Sophie

Sophie

distrib > Mandriva > 2010.0 > i586 > media > contrib-release > by-pkgid > aabb1c6deea3aa570b1709afcf2ae273 > files > 24

sec-2.4.2-3mdv2010.0.noarch.rpm

####################################################################
#                SEC ruleset for Cisco PIX 6.x, 7.x
####################################################################

# Process various events from PIX syslog output
# 
# Submitted by Chris Sawall
# email: sawall -[at]- gmail -[dot]- com
# Last Updated: 5/20/05

# ------------------------------------------------------------------
# Watch for weird failures - possible trojan/worm
# ------------------------------------------------------------------

# Watch for 10 denies within 10 seconds.  Especially useful to monitor
# for certain trojans and mass mailers
#
type=SingleWithThreshold
ptype=RegExp
pattern=\s*.*Deny\s+(\w+)\s+src.*:(.*)/.*:(.*)/(\b2\d\b).*$
desc=Unusual Failures:$1 $4/$2 -> $3
action=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01@domain.com; delete ffo_$1
window=10
thresh=10

# Monitor for occurrances of certain variant of PHEL trojan destined
# for two different class C networks
#
type=Single
continue=dontcont
ptype=RegExp
pattern=(212\.147\.14[12]\.)
desc=Possible PHEL Trojan (1)
action=create phel_$1; add phel_$1 Local Time = %t; add phel_$1 $0; report phel_$1 /bin/mail -s "%s" email01@domain.com; delete phel_$1

# ------------------------------------------------------------------
# Watch for firewall failovers
# ------------------------------------------------------------------

# Firewall failures/failovers
# Works for PIX 7.x

# Failure of secondary (standby) firewall while primary is active
# Works for PIX 7.x
# 
# $1 is the IP address of the primary firewall
#
type=Single
continue=takenext
ptype=RegExp
pattern=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*PIX-1-102001.*\(Primary\).*$
desc=Secondary firewall for $1 - failure/reload
action=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01@domain.com; delete ffo_$1

# Failure of secondary (standby) firewall while primary is active
# Works for PIX 7.x
#
# $1 is the IP address of the primary firewall
#
type=Single
continue=takenext
ptype=RegExp
pattern=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*PIX-1-102001.*\(Secondary\).*$
desc=Primary firewall for $1 - failure/reload
action=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01@domain.com; delete ffo_$1

# Failure of secondary (active), primary assumes active
# Works for PIX 7.x
#
# The first "desc" and "action" don't really do anything here.  But SEC requires them to be present.
# $1 is the IP address of the primary firewall
#
type=Pair
continue=dontcont
ptype=RegExp
pattern=PIX-1-102001:\s+\(Primary\).*$
desc=$0
action=logonly
ptype2=RegExp
pattern2=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*Primary\).*Peer state Standby Ready
desc2=Secondary (was active) firewall ($1) has failed.  Primary is now active.
action2=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01@domain.com; delete ffo_$1
window=5

# Failure of primary (active), secondary assumes active
# Works for PIX 7.x
#
# The first "desc" and "action" don't really do anything here.  But SEC requires them to be present.
# $1 is the IP address of the primary firewall
#
type=Pair
continue=dontcont
ptype=RegExp
pattern=PIX-1-102001:\s+\(Secondary\).*$
desc=$0
action=logonly
ptype2=RegExp
pattern2=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*Secondary\).*Peer state Standby Ready
desc2=Primary firewall ($1) has failed.  Secondary is now active.
action2=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01@domain.com; delete ffo_$1
window=5

# ------------------------------------------------------------------
# Watch for firewall reloads
# ------------------------------------------------------------------

# Manual reload of PIX
# Works for PIX 6.x
#
# $1 is the IP address of the primary firewall
#
type=Single
continue=dontcont
ptype=RegExp
pattern=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*PIX reload.*$
desc=$1 has been manually rebooted
action=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01@domain.com ; delete ffo_$1

# Manual reload of PIX
# Works for PIX 7.x
#
# $1 is the IP address of the primary firewall
#
type=Single
continue=dontcont
ptype=RegExp
pattern=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*Orderly reload.*Reload reason:\s(\S+)
desc=$1 has been manually rebooted, reason: $2
action=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01@domain.com; delete ffo_$1

# ------------------------------------------------------------------
# Watch for SSH logins/failures on firewalls
# ------------------------------------------------------------------

# Suppress emails concerning pixbkup account
# In this case, the pixbkup acct is used to backup the PIX firewalls
# Keeping email alerts to a minimum, this skips past these alerts
#
type=Suppress
continue=dontcont
ptype=RegExp
pattern=pixbkup

# Successful Admin SSH session
# Works for PIX 6.x
# 
# Monitor for successful SSH connections to the PIX firewall
# $1 & $2 make up the IP of the firewall, $3 is the user account and $4 the source IP addr
#
type=Single
continue=dontcont
ptype=RegExp
pattern=\s*.*(10|172|192)\.(\d+\.\d+\.\d+).*Authentication succeeded.*\'(\S+)\'.*to\s(\d+\.\d+\.\d+\.\d+)\/0.*SSH
desc=Admin Auth to $1.$2 -> $3 from $4
action=create ssh_$1; add ssh_$1 Local Time = %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01@domain.com; delete ssh_$1

# Successful Admin SSH session
# Works for PIX 7.x
# 
# Monitor for successful SSH connections to the PIX firewall
# $1 & $2 make up the IP of the firewall, $3 is the user account and $4 the source IP addr
#
type=Single
continue=dontcont
ptype=RegExp
pattern=\s*.*(10|172|192)\.(\d+\.\d+\.\d+).*Authentication succeeded.*\'(\S+)\'\sfrom\s(\d+\.\d+\.\d+\.\d+)\/0.*/22.*$
desc=Admin Auth to $1.$2 -> $3 from $4
action=create ssh_$1; add ssh_$1 Local Time = %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01@domain.com; delete ssh_$1

# Failed Admin SSH session
# Works for PIX 6.x
#
# Monitor for failed SSH attempts to the PIX firewalls
# $1 is the user acct
#
type=Single
continue=takenext
ptype=RegExp
pattern=Authentication failed.*\'(\S+)\'.*SSH
desc=Admin Auth FAILED -> $1
action=create ssh_$1; add ssh_$1 %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01@domain.com; delete ssh_$1

# Failed Admin SSH session
# Works for PIX 7.x
#
# Monitor for failed SSH attempts to the PIX firewalls
# $1 is the user acct
#
type=Single
continue=takenext
ptype=RegExp
pattern=Authentication failed.*\'(\S+)\'.*/22.*$
desc=Admin Auth FAILED -> $1
action=create ssh_$1; add ssh_$1 %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01@domain.com; delete ssh_$1

# Normal SSH termination
# Works for both PIX 6.x and 7.x
#
# $1 is the IP of the firewall and $2 is the user acct
#
type=Single
ptype=RegExp
pattern=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*\"(\S+)\".*terminated normally
desc=ADMIN END $1 -> $2
action=create ssh_$1; add ssh_$1 %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01@domain.com; delete ssh_$1

# SSH session timeout or abnormal termination
# Works for PIX 6.x
# May work for PIX 7.x - not tested but PIX-6-315011 is the same for 6 and 7.
#
# $1 is the IP of the firewall
#
type=Single
ptype=RegExp
pattern=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*disconnected by SSH server
desc=Firewall session END - timeout $1
action=create ssh_$1; add ssh_$1 %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01@domain.com; delete ssh_$1

# ------------------------------------------------------------------
# Watch for firewall commands
# ------------------------------------------------------------------

# Admin executed "write mem"
# Works for both PIX 6.x and 7.x
#
# $1 is the IP of the firewall
type=Single
ptype=RegExp
pattern=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*write\sm.*
desc=User wrote config to memory -> $1
action=create fwcmd_$1; add fwcmd_$1 %t; add fwcmd_$1 $0; report fwcmd_$1 /bin/mail -s "%s" email01@domain.com; delete fwcmd_$1

# Watch for HIGH CPU Utilization
# Works for PIX 6.x
#
type=Single
ptype=RegExp
pattern=PIX-.-211003
desc=HIGH CPU Utilization
action=create fwcmd_$1; add fwcmd_$1 %t; add fwcmd_$1 $0; report fwcmd_$1 /bin/mail -s "%s" email01@domain.com; delete fwcmd_$1

Perl :: Catalyst :: PostgreSQL :: RPM Valid HTML 4.01 Transitional