez <gene@gomezbrothers.com>
Herve Debar <herve.debar@francetelecom.com>
Igor Manassypov <imanassypov@rogers.com>
John Green <john@giggled.org>
Laurent Oudot <oudot.laurent@wanadoo.fr>
M LeBlanc <mleblanc@cpan.org>
Michael Boman <mboman@gentoo.org>
Nicholas Nachefski <nicholas-nachefski@hotmail.com>
Nicolas Delon <nicolas@prelude-ids.org>
Operador <operador@seguridadx.com>
Peter Vrabec <pvrabec@redhat.com>
Reyk Floeter <reyk@vantronix.net>
Ruben Alonso <1rualons@rigel.deusto.es>
Sebastien Tricaud <stricaud at inl dot fr>
Stephane Loeuillet <stephane.loeuillet@tiscali.fr>
Vincent Glaume
Yoann Vandoorselaere <yoann@prelude-ids.org>