#################################################################### # SEC ruleset for Cisco PIX 6.x, 7.x #################################################################### # Process various events from PIX syslog output # # Submitted by Chris Sawall # email: sawall -[at]- gmail -[dot]- com # Last Updated: 5/20/05 # ------------------------------------------------------------------ # Watch for weird failures - possible trojan/worm # ------------------------------------------------------------------ # Watch for 10 denies within 10 seconds. Especially useful to monitor # for certain trojans and mass mailers # type=SingleWithThreshold ptype=RegExp pattern=\s*.*Deny\s+(\w+)\s+src.*:(.*)/.*:(.*)/(\b2\d\b).*$ desc=Unusual Failures:$1 $4/$2 -> $3 action=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01@domain.com; delete ffo_$1 window=10 thresh=10 # Monitor for occurrances of certain variant of PHEL trojan destined # for two different class C networks # type=Single continue=dontcont ptype=RegExp pattern=(212\.147\.14[12]\.) desc=Possible PHEL Trojan (1) action=create phel_$1; add phel_$1 Local Time = %t; add phel_$1 $0; report phel_$1 /bin/mail -s "%s" email01@domain.com; delete phel_$1 # ------------------------------------------------------------------ # Watch for firewall failovers # ------------------------------------------------------------------ # Firewall failures/failovers # Works for PIX 7.x # Failure of secondary (standby) firewall while primary is active # Works for PIX 7.x # # $1 is the IP address of the primary firewall # type=Single continue=takenext ptype=RegExp pattern=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*PIX-1-102001.*\(Primary\).*$ desc=Secondary firewall for $1 - failure/reload action=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01@domain.com; delete ffo_$1 # Failure of secondary (standby) firewall while primary is active # Works for PIX 7.x # # $1 is the IP address of the primary firewall # type=Single continue=takenext ptype=RegExp pattern=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*PIX-1-102001.*\(Secondary\).*$ desc=Primary firewall for $1 - failure/reload action=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01@domain.com; delete ffo_$1 # Failure of secondary (active), primary assumes active # Works for PIX 7.x # # The first "desc" and "action" don't really do anything here. But SEC requires them to be present. # $1 is the IP address of the primary firewall # type=Pair continue=dontcont ptype=RegExp pattern=PIX-1-102001:\s+\(Primary\).*$ desc=$0 action=logonly ptype2=RegExp pattern2=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*Primary\).*Peer state Standby Ready desc2=Secondary (was active) firewall ($1) has failed. Primary is now active. action2=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01@domain.com; delete ffo_$1 window=5 # Failure of primary (active), secondary assumes active # Works for PIX 7.x # # The first "desc" and "action" don't really do anything here. But SEC requires them to be present. # $1 is the IP address of the primary firewall # type=Pair continue=dontcont ptype=RegExp pattern=PIX-1-102001:\s+\(Secondary\).*$ desc=$0 action=logonly ptype2=RegExp pattern2=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*Secondary\).*Peer state Standby Ready desc2=Primary firewall ($1) has failed. Secondary is now active. action2=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01@domain.com; delete ffo_$1 window=5 # ------------------------------------------------------------------ # Watch for firewall reloads # ------------------------------------------------------------------ # Manual reload of PIX # Works for PIX 6.x # # $1 is the IP address of the primary firewall # type=Single continue=dontcont ptype=RegExp pattern=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*PIX reload.*$ desc=$1 has been manually rebooted action=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01@domain.com ; delete ffo_$1 # Manual reload of PIX # Works for PIX 7.x # # $1 is the IP address of the primary firewall # type=Single continue=dontcont ptype=RegExp pattern=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*Orderly reload.*Reload reason:\s(\S+) desc=$1 has been manually rebooted, reason: $2 action=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01@domain.com; delete ffo_$1 # ------------------------------------------------------------------ # Watch for SSH logins/failures on firewalls # ------------------------------------------------------------------ # Suppress emails concerning pixbkup account # In this case, the pixbkup acct is used to backup the PIX firewalls # Keeping email alerts to a minimum, this skips past these alerts # type=Suppress continue=dontcont ptype=RegExp pattern=pixbkup # Successful Admin SSH session # Works for PIX 6.x # # Monitor for successful SSH connections to the PIX firewall # $1 & $2 make up the IP of the firewall, $3 is the user account and $4 the source IP addr # type=Single continue=dontcont ptype=RegExp pattern=\s*.*(10|172|192)\.(\d+\.\d+\.\d+).*Authentication succeeded.*\'(\S+)\'.*to\s(\d+\.\d+\.\d+\.\d+)\/0.*SSH desc=Admin Auth to $1.$2 -> $3 from $4 action=create ssh_$1; add ssh_$1 Local Time = %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01@domain.com; delete ssh_$1 # Successful Admin SSH session # Works for PIX 7.x # # Monitor for successful SSH connections to the PIX firewall # $1 & $2 make up the IP of the firewall, $3 is the user account and $4 the source IP addr # type=Single continue=dontcont ptype=RegExp pattern=\s*.*(10|172|192)\.(\d+\.\d+\.\d+).*Authentication succeeded.*\'(\S+)\'\sfrom\s(\d+\.\d+\.\d+\.\d+)\/0.*/22.*$ desc=Admin Auth to $1.$2 -> $3 from $4 action=create ssh_$1; add ssh_$1 Local Time = %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01@domain.com; delete ssh_$1 # Failed Admin SSH session # Works for PIX 6.x # # Monitor for failed SSH attempts to the PIX firewalls # $1 is the user acct # type=Single continue=takenext ptype=RegExp pattern=Authentication failed.*\'(\S+)\'.*SSH desc=Admin Auth FAILED -> $1 action=create ssh_$1; add ssh_$1 %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01@domain.com; delete ssh_$1 # Failed Admin SSH session # Works for PIX 7.x # # Monitor for failed SSH attempts to the PIX firewalls # $1 is the user acct # type=Single continue=takenext ptype=RegExp pattern=Authentication failed.*\'(\S+)\'.*/22.*$ desc=Admin Auth FAILED -> $1 action=create ssh_$1; add ssh_$1 %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01@domain.com; delete ssh_$1 # Normal SSH termination # Works for both PIX 6.x and 7.x # # $1 is the IP of the firewall and $2 is the user acct # type=Single ptype=RegExp pattern=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*\"(\S+)\".*terminated normally desc=ADMIN END $1 -> $2 action=create ssh_$1; add ssh_$1 %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01@domain.com; delete ssh_$1 # SSH session timeout or abnormal termination # Works for PIX 6.x # May work for PIX 7.x - not tested but PIX-6-315011 is the same for 6 and 7. # # $1 is the IP of the firewall # type=Single ptype=RegExp pattern=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*disconnected by SSH server desc=Firewall session END - timeout $1 action=create ssh_$1; add ssh_$1 %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01@domain.com; delete ssh_$1 # ------------------------------------------------------------------ # Watch for firewall commands # ------------------------------------------------------------------ # Admin executed "write mem" # Works for both PIX 6.x and 7.x # # $1 is the IP of the firewall type=Single ptype=RegExp pattern=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*write\sm.* desc=User wrote config to memory -> $1 action=create fwcmd_$1; add fwcmd_$1 %t; add fwcmd_$1 $0; report fwcmd_$1 /bin/mail -s "%s" email01@domain.com; delete fwcmd_$1 # Watch for HIGH CPU Utilization # Works for PIX 6.x # type=Single ptype=RegExp pattern=PIX-.-211003 desc=HIGH CPU Utilization action=create fwcmd_$1; add fwcmd_$1 %t; add fwcmd_$1 $0; report fwcmd_$1 /bin/mail -s "%s" email01@domain.com; delete fwcmd_$1