rpms/sec/devel bsd-general.sec, NONE, 1.1 bsd-mpd.sec, NONE, 1.1 cisco-syslog.sec, NONE, 1.1 import.log, NONE, 1.1 pix-general.sec, NONE, 1.1 .cvsignore, 1.4, 1.5 amavisd.sec, 1.1, 1.2 bsd-MONITOR.sec, 1.1, 1.2 bsd-PHYSMOD.sec, 1.1, 1.2 bsd-USERACT.sec, 1.1, 1.2 conf.README, 1.1, 1.2 cvs.sec, 1.1, 1.2 dameware.sec, 1.1, 1.2 hp-openview.sec, 1.1, 1.2 labrea.sec, 1.1, 1.2 pix-security.sec, 1.1, 1.2 pix-url.sec, 1.1, 1.2 portscan.sec, 1.1, 1.2 sec.init, 1.1, 1.2 sec.logrotate, 1.1, 1.2 sec.spec, 1.6, 1.7 snort.sec, 1.1, 1.2 snortsam.sec, 1.1, 1.2 sources, 1.4, 1.5 ssh-brute.sec, 1.1, 1.2 ssh.sec, 1.1, 1.2 vtund.sec, 1.1, 1.2 windows.sec, 1.1, 1.2 001_init.sec, 1.1, NONE clamav.sec, 1.1, NONE dbi-example.sec, 1.1, NONE general.sec, 1.1, NONE mpd.sec, 1.1, NONE syslog-ng.txt, 1.1, NONE
Stefan Schulze Frielinghaus
stefansf at fedoraproject.org
Sat Oct 3 07:35:43 UTC 2009
Author: stefansf
Update of /cvs/pkgs/rpms/sec/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv25630/devel
Modified Files:
.cvsignore amavisd.sec bsd-MONITOR.sec bsd-PHYSMOD.sec
bsd-USERACT.sec conf.README cvs.sec dameware.sec
hp-openview.sec labrea.sec pix-security.sec pix-url.sec
portscan.sec sec.init sec.logrotate sec.spec snort.sec
snortsam.sec sources ssh-brute.sec ssh.sec vtund.sec
windows.sec
Added Files:
bsd-general.sec bsd-mpd.sec cisco-syslog.sec import.log
pix-general.sec
Removed Files:
001_init.sec clamav.sec dbi-example.sec general.sec mpd.sec
syslog-ng.txt
Log Message:
- New upstream release
- SPEC file cleanup
- Init script cleanup
- Removed some examples because of licensing issues. Upstream has clarified
and changed most of the license tags to GPLv2. Additionally, upstream
will include the examples in the next release.
- Removed a provide statement since a period was in the name and no other
package required that special name.
--- NEW FILE bsd-general.sec ---
# General log events, unix systems. From various sources
#
# Copyright (C) 2003-2009 Jim Brown
# This is free software. You may redistribute copies of it under the terms of
# the GNU General Public License version 2.
# There is NO WARRANTY, to the extent permitted by law.
#
# Bad su
# -----------
#
type=Single
ptype=RegExp
desc=$0
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+su: BAD SU (\S+) to (\S+) on (\S+)
action=pipe '$2 failed SU to $3 on $1 at %t' /usr/bin/mail -s "USER: $2 Failed SU on $1" alerts at example.com
type=Single
ptype=RegExp
desc=$0
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+su: BAD SU (\S+) to (\S+) on (\S+)
action=pipe '$2 failed SU to $3 on $1 at %t' /usr/bin/mail -s "USER: $2 Failed SU on $1" alerts at example.com
# MONITOR.conf - SEC rules to pick up disruptive monitoring
# events.
#
#Logs involving syslogd disabled or unusual promiscuous mode (MONITOR)
#----------------------------------------------------------------------
#Nov 15 20:02:48 foohost syslogd: exiting on signal 15
#Nov 22 02:00:02 foohost syslogd: restart
#Nov 11 15:58:55 foohost /kernel: de0: promiscuous mode enabled
#Nov 11 15:58:57 foohost /kernel: de0: promiscuous mode disabled
#
#
# Syslog Exit
# -----------
#
type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+syslogd: exiting on signal (\d+)
desc=$0
action=write - MONITOR: $1 syslog exit on signal $2 at %t
#
# Syslog Restart
# ---------------
#
type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+syslogd: restart
desc=$0
action=write - MONITOR: $1 syslog restart at %t
#
# Syslog Exit
# -----------
#
type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+/kernel: (\S+) promiscuous mode (\S+)
desc=$0
action=write - MONITOR: $1 $2 promiscuous mode $3 at %t
#
# sshd Problems
# --------------
#
type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+sshd\[\d+\]: (fatal|Bad)(.*)
desc=$0
action=write - USERACT: $1 sshd $2 problem, text: $3 at %t
#
# sshd Accepted
# --------------
#
type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+sshd\[\d+\]: Accepted (.*)
desc=$0
action=write - USERACT: $1 sshd accepted login, text: $2 at %t
#
# login FAILURES
# ---------------
#
#type=Single
#ptype=RegExp
#pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+login: (.*?FAILURE.)(.*?ON) (.*)
#desc=$0
#action=write - USERACT: $1 login $2 on $4 at %t
#SSH Auth failure on bsd 5
#type=Single
#ptype=RegExp
#pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+sshd\[\d+\]: error: PAM: authentication error for (/S+) from (/S+)
#desc=$0
#action=pipe 'SSHD: 1 $1 2 $2 3 $3 to 4 $4 on 5 $5 at %t' /usr/bin/mail -s "SSHD: $1 $2 $3 to $4 on $5 at %t' alerts at example.com
#
# su bad
# -----------------
#
type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+su: (BAD SU) (\S+) to (\S+) on (\S+)
desc=$0
action=pipe 'USER: $1 SU: $2 $3 to $4 on $5 at %t' /usr/bin/mail -s "USERACT: $1 su: $2 $3 to $4 on $5 at %t' alerts at example.com
#Nov 10 19:40:03 foohost su: jpb to root on /dev/ttyp0
#Nov 18 09:37:38 foohost su: BAD SU jpb to root on /dev/ttyp3
#Nov 22 12:26:44 foohost su: BAD SU badboy to root on /dev/ttyp0
#
#
# su good to root
# -----------------
#
type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+su: (\S+) to root on (\S+)
desc=$0
action=pipe 'USER: $1 GOOD SU: $2 $3 to $4 on $5 at %t' /usr/bin/mail -s "USERACT: $1 su: $2 $3 to $4 on $5 at %t' alerts at example.com
#action=write - USERACT: $1 su: $2 to ROOT on $4 at %t
#
# Cabling Problem
# ----------------
#
type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+/kernel: (\S+)\s+(.*?:) cable problem
desc=$0
action=event 0 $1 PHYSMOD:ORANGE cable problem on $2, text: $3 at %t
# USERACT - Events concerning user activities.
#
# Sample BSD logs involving logins, change of UID and privilege escalations.
#---------------------------------------------------------------------------
#Nov 14 12:14:58 foohost sshd[3388]: fatal: Timeout before authentication for 192.168.1.1
#Nov 14 19:58:34 foohost sshd[6597]: Bad protocol version identification '^B^S^D^Q^L' from 192.168.1.100
#Oct 18 06:16:53 foohost sshd[131]: Accepted keyboard-interactive/pam for foouser from 192.168.1.1 port 1077 ssh2
#Nov 15 04:02:24 foohost login: 1 LOGIN FAILURE ON ttyp2
#Nov 15 04:02:24 foohost login: 1 LOGIN FAILURE ON ttyp2, mysql
#Oct 18 03:20:46 foohost login: 2 LOGIN FAILURES ON ttyv0
#Oct 18 02:52:04 foohost login: ROOT LOGIN (root) ON ttyv1
#Oct 18 06:11:11 foohost login: login on ttyv0 as root
#Nov 10 19:40:03 foohost su: foouser to root on /dev/ttyp0
#Nov 18 09:37:38 foohost su: BAD SU foouser to root on /dev/ttyp3
#Nov 22 12:26:44 foohost su: BAD SU goodboy to root on /dev/ttyp0
#
#
# sshd Problems
# --------------
#
type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+sshd\[\d+\]: (fatal|Bad)(.*)
desc=$0
action=pipe 'USER: $1 su: $2 $3 to $4 on $5 at %t' /usr/bin/mail -s "USERACT: $1 su: $2 $3 to $4 on $5 at %t' alerts at example.com
#action=event 0 $1 USERACT:YELLOW sshd $2 problem, text: $3 at %t
#
# login FAILURES
# ---------------
# ORANGE
type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+(sshd|login): (.*?FAILURE.)(.*?ON) (.*)
desc=$0
action=pipe 'USER: $1: Login Failure $2 on $4 at %t' /usr/bin/mail -s "USER: $1 su: $2 $3 to $4 on $5 at %t' alerts at example.com
#action=event 0 $1 USERACT:YELLOW login $2 on $4 at %t
# NETWACT - SEC rules to pick up suspicious network events.
#
# Sample BSD logs involving odd or suspicious network activity.
#--------------------------------------------------------------
#Jun 3 17:46:24 foohost named[38298]: client 10.12.127.176#3714: request has invalid signature: tsig verify failure
#Apr 14 16:23:08 foohost /kernel: arp: 10.10.152.12 moved from 00:90:27:37:35:cf to 00:d0:59:aa:61:11 on de0
#Apr 1 11:23:39 sixshooter /kernel: Limiting closed port RST response from 368 to 200 packets per second
#
# named Dynamic DNS Update rejection
# ----------------------------------
#
type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+named\[\d+\]: client (\S+): request has invalid signature:(.*)
desc=$0
action=pipe 'NET: $1 dyndns attempt from $2' /usr/bin/mail -s "NET: $1 dyndns attempt from $2, text: $3 at %t" alerts at example.com
#
# MAC address moved
# -----------------
# ORANGE
type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+/kernel: arp: (\S+) moved from (\S+) to (\S+) on (\S+)
desc=$0
action=pipe 'NET: $1 arp moved on $2' /usr/bin/mail -s "NET: $1 arp moved on $2 from: $3 to $4 on $5 at %t" alerts at example.com
#
# DoS RST rate limit
# ------------------
#
type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+/kernel: Limiting closed port RST response from (\d+) to (\d+)
desc=$0
action=pipe 'NET: $1 RST limit enforced: $2 to $3 at %t' /usr/bin/mail =s "NET: $1 RST limit enforced: $2 to $3" alerts at example.com
# COMPROM - SEC rules to pick up potential system compromise events.
#
# Sample BSD logs involving potential system compromise.
#-------------------------------------------------------
#May 25 18:09:55 foohost ntpd[1325]: ntpd exiting on signal 11
#Jul 21 18:33:16 foohost /kernel: pid 55454 (ftpd), uid 1001: exited on signal 8
#Apr 9 12:57:06 foohost /kernel: pid 28039 (telnet), uid 0: exited on signal 3 (core dumped)
#
# ntpd crash
# ------------------
#
type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+ntpd\[\d+\]: ntpd exiting on signal (\d+)
desc=$0
action=pipe 'CRASH: $1 ntpd crashed on signal $2 at %t' /usr/bin/mail -s "CRASH: $1 ntpd crashed" alerts at example.com
#
# Process crash
# ------------------
#
type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+/kernel: pid \d+ \(\S+\), uid (\d+): exited on signal (\d+)
desc=$0
action=pipe 'CRASH: $1 $2 crashed on signal $4, uid $3 at %t' /usr/bin/mail -s "CRASH: $1 $2 crashed" alerts at example.com
# PROCESS - SEC rules to pick up suspicious process events.
#
# Sample BSD logs involving unusual processes.
#---------------------------------------------
#Mar 23 08:05:52 foohost thttpd[126]: thttpd/2.25b 29dec2003 starting on port 8090
#
# Suspicious processes
# --------------------
#
type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+(thttpd)\[(\d+)\]:(.*)
desc=$0
action=pipe 'SUSPROC: $1 suspicious process $2 pid $3, text: $4 at %t' /usr/bin/mail -s "SUSPROC: $1 suspicious process $2" alerts at example.com
# SHUTRST - SEC rules to pick up system shutdown, restart events.
#
# Sample BSD logs involving system shutdown and reset.
#-----------------------------------------------------
#Mar 6 16:28:13 foohost reboot: rebooted by foouser
#Jul 15 17:35:49 foohost halt: halted by root
#Mar 6 16:29:17 foohost /kernel: Copyright (c) 1992-2003 The FreeBSD Project.
#
# Reboot message
# --------------
#
type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+reboot: rebooted by (\S+)
desc=$0
action=pipe 'REBOOT: $1 rebooted by $2' /usr/bin/mail -s "REBOOT: $1 rebooted by $2" alerts at example.com
#
# Halt message
# --------------
#
type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+halt: halted by (\S+)
desc=$0
action=pipe 'HALT: $1 halted by $2' /usr/bin/mail -s "HALT: $1 halted by $2" alerts at example.com
#
# Restart message
# --------------
#
type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+/kernel: Copyright \(c\) (\S+) The FreeBSD Project
desc=$0
action=pipe 'RESTART: $1 restart message at %t' /usr/bin/mail -s "RESTART: $1 restart message" alerts at example.com
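Review bot: several pipe actions in this file open the mail subject with a double quote and close it with a single quote (the "su bad", "su good to root", USERACT "sshd Problems" and "login FAILURES" rules, and the commented-out SSH PAM rule), e.g. `-s "USERACT: $1 su: $2 $3 to $4 on $5 at %t'`, so the shell never sees a terminated string and the mail is not sent; the quotes need to match, as in `-s "USERACT: $1 su: $2 $3 to $4 on $5 at %t"`. Some of those actions also reference match variables the pattern does not capture: "su good to root" captures three groups but prints $4 and $5, and the USERACT "sshd Problems" rule reuses the su mail text wholesale ("$1 su: $2 $3 to $4 on $5") although its pattern has three groups and describes sshd, not su. The "DoS RST rate limit" action has `/usr/bin/mail =s` where `-s` is meant. In the "Process crash" rule the pattern captures only host, uid and signal, while the action prints $2 as the process name and $4 as the signal; capturing the name with `pid \d+ \((\S+)\), uid (\d+): exited on signal (\d+)` makes the numbering line up. The commented SSH PAM rule has `(/S+)` where `(\S+)` is intended. Finally, the "Bad su" rule at the top of the file appears twice verbatim, so each bad su is mailed twice, and the promiscuous-mode MONITOR rule is still headed "Syslog Exit".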
--- NEW FILE bsd-mpd.sec ---
#############################################################################
# BSD mpd events
#
# Copyright (C) 2003-2009 Matt Jonkman
# This is free software. You may redistribute copies of it under the terms of
# the GNU General Public License version 2.
# There is NO WARRANTY, to the extent permitted by law.
#############################################################################
type=single
desc = mpd connection start
ptype=regexp
pattern=([A-z._0-9-]*) mpd: PPTP connection from (\d+\.\d+\.\d+\.\d+):\d+
action=add GENERAL_REPORT MPD Start from $2 on $1
type=single
ptype=regexp
pattern=([A-z._0-9-]*) mpd: Name: (.*)
desc = mpd user auth
action=add GENERAL_REPORT MPD User $2 Auth on $1
type=Single
ptype=RegExp
pattern=([A-z._0-9-]*) mpd: pptp\d: killing connection with (\d+\.\d+\.\d+\.\d+):\d+
desc=mpd connection end
action=add GENERAL_REPORT MPD Connection end from $2 on $1
--- NEW FILE cisco-syslog.sec ---
#############################################################################
# SEC rules for processing Cisco syslog messages
#
# Copyright (C) 2008-2009 Omer Ben-Shalom, Risto Vaarandi
# This is free software. You may redistribute copies of it under the terms of
# the GNU General Public License version 2.
# There is NO WARRANTY, to the extent permitted by law.
#############################################################################
# ----- Process system configuration events -----
# System configuration events
# suppressed because we don't care about it
#
type=suppress
ptype=substr
pattern=%SYS-5-CONFIG_I:
desc=device configuration
# System configuration sync to standby router
# suppressed because we don't care about it
#
type=suppress
ptype=substr
pattern=%PFINIT-SP-5-CONFIG_SYNC:
desc=config sync
# ----- Process reload and restart events -----
# Looks for a reload
#
type=single
continue=takeNext
ptype=regexp
pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%SYS-5-RELOAD: (.*)
desc=(WARNING) reload requested for $1
action=pipe '%s details:$2' mail -s 'cisco event' root at example.com
# Looks for a reload followed by a restart event
#
type=pairWithWindow
ptype=regexp
pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%SYS-5-RELOAD:
desc=(CRITICAL) $1 RELOAD_PROBLEM
action=pipe '%s' mail -s 'cisco event' root at example.com
ptype2=regexp
pattern2=($1).*?%SYS-5-RESTART:
desc2=(NOTICE) $1 RELOAD_OK
action2=pipe '%s' mail -s 'cisco event' root at example.com
window=300
# Looks for a restart without reload command
#
type=single
ptype=regexp
pattern=(\S+) \d+:.*?%SYS-5-RESTART:
desc=(CRITICAL) $1 restart without reload command
action=pipe '%s' mail -s 'cisco event' root at example.com
# ----- process SNMP authentication failure events -----
# this rule handles the SNMP authentication failures
# only one notification is sent for each source that is doing this per day
#
type=singleWithSuppress
ptype=regexp
pattern=(\S+) \d+:.*?%SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host (\S+)
desc=(WARNING) Auth fail coming from $2
action=pipe '%s' mail -s 'cisco event' root at example.com
window=86400
# ----- process OSPF neighbor change events -----
# This rule handles OSPF neighbor changes
#
type=single
ptype=regexp
pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%OSPF-5-ADJCHG:.*?Nbr (\S+) on (\S+) from (\S+) to (\S+), (.*)
desc=(MINOR) OSPF adjacency change: Router $1 reports that the neighbor on $3 ($2) changed from state $4 to state $5 detail:$6
action=event %s; pipe '%s' mail -s 'cisco event' root at example.com
# This rule escalates to CRITICAL if there are more than 5 neighbor changes
# in 5 seconds
#
type=SingleWithThreshold
ptype=substr
pattern=(MINOR) OSPF adjacency change
desc=(CRITICAL) More than 5 OSPF neighbor changes in 5 seconds
action=pipe '%s' mail -s 'cisco event' root at example.com
thresh=5
window=5
# ----- process HSRP events -----
# This rule assembles together all HSRP events
#
type=single
ptype=regexp
pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%STANDBY-6-STATECHANGE: (\S+).*?state (\S+) -> (\S+)
desc=HSRP change for $1 interface $2 - changed from $3 to $4
action=add HSRP_$1 %t: %s; set HSRP_$1 5 (report HSRP_$1 mail -s 'cisco events' root at example.com)
# ----- process duplex mismatch events -----
# this rule handles the duplex mismatch event
# only one notification is sent for each port that has duplex mismatch
# reported per day
#
type=singleWithSuppress
ptype=regexp
pattern=(\S+) \d+:.*?%CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on (not \S+) \((.*?)\), with (\S+) (\S+) \((.*?)\)
desc=(WARNING) Duplex mismatch between $1 port $2 ($3), other side is $4 port $5 ($6)
action=pipe '%s' mail -s 'cisco event' root at example.com
window=86400
# ----- process link down and link up events -----
# This rule deals with link down events
#
type=PairWithWindow
ptype=RegExp
pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%LINK-3-UPDOWN: Interface (\S+), changed state to down
desc=(MINOR) $1 INTERFACE $2 DOWN and not up in one minute
action=pipe '%s' mail -s 'cisco event' root at example.com
ptype2=RegExp
pattern2=($1)\s+\d+:.*?%LINK-3-UPDOWN: Interface ($2), changed state to up
desc2=(WARNING) %1 INTERFACE %2 BOUNCE
action2=event %s
window=60
# when the first bounce event is seen, create a reporting trigger
#
type=Single
continue=TakeNext
ptype=regexp
pattern=(\S+) INTERFACE \S+ BOUNCE
context=!INTERFACE_BOUNCE_WAIT_$1
desc=interface bounce summary event for router $1
action=create INTERFACE_BOUNCE_WAIT_$1 10 (report INTERFACE_BOUNCE_$1 mail -s 'cisco events' root at example.com; delete INTERFACE_BOUNCE_$1)
# accumulate all interface bounce events into a context
#
type=Single
ptype=regexp
pattern=(\S+) INTERFACE (\S+) BOUNCE
desc=interface bounce for router $1 interface $2 detected
action=add INTERFACE_BOUNCE_$1 %t: %s
# ----- process line protocol down and line protocol up events -----
# This rule deals with protocol up/down events
#
type=PairWithWindow
ptype=RegExp
pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%LINEPROTO-5-UPDOWN: Line protocol on Interface (\S+), changed state to down
desc=(MINOR) $1 INTERFACE $2 line protocol DOWN and not up in one minute
action=pipe '%s' mail -s 'cisco event' root at example.com
ptype2=RegExp
pattern2=($1)\s+\d+:.*?%LINEPROTO-5-UPDOWN: Line protocol on Interface ($2), changed state to up
desc2=(WARNING) %1 INTERFACE %2 line protocol BOUNCE
action2=event %s
window=60
# when the first bounce event is seen, create a reporting trigger
#
type=Single
continue=TakeNext
ptype=regexp
pattern=(\S+) INTERFACE \S+ line protocol BOUNCE
context=!LINE_PROTOCOL_BOUNCE_WAIT_$1
desc=line protocol bounce for router $1
action=create LINE_PROTOCOL_BOUNCE_WAIT_$1 10 (report LINE_PROTOCOL_BOUNCE_$1 mail -s 'cisco events' root at example.com; delete LINE_PROTOCOL_BOUNCE_$1)
# accumulate all line protocol bounce events into a context
#
type=Single
ptype=regexp
pattern=(\S+) INTERFACE (\S+) line protocol BOUNCE
desc=line protocol bounce for router $1 interface $2 detected
action=add LINE_PROTOCOL_BOUNCE_$1 %t: %s
# ----- process late collision events -----
# Late collision alerts
#
type=SingleWithThreshold
ptype=RegExp
pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%PM_SCP-SP-4-LCP_FW_ABLC: Late collision message from module (\d+), port:(\d+)
desc=(MINOR) Multiple late collision events on $1 module $2 port $3
action=pipe '%s' mail -s 'cisco event' root at example.com
window=3600
thresh=5
# ----- process host flap events -----
# host flapping on single vlan
#
type=SingleWithThreshold
continue=TakeNext
ptype=RegExp
pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%C4K_EBM-4-HOSTFLAPPING: Host (\S+) in vlan (\S+) is flapping between port (\S+) and port (\S+)
desc=(MINOR) multiple hosts flapping between ports $4 and $5 in $1 vlan $3
action=pipe '%s' mail -s 'cisco event' root at example.com
window=300
thresh=5
# host flapping on multiple vlans
#
type=SingleWithThreshold
continue=TakeNext
ptype=RegExp
pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%C4K_EBM-4-HOSTFLAPPING: Host (\S+) in vlan (\S+) is flapping between port (\S+) and port (\S+)
desc=(MINOR) multiple hosts are flapping between ports $4 and $5 in $1 (potentially on multiple VLANs)
action=pipe '%s' mail -s 'cisco event' root at example.com
window=300
thresh=20
# ----- process misc hw events -----
# %FILESYS-SP-STDBY-5-DEV:# flash disk removal
#
type=single
ptype=regexp
pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%FILESYS-SP-STDBY-5-DEV:.*?PCMCIA flash card removed from (\S+)
desc=(WARNING) Flash card removed from $1 $2
action=pipe '%s' mail -s 'cisco event' root at example.com
# %OIR-SP-STDBY-6-CONSOLE
#
type=suppress
ptype=substr
pattern=%OIR-SP-STDBY-6-CONSOLE
desc=console access to route processor changed
# %OIR-SP-6-INSCARD: - card inserted
#
type=single
ptype=regexp
pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%OIR-SP-6-INSCARD: Card inserted in slot (\d+), (.*)
desc=(HARMLESS) card inserted in $1 slot $2 status:$3
action=pipe '%s' mail -s 'cisco event' root at example.com
# ----- process module events -----
# %DIAG-SP-3-TEST_FAIL - diagnostics failed on a module
#
type=single
ptype=regexp
pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%DIAG-SP-3-TEST_FAIL: Module (\d+): (.*)
desc=(WARNING) diagnostics failed for $1 module $2 detail:$3
action=pipe '%s' mail -s 'cisco event' root at example.com
# %SNMP-5-MODULETRAP
# Looks for a module down followed by module up event
#
type=pairWithWindow
ptype=regexp
pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%SNMP-5-MODULETRAP: Module (\d+) [Down] Trap
desc=(MINOR) $1 Module DOWN (not back up in a minute)
action=pipe '%s' mail -s 'cisco event' root at example.com
ptype2=regexp
pattern2=($1) .*? %SNMP-5-MODULETRAP: Module ($2) [Up] Trap
desc2=(WARNING) $1 Module $2 BOUNCE (down and back up within a minute)
action2=pipe '%s' mail -s 'cisco event' root at example.com
window=60
# ----- process irrelevant events (by suppressing) -----
# %SYS-SP-STDBY-5-RESTART - system restarted part of the boot - interesting?
#
type=suppress
ptype=substr
pattern=SYS-SP-STDBY-5-RESTART
desc=system restarted
# %DIAG-SP-6-TEST_RUNNING - Running system test
#
type=suppress
ptype=substr
pattern=%DIAG-SP-6-TEST_RUNNING
desc=running diagnostics on a module
# %FABRIC-SP-5-FABRIC_MODULE_BACKUP - module changed to backup state
#
type=suppress
ptype=substr
pattern=%FABRIC-SP-5-FABRIC_MODULE_BACKUP
desc=module became backup
# %DIAG-SP-6-RUN_MINIMUM - diagnostics are run
#
type=suppress
ptype=substr
pattern=%DIAG-SP-6-RUN_MINIMUM
desc=diagnostics running on switch
# %DIAG-SP-6-DIAG_OK - diagnostics results are OK
#
type=suppress
ptype=substr
pattern=%DIAG-SP-6-DIAG_OK
desc=diagnostics results are OK
# %PFREDUN-SP-STDBY-6-STANDBY - SSO events
#
type=suppress
ptype=substr
pattern=%PFREDUN-SP-STDBY-6-STANDBY
desc=SSO event (startup)
# %PFREDUN-SP-STDBY-6-STANDBY - SSO events
#
type=suppress
ptype=substr
pattern=%PFREDUN-SP-6-ACTIVE
desc=SSO event (startup)
# %FABRIC-SP-5-FABRIC_MODULE_BACKUP: - secondary sup is up and is secondary
#
type=suppress
ptype=substr
pattern=%FABRIC-SP-5-FABRIC_MODULE_BACKUP:
desc=secondary sup is up and is secondary
# %PFINIT-SP-5-CONFIG_SYNC - startup config on standby router sync
#
type=suppress
ptype=substr
pattern=%PFINIT-SP-5-CONFIG_SYNC
desc=startup config on standby router sync
# %C4K_REDUNDANCY - Cayt 4K configuration/vlan database succesful sync
# the success match is to allow fails in sync to not be suppress
#
type=suppress
ptype=regexp
pattern=%C4K_REDUNDANCY.*?success
desc=config sync with standby supervisor
# %SCP-SP-5-ASYNC_WATERMARK: SCP long queue wait
# the success match is to allow fails in sync to not be suppress
#
type=suppress
ptype=substr
pattern=%SCP-SP-5-ASYNC_WATERMARK:
desc=SCP control protocol pending queue is longer than notification threshold
# %MLS_RATE-4-DISABLING: - Layer2 Rate Limiters have been disabled. Is this interesting?
#
type=suppress
ptype=substr
pattern=%MLS_RATE-4-DISABLING:
desc=Layer2 Rate Limiters have been disabled
# ----- process native VLAN mismatch events -----
# %CDP-4-NATIVE_VLAN_MISMATCH: - native VLAN mismatch between switches, will repeat every minute until fixed
#
type=singleWithSuppress
ptype=regexp
pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on (\S+) \((\d+)\), with (\S+) (\S+) \((\d+)\)
desc=(MINOR) A native VLAN mistmatch reported between $1 interface $2 (native VLAN $3) and host $4 interface $5 (native VLAN $6)
action=pipe '%s' mail -s 'cisco event' root at example.com
window=60
# ----- process snmp trapblock messages -----
# %SNMP-3-TRAPBLOCK - A process tried to create a trap it is not entitled to create
# See Cisco http://www.cisco.com/cgi-bin/Support/Errordecoder/index.cgi?action=search&counter=0&paging=5&query=SNMP-3-TRAPBLOCK
#
type=suppress
ptype=substr
pattern=%SNMP-3-TRAPBLOCK
desc=a process tried to create a trap it is not entitled to create
# ----- process chassis alarm events -----
# %SNMP-5-CHASSISALARM - this rule handles the tmpAlarm
#
type=pairWithWindow
continue=takeNext
ptype=regexp
pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%SNMP-5-CHASSISALARM: Chassis Alarm Trap: tmpAlarm\(ON\)
desc=(MINOR) $1 temprature alarm signaled and not cleared in five minutes
action=pipe '%s' mail -s 'cisco event' root at example.com
continue2=takeNext
ptype2=regexp
pattern2=\d+:\d+:\d+.*?($1)\s+\d+:.*%SNMP-5-CHASSISALARM: Chassis Alarm Trap: tmpAlarm\(OFF\)
desc2=(WARNING) $1 temprature alarm went on and was cleared in under five minutes
action2=pipe '%s' mail -s 'cisco event' root at example.com
window=300
# %SNMP-5-CHASSISALARM - this rule handles the minorAlarm
#
type=pairWithWindow
continue=takeNext
ptype=regexp
pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%SNMP-5-CHASSISALARM: Chassis Alarm Trap: .*? minorAlarm\(ON\)
desc=(MINOR) $1 minor alarm reported and not cleared in three minutes
action=pipe '%s' mail -s 'cisco event' root at example.com
continue2=takeNext
desc2=(WARNING) $1 minor alarm went on and was cleared in under three minutes
ptype2=regexp
pattern2=\d+:\d+:\d+.*?($1)\s+\d+:.*?%SNMP-5-CHASSISALARM: Chassis Alarm Trap: .*? minorAlarm\(OFF\)
action2=pipe '%s' mail -s 'cisco event' root at example.com
window=180
# %SNMP-5-CHASSISALARM - this rule handles the majorAlarm
#
type=pairWithWindow
ptype=regexp
pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%SNMP-5-CHASSISALARM: Chassis Alarm Trap: .*? majorAlarm\(ON\)
desc=(MINOR) $1 major alarm signaled and not cleared in two minutes
action=pipe '%s' mail -s 'cisco event' root at example.com
ptype2=regexp
pattern2=\d+:\d+:\d+.*?($1)\s+\d+:.*?%SNMP-5-CHASSISALARM: Chassis Alarm Trap: .*? majorAlarm\(OFF\)
desc2=(WARNING) $1 major alarm went on and was cleared in under two minutes
action2=pipe '%s' mail -s 'cisco event' root at example.com
window=120
# ----- process power supply related events -----
# %C4K_IOSMODPORTMAN events - this one is about power supplies only
#
type=pairWithWindow
ptype=regexp
pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%C4K_IOSMODPORTMAN-4-POWERSUPPLYBAD: Power Supply (\d+) has failed or been turned off
desc=(MINOR) $1 power supply $2 reported bad and event not cleared in two minutes
action=pipe '%s' mail -s 'cisco event' root at example.com
ptype2=regexp
pattern2=($1) .*? %C4K_IOSMODPORTMAN-6-POWERSUPPLYGOOD: Power Supply ($2) is Okay
desc2=(WARNING) $1 power supply $2 alarm went on and was cleared in under two minutes
action2=pipe '%s' mail -s 'cisco event' root at example.com
window=120
# ----- process neighbor down and neighbor up events -----
# %DVMRP-5-NBRDOWN
#
type=pairWithWindow
ptype=regexp
pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%DVMRP-5-NBRDOWN: Neighbor (\S+) went down on (\S+)
desc=(MINOR) $1 lost DVMRP neighbor $2 on interface $3 and it did not come up in two minutes
action=pipe '%s' mail -s 'cisco event' root at example.com
ptype2=regexp
pattern2=($1) .*? %DVMRP-5-NBRUP: Neighbor ($2) is up on ($3)
desc2=(WARNING) $1 lost DVMRP neighbor $2 on interface $3 but id come up within two minutes
action2=pipe '%s' mail -s 'cisco event' root at example.com
window=120
# ----- process fan power supply failure/ok events -----
# %C6KENV-SP-4-PSFANF events - this one is about fan failures
#
type=pairWithWindow
ptype=regexp
pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%C6KENV-SP-4-PSFANFAILED: the fan in power supply (\d+) has failed
desc=(MINOR) $1 fan in power supply $2 was reported bad and event not cleared in two minutes
action=pipe '%s' mail -s 'cisco event' root at example.com
ptype2=regexp
pattern2=($1) .*? %C6KENV-SP-4-PSFANOK: the fan in power supply (\d+) is OK
desc2=(WARNING) $1 fan in power supply $2 alarm went on and was cleared in under two minutes
action2=pipe '%s' mail -s 'cisco event' root at example.com
window=120
# ----- process events that have not been matched by any of above rules -----
# Default match
# this rule will match anything not previously matched but allows only
# one notification per day for each new event class seen
#
type=singleWithSuppress
ptype=regexp
pattern=(%.*?:)
desc=$1
action=pipe '$0' mail -s 'cisco event' root at example.com
window=86400
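Review bot: in the %SNMP-5-MODULETRAP pair rule, `[Down]` in pattern and `[Up]` in pattern2 are regex character classes matching a single character from the set, not the literal bracketed words in the syslog line, so neither half of the rule will fire; they need to be `\[Down\]` and `\[Up\]`. The duplex mismatch pattern has `discovered on (not \S+)`, which requires the literal word "not" directly after "on", while desc treats that group as the local port name; the stray "not" looks like it belongs to the following parenthesised duplex text rather than to the interface group. The suppress rules for `%FABRIC-SP-5-FABRIC_MODULE_BACKUP` and `%PFINIT-SP-5-CONFIG_SYNC` each appear twice (the earlier substring match already stops those events), and the header comment on the second %PFREDUN rule still reads `%PFREDUN-SP-STDBY-6-STANDBY` although its pattern is `%PFREDUN-SP-6-ACTIVE`. Minor: the comment on the `%SCP-SP-5-ASYNC_WATERMARK` rule was copied from the C4K_REDUNDANCY rule and does not describe it, and "mistmatch", "temprature" and "Cayt" are typos in desc and comment text that end up in mail subjects.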
--- NEW FILE import.log ---
sec-2_5_2-1_fc11:HEAD:sec-2.5.2-1.fc11.src.rpm:1254555264
--- NEW FILE pix-general.sec ---
####################################################################
# SEC ruleset for Cisco PIX 6.x, 7.x, FWSM 2.x
#
# Copyright (C) 2003-2009 Colin Hudler
# This is free software. You may redistribute copies of it under the terms of
# the GNU General Public License version 2.
# There is NO WARRANTY, to the extent permitted by law.
####################################################################
# Process various events from PIX syslog output
#
# TODO -- A few FWSM log lines will not match.
# Setup our variables -- not the right way to do this? Needs tweaking for your log lines
type=Single
ptype=RegExp
pattern=^(.* [0-9].:[0-9].:[0-9].) (.*)\.yourdomain\.edu.*?%(PIX|FWSM)-[0-9]-.*?:(.*)
desc=PIXLOG $2^ $1 $4
action=event %s
# 106001
type=SingleWithThreshold
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Inbound TCP connection denied from (\d+.\d+.\d+.\d+\/\d+) to (\d+.\d+.\d+.\d+\/\d+).*
desc=PIX $1 TCP connection denid HAMMER $2 to $3
action=create ham1_$1; add ham1_$1 %t; add ham1_$1 %s;add ham1_$1 %s; add ham1_$1 $0; report ham1_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete ham1_$1
window=10
thresh=6
# 106006
type=SingleWithThreshold
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Connection denied by outbound list.*src (\d+.\d+.\d+.\d+) dest (\d+.\d+.\d+.\d+)
desc=PIX $1 denied by list HAMMER $2 to $3
action=create ham2_$1; add ham2_$1 %t; add ham2_$1 %s; add ham2_$1 $0; report ham2_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete ham2_$1
window=10
thresh=6
# 106007
type=SingleWithThreshold
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Deny inbound UDP from (\d+.\d+.\d+.\d+) to (\d+.\d+.\d+.\d+) due to DNS.*
desc=PIX $1 Denied inbound UDP HAMMER $2 to $3
action=create ham3_$1; add ham3_$1 %t; add ham3_$1 %s; add ham3_$1 $0; report ham3_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete ham3_$1
window=10
thresh=6
# 106010
type=SingleWithThreshold
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Deny inbound.*src.*:(\d+.\d+.\d+.\d+\/\d+) dst.*:(\d+.\d+.\d+.\d+\/\d+).*
desc=PIX $1 Denied inbound HAMMER $2 to $3
action=create ham4_$1; add ham4_$1 %t; add ham4_$1 %s; add ham4_$1 $0; report ham4_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete ham4_$1
window=10
thresh=6
# 106012
type=SingleWithThreshold
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Deny IP from (\d+.\d+.\d+.\d+) to (\d+.\d+.\d+.\d+), IP options.*
desc=PIX $1 Denied IP Options HAMMER $2 to $3
action=create ham5_$1; add ham5_$1 %t; add ham5_$1 %s; add ham5_$1 $0; report ham5_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete ham5_$1
window=10
thresh=6
# 106013
type=SingleWithThreshold
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Dropping echo request from (\d+.\d+.\d+.\d+) to PAT address
desc=PIX $1 Echo HAMMER $2 to PAT Address
action=create ham6_$1; add ham6_$1 %t; add ham6_$1 %s; add ham6_$1 $0; report ham6_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete ham6_$1
window=10
thresh=6
# 106014
type=SingleWithThreshold
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Deny inbound icmp src.*: (\d+.\d+.\d+.\d+) dst.*: (\d+.\d+.\d+.\d+)
desc=PIX $1 Deny inbound ICMP HAMMER $2 to $3
action=create ham9_$1; add ham9_$1 %t; add ham9_$1 %s; add ham9_$1 $0; report ham9_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete ham9_$1
window=10
thresh=6
# 106015
type=SingleWithThreshold
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Deny.*\(no connection\) from (\d+.\d+.\d+.\d+\/\d+) to (\d+.\d+.\d+.\d+\/\d+)
desc=PIX $1 Deny (no connection) HAMMER $2 to $3
action=create ham10_$1; add ham10_$1 %t; add ham10_$1 %s; add ham10_$1 $0; report ham10_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete ham10_$1
window=10
thresh=30
# 106016,106017,106020,106021,106022 is further down this list...
# 106018
type=SingleWithThreshold
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*ICMP packet type.*denied by outbound list.*src (\d+.\d+.\d+.\d+) dest (\d+.\d+.\d+.\d+)
desc=PIX $1 Deny ICMP type HAMMER $2 to $3
action=create ham11_$1; add ham11_$1 %t; add ham11_$1 %s; add ham11_$1 $0; report ham11_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete ham11_$1
window=10
thresh=6
# 106023
#Deny udp src outside:128.135.93.11/137 dst inside:128.135.211.65/137 by access-group "inward"
type=SingleWithThreshold
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Deny.*src.*:(\d+.\d+.\d+.\d+\/\d+) dst.*:(\d+.\d+.\d+.\d+\/\d+) by .*
desc=PIX $1 Deny by ACL HAMMER $2 to $3
action=create ham12_$1; add ham12_$1 %t; add ham12_$1 %s; add ham12_$1 $0; report ham12_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete ham12_$1
window=10
thresh=32
# This is broken... still fix? TODO
# 106001 -- Report
#type=SingleWithThreshold
#continue=takenext
#ptype=RegExp
#pattern=^PIXLOG (\S+)\^ .*(Inbound TCP connection denied from (\d+.\d+.\d+.\d+\/\d+) to (\d+.\d+.\d+.\d+\/\d+).*)|\
#(Connection denied by outbound list.*src (\d+.\d+.\d+.\d+) dest (\d+.\d+.\d+.\d+))|\
#(Deny inbound UDP from (\d+.\d+.\d+.\d+) to (\d+.\d+.\d+.\d+) due to DNS)|\
#(Deny inbound.*src.*:(\d+.\d+.\d+.\d+\/\d+) dst.*:(\d+.\d+.\d+.\d+\/\d+))|\
#(Deny IP from (\d+.\d+.\d+.\d+) to (\d+.\d+.\d+.\d+), IP options)|\
#(Dropping echo request from (\d+.\d+.\d+.\d+) to PAT address)|\
#(Deny inbound icmp src.*: (\d+.\d+.\d+.\d+) dst.*: (\d+.\d+.\d+.\d+))|\
#(Deny.*\(no connection\) from (\d+.\d+.\d+.\d+\/\d+) to (\d+.\d+.\d+.\d+\/\d+))|\
#(ICMP packet type.*denied by outbound list.*src (\d+.\d+.\d+.\d+) dest (\d+.\d+.\d+.\d+))|\
#(Deny.*src.*:(\d+.\d+.\d+.\d+\/\d+) dst.*:(\d+.\d+.\d+.\d+\/\d+) by )
#desc=PIX Conn Denied 10 times from $2
#action=create rpt_$1; add rpt_$1 %t; add rpt_$1 %s;add rpt_$1 %s; add rpt_$1 $0; report rpt_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete rpt_$1
#window=10
#thresh=30
# 101002
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Bad failover cable.
desc=PIX $1 Bad Failover Cable
action=create bfc_$1; add bfc_$1 %t; add bfc_$1 %s; add bfc_$1 $0; report bfc_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete bfc_$1
# 101003/4
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Failover cable not connected
desc=PIX $1 Failover cable gone
action=create nfc_$1; add nfc_$1 %t; add nfc_$1 %s; add nfc_$1 $0; report nfc_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete nfc_$1
# 101005
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Error reading failover cable status
desc=PIX $1 Failover cable ERROR
action=create fce_$1; add fce_$1 %t; add fce_$1 %s; add fce_$1 $0; report fce_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete fce_$1
# 102001
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Power failure/System reload
desc=PIX $1 Peer Lost Power
action=create fpp_$1; add fpp_$1 %t; add fpp_$1 %s; add fpp_$1 $0; report fpp_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete fpp_$1
# 103001
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*No response from other firewall
desc=PIX $1 Peer Gone Away
action=create fnp_$1; add fnp_$1 %t; add fnp_$1 %s; add fnp_$1 $0; report fnp_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete fnp_$1
# 103003
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Other firewall network interface (\S+) failed
desc=PIX $1 Peer interface $2 died
action=create fpi_$1; add fpi_$1 %t; add fpi_$1 %s; add fpi_$1 $0; report fpi_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete fpi_$1
# 103004
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Other firewall reports this firewall failed
desc=PIX $1 Peer says I failed
action=create fif_$1; add fif_$1 %t; add fif_$1 %s; add fif_$1 $0; report fif_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete fif_$1
# 103005
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Other firewall reporting failure
desc=PIX $1 Peer reports failure
action=create fpf_$1; add fpf_$1 %t; add fpf_$1 %s; add fpf_$1 $0; report fpf_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete fpf_$1
# 104001
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*(Primary|Secondary) Switching to ACTIVE \(cause: (.*)\)
desc=PIX $1 FAILOVER! $2 Becoming ACTIVE because $3
action=create fba_$1; add fba_$1 %t; add fba_$1 %s; add fba_$1 $0; report fba_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete fba_$1
# 104002
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*(Primary|Secondary) Switching to STNDBY \(cause: (.*)\)
desc=PIX $1 FAILOVER! $2 Becoming STNDBY because $3
action=create fbs_$1; add fbs_$1 %t; add fbs_$1 %s; add fbs_$1 $0; report fbs_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete fbs_$1
# 104003
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Switching to FAILED
desc=PIX $1 IN FAILED STATE!
action=create ffs_$1; add ffs_$1 %t; add ffs_$1 %s; add ffs_$1 $0; report ffs_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete ffs_$1
# 104004
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Switching to OK.
desc=PIX $1 Failed Unit is ok
action=create ffs_$1; add ffs_$1 %t; add ffs_$1 %s; add ffs_$1 $0; report ffs_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete ffs_$1
# 105005
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Lost Failover communications with mate on interface
desc=PIX $1 Peer Gone Away
action=create fnp_$1; add fnp_$1 %t; add fnp_$1 %s; add fnp_$1 $0; report fnp_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete fnp_$1
# 105007
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Link status \'Down\' on interface (\S+).*
desc=PIX $1 interface $2 is DOWN
action=create ind_$1; add ind_$1 %t; add ind_$1 %s; add ind_$1 $0; report ind_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete ind_$1
# 105011
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Failover cable communication failure
desc=PIX $1 Failover cable failed
action=create fcf_$1; add fcf_$1 %t; add fcf_$1 %s; add fcf_$1 $0; report fcf_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete fcf_$1
# 105021
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Standby unit failed to sync due to a locked (\S+) config. Lock held by (\S+)
desc=PIX $1 Failover Sync failed because $2 is locked by $3
action=create lck_$1; add lck_$1 %t; add lck_$1 %s; add lck_$1 $0; report lck_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete lck_$1
# 10532
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*LAN Failover interface is down
desc=PIX $1 Failover interface is down
action=create fin_$1; add fin_$1 %t; add fin_$1 %s; add fin_$1 $0; report fin_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete fin_$1
# 10535
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Receive a LAN failover interface down msg from peer.
desc=PIX $1 Failover Peer reports LAN interface down
action=create fin_$1; add fin_$1 %t; add fin_$1 %s; add fin_$1 $0; report fin_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete fin_$1
# 10536
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*dropped a LAN Failover command message.
desc=PIX $1 Failover Dropped a LAN packet
action=create fdr_$1; add fdr_$1 %t; add fdr_$1 %s; add fdr_$1 $0; report fdr_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete fdr_$1
# 10537
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*The primary and standby units are switching back
desc=PIX $1 Failover: primary and standby units are switching back
action=create fsw_$1; add fsw_$1 %t; add fsw_$1 %s; add fsw_$1 $0; report fsw_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete fsw_$1
# 10543
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Failover interface failed
desc=PIX $1 Failover LAN Interface is down!
action=create fin_$1; add fin_$1 %t; add fin_$1 %s; add fin_$1 $0; report fin_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete fin_$1
# messages from 106001 moved to top
# 106011
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Deny inbound \(No xlate\).*
desc=PIX $1 Same-Side Traffic Attack
action=create sst_$1; add sst_$1 %t; add sst_$1 %s; add sst_$1 $0; report sst_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete sst_$1
# 106016
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Deny IP spoof from (\d+.\d+.\d+.\d+) to (\d+.\d+.\d+.\d+) on interface
desc=PIX $1 IP Spoof from $2 to $3
action=create spf_$1; add spf_$1 %t; add spf_$1 %s; add spf_$1 $0; report spf_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete spf_$1
# 106017
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Deny IP due to Land Attack from (\d+.\d+.\d+.\d+) to (\d+.\d+.\d+.\d+)
desc=PIX $1 IP LAND Attack
action=create lnd_$1; add lnd_$1 %t; add lnd_$1 %s; add lnd_$1 $0; report lnd_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete lnd_$1
# 106020
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Deny IP teardrop fragment.*from (\d+.\d+.\d+.\d+) to (\d+.\d+.\d+.\d+)
desc=PIX $1 Teardrop Attack
action=create tdr_$1; add tdr_$1 %t; add tdr_$1 %s; add tdr_$1 $0; report tdr_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete tdr_$1
# 106021
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Deny.*reverse path check from (\d+.\d+.\d+.\d+) to (\d+.\d+.\d+.\d+).*
desc=PIX $1 Reverse Path Check Attack from $2 to $3
action=create rpc_$1; add rpc_$1 %t; add rpc_$1 %s; add rpc_$1 $0; report rpc_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete rpc_$1
# 106022
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Deny.*connection spoof from (\d+.\d+.\d+.\d+) to (\d+.\d+.\d+.\d+).*
desc=PIX $1 Connection Spoof Attack from $2 to $3
action=create spf_$1; add spf_$1 %t; add spf_$1 %s; add spf_$1 $0; report spf_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete spf_$1
# 106024
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Access rules memory exhausted
desc=PIX $1 Out of ACL Memory!
action=create ame_$1; add ame_$1 %t; add ame_$1 %s; add ame_$1 $0; report ame_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete ame_$1
# 106025/6
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Failed to determine the security context for the packet:(\S+):(\d+.\d+.\d+.\d+) (\d+.\d+.\d+.\d+) (\d+) (\d+).*
desc=PIX $1 failed getting context for vlan $2 $3:$4 to $5:$6
action=create ctx_$1; add ctx_$1 %t; add ctx_$1 %s; add ctx_$1 $0; report ctx_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete ctx_$1
# 107001
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*RIP auth failed from (\d+.\d+.\d+.\d+).*
desc=PIX $1 RIP Auth Attack from $2
action=create rip_$1; add rip_$1 %t; add rip_$1 %s; add rip_$1 $0; report rip_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete rip_$1
# 107002
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*RIP pkt failed from (\d+.\d+.\d+.\d+).*
desc=PIX $1 Invalid RIP Packet from $2
action=create rpk_$1; add rpk_$1 %t; add rpk_$1 %s; add rpk_$1 $0; report rpk_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete rpk_$1
# 109003
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Auth from (\d+.\d+.\d+.\d+) to (\d+.\d+.\d+.\d+\/\d+) failed \(all servers failed\).*
desc=PIX $1 All AAA Failed from $2 to $3
action=create aaa_$1; add aaa_$1 %t; add aaa_$1 %s; add aaa_$1 $0; report aaa_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete aaa_$1
# 109006/8
type=SingleWithThreshold
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*(Authentication|Authorization) (failed|denied) for user \'(\S+)\' from (\d+.\d+.\d+.\d+\/\d+) to (\d+.\d+.\d+.\d+\/\d+)
desc=PIX $1 Auth Guessing Attack by $4 from $5 to $6
action=create brt_$1; add brt_$1 %t; add brt_$1 %s; add brt_$1 $0; report brt_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete brt_$1
window=10
thresh=6
# 109010
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Auth from (\d+.\d+.\d+.\d+\/\d+) to (\d+.\d+.\d+.\d+\/\d+) failed \(too many pending auths\).*
desc=PIX $1 Max Auths Reached for $2 to $3
action=create mth_$1; add mth_$1 %t; add mth_$1 %s; add mth_$1 $0; report mth_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete mth_$1
# 109017
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*User at (\d+.\d+.\d+.\d+) exceeded auth proxy connection
desc=PIX $1 $2 has opened too many proxy conns
action=create pcn_$1; add pcn_$1 %t; add pcn_$1 %s; add pcn_$1 $0; report pcn_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete pcn_$1
# 109024
type=SingleWithThreshold
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Authorization denied.*for user \'(\S+)\' from (\d+.\d+.\d+.\d+\/\d+) to (\d+.\d+.\d+.\d+\/\d+)
desc=PIX $1 Authorization Denied HAMMER $2 from $3 to $4
action=create uhm_$1; add uhm_$1 %t; add uhm_$1 %s; add uhm_$1 $0; report uhm_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete uhm_$1
window=10
thresh=6
# 109025
type=SingleWithThreshold
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Authorization denied \(acl=.*\) for user \'(\S+)\' from (\d+.\d+.\d+.\d+\/\d+) to (\d+.\d+.\d+.\d+\/\d+) on interface.*
desc=PIX $1 Authorization Denied HAMMER $2 from $3 to $4
action=create uhm_$1; add uhm_$1 %t; add uhm_$1 %s; add uhm_$1 $0; report uhm_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete uhm_$1
window=10
thresh=6
# 111001
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Begin configuration: (\d+.\d+.\d+.\d+) writing to (\S+)
desc=PIX $1 Config saved to $3 by $2
action=create sav_$1; add sav_$1 %t; add sav_$1 %s; add sav_$1 $0; report sav_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete sav_$1
# 111002
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Begin configuration: (\d+.\d+.\d+.\d+) reading from (\S+)
desc=PIX $1 Config read from $3 by $2
action=create sav_$1; add sav_$1 %t; add sav_$1 %s; add sav_$1 $0; report sav_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete sav_$1
# 111003
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*(\d+.\d+.\d+.\d+) Erase configuration
desc=PIX $1 WRITE ERASE WAS ISSUED $2
action=create ers_$1; add ers_$1 %t; add ers_$1 %s; add ers_$1 $0; report ers_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete ers_$1
# 111004
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*(\d+.\d+.\d+.\d+) end configuration: \[FAILED\]
desc=PIX $1 FAILED CONFIGURING $2
action=create cff_$1; add cff_$1 %t; add cff_$1 %s; add cff_$1 $0; report cff_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete cff_$1
# 111008
type=Single
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*User \'(\S+)\' executed the command (.*)
desc=PIX $1 $2 executed: $3
action=add CMD_REPORT $2 : $3
#create cff_$1; add cff_$1 %t; add cff_$1 %s; add cff_$1 $0; report cff_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete cff_$1
# FIXME -- Add syslog number
# FSWM Style
type=Single
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*User \'(\S+)\' executed the \'(.*)\' command.*
desc=PIX $1 $2 executed: $3
action=add CMD_REPORT $2 : $3
#action=create cff_$1; add cff_$1 %t; add cff_$1 %s; add cff_$1 $0; report cff_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete cff_$1
# 111008
type=Single
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*User (\S+) executed cmd:(.*)
desc=PIX $1 $2 executed: $3
action=add CMD_REPORT $2 : $3
#action=create cff_$1; add cff_$1 %t; add cff_$1 %s; add cff_$1 $0; report cff_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete cff_$1
# 113001
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Unable to open AAA session. Session limit
desc=PIX $1 AAA Reached session limit
action=create cff_$1; add cff_$1 %t; add cff_$1 %s; add cff_$1 $0; report cff_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete cff_$1
# 113005
type=SingleWithThreshold
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*AAA user authentication Rejected: reason = (.*) server = .* User = (\S+).*
desc=PIX $1 IPSEC: User Auth Attack: $2 for $3
action=create cff_$1; add cff_$1 %t; add cff_$1 %s; add cff_$1 $0; report cff_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete cff_$1
window=10
thresh=6
# 113006
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*User (\S+) locked out on exceeding number successive failed authentication attempts
desc=PIX $1 User Locked out: $2
action=create cff_$1; add cff_$1 %t; add cff_$1 %s; add cff_$1 $0; report cff_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete cff_$1
# 113020
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Kerberos error : Clock skew with server (\d+.\d+.\d+.\d+).*
desc=PIX $1 Kerberos clock skew with server $2
action=create cff_$1; add cff_$1 %t; add cff_$1 %s; add cff_$1 $0; report cff_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete cff_$1
# Might be only 6.x
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Console Login from user at (\d+.\d+.\d+.\d+)
desc=PIX $1 Console Login from $2
action=create con_$1; add con_$1 %t; add con_$1 %s; add con_$1 $0; report con_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete con_$1
# 112001
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*clear (finished|complete)\.
desc=PIX $1 Clear Command Executed
action=create clr_$1; add clr_$1 %t; add clr_$1 %s; add clr_$1 $0; report clr_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete clr_$1
# 199002
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*[rR]eload command executed from.*(\d+.\d+.\d+.\d+)
desc=PIX $1 Reloaded by $2
action=create rld_$1; add rld_$1 %t; add rld_$1 %s; add rld_$1 $0; report rld_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete rld_$1
# 199002
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Orderly reload started at.*by (\S+). Reload.*
desc=PIX $1 Reloaded by $2
action=create rld_$1; add rld_$1 %t; add rld_$1 %s; add rld_$1 $0; report rld_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete rld_$1
# 201002
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+).*Too many.*connections on (static|xlate) (\d+.\d+.\d+.\d+)
desc=PIX $1 Max Embryonics to $3 (not attack)
action=create max_$1; add max_$1 %t; add max_$1 %s; add max_$1 $0; report max_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete max_$1
# 201003
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Embryonic limit exceeded.*for (\d+.\d+.\d+.\d+\/\d+) \((\d+.\d+.\d+.\d+)\) (\d+.\d+.\d+.\d+\/\d+)
desc=PIX $1 Max Embryonics from $2 to $3 ($4) Attack
action=create emb_$1; add emb_$1 %t; add emb_$1 %s; add emb_$1 $0; report emb_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete emb_$1
# 201008
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*The PIX is disallowing new connections.
desc=PIX $1 No longer allowing connections!
action=create stp_$1; add stp_$1 %t; add stp_$1 %s; add stp_$1 $0; report stp_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete stp_$1
# 202001
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Out of address translation slots!
desc=PIX $1 Out of NAT Slots
action=create nnt_$1; add nnt_$1 %t; add nnt_$1 %s; add nnt_$1 $0; report nnt_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete nnt_$1
# 209003
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Fragment database limit of.*exceeded: src = (\d+.\d+.\d+.\d+), dest = (\d+.\d+.\d+.\d+).*
desc=PIX $1 No room to assemble more frags from $2 to $3
action=create frg_$1; add frg_$1 %t; add frg_$1 %s; add frg_$1 $0; report frg_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete frg_$1
# 209004
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Invalid IP fragment, size =.*exceeds maximum size =.*src = (\d+.\d+.\d+.\d+), dest = (\d+.\d+.\d+.\d+).*
desc=PIX $1 Frag is invalid from $2 to $3
action=create lrg_$1; add lrg_$1 %t; add lrg_$1 %s; add lrg_$1 $0; report lrg_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete lrg_$1
# 209005
# FIXME -- Cisco log message doesn't match this
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Discard IP fragment set with more than.*elements:src = (\d+.\d+.\d+.\d+), dest = (\d+.\d+.\d+.\d+).*
desc=PIX $1 Too many frags from $2 to $3
action=create mfr_$1; add mfr_$1 %t; add mfr_$1 %s; add mfr_$1 $0; report mfr_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete mfr_$1
# 210002
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*LU allocate block .* failed.
desc=PIX $1 Failover Block Allocation Failed
action=create fba_$1; add fba_$1 %t; add fba_$1 %s; add fba_$1 $0; report fba_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete fba_$1
# 210005
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*LU allocate connection failed
desc=PIX $1 Failover Connection Failed
action=create fcf_$1; add fcf_$1 %t; add fcf_$1 %s; add fcf_$1 $0; report fcf_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete fcf_$1
# 210003
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Unknown LU Object.*
desc=PIX $1 Failover: Unknown LU Object
action=create ulu_$1; add ulu_$1 %t; add ulu_$1 %s; add ulu_$1 $0; report ulu_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete ulu_$1
# 210006
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*LU look NAT for (\d+.\d+.\d+.\d+) failed
desc=PIX $1 Failover NAT Sync failed for $2
action=create fns_$1; add fns_$1 %t; add fns_$1 %s; add fns_$1 $0; report fns_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete fns_$1
# 210007
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*LU allocate xlate failed
desc=PIX $1 Failover xlate Sync Failed
action=create fxs_$1; add fxs_$1 %t; add fxs_$1 %s; add fxs_$1 $0; report fxs_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete fxs_$1
# 210008
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*LU no xlate for (\d+.\d+.\d+.\d+\/\d+) (\d+.\d+.\d+.\d+\/\d+)
desc=PIX $1 Failover xlate Sync Failure for $2 to $3
action=create fxs_$1; add fxs_$1 %t; add fxs_$1 %s; add fxs_$1 $0; report fxs_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete fxs_$1
# 210010
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*LU make UDP connection for (\d+.\d+.\d+.\d+:\d+) (\d+.\d+.\d+.\d+:\d+) failed
desc=PIX $1 Failover UDP Conn sync failure for $2 to $3
action=create fus_$1; add fus_$1 %t; add fus_$1 %s; add fus_$1 $0; report fus_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete fus_$1
# 210020
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*LU PAT port (\d+) reserve failed
desc=PIX $1 Failover PAT Sync for $2 failed
action=create fps_$1; add fps_$1 %t; add fps_$1 %s; add fps_$1 $0; report fps_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete fps_$1
# 210021
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*LU create static xlate (\d+.\d+.\d+.\d+).*failed
desc=PIX $1 Failover Static xlate failed for $2
action=create fxf_$1; add fxf_$1 %t; add fxf_$1 %s; add fxf_$1 $0; report fxf_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete fxf_$1
# 210022
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*LU missed (\d+) updates
desc=PIX $1 Failover Sync failed for $2 updates
action=create fsf_$1; add fsf_$1 %t; add fsf_$1 %s; add fsf_$1 $0; report fsf_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete fsf_$1
# 211001
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Memory allocation Error
desc=PIX $1 Memory allocation Error!
action=create mae_$1; add mae_$1 %t; add mae_$1 %s; add mae_$1 $0; report mae_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete mae_$1
# 211003
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*CPU utilization for (\d+) seconds = (.*)
desc=PIX $1 CPU high ($3) for $2 secs
action=create cpu_$1; add cpu_$1 %t; add cpu_$1 %s; add cpu_$1 $0; report cpu_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete cpu_$1
# 211003
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Dropping SNMP request from (\d+.\d+.\d+.\d+\/\d+) to.*:(\d+.\d+.\d+.\d+\/\d+).*
desc=PIX $1 SNMP Attempt from $2 to $3
action=create snp_$1; add snp_$1 %t; add snp_$1 %s; add snp_$1 $0; report snp_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete snp_$1
# 213001
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*PPTP control daemon socket io.*errno = (\d+)
desc=PIX $1 PPTP Error $2
action=create ppt_$1; add ppt_$1 %t; add ppt_$1 %s; add ppt_$1 $0; report ppt_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete ppt_$1
# 213002
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*PPTP tunnel hashtable insert failed, peer = (\d+.\d+.\d+.\d+)
desc=PIX $1 PPTP hash table insert failed for $2
action=create pht_$1; add pht_$1 %t; add pht_$1 %s; add pht_$1 $0; report pht_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete pht_$1
# 213003
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*PPP virtual interface (\S+) isn't opened.
desc=PIX $1 PPP Virtual Int $2 isn't opened
action=create ppp_$1; add ppp_$1 %t; add ppp_$1 %s; add ppp_$1 $0; report ppp_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete ppp_$1
# 213004
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*PPP virtual interface (\S+) client ip allocation failed.
desc=PIX $1 PPP Virtual interface $2 failure (pool depleted)
action=create ppl_$1; add ppl_$1 %t; add ppl_$1 %s; add ppl_$1 $0; report ppl_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete ppl_$1
#
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Denied Telnet login session from (\d+.\d+.\d+.\d+) on interface (\S+).
desc=PIX $1 Denied Telnet from $2 ($3) !!
action=create tel_$1; add tel_$1 %t; add tel_$1 %s; add tel_$1 $0; report tel_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete tel_$1
#
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Permitted Telnet login session from (\d+.\d+.\d+.\d+)
desc=PIX $1 Permitted Telnet from $2 !
action=create tel_$1; add tel_$1 %t; add tel_$1 %s; add tel_$1 $0; report tel_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete tel_$1
#
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*telnet login session failed from (\d+.\d+.\d+.\d+).*
desc=PIX $1 Telnet login guessing attack
action=create tel_$1; add tel_$1 %t; add tel_$1 %s; add tel_$1 $0; report tel_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete tel_$1
# 308001
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*PIX console enable password incorrect for (\d+) tries \(from (\d+.\d+.\d+.\d+)\).
desc=PIX $1 Many Enable Password failures for $3
action=create enb_$1; add enb_$1 %t; add enb_$1 %s; add enb_$1 $0; report enb_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete enb_$1
# 315011
type=SingleWithThreshold
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*SSH session from (\d+.\d+.\d+.\d+) on interface.*for user (\S+) disconnected by SSH server, reason:.*
desc=PIX $1 SSH Auth Attack from $2 ($3)
action=create ssh_$1; add ssh_$1 %t; add ssh_$1 %s; add ssh_$1 $0; report ssh_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete ssh_$1
window=10
thresh=6
#
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Denied manager connection from (\d+.\d+.\d+.\d+).
desc=PIX $1 Denied Manager from $2
action=create nmg_$1; add nmg_$1 %t; add nmg_$1 %s; add nmg_$1 $0; report nmg_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete nmg_$1
# FIXME -- Add log code FWSM
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Denied SSH session from (\d+.\d+.\d+.\d+) on interface.*
desc=PIX $1 Denied SSH from $2
action=create ssh_$1; add ssh_$1 %t; add ssh_$1 %s; add ssh_$1 $0; report ssh_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete ssh_$1
#
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Permitted manager connection from (\d+.\d+.\d+.\d+).
desc=PIX $1 Allowed Manager from $2
action=create ymg_$1; add ymg_$1 %t; add ymg_$1 %s; add ymg_$1 $0; report ymg_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete ymg_$1
# FIXME
# SET \d+.\d+.\d+.\d+ TO ! 128.135.0.x
#type=Single
#continue=takenext
#ptype=RegExp
#pattern=^PIXLOG (\S+)\^ .*Permitted SSH session from (\d+.\d+.\d+.\d+) on interface.*for user "user_id"
#desc=PIX $1 Permitted ssh $3 from $2
#action=create fsh_$1; add fsh_$1 %t; add fsh_$1 %s; add fsh_$1 $0; report fsh_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete fsh_$1
#
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*SSH login session failed from (\d+.\d+.\d+.\d+) on \((\d+) attempts\) on interface.*by user "(\S+)"
desc=PIX $1 SSH $3 Failures from $2 by $4
action=create lsh_$1; add lsh_$1 %t; add lsh_$1 %s; add lsh_$1 $0; report lsh_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete lsh_$1
# 402101
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*decaps: rec\'d IPSEC packet has invalid spi for destaddr=(\d+.\d+.\d+.\d+).*
desc=PIX $1 IPSEC: Invalid SPI in packet from $2 (possible attack)
action=create spi_$1; add spi_$1 %t; add spi_$1 %s; add spi_$1 $0; report spi_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete spi_$1
# 402101
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*decapsulate: packet missing (.*), destadr=(\d+.\d+.\d+.\d+)
desc=PIX $1 IPSEC: Packet to $3 did not have type $2 (possible attack)
action=create itp_$1; add itp_$1 %t; add itp_$1 %s; add itp_$1 $0; report itp_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete itp_$1
# 402103
# FIXME -- This is messy
#type=Single
#continue=takenext
#ptype=RegExp
#pattern=^PIXLOG (\S+)\^ .*dentity doesn't match negotiated identity \((ip)\) dest_addr= (\d+.\d+.\d+.\d+), src_addr= (\d+.\d+.\d+.\d+), prot= protocol, \((ident)\) local=(\d+.\d+.\d+.\d+), remote=(\d+.\d+.\d+.\d+), local_proxy=(\d+.\d+.\d+.\d+/\d+.\d+.\d+.\d+/port/port), remote_proxy=(\d+.\d+.\d+.\d+/\d+.\d+.\d+.\d+/port/port)
#desc=PIX $1 IPSEC: Peer $2 is attempting to send other packets through us $3 $4 $5 $6 $7
#action=create per_$1; add per_$1 %t; add per_$1 %s; add per_$1 $0; report per_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete per_$1
# 402115
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Received a packet from (\d+.\d+.\d+.\d+) to (\d+.\d+.\d+.\d+) containing.*data instead of.*data.
desc=PIX $1 IPSEC: packet from $2 to $3 doesn't match negotiated proto
action=create ipx_$1; add ipx_$1 %t; add ipx_$1 %s; add ipx_$1 $0; report ipx_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete ipx_$1
# 402115
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Received an.*packet.*from (\d+.\d+.\d+.\d+).*to (\d+.\d+.\d+.\d+).*The decapsulated inner packet doesn't match the negotiated policy in the SA
desc=PIX $1 IPSEC: packet from $2 to $3 is encapsulated with unexpected data.
action=create enc_$1; add enc_$1 %t; add enc_$1 %s; add enc_$1 $0; report enc_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete enc_$1
# 402118
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Received an.*packet.*from (\d+.\d+.\d+.\d+).*to (\d+.\d+.\d+.\d+) containing an illegal IP fragment.*
desc=PIX $1 IPSEC: packet from $2 to $3 has invalid fragment
action=create enc_$1; add enc_$1 %t; add enc_$1 %s; add enc_$1 $0; report enc_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete enc_$1
# 403103
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*PPP virtual interface max connections reached.
desc=PIX $1 PPP interfaces exhausted
action=create pie_$1; add pie_$1 %t; add pie_$1 %s; add pie_$1 $0; report pie_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete pie_$1
# 403109
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Rec\'d packet not an PPTP packet. \(.*\) dest_addr= (\d+.\d+.\d+.\d+), src_addr= (\d+.\d+.\d+.\d+).*
desc=PIX $1 Spoofed PPTP Packet from $3 to $2
action=create spp_$1; add spp_$1 %t; add spp_$1 %s; add spp_$1 $0; report spp_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete spp_$1
# 404101
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*ISAKMP: Failed to allocate address for client from pool (\S+)
desc=PIX $1 IPSEC: Failed to allocate addr from $2
action=create faa_$1; add faa_$1 %t; add faa_$1 %s; add faa_$1 $0; report faa_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete faa_$1
# 405001
#type=Single
#continue=takenext
#ptype=RegExp
#pattern=PIXLOG (\S+)\^ .*Received ARP.*collision from (\d+.\d+.\d+.\d+\/....\.....\.....) on.*
#desc=PIX $1 ARP Collision: $2
#action=create mac_$1; add mac_$1 %t; add mac_$1 %s;add mac_$1 %s; add mac_$1 $0; report mac_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete mac_$1
#
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Configuration replication failed for command (\S+)
desc=PIX $1 Failover replication command $2 failed
action=create rcf_$1; add rcf_$1 %t; add rcf_$1 %s; add rcf_$1 $0; report rcf_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete rcf_$1
# 709001
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*FO replication failed: cmd=(.*) returned=.*
desc=PIX $1 Failover: Command replication failed for Peer: $2
action=create rcf_$1; add rcf_$1 %t; add rcf_$1 %s; add rcf_$1 $0; report rcf_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete rcf_$1
# 316001
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Denied new tunnel to (\d+.\d+.\d+.\d+). VPN peer limit.*exceeded.*
desc=PIX $1 VPN Peer limit exceeded for $2
action=create plm_$1; add plm_$1 %t; add plm_$1 %s; add plm_$1 $0; report plm_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete plm_$1
# 317003
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*IP routing table creation failure - (.*)
desc=PIX $1 Route table Error: $2
action=create rte_$1; add rte_$1 %t; add rte_$1 %s; add rte_$1 $0; report rte_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete rte_$1
# 317004
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*IP routing table limit warning
desc=PIX $1 Routing table limit reached
action=create rtl_$1; add rtl_$1 %t; add rtl_$1 %s; add rtl_$1 $0; report rtl_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete rtl_$1
# 317005
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*IP routing table limit exceeded - (.*), (\d+.\d+.\d+.\d+).*
desc=PIX $1 Route table limit breached by $3: $2
action=create rtb_$1; add rtb_$1 %t; add rtb_$1 %s; add rtb_$1 $0; report rtb_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete rtb_$1
# 323005
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Module in slot (\S+) can not be powered on completely
desc=PIX $1 Slot $2 will not power on
action=create slp_$1; add slp_$1 %t; add slp_$1 %s; add slp_$1 $0; report slp_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete slp_$1
# 411002
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Line protocol on interface (\S+) changed state to down
desc=PIX $1 Interface $2 is DOWN!
action=create lpd_$1; add lpd_$1 %t; add lpd_$1 %s; add lpd_$1 $0; report lpd_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete lpd_$1
# 412002
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Detected bridge table full while inserting MAC (....\.....\.....) on interface .*
desc=PIX $1 MAC Address table is FULL!
action=create brf_$1; add brf_$1 %t; add brf_$1 %s; add brf_$1 $0; report brf_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete brf_$1
# 505001
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Module in slot (\S+) is shutting down. Please.*
desc=PIX $1 Slot $2 is shutting down!
action=create sht_$1; add sht_$1 %t; add sht_$1 %s; add sht_$1 $0; report sht_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete sht_$1
# 505002
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Module in slot (\S+) is reloading. Please.*
desc=PIX $1 Slot $2 is reloading!
action=create rld_$1; add rld_$1 %t; add rld_$1 %s; add rld_$1 $0; report rld_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete rld_$1
# 605004
type=SingleWithThreshold
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Login denied from (.*) to (.*) for user "(\S+)"
desc=PIX $1 Auth Attack from $2 to $3 ($4)
action=create ath_$1; add ath_$1 %t; add ath_$1 %s; add ath_$1 $0; report ath_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete ath_$1
window=10
thresh=6
# 611102
type=SingleWithThreshold
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*User authentication failed: Uname: (\S+)
desc=PIX $1 Auth Attack from $2
action=create ath_$1; add ath_$1 %t; add ath_$1 %s; add ath_$1 $0; report ath_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete ath_$1
window=10
thresh=6
# 615002
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*vlan number not available for firewall interface
desc=PIX $1 VLAN Error for FWSM
action=create vln_$1; add vln_$1 %t; add vln_$1 %s; add vln_$1 $0; report vln_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete vln_$1
#
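The listing above is a long run of regexes whose captures feed `report ... /bin/mailx -s "..."` actions, which SEC executes through the shell. The three things worth checking before loading such a file are whether each rule still matches a real line, whether every `$N` it references exists in its pattern, and whether a captured field can carry characters the shell will interpret. The following Python linter is an added example, not part of the sec package or of this commit: it parses rules in this format, dry-runs them over constructed `PIXLOG` lines and flags those defects. The rule excerpt inside it is constructed in the style of the ruleset above (a doubled `pattern==`, a mismatched context name and a `$1` without a capturing group are seeded deliberately), the log lines are constructed, and `user@example.com` is a placeholder.

```python
import re

# Constructed excerpt in the style of the PIX ruleset above, NOT the packaged file:
# rule 1 carries a doubled '=' on purpose, rule 3 mixes two context names in its
# action, and rule 4 references $1 although its pattern has no capturing group.
RULESET = r'''
type=Single
ptype=RegExp
pattern==^PIXLOG (\S+)\^ .*Denied SSH session from (\d+.\d+.\d+.\d+) on interface.*
desc=PIX $1 Denied SSH from $2
action=create ssh_$1; add ssh_$1 $0; report ssh_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete ssh_$1
type=SingleWithThreshold
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Login denied from (.*) to (.*) for user "(\S+)"
desc=PIX $1 Auth Attack from $2 to $3 ($4)
action=create ath_$1; add ath_$1 $0; report ath_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete ath_$1
window=10
thresh=6
type=Single
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Line protocol on interface (\S+) changed state to down
desc=PIX $1 Interface $2 is DOWN!
action=create lpd_$1; add ldp_$1 %t; add lpd_$1 $0; report lpd_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete lpd_$1
type=Single
ptype=RegExp
pattern=PIX-.-211003
desc=HIGH CPU Utilization
action=create fwcmd_$1; add fwcmd_$1 $0; report fwcmd_$1 /bin/mail -s "%s" email01@example.com; delete fwcmd_$1
'''

# Constructed log lines in the "PIXLOG <host>^ <message>" form the patterns expect;
# the backtick-wrapped user name only exercises the metacharacter check.
SAMPLE_LOG = [
    'PIXLOG fw1^ Denied SSH session from 203.0.113.9 on interface outside',
    'PIXLOG fw1^ Login denied from 203.0.113.9/4242 to inside:10.0.0.1/22 for user "`bob`"',
    'PIXLOG fw2^ Line protocol on interface outside changed state to down',
    'PIXLOG fw1^ %PIX-1-211003: CPU utilization high',
]

# Characters /bin/sh interprets inside the -s "..." argument SEC builds for report/pipe.
SHELL_META = set('`$;|&<>()\\"\'')


def parse_rules(text):
    """Split a SEC rule file into dicts; each 'type=' line starts a new rule.
    partition() keeps everything after the first '=', so a 'pattern==' typo
    survives as a pattern whose first character is '='."""
    rules, cur = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        key, _, val = line.partition('=')
        key = key.strip()
        if key == 'type' and cur:
            rules.append(cur)
            cur = {}
        cur[key] = val.strip()
    if cur:
        rules.append(cur)
    return rules


def expand(template, m):
    """Substitute $0..$N as SEC does in desc; a reference past the last group renders empty."""
    def sub(ref):
        n = int(ref.group(1))
        return (m.group(n) or '') if n <= m.re.groups else ''
    return re.sub(r'\$(\d+)', sub, template)


def lint_rule(rule, log_lines):
    """Static checks on one rule plus a dry run over the sample lines (thresholds not simulated)."""
    rx = re.compile(rule['pattern'])
    action = rule.get('action', '')
    problems = []
    if rule['pattern'].startswith('='):
        problems.append("pattern starts with '=' (doubled 'pattern==' ?) and can never match")
    refs = {int(n) for n in re.findall(r'\$(\d+)', rule.get('desc', '') + ' ' + action)}
    for n in sorted(refs):
        if n > rx.groups:
            problems.append(f'${n} is referenced but the pattern has only {rx.groups} group(s)')
    names = set(re.findall(r'\b(?:create|add|report|delete)\s+([^\s;]+)', action))
    if len(names) > 1:
        problems.append('action mixes context names: ' + ', '.join(sorted(names)))
    rendered = []
    for line in log_lines:
        m = rx.search(line)  # SEC applies RegExp patterns unanchored unless ^ is given
        if not m:
            continue
        rendered.append(expand(rule.get('desc', ''), m))
        for field in m.groups():
            if field and SHELL_META & set(field):
                problems.append(f'captured field {field!r} carries shell metacharacters and '
                                f'reaches the command line SEC hands to the shell')
    return {'desc': rule.get('desc', ''), 'hits': len(rendered),
            'rendered': rendered, 'problems': problems}


def lint(text, log_lines):
    """Lint every rule in a ruleset string against the given log lines."""
    return [lint_rule(r, log_lines) for r in parse_rules(text)]


if __name__ == '__main__':
    for f in lint(RULESET, SAMPLE_LOG):
        print(f"{f['hits']} hit(s) for {f['desc']!r}", *f['rendered'], *f['problems'], sep='\n   ')
```

Run against the constructed input it reports the dead rule (zero hits), the `ldp_`/`lpd_` mix, the `$1` with no group, and the user name field that would reach the shell. The metacharacter check is the one to keep in mind when writing these rules: captures such as `(.*)` or `"(\S+)"` admit anything the remote side put in the log, so narrowing them to `[A-Za-z0-9._-]+` is cheaper than trying to quote inside the action string.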
Index: .cvsignore
===================================================================
RCS file: /cvs/pkgs/rpms/sec/devel/.cvsignore,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -p -r1.4 -r1.5
--- .cvsignore 28 May 2007 20:06:22 -0000 1.4
+++ .cvsignore 3 Oct 2009 07:35:39 -0000 1.5
@@ -1 +1 @@
-sec-2.4.1.tar.gz
+sec-2.5.2.tar.gz
Index: amavisd.sec
===================================================================
RCS file: /cvs/pkgs/rpms/sec/devel/amavisd.sec,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- amavisd.sec 1 Sep 2006 20:54:01 -0000 1.1
+++ amavisd.sec 3 Oct 2009 07:35:40 -0000 1.2
@@ -1,5 +1,11 @@
-#Amavisd events
-
+#############################################################################
+# Amavisd events
+#
+# Copyright (C) 2003-2009 Matt Jonkman
+# This is free software. You may redistribute copies of it under the terms of
+# the GNU General Public License version 2.
+# There is NO WARRANTY, to the extent permitted by law.
+#############################################################################
#Sep 4 15:43:02 xxxxx clamd[581]: /var/amavisd/amavis-20050904T153955-46858/parts/part-00001: HTML.Phishing.Bank-1 FOUND
type=Single
Index: bsd-MONITOR.sec
===================================================================
RCS file: /cvs/pkgs/rpms/sec/devel/bsd-MONITOR.sec,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- bsd-MONITOR.sec 1 Sep 2006 20:54:01 -0000 1.1
+++ bsd-MONITOR.sec 3 Oct 2009 07:35:40 -0000 1.2
@@ -1,9 +1,14 @@
#
-# from http://sixshooter.v6.thrupoint.net/SEC-examples/article.html
-#
# SEC rules to pick up disruptive monitoring
# events.
#
+# from http://sixshooter.v6.thrupoint.net/SEC-examples/article.html
+#
+# Copyright (C) 2003-2009 Jim Brown
+# This is free software. You may redistribute copies of it under the terms of
+# the GNU General Public License version 2.
+# There is NO WARRANTY, to the extent permitted by law.
+#
#Logs involving syslogd disabled or unusual promiscuous mode (MONITOR)
#----------------------------------------------------------------------
#Nov 15 20:02:48 foohost syslogd: exiting on signal 15
@@ -50,5 +55,5 @@ type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+kernel: swap_pager_getswapspace\(\S\): .*
desc=$0
-action=pipe '$1 GET SWAP FAILURE: %s' /usr/bin/mail -s "SWAP SPACE FAIL on $1" alerts at yourdomain.com
+action=pipe '$1 GET SWAP FAILURE: %s' /usr/bin/mail -s "SWAP SPACE FAIL on $1" alerts at example.com
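Review bot: the hostname captured by `(\S+)` in `pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+kernel: swap_pager_getswapspace\(\S\): .*` is spliced into `-s "SWAP SPACE FAIL on $1"`, and SEC runs the `pipe` command line through the shell, so a hostname field containing backticks or `$(` would be evaluated rather than mailed; since this hunk already touches the action line, narrow the capture to `([A-Za-z0-9._-]+)` at the same time.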
Index: bsd-PHYSMOD.sec
===================================================================
RCS file: /cvs/pkgs/rpms/sec/devel/bsd-PHYSMOD.sec,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- bsd-PHYSMOD.sec 1 Sep 2006 20:54:01 -0000 1.1
+++ bsd-PHYSMOD.sec 3 Oct 2009 07:35:40 -0000 1.2
@@ -1,9 +1,13 @@
#
-# from http://sixshooter.v6.thrupoint.net/SEC-examples/article.html
-#
# PHYSMOD.conf - Events concerning physical modifications
# to the system.
#
+# from http://sixshooter.v6.thrupoint.net/SEC-examples/article.html
+#
+# Copyright (C) 2003-2009 Jim Brown
+# This is free software. You may redistribute copies of it under the terms of
+# the GNU General Public License version 2.
+# There is NO WARRANTY, to the extent permitted by law.
#
#Logs involving physical modifications (PHYSMOD)
#------------------------------------------------
Index: bsd-USERACT.sec
===================================================================
RCS file: /cvs/pkgs/rpms/sec/devel/bsd-USERACT.sec,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- bsd-USERACT.sec 1 Sep 2006 20:54:01 -0000 1.1
+++ bsd-USERACT.sec 3 Oct 2009 07:35:40 -0000 1.2
@@ -1,7 +1,12 @@
#
+# Events concerning user activities.
+#
# From http://sixshooter.v6.thrupoint.net/SEC-examples/article.html
#
-# Events concerning user activities.
+# Copyright (C) 2003-2009 Jim Brown
+# This is free software. You may redistribute copies of it under the terms of
+# the GNU General Public License version 2.
+# There is NO WARRANTY, to the extent permitted by law.
#
#Logs involving logins, change of UID and privilege escalations (USERACT)
#-------------------------------------------------------------------------
Index: conf.README
===================================================================
RCS file: /cvs/pkgs/rpms/sec/devel/conf.README,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- conf.README 1 Sep 2006 20:54:01 -0000 1.1
+++ conf.README 3 Oct 2009 07:35:40 -0000 1.2
@@ -1,10 +1,10 @@
-This is the SEC configuration directory. Because SEC usage varies so widely
-from user to user, this Fedora Extras package is configured by default to not
-run.
+This is the SEC configuration directory. Because SEC usage varies so widely
+from user to user, this package is configured by default to not run.
The commented-out default settings in /etc/sysconfig/sec will load any file in
-this directory with a .sec suffix. Please look through the example files
-included in /etc/sec/examples/ and install the ones you want here (taking into
-account that the examples are generic and some of them may need to be tweaked
-to work with your setup). You should also read the SEC man page so you have
-at least a basic understanding of the SEC configuration commands.
+this directory with a .sec suffix. Please look through the example files
+included in /usr/share/doc/sec-<version>/examples/ and install the ones you
+want here (taking into account that the examples are generic and some of them
+may need to be tweaked to work with your setup). You should also read the SEC
+man page so you have at least a basic understanding of the SEC configuration
+commands.
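Review bot: the rewritten paragraph points at the packaged examples but still does not say that every example's alert recipient is a placeholder (this commit sets them all to `example.com`) or that the patterns were written for particular log formats; add one sentence telling users to set a real recipient and check each pattern against their own log lines before copying a file into this directory, otherwise an unedited ruleset silently mails nobody.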
Index: cvs.sec
===================================================================
RCS file: /cvs/pkgs/rpms/sec/devel/cvs.sec,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- cvs.sec 1 Sep 2006 20:54:01 -0000 1.1
+++ cvs.sec 3 Oct 2009 07:35:40 -0000 1.2
@@ -1,3 +1,11 @@
+#############################################################################
+# CVS events
+#
+# Copyright (C) 2003-2009 Matt Jonkman
+# This is free software. You may redistribute copies of it under the terms of
+# the GNU General Public License version 2.
+# There is NO WARRANTY, to the extent permitted by law.
+#############################################################################
#Jul 31 19:54:21 xxxx xinetd[2088]: START: cvspserver pid=16385 from=xx.xx.xx.xx
@@ -14,7 +22,7 @@ type=single
ptype=regexp
pattern=([A-z._0-9-]*) cvs: password mismatch for (.*) in (.*)
desc = cvs login failure
-action=pipe '$1 $2 CVS Login Failure: User $2 from $3' /usr/bin/mail -s '$1 $2 CVS Login Failure: $2 from $3' alerts at yourdomain.com
+action=pipe '$1 $2 CVS Login Failure: User $2 from $3' /usr/bin/mail -s '$1 $2 CVS Login Failure: $2 from $3' alerts at example.com
#Aug 5 10:38:49 xxxx cvs: attempt to root from account: username
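Review bot: `[A-z._0-9-]` in `pattern=([A-z._0-9-]*) cvs: password mismatch for (.*) in (.*)` is almost certainly meant to be `[A-Za-z._0-9-]`; the `A-z` range also admits `[`, `\`, `]`, `^` and the backtick, and `$1` then lands on the `mail -s '...'` command line built by SEC, so tighten the class while the action line is being changed. The same class appears in the two hunks below.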
@@ -23,7 +31,7 @@ type=single
ptype=regexp
pattern=([A-z._0-9-]*) cvs: attempt to root from account: (.*)
desc = cvs login to root attempt
-action=pipe ' $1 $2 CVS Login to Root Attempt: User $2 ' /usr/bin/mail -s '$1 CVS Login to Root Failure: $2' alerts at yourdomain.com
+action=pipe ' $1 $2 CVS Login to Root Attempt: User $2 ' /usr/bin/mail -s '$1 CVS Login to Root Failure: $2' alerts at example.com
#Aug 5 10:42:37 xxxx cvs: login failure (for /usr/local/cvsroot)
@@ -32,5 +40,5 @@ type=single
ptype=regexp
pattern=([A-z._0-9-]*) cvs: login failure \(for /usr/local/cvsroot\)
desc = cvs login failure
-action=pipe '$1 $2 CVS Login Failure ' /usr/bin/mail -s '$1 CVS Login Failure' alerts at yourdomain.com
+action=pipe '$1 $2 CVS Login Failure ' /usr/bin/mail -s '$1 CVS Login Failure' alerts at example.com
Index: dameware.sec
===================================================================
RCS file: /cvs/pkgs/rpms/sec/devel/dameware.sec,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- dameware.sec 1 Sep 2006 20:54:01 -0000 1.1
+++ dameware.sec 3 Oct 2009 07:35:40 -0000 1.2
@@ -1,10 +1,19 @@
+#############################################################################
+# Dameware events
+#
+# Copyright (C) 2003-2009 Matt Jonkman
+# This is free software. You may redistribute copies of it under the terms of
+# the GNU General Public License version 2.
+# There is NO WARRANTY, to the extent permitted by law.
+#############################################################################
+
#Dameware Connect
type=single
ptype=regexp
pattern=([A-z._0-9-]*) DMWRCS: (.*) Connect: (.*)
desc = Dameware Connect
action=add WINDOWS_REPORT DAMEWARE CONNECT: %s; \
-pipe 'DAMEWARE Connect -- : %s' /usr/bin/mail -s 'DAMEWARE CONNECT' alerts at yourdomain.com
+pipe 'DAMEWARE Connect -- : %s' /usr/bin/mail -s 'DAMEWARE CONNECT' alerts at example.com
#Dameware Disconnect
Index: hp-openview.sec
===================================================================
RCS file: /cvs/pkgs/rpms/sec/devel/hp-openview.sec,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- hp-openview.sec 1 Sep 2006 20:54:01 -0000 1.1
+++ hp-openview.sec 3 Oct 2009 07:35:40 -0000 1.2
@@ -1,10 +1,14 @@
################################################################
# Sample SEC ruleset for HP OpenView ITO
+#
+# Copyright (C) 2003-2009 Risto Vaarandi
+# This is free software. You may redistribute copies of it under the terms of
+# the GNU General Public License version 2.
+# There is NO WARRANTY, to the extent permitted by law.
################################################################
# process Cisco linkDown/linkUp trap events received from
# HP OpenView ITO trap template through itostream plugin
-# Submitted by Risto Vaarandi
type=PairWithWindow
ptype=RegExp
Index: labrea.sec
===================================================================
RCS file: /cvs/pkgs/rpms/sec/devel/labrea.sec,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- labrea.sec 1 Sep 2006 20:54:01 -0000 1.1
+++ labrea.sec 3 Oct 2009 07:35:40 -0000 1.2
@@ -1,4 +1,11 @@
-#Labrea tarpit events
+#############################################################################
+# Labrea tarpit events
+#
+# Copyright (C) 2003-2009 Matt Jonkman
+# This is free software. You may redistribute copies of it under the terms of
+# the GNU General Public License version 2.
+# There is NO WARRANTY, to the extent permitted by law.
+#############################################################################
type=Single
ptype=RegExp
@@ -25,5 +32,5 @@ type=Calendar
time=0 8,12,20 * * *
desc=Sending tarpit report...
action=report TARPIT_REPORT \
- /usr/bin/mail -s 'Tarpits: Tarpit Victim report' alerts at yourdomain.com; \
+ /usr/bin/mail -s 'Tarpits: Tarpit Victim report' alerts at example.com; \
delete TARPIT_REPORT
Index: pix-security.sec
===================================================================
RCS file: /cvs/pkgs/rpms/sec/devel/pix-security.sec,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- pix-security.sec 1 Sep 2006 20:54:01 -0000 1.1
+++ pix-security.sec 3 Oct 2009 07:35:40 -0000 1.2
@@ -1,5 +1,10 @@
####################################################################
# SEC ruleset for Cisco PIX 6.x, 7.x
+#
+# Copyright (C) 2003-2009 Chris Sawall
+# This is free software. You may redistribute copies of it under the terms of
+# the GNU General Public License version 2.
+# There is NO WARRANTY, to the extent permitted by law.
####################################################################
# Process various events from PIX syslog output
@@ -19,7 +24,7 @@ type=SingleWithThreshold
ptype=RegExp
pattern=\s*.*Deny\s+(\w+)\s+src.*:(.*)/.*:(.*)/(\b2\d\b).*$
desc=Unusual Failures:$1 $4/$2 -> $3
-action=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01 at domain.com; delete ffo_$1
+action=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01 at example.com; delete ffo_$1
window=10
thresh=10
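Review bot: `desc=Unusual Failures:$1 $4/$2 -> $3` places the `(.*)` captures from the Deny line into `-s "%s"`, so whatever the firewall logged as source and destination reaches the shell unquoted, and because `$2`/`$3` are part of the desc the `thresh=10` in `window=10` counts per source/destination pair while the context `ffo_$1` is keyed only on the protocol, so concurrent pairs share one context; key the context on `$2` as well and replace the two `(.*)` captures with `(\S+)`.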
@@ -31,7 +36,7 @@ continue=dontcont
ptype=RegExp
pattern=(212\.147\.14[12]\.)
desc=Possible PHEL Trojan (1)
-action=create phel_$1; add phel_$1 Local Time = %t; add phel_$1 $0; report phel_$1 /bin/mail -s "%s" email01 at domain.com; delete phel_$1
+action=create phel_$1; add phel_$1 Local Time = %t; add phel_$1 $0; report phel_$1 /bin/mail -s "%s" email01 at example.com; delete phel_$1
# ------------------------------------------------------------------
# Watch for firewall failovers
@@ -50,7 +55,7 @@ continue=takenext
ptype=RegExp
pattern=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*PIX-1-102001.*\(Primary\).*$
desc=Secondary firewall for $1 - failure/reload
-action=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01 at domain.com; delete ffo_$1
+action=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01 at example.com; delete ffo_$1
# Failure of secondary (standby) firewall while primary is active
# Works for PIX 7.x
@@ -62,7 +67,7 @@ continue=takenext
ptype=RegExp
pattern=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*PIX-1-102001.*\(Secondary\).*$
desc=Primary firewall for $1 - failure/reload
-action=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01 at domain.com; delete ffo_$1
+action=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01 at example.com; delete ffo_$1
# Failure of secondary (active), primary assumes active
# Works for PIX 7.x
@@ -79,7 +84,7 @@ action=logonly
ptype2=RegExp
pattern2=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*Primary\).*Peer state Standby Ready
desc2=Secondary (was active) firewall ($1) has failed. Primary is now active.
-action2=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01 at domain.com; delete ffo_$1
+action2=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01 at example.com; delete ffo_$1
window=5
# Failure of primary (active), secondary assumes active
@@ -97,7 +102,7 @@ action=logonly
ptype2=RegExp
pattern2=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*Secondary\).*Peer state Standby Ready
desc2=Primary firewall ($1) has failed. Secondary is now active.
-action2=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01 at domain.com; delete ffo_$1
+action2=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01 at example.com; delete ffo_$1
window=5
# ------------------------------------------------------------------
@@ -114,7 +119,7 @@ continue=dontcont
ptype=RegExp
pattern=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*PIX reload.*$
desc=$1 has been manually rebooted
-action=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01 at domain.com ; delete ffo_$1
+action=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01 at example.com ; delete ffo_$1
# Manual reload of PIX
# Works for PIX 7.x
@@ -126,7 +131,7 @@ continue=dontcont
ptype=RegExp
pattern=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*Orderly reload.*Reload reason:\s(\S+)
desc=$1 has been manually rebooted, reason: $2
-action=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01 at domain.com; delete ffo_$1
+action=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01 at example.com; delete ffo_$1
# ------------------------------------------------------------------
# Watch for SSH logins/failures on firewalls
@@ -152,7 +157,7 @@ continue=dontcont
ptype=RegExp
pattern=\s*.*(10|172|192)\.(\d+\.\d+\.\d+).*Authentication succeeded.*\'(\S+)\'.*to\s(\d+\.\d+\.\d+\.\d+)\/0.*SSH
desc=Admin Auth to $1.$2 -> $3 from $4
-action=create ssh_$1; add ssh_$1 Local Time = %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01 at domain.com; delete ssh_$1
+action=create ssh_$1; add ssh_$1 Local Time = %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01 at example.com; delete ssh_$1
# Successful Admin SSH session
# Works for PIX 7.x
@@ -165,7 +170,7 @@ continue=dontcont
ptype=RegExp
pattern=\s*.*(10|172|192)\.(\d+\.\d+\.\d+).*Authentication succeeded.*\'(\S+)\'\sfrom\s(\d+\.\d+\.\d+\.\d+)\/0.*/22.*$
desc=Admin Auth to $1.$2 -> $3 from $4
-action=create ssh_$1; add ssh_$1 Local Time = %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01 at domain.com; delete ssh_$1
+action=create ssh_$1; add ssh_$1 Local Time = %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01 at example.com; delete ssh_$1
# Failed Admin SSH session
# Works for PIX 6.x
@@ -178,7 +183,7 @@ continue=takenext
ptype=RegExp
pattern=Authentication failed.*\'(\S+)\'.*SSH
desc=Admin Auth FAILED -> $1
-action=create ssh_$1; add ssh_$1 %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01 at domain.com; delete ssh_$1
+action=create ssh_$1; add ssh_$1 %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01 at example.com; delete ssh_$1
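Review bot: in `pattern=Authentication failed.*\'(\S+)\'.*SSH` the user name is the one string the remote party supplies during a failed login, and it is used both as the context name `ssh_$1` and inside `-s "%s"` through `desc=Admin Auth FAILED -> $1`; with `type=Single` and `continue=takenext` every attempt also sends one mail, so a login sweep produces one message per attempt. Restrict the capture to `'([A-Za-z0-9._-]+)'` and consider `SingleWithThreshold` as the Deny rule at the top of this file uses; the 7.x variant in the next hunk has the same shape.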
# Failed Admin SSH session
# Works for PIX 7.x
@@ -191,7 +196,7 @@ continue=takenext
ptype=RegExp
pattern=Authentication failed.*\'(\S+)\'.*/22.*$
desc=Admin Auth FAILED -> $1
-action=create ssh_$1; add ssh_$1 %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01 at domain.com; delete ssh_$1
+action=create ssh_$1; add ssh_$1 %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01 at example.com; delete ssh_$1
# Normal SSH termination
# Works for both PIX 6.x and 7.x
@@ -202,7 +207,7 @@ type=Single
ptype=RegExp
pattern=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*\"(\S+)\".*terminated normally
desc=ADMIN END $1 -> $2
-action=create ssh_$1; add ssh_$1 %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01 at domain.com; delete ssh_$1
+action=create ssh_$1; add ssh_$1 %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01 at example.com; delete ssh_$1
# SSH session timeout or abnormal termination
# Works for PIX 6.x
@@ -214,7 +219,7 @@ type=Single
ptype=RegExp
pattern=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*disconnected by SSH server
desc=Firewall session END - timeout $1
-action=create ssh_$1; add ssh_$1 %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01 at domain.com; delete ssh_$1
+action=create ssh_$1; add ssh_$1 %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01 at example.com; delete ssh_$1
# ------------------------------------------------------------------
# Watch for firewall commands
@@ -228,7 +233,7 @@ type=Single
ptype=RegExp
pattern=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*write\sm.*
desc=User wrote config to memory -> $1
-action=create fwcmd_$1; add fwcmd_$1 %t; add fwcmd_$1 $0; report fwcmd_$1 /bin/mail -s "%s" email01 at domain.com; delete fwcmd_$1
+action=create fwcmd_$1; add fwcmd_$1 %t; add fwcmd_$1 $0; report fwcmd_$1 /bin/mail -s "%s" email01 at example.com; delete fwcmd_$1
# Watch for HIGH CPU Utilization
# Works for PIX 6.x
@@ -237,5 +242,5 @@ type=Single
ptype=RegExp
pattern=PIX-.-211003
desc=HIGH CPU Utilization
-action=create fwcmd_$1; add fwcmd_$1 %t; add fwcmd_$1 $0; report fwcmd_$1 /bin/mail -s "%s" email01 at domain.com; delete fwcmd_$1
+action=create fwcmd_$1; add fwcmd_$1 %t; add fwcmd_$1 $0; report fwcmd_$1 /bin/mail -s "%s" email01 at example.com; delete fwcmd_$1
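Review bot: `pattern=PIX-.-211003` has no capturing group, yet the action uses `fwcmd_$1` throughout, so `$1` has no value and high-CPU events from every firewall fall into the same context and cannot be told apart in the report; capture the firewall address the way the other rules in this file do, e.g. `\s*\S+\s(\d+\.\d+\.\d+\.\d+).*PIX-.-211003`.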
Index: pix-url.sec
===================================================================
RCS file: /cvs/pkgs/rpms/sec/devel/pix-url.sec,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- pix-url.sec 1 Sep 2006 20:54:01 -0000 1.1
+++ pix-url.sec 3 Oct 2009 07:35:40 -0000 1.2
@@ -1,5 +1,10 @@
####################################################################
# SEC ruleset for Monitoring Keywords
+#
+# Copyright (C) 2003-2009 Chris Sawall
+# This is free software. You may redistribute copies of it under the terms of
+# the GNU General Public License version 2.
+# There is NO WARRANTY, to the extent permitted by law.
####################################################################
# This particular ruleset was designed to monitor PIX syslog traffic
@@ -41,7 +46,7 @@ type=Single
ptype=PerlFunc
pattern=sub {($_[0] =~ /($list)/) }
desc=Inappropriate word in URL
-action=create ssh_$1; add ssh_$1 %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01 at domain.com; delete ssh_$1
+action=create ssh_$1; add ssh_$1 %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01 at example.com; delete ssh_$1
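Review bot: the context in `action=create ssh_$1; ...` was evidently copied from the SSH rules; with `ptype=PerlFunc` `$1` is the keyword returned by `sub {($_[0] =~ /($list)/) }`, and contexts are global within a SEC instance, so name it after its purpose (`url_$1`) to avoid sharing names with the `ssh_` contexts of pix-security.sec when both files are loaded together.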
#
# Examples of "watch4badwords" and "watch4excludes"
Index: portscan.sec
===================================================================
RCS file: /cvs/pkgs/rpms/sec/devel/portscan.sec,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- portscan.sec 1 Sep 2006 20:54:01 -0000 1.1
+++ portscan.sec 3 Oct 2009 07:35:41 -0000 1.2
@@ -1,5 +1,10 @@
################################################################
# Sample SEC ruleset for "PORTSCAN FROM ip1 TO ip2:port" events
+#
+# Copyright (C) 2003-2009 Risto Vaarandi
+# This is free software. You may redistribute copies of it under the terms of
+# the GNU General Public License version 2.
+# There is NO WARRANTY, to the extent permitted by law.
################################################################
# process "PORTSCAN FROM ip1 TO ip2:port" events, and if a certain
@@ -35,6 +40,6 @@ context=HORIZONTAL_PORTSWEEP_FROM_SOURCE
continue=DontCont
desc=$1 has scanned more than 10 destinations
action=report HORIZONTAL_PORTSWEEP_FROM_SOURCE_IP_$1_TO_TARGET_PORT_$3 \
- mail -s 'Horizontal port sweep from $1 target port $3' root at localhost; \
+ mail -s 'Horizontal port sweep from $1 target port $3' root at example.com; \
delete HORIZONTAL_PORTSWEEP_FROM_SOURCE_IP_$1_TO_TARGET_PORT_$3; \
eval %o ( delete $portscans{"$1:$3"} )
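Review bot: the recipient change here differs from the other files: `root@localhost` was already a safe, locally deliverable placeholder, whereas `root@example.com` will be attempted as an off-host delivery of the sweep report if this ruleset is enabled unedited; keep `root@localhost` in this file.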
Index: sec.init
===================================================================
RCS file: /cvs/pkgs/rpms/sec/devel/sec.init,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- sec.init 1 Sep 2006 20:54:01 -0000 1.1
+++ sec.init 3 Oct 2009 07:35:41 -0000 1.2
@@ -1,88 +1,102 @@
#!/bin/bash
#
-# sec This starts and stops SEC
+# sec Start and stop SEC.
#
-# chkconfig: - 26 74
+# chkconfig: - 20 80
# description: Simple Event Correlator script to filter log file entries
-# processname: /usr/bin/sec
-# config: /etc/sysconfig/sec
-# pidfile: /var/run/sec.pid
-#
-
-# Source function library.
- . /etc/rc.d/init.d/functions
-
-# Default to a clean return value
- RETVAL=0
-
-# Program we'll be executing
- EXEC='/usr/bin/sec'
- prog='sec'
- [ -f $EXEC ] || exit 0
+. /etc/rc.d/init.d/functions
-# Source the config
- [ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog
+prog="sec"
+exec="/usr/bin/sec"
+lockfile="/var/lock/subsys/sec"
-# No options defined means that sec can't run
- [ -z "$SEC_ARGS" ] && exit 0
-
-# And away we go...
+[ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog
start() {
- for n in `seq 0 $((${#SEC_ARGS[*]} - 1))`; do
- echo -n $"Starting $prog instance "$(($n + 1))": "
- daemon $EXEC ${SEC_ARGS[$n]}
- RETVAL=$?
- [ $RETVAL -ne 0 ] && return $RETVAL
- done
- touch /var/lock/subsys/$prog
- return $RETVAL
+ [ -x $exec ] || exit 5
+ for n in `seq 0 $((${#SEC_ARGS[*]} - 1))`; do
+ echo -n $"Starting $prog instance "$(($n + 1))": "
+ daemon $exec ${SEC_ARGS[$n]}
+ RETVAL=$?
+ echo
+ [ $RETVAL -ne 0 ] && return $RETVAL
+ done
+ touch $lockfile
+ return $RETVAL
}
stop() {
- echo -n $"Stopping $prog: "
- killproc $prog
- RETVAL=$?
- echo
- [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/$prog
- return $RETVAL
+ echo -n $"Stopping $prog: "
+ killproc $prog
+ RETVAL=$?
+ echo
+ [ $RETVAL -eq 0 ] && rm -f $lockfile
+ return $RETVAL
+}
+
+restart() {
+ stop
+ start
}
reload() {
- echo -n $"Reloading configuration: "
- killproc $prog -HUP
- RETVAL=$?
- echo
- return $RETVAL
+ echo -n $"Reloading $prog: "
+ killproc $prog -HUP
+ RETVAL=$?
+ echo
+ return $RETVAL
}
-restart() {
- stop
- start
+force_reload() {
+ restart
}
-dump() {
- echo -n $"Dumping state in /tmp/sec.dump: "
- killproc $prog -USR1
- RETVAL=$?
- echo
- return $RETVAL
+rh_status() {
+ status $prog
}
-sec_status() {
- status $prog
+rh_status_q() {
+ rh_status >/dev/null 2>&1
+}
+
+dump() {
+ echo -n $"Dumping state of $prog in /tmp/sec.dump: "
+ killproc $prog -USR1
+ RETVAL=$?
+ echo
+ return $RETVAL
}
case "$1" in
- start|stop|reload|restart|dump)
- $1
- ;;
- status)
- sec_status
- ;;
- *)
- echo $"Usage: $0 {start|stop|reload|restart|dump|status}"
- exit 2
+ start)
+ start
+ ;;
+ stop)
+ stop
+ ;;
+ restart)
+ restart
+ ;;
+ condrestart|try-restart)
+ rh_status_q || exit 0
+ restart
+ ;;
+ reload)
+ reload
+ ;;
+ force-reload)
+ force_reload
+ ;;
+ status)
+ rh_status
+ ;;
+ dump)
+ dump
+ ;;
+ *)
+ echo $"Usage: $0 {start|stop|restart|condrestart|try-restart|reload|force-reload|status|dump}"
+ exit 2
esac
+exit $?
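Review bot: start() dropped the old `[ -z "$SEC_ARGS" ] && exit 0` guard, so with SEC_ARGS unset or empty the `for n in \`seq 0 $((${#SEC_ARGS[*]} - 1))\`` loop runs zero times, `touch $lockfile` still creates /var/lock/subsys/sec, and `return $RETVAL` returns the status of that touch (RETVAL is only assigned inside the loop), i.e. success; `status` will then report the subsystem locked with no sec process running. Suggest a check such as `[ ${#SEC_ARGS[*]} -gt 0 ] || exit 6` (LSB "not configured") before the loop. Minor: `$exec` and `$lockfile` are used unquoted throughout, and the `# processname:`/`# config:`/`# pidfile:` header lines were removed, which chkconfig does not need but which documented the sysconfig location for operators.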
Index: sec.logrotate
===================================================================
RCS file: /cvs/pkgs/rpms/sec/devel/sec.logrotate,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- sec.logrotate 1 Sep 2006 20:54:01 -0000 1.1
+++ sec.logrotate 3 Oct 2009 07:35:41 -0000 1.2
@@ -3,6 +3,6 @@
notifempty
sharedscripts
postrotate
- /sbin/service sec reload 2> /dev/null > /dev/null || true
+ /sbin/service sec reload >/dev/null 2>&1 || true
endscript
}
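Review bot: the redirection rewrite is behaviour-preserving (both the old `2> /dev/null > /dev/null` and the new `>/dev/null 2>&1` discard stdout and stderr), so this hunk is style only. Note that `|| true` also masks a failed `service sec reload`: acceptable in a postrotate script, but it means a reload that fails after rotation is silent and has to be caught by monitoring sec itself.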
Index: sec.spec
===================================================================
RCS file: /cvs/pkgs/rpms/sec/devel/sec.spec,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -p -r1.6 -r1.7
--- sec.spec 27 Jul 2009 04:07:02 -0000 1.6
+++ sec.spec 3 Oct 2009 07:35:41 -0000 1.7
@@ -1,198 +1,121 @@
-#
-# Specfile for SEC, the simple event correlator
-#
-# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169345
-#
-
Name: sec
-Version: 2.4.1
-Release: 4%{?dist}
-Summary: SEC (simple event correlator)
-
+Version: 2.5.2
+Release: 1%{?dist}
+Summary: Simple Event Correlator script to filter log file entries
Group: System Environment/Daemons
License: GPLv2+
-URL: http://www.estpak.ee/~risto/sec/
-
-################################################################################
-
+URL: http://simple-evcorr.sourceforge.net/
Source0: http://dl.sourceforge.net/simple-evcorr/%{name}-%{version}.tar.gz
Source1: sec.sysconfig
Source2: sec.init
Source3: sec.logrotate
-
# Example files and configuration info
-Source100: conf.README
-Source101: http://www.estpak.ee/~risto/sec/examples/syslog-ng.txt
-Source102: 001_init.sec
-Source103: http://www.bleedingsnort.com/sec/amavisd.sec
-Source104: http://www.bleedingsnort.com/sec/bsd-MONITOR.sec
-Source105: http://www.bleedingsnort.com/sec/bsd-PHYSMOD.sec
-Source106: http://www.bleedingsnort.com/sec/bsd-USERACT.sec
-Source107: http://www.bleedingsnort.com/sec/clamav.sec
-Source108: http://www.bleedingsnort.com/sec/cvs.sec
-Source109: http://www.bleedingsnort.com/sec/dameware.sec
-Source110: http://www.bleedingsnort.com/sec/dbi-example.sec
-Source111: http://www.bleedingsnort.com/sec/general.sec
-Source112: http://www.bleedingsnort.com/sec/hp-openview.sec
-Source113: http://www.bleedingsnort.com/sec/labrea.sec
-Source114: http://www.bleedingsnort.com/sec/mpd.sec
-Source115: http://www.bleedingsnort.com/sec/pix-security.sec
-Source116: http://www.bleedingsnort.com/sec/pix-url.sec
-Source117: http://www.bleedingsnort.com/sec/portscan.sec
-Source118: http://www.bleedingsnort.com/sec/snort.sec
-Source119: http://www.bleedingsnort.com/sec/snortsam.sec
-Source120: http://www.bleedingsnort.com/sec/ssh-brute.sec
-Source121: http://www.bleedingsnort.com/sec/ssh.sec
-Source122: http://www.bleedingsnort.com/sec/vtund.sec
-Source123: http://www.bleedingsnort.com/sec/windows.sec
-
-BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-
-BuildArch: noarch
+Source4: conf.README
+Source5: http://simple-evcorr.sourceforge.net/rulesets/amavisd.sec
+Source6: http://simple-evcorr.sourceforge.net/rulesets/bsd-MONITOR.sec
+Source7: http://simple-evcorr.sourceforge.net/rulesets/bsd-PHYSMOD.sec
+Source8: http://simple-evcorr.sourceforge.net/rulesets/bsd-USERACT.sec
+Source9: http://simple-evcorr.sourceforge.net/rulesets/bsd-general.sec
+Source10: http://simple-evcorr.sourceforge.net/rulesets/bsd-mpd.sec
+Source11: http://simple-evcorr.sourceforge.net/rulesets/cisco-syslog.sec
+Source12: http://simple-evcorr.sourceforge.net/rulesets/cvs.sec
+Source13: http://simple-evcorr.sourceforge.net/rulesets/dameware.sec
+Source14: http://simple-evcorr.sourceforge.net/rulesets/hp-openview.sec
+Source15: http://simple-evcorr.sourceforge.net/rulesets/labrea.sec
+Source16: http://simple-evcorr.sourceforge.net/rulesets/pix-general.sec
+Source17: http://simple-evcorr.sourceforge.net/rulesets/pix-security.sec
+Source18: http://simple-evcorr.sourceforge.net/rulesets/pix-url.sec
+Source19: http://simple-evcorr.sourceforge.net/rulesets/portscan.sec
+Source20: http://simple-evcorr.sourceforge.net/rulesets/snort.sec
+Source21: http://simple-evcorr.sourceforge.net/rulesets/snortsam.sec
+Source22: http://simple-evcorr.sourceforge.net/rulesets/ssh-brute.sec
+Source23: http://simple-evcorr.sourceforge.net/rulesets/ssh.sec
+Source24: http://simple-evcorr.sourceforge.net/rulesets/vtund.sec
+Source25: http://simple-evcorr.sourceforge.net/rulesets/windows.sec
+BuildArch: noarch
-################################################################################
+# The init script uses arrays, so we need bash
+Requires: bash
+Requires: logrotate
-Requires(post): chkconfig
+Requires(post): chkconfig
Requires(postun): initscripts
Requires(preun): initscripts, chkconfig
-# The init script uses arrays, so we need bash
-Requires: bash
-
-# Not required specifically by SEC, but our examples use it so we might as well
-# create a requirement for logrotate.
-Requires: logrotate
-
-# Some alternate names for the package that users might search for
-Provides: simple-evcorr
-Provides: sec.pl
-
-################################################################################
-
%description
-SEC is an open source and platform independent event correlation tool that
-was designed to fill the gap between commercial event correlation systems and
-homegrown solutions that usually comprise a few simple shell scripts.
-SEC accepts input from regular files, named pipes, and standard input, and can
-thus be employed as an event correlator for any application that is able to
-write its output events to a file stream.
-
-################################################################################
+SEC is a simple event correlation tool that reads lines from files, named
+pipes, or standard input, and matches the lines with regular expressions,
+Perl subroutines, and other patterns for recognizing input events.
+Events are then correlated according to the rules in configuration files,
+producing output events by executing user-specified shell commands, by
+writing messages to pipes or files, etc.
%prep
%setup -q
-# Replace some tags in the config files
- sed -i -e 's/@@NAME@@/%{name}/' \
- %{SOURCE1} \
- %{SOURCE2} \
- %{SOURCE3}
-
-# Fix the bindir in case a user wants it put in a different location
- sed -i -e 's#/usr/bin/sec#%{_bindir}/sec#' \
- %{SOURCE2}
-
-################################################################################
+%build
%install
-
-rm -rf $RPM_BUILD_ROOT
-
-# Create the directories we'll need
- install -d -m 755 $RPM_BUILD_ROOT%{_initrddir}
- install -d -m 755 $RPM_BUILD_ROOT%{_localstatedir}/log
- install -d -m 755 $RPM_BUILD_ROOT%{_localstatedir}/run
- install -d -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d
- install -d -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig
- install -d -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/examples
-
# Install SEC and its associated files
- install -D -p -m 755 sec.pl $RPM_BUILD_ROOT%{_bindir}/sec
- install -D -p -m 644 sec.pl.man $RPM_BUILD_ROOT%{_mandir}/man1/sec.1
- install -p -m 644 %{SOURCE1} $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/sec
- install -p -m 644 %{SOURCE3} $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/sec
- install -p -m 755 %{SOURCE2} $RPM_BUILD_ROOT%{_initrddir}/sec
+install -D -m 0755 -p sec.pl %{buildroot}%{_bindir}/sec
+install -D -m 0644 -p sec.pl.man %{buildroot}%{_mandir}/man1/sec.1
+install -D -m 0644 -p %{SOURCE1} %{buildroot}%{_sysconfdir}/sysconfig/sec
+install -D -m 0644 -p %{SOURCE3} %{buildroot}%{_sysconfdir}/logrotate.d/sec
+install -D -m 0755 -p %{SOURCE2} %{buildroot}%{_initrddir}/sec
# Install the example config files and readme
- install -p -m 644 %{SOURCE100} \
- $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/README
- install -p -m 644 %{SOURCE101} \
- $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/examples/syslog-ng.sec
- install -p -m 644 %{SOURCE102} \
- %{SOURCE103} \
- %{SOURCE104} \
- %{SOURCE105} \
- %{SOURCE106} \
- %{SOURCE107} \
- %{SOURCE108} \
- %{SOURCE109} \
- %{SOURCE110} \
- %{SOURCE111} \
- %{SOURCE112} \
- %{SOURCE113} \
- %{SOURCE114} \
- %{SOURCE115} \
- %{SOURCE116} \
- %{SOURCE117} \
- %{SOURCE118} \
- %{SOURCE119} \
- %{SOURCE120} \
- %{SOURCE121} \
- %{SOURCE122} \
- %{SOURCE123} \
- $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/examples/
-
-# Replace all "email.com" in sample scripts with an actual fake domain: example.com
- grep -rl 'email.com' $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/ \
- | xargs sed -i -e 's/email.com/example.com/g'
-
-# Create ghost files so rpm doesn't complain about them being gone
- touch $RPM_BUILD_ROOT%{_localstatedir}/log/sec
- touch $RPM_BUILD_ROOT%{_localstatedir}/run/sec.pid
+install -D -m 0644 -p %{SOURCE4} %{buildroot}%{_sysconfdir}/%{name}/README
+install -d -m 0755 examples
+install -m 0644 -p %{SOURCE5} %{SOURCE6} %{SOURCE7} %{SOURCE8} \
+ %{SOURCE9} %{SOURCE10} %{SOURCE11} %{SOURCE12} \
+ %{SOURCE13} %{SOURCE14} %{SOURCE15} %{SOURCE16} \
+ %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE20} \
+ %{SOURCE21} %{SOURCE22} %{SOURCE23} %{SOURCE24} \
+ %{SOURCE25} examples/
-################################################################################
+# Remove executable bits because these files get packed as docs
+chmod 0644 contrib/convert.pl contrib/swatch2sec.pl
%post
-
-if [ $1 = 1 ]; then
- /sbin/chkconfig --add sec
+if [ $1 -eq 1 ]; then
+ /sbin/chkconfig --add sec
fi
%preun
-
-if [ $1 = 0 ]; then
- /sbin/service sec stop > /dev/null 2>&1 || :
- /sbin/chkconfig --del sec
+if [ $1 -eq 0 ]; then
+ /sbin/service sec stop >/dev/null 2>&1
+ /sbin/chkconfig --del sec
fi
%postun
-
-if [ $1 = 1 ]; then
- /sbin/service sec condrestart
+if [ $1 -eq 1 ]; then
+ /sbin/service sec condrestart >/dev/null 2>&1
fi
%clean
-
-rm -rf $RPM_BUILD_ROOT
-
-################################################################################
+rm -rf %{buildroot}
%files
-
%defattr(-,root,root,-)
-%doc ChangeLog COPYING README
+%doc ChangeLog COPYING README contrib/convert.pl contrib/itostream.c contrib/swatch2sec.pl examples
+%config(noreplace) %{_sysconfdir}/%{name}
%config(noreplace) %{_sysconfdir}/sysconfig/sec
-%config(noreplace) %verify (not md5 size mtime) %{_sysconfdir}/logrotate.d/sec
-%{_sysconfdir}/%{name}
-%{_bindir}/sec
+%config(noreplace) %{_sysconfdir}/logrotate.d/sec
%{_initrddir}/sec
-%{_mandir}/man1/*
-%ghost %verify (not md5 size mtime) %{_localstatedir}/log/sec
-%ghost %verify (not md5 size mtime) %{_localstatedir}/run/sec.pid
-
-################################################################################
+%{_bindir}/sec
+%{_mandir}/man1/sec.1*
%changelog
+* Tue Sep 29 2009 Stefan Schulze Frielinghaus <stefan at seekline.net> - 2.5.2-1
+- New upstream release
+- SPEC file cleanup
+- Init script cleanup
+- Removed some examples because of licensing issues. Upstream has clarified
+ and changed most of the license tags to GPLv2. Additionally, upstream
+ will include the examples in the next release.
+- Removed a provide statement since a period was in the name and no other
+ package required that special name.
+
* Sun Jul 26 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 2.4.1-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
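Review bot: in %postun the `|| :` was dropped and `/sbin/service sec condrestart >/dev/null 2>&1` is now the last command of the scriptlet, so a restart that fails during an upgrade makes the %postun scriptlet fail; %preun likewise lost the `|| :` on `/sbin/service sec stop` (harmless there because `chkconfig --del sec` runs last, but the guideline form is `... >/dev/null 2>&1 || :` in both places). Two follow-ups: the `sed -i -e 's/@@NAME@@/%{name}/'` over %{SOURCE1}, %{SOURCE2} and %{SOURCE3} was removed, so confirm that sec.sysconfig (not part of this diff) no longer carries the `@@NAME@@` placeholder; and the changelog says "Removed a provide statement since a period was in the name", but the hunk drops both `Provides: sec.pl` and `Provides: simple-evcorr`, so the second removal should be mentioned as well. Dropping the in-place sed on files under the sources directory in %prep is a good change.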
Index: snort.sec
===================================================================
RCS file: /cvs/pkgs/rpms/sec/devel/snort.sec,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- snort.sec 1 Sep 2006 20:54:01 -0000 1.1
+++ snort.sec 3 Oct 2009 07:35:41 -0000 1.2
@@ -1,5 +1,10 @@
####################################################################
# Sample SEC ruleset for Snort IDS
+#
+# Copyright (C) 2003-2009 Risto Vaarandi
+# This is free software. You may redistribute copies of it under the terms of
+# the GNU General Public License version 2.
+# There is NO WARRANTY, to the extent permitted by law.
####################################################################
# ------------------------------------------------------------------
@@ -52,7 +57,8 @@ pattern=PRIORITY 1 INCIDENT FROM (\S+) T
context=ATTACK_FROM_$1
continue=TakeNext
desc=Priority 1 attack started from $1
-action=create ATTACK_FROM_$1; add ALERT_REPORT %t: %s; pipe '%t: %s'
+action=create ATTACK_FROM_$1; add ALERT_REPORT %t: %s; pipe '%t: %s' \
+ /usr/bin/mail -s 'NOC: SNORT: priority 1 attack from $1' alerts at example.com
# For every priority 1 incident, add an entry to the context by its IP;
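Review bot: the old `pipe '%t: %s'` had no shell command after the event text, so this hunk completes the action rather than only swapping the domain; the `\` continuation plus `/usr/bin/mail -s ... alerts at example.com` now matches the form of the other report actions in this file. For anyone copying from the archive: `alerts at example.com` is the list's rendering of the mail recipient, and the committed file should carry a literal `alerts@example.com`.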
@@ -66,7 +72,7 @@ continue=TakeNext
desc=Priority 1 incident from $1 to $2: $3
action=add ATTACK_FROM_$1 %t: %s; \
set ATTACK_FROM_$1 300 ( report ATTACK_FROM_$1 \
- /usr/bin/mail -s 'NOC: SNORT: priority 1 attack from $1 (report)' alerts at email.com )
+ /usr/bin/mail -s 'NOC: SNORT: priority 1 attack from $1 (report)' alerts at example.com )
# ------------------------------------------------------------------
@@ -116,7 +122,7 @@ continue=TakeNext
desc=Create activity contexts for $1
action=create ACTIVITY_LIST_FOR_$1_LIFETIME; \
create ACTIVITY_LIST_FOR_$1 7200 ( report ACTIVITY_LIST_FOR_$1 \
- /usr/bin/mail -s 'SNORT: $1 has been active for 2 hours' alerts at email.com; \
+ /usr/bin/mail -s 'SNORT: $1 has been active for 2 hours' alerts at example.com; \
delete ACTIVITY_LIST_FOR_$1_LIFETIME )
@@ -142,7 +148,7 @@ type=Calendar
time=0 12 * * *
desc=Sending alert report...
action=report ALERT_REPORT \
- /usr/bin/mail -s 'SNORT: Hourly alert report' alerts at email.com; \
+ /usr/bin/mail -s 'SNORT: Hourly alert report' alerts at example.com; \
delete ALERT_REPORT
@@ -152,6 +158,6 @@ type=Calendar
time=0 9 * * *
desc=Sending portscan report...
action=report PORTSCAN_REPORT \
- /usr/bin/mail -s 'SNORT: daily portscan report' alerts at email.com; \
+ /usr/bin/mail -s 'SNORT: daily portscan report' alerts at example.com; \
delete PORTSCAN_REPORT
Index: snortsam.sec
===================================================================
RCS file: /cvs/pkgs/rpms/sec/devel/snortsam.sec,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- snortsam.sec 1 Sep 2006 20:54:01 -0000 1.1
+++ snortsam.sec 3 Oct 2009 07:35:41 -0000 1.2
@@ -1,10 +1,17 @@
-
+#############################################################################
+# Snort SAM events
+#
+# Copyright (C) 2003-2009 Matt Jonkman
+# This is free software. You may redistribute copies of it under the terms of
+# the GNU General Public License version 2.
+# There is NO WARRANTY, to the extent permitted by law.
+#############################################################################
type=single
ptype=regexp
pattern=([A-Za-z0-9._-]+) root: (.*) snortsam, Error: Could not bind socket.
desc = $0
-action=pipe '$1 Snortsam Bind Failed -- NEEDS ATTENTION!: %s' /usr/bin/mail -s "Snortsam Bind Failure: NEEDS ATTENTION on $1" alerts at yourdomain.com
+action=pipe '$1 Snortsam Bind Failed -- NEEDS ATTENTION!: %s' /usr/bin/mail -s "Snortsam Bind Failure: NEEDS ATTENTION on $1" alerts at example.com
type=single
@@ -24,7 +31,7 @@ action=add SNORTSAM_REPORT $1 Extending
#ptype=regexp
#pattern=([A-Za-z0-9._-]+)snortsam\[([0-9]+)\]: [*], [:0-9]+, -, ipf, (.*) Failed
#desc = Snortsam ipf error
-#action=pipe '$1 Snortsam IPF Command Failed' /usr/bin/mail -s "%s" alerts at yourdomain.com
+#action=pipe '$1 Snortsam IPF Command Failed' /usr/bin/mail -s "%s" alerts at example.com
##action=add SNORTSAM_REPORT ERROR $1 IPF Command Failure: $2
@@ -52,13 +59,13 @@ type=single
ptype=regexp
pattern=([A-Za-z0-9._-]+) root: (.*) ipf, Error: Command (.*) Failed
desc = $0
-action=pipe '$1 Snortsam IPF Command Failed: $1 $2 $3' /usr/bin/mail -s "Snortsam IPF Command Failed on $1" alerts at yourdomain.com
+action=pipe '$1 Snortsam IPF Command Failed: $1 $2 $3' /usr/bin/mail -s "Snortsam IPF Command Failed on $1" alerts at example.com
type=single
ptype=regexp
pattern=([A-Za-z0-9._-]+) root: (.*) snortsam, Snortsam Station .* using wrong password, trying to resync.
desc = $0
-action=pipe '$1 Snortsam Password Failure: $1' /usr/bin/mail -s "Snortsam Password Failure on $1" alerts at yourdomain.com
+action=pipe '$1 Snortsam Password Failure: $1' /usr/bin/mail -s "Snortsam Password Failure on $1" alerts at example.com
#Send hourly snortsam report
@@ -66,5 +73,5 @@ type=Calendar
time=0 * * * *
desc=Sending snortsam report...
action=report SNORTSAM_REPORT \
- /usr/bin/mail -s 'SNORTSAM report' alerts at yourdomain.com; \
+ /usr/bin/mail -s 'SNORTSAM report' alerts at example.com; \
delete SNORTSAM_REPORT
Index: sources
===================================================================
RCS file: /cvs/pkgs/rpms/sec/devel/sources,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -p -r1.4 -r1.5
--- sources 28 May 2007 20:06:22 -0000 1.4
+++ sources 3 Oct 2009 07:35:41 -0000 1.5
@@ -1 +1 @@
-f233b3acf7cebdb573f4ff1f441866c3 sec-2.4.1.tar.gz
+0e5e3c2e4e3ef6c21fc32a809c6263bb sec-2.5.2.tar.gz
Index: ssh-brute.sec
===================================================================
RCS file: /cvs/pkgs/rpms/sec/devel/ssh-brute.sec,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- ssh-brute.sec 1 Sep 2006 20:54:01 -0000 1.1
+++ ssh-brute.sec 3 Oct 2009 07:35:41 -0000 1.2
@@ -1,4 +1,10 @@
################## ssh brute force attack blocker
+# Copyright (C) 2003-2009 Mark Bergman
+# This is free software. You may redistribute copies of it under the terms of
+# the GNU General Public License version 2.
+# There is NO WARRANTY, to the extent permitted by law.
+##################
+#
# This sec ruleset monitors syslog messages for indications that an ssh brute-force
# login attack is underway. The trigger is an ssh login failure.
#
@@ -15,10 +21,6 @@
# 2 hours.
#
# Vulnerabilities of this ruleset are:
-# DoS attack: if the attacker is aware of this ruleset, they could
-# spoof a series of victim IP addresses (for example, the
-# AOL proxy address), thus causing the server running sec
-# to deny service to the victim.
#
# persistent firewall rules:
# if the sec daemon crashes or is restarted, any existing rules
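Review bot: this hunk removes the `DoS attack:` paragraph but keeps the `# Vulnerabilities of this ruleset are:` header, which now introduces only the `persistent firewall rules:` item. The removed caveat still applies to a ruleset that blocks by source address on failed-login messages (the spoofing case the old text described) and it is what an operator needs when deciding which addresses to exempt from automatic blocking, so either keep it or say in the header why it was dropped (if this is part of the license-driven cleanup, note that).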
Index: ssh.sec
===================================================================
RCS file: /cvs/pkgs/rpms/sec/devel/ssh.sec,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- ssh.sec 1 Sep 2006 20:54:01 -0000 1.1
+++ ssh.sec 3 Oct 2009 07:35:41 -0000 1.2
@@ -1,6 +1,13 @@
-# a ruleset to accumulate errors from a parent and child sshd process
+###########################################################################
+# SEC ruleset to accumulate errors from a parent and child sshd process
# into a single context. This allows reporting of the authenticated
# user information with the error's generated by the child sshd process.
+#
+# Copyright (C) 2003-2009 John P. Rouillard
+# This is free software. You may redistribute copies of it under the terms of
+# the GNU General Public License version 2.
+# There is NO WARRANTY, to the extent permitted by law.
+###########################################################################
# note handling of deferred reporting until after tie events received
# is still in flux. My old rules hanlded it by resubmitting all the
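Review bot: two typos in the unchanged context lines that the header rewrite could have picked up: `hanlded` in the last line of the hunk, and `error's` for `errors` in `with the error's generated by the child sshd process`.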
@@ -38,7 +45,7 @@ action=create EVENT_PROCESSED
#ptype=regexp
#pattern=([A-Za-z0-9._-]+) sshd\[([0-9]+)\]: \[[^]]+\] Connection from ([0-9.]+) port [0-9]+
#action=pipe session_log_$1_$2 \
-# /usr/bin/mail -s "ssh failed to generate tie event for $1" alerts at email.com
+# /usr/bin/mail -s "ssh failed to generate tie event for $1" alerts at example.com
#desc2=Link parent and child contexts
#ptype2=regexp
#pattern2=$1 [A-z0-9]+\[[0-9]+\]: \[[^]]+\] SSHD child process +([0-9]+) spawned by $2
@@ -86,7 +93,7 @@ desc=Report immediate on request.
ptype=regexp
pattern=^sshd: Report (.*) if needed$
context = session_log_report_$1
-action= report session_log_$1 /usr/bin/mailx -s "sshd error on $1" alerts at email.com ;\
+action= report session_log_$1 /usr/bin/mailx -s "sshd error on $1" alerts at example.com ;\
delete session_log_report_$1
type=suppress
@@ -144,7 +151,7 @@ pattern=([A-z._0-9-]*) sshd\[([0-9]+)\]:
context = $3 < 1025 && tie_event_received_$1_$2
action = add session_log_$1_$2 $0 ; \
report session_log_report_$1_$2 \
- /usr/bin/mailx -s "sshd bind < 1025 on $1" alerts at email.com
+ /usr/bin/mailx -s "sshd bind < 1025 on $1" alerts at example.com
# end immediate rules here
@@ -178,7 +185,7 @@ pattern=([A-z._0-9-]*) sshd\[([0-9]+)\]:
context = ssh_port_forward_errors_$1_$2
desc = send report on ssh forward errors if pass threshold (bind)
action = report session_log_$1_$2 \
- /usr/bin/mailx -s "ssh port forward errors host $1" alerts at email.com; \
+ /usr/bin/mailx -s "ssh port forward errors host $1" alerts at example.com; \
delete ssh_port_forward_errors_$1_$2
thresh=5
window=600
@@ -211,7 +218,7 @@ pattern=([A-z._0-9-]*) sshd\[([0-9]+)\]:
context = ssh_channel_setup_errors_$1_$2
desc = send report on ssh channel setup errors
action = report session_log_$1_$2 \
- /usr/bin/mailx -s "ssh port forward errors host $1" alerts at email.com ; \
+ /usr/bin/mailx -s "ssh port forward errors host $1" alerts at example.com ; \
delete ssh_channel_setup_errors_$1_$2
thresh=5
window=600
@@ -234,7 +241,7 @@ pattern=([A-Za-z0-9._-]+) sshd\[([0-9]+)
desc = create context to report ssh errors for host $1 pid $2 in 5 minutes
context = ! session_log_5min_timer_$1_$2
action = create session_log_5min_timer_$1_$2 300 report session_log_$1_$2 \
- /usr/bin/mailx -s "ssh errors for host $1 pid $2" alerts at email.com
+ /usr/bin/mailx -s "ssh errors for host $1 pid $2" alerts at example.com
type=single
continue = dontcont
Index: vtund.sec
===================================================================
RCS file: /cvs/pkgs/rpms/sec/devel/vtund.sec,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- vtund.sec 1 Sep 2006 20:54:01 -0000 1.1
+++ vtund.sec 3 Oct 2009 07:35:41 -0000 1.2
@@ -1,4 +1,11 @@
-#VTUN Events
+#############################################################################
+# VTUN events
+#
+# Copyright (C) 2003-2009 Matt Jonkman
+# This is free software. You may redistribute copies of it under the terms of
+# the GNU General Public License version 2.
+# There is NO WARRANTY, to the extent permitted by law.
+#############################################################################
type=Single
ptype=RegExp
@@ -58,14 +65,3 @@ pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+vtund\
desc=$0
action=add GENERAL_REPORT %t: VTUN Session $2 Closed on $1
-
-
-#Send 12 hours vtun report
-
-type=Calendar
-time=0 0,12 * * *
-desc=Sending vtun report...
-action=report VTUN_REPORT \
- /usr/bin/mail -s 'VTUN: VTUN Report' alerts at yourdomain.com; \
- delete VTUN_REPORT0
-
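Review bot: the removed Calendar rule reported `VTUN_REPORT` but then deleted `VTUN_REPORT0`, so that context would never have been cleared; dropping the rule is a fix as much as a removal. However, the visible session-close rule adds to `GENERAL_REPORT`, and nothing in this hunk reports or deletes that context, so check that another rule still does, otherwise its event store only grows until sec is restarted.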
Index: windows.sec
===================================================================
RCS file: /cvs/pkgs/rpms/sec/devel/windows.sec,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- windows.sec 1 Sep 2006 20:54:01 -0000 1.1
+++ windows.sec 3 Oct 2009 07:35:41 -0000 1.2
@@ -1,4 +1,11 @@
-#Windows events
+#############################################################################
+# Windows events
+#
+# Copyright (C) 2003-2009 Matt Jonkman
+# This is free software. You may redistribute copies of it under the terms of
+# the GNU General Public License version 2.
+# There is NO WARRANTY, to the extent permitted by law.
+#############################################################################
type=Single
ptype=RegExp
@@ -17,21 +24,21 @@ type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+Security: \\Everyone: User Account Locked Out: Target Account Name: (\S+) .*
desc=$0
-action=pipe '$1 Windows Account Lockout: %s' /usr/bin/mail -s "Windows Account Locked on $1" alerts at yourdomain.com
+action=pipe '$1 Windows Account Lockout: %s' /usr/bin/mail -s "Windows Account Locked on $1" alerts at example.com
type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+Security: \\Everyone: User Account Changed: (/S+)\. .*
desc=$0
-action=pipe '$1 Windows Account Change: %s' /usr/bin/mail -s "Windows Account Changed on $1: $2" alerts at yourdomain.com
+action=pipe '$1 Windows Account Change: %s' /usr/bin/mail -s "Windows Account Changed on $1: $2" alerts at example.com
type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+NetBT: N\/A: A duplicate name has been detected on the TCP network\. .*
desc=$0
-action=pipe '$1 Duplicate Netbios Name Detected: %s' /usr/bin/mail -s "Duplicate Netbios Name on $1" alerts at yourdomain.com
+action=pipe '$1 Duplicate Netbios Name Detected: %s' /usr/bin/mail -s "Duplicate Netbios Name on $1" alerts at example.com
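Review bot: in the unchanged `User Account Changed` pattern, `(/S+)\.` uses a forward slash, so the group matches a literal `/` followed by one or more `S` characters rather than the account name; the rule only fires on lines containing that fragment, and `$2` in the `Windows Account Changed on $1: $2` subject would be that fragment. It should be `(\S+)\.`, as in the `Locked Out` rule above it. The `N\/A` escape in the NetBT pattern is harmless in a Perl regexp but unnecessary.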
--- 001_init.sec DELETED ---
--- clamav.sec DELETED ---
--- dbi-example.sec DELETED ---
--- general.sec DELETED ---
--- mpd.sec DELETED ---
--- syslog-ng.txt DELETED ---