####################################################################
# SEC ruleset for Cisco PIX 6.x, 7.x
#
# Copyright (C) 2003-2009 Chris Sawall
# This is free software. You may redistribute copies of it under the terms of
# the GNU General Public License version 2.
# There is NO WARRANTY, to the extent permitted by law.
####################################################################
# Process various events from PIX syslog output
#
# Submitted by Chris Sawall
# email: sawall -[at]- gmail -[dot]- com
# Last Updated: 5/20/05
# ------------------------------------------------------------------
# Watch for weird failures - possible trojan/worm
# ------------------------------------------------------------------
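# Watch for 10 denies within 10 seconds. Especially useful to monitor
# for certain trojans and mass mailers
#
# $1 is the protocol word after "Deny", $2 and $3 are the address fields
# captured after "src ...:" and the next "...:" (greedy captures, so they
# hold whatever the log line puts there), $4 is the destination port and
# only ports 20-29 match (e.g. 25 for mass mailers).
# SingleWithThreshold counts per distinct desc, i.e. per proto/port/src/dst
# tuple, and fires once thresh events arrive inside window seconds.
#
# Only $1 (\w+) and $4 (digits) are used in the mail subject: "report" hands
# the command line to a shell, and $2/$3 are unbounded text taken from the
# log line. The full events are still delivered in the mail body through the
# context store (add ... $0).
#
type=SingleWithThreshold
ptype=RegExp
pattern=\s*.*Deny\s+(\w+)\s+src.*:(.*)/.*:(.*)/(\b2\d\b).*$
desc=Unusual Failures:$1 $4/$2 -> $3
action=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "Unusual Failures: $1 to port $4" email01@example.com; delete ffo_$1
window=10
thresh=10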
# Monitor for occurrences of a certain variant of the PHEL trojan destined
# for two different class C networks
#
# Matches any line containing 212.147.141. or 212.147.142.; $1 is that
# prefix (trailing dot included) and doubles as the context name suffix.
# continue=dontcont: a matching line is not offered to later rules.
# The mail subject (%s) is the fixed desc below, so nothing from the log
# line reaches the shell command line; the line itself goes in the body.
#
type=Single
continue=dontcont
ptype=RegExp
pattern=(212\.147\.14[12]\.)
desc=Possible PHEL Trojan (1)
action=create phel_$1; add phel_$1 Local Time = %t; add phel_$1 $0; report phel_$1 /bin/mail -s "%s" email01@example.com; delete phel_$1
# ------------------------------------------------------------------
# Watch for firewall failovers
# ------------------------------------------------------------------
# Firewall failures/failovers
# Works for PIX 7.x
# Failure of secondary (standby) firewall while primary is active
# Works for PIX 7.x
#
# Matches the "(Primary)" form of PIX-1-102001 and reports it as a
# failure/reload of the secondary.
# $1 is the dotted-quad following the first token of the line, i.e. the
# syslog prefix of the unit that logged the message - presumably the
# primary firewall, as the original note states (confirm against a real line).
# continue=takenext: the same event is also offered to the Pair rules below,
# which use this message as their first half.
# Subject (%s) only carries $1, an IP, so it is safe on the shell command line.
#
type=Single
continue=takenext
ptype=RegExp
pattern=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*PIX-1-102001.*\(Primary\).*$
desc=Secondary firewall for $1 - failure/reload
action=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01@example.com; delete ffo_$1
# Failure of primary firewall while secondary is active
# Works for PIX 7.x
#
# Mirror of the rule above for the "(Secondary)" form of PIX-1-102001,
# reported as a failure/reload of the primary.
# $1 is the dotted-quad following the first token of the line, i.e. the
# syslog prefix of the unit that logged the message - presumably the
# surviving secondary here, not the primary (confirm against a real line).
# continue=takenext: the event is also offered to the Pair rules below.
# Subject (%s) only carries $1, an IP, so it is safe on the shell command line.
#
type=Single
continue=takenext
ptype=RegExp
pattern=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*PIX-1-102001.*\(Secondary\).*$
desc=Primary firewall for $1 - failure/reload
action=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01@example.com; delete ffo_$1
# Failure of secondary (active), primary assumes active
# Works for PIX 7.x
#
# The first "desc" and "action" don't really do anything here. But SEC requires them to be present.
# Pair rule: the "(Primary)" form of PIX-1-102001 arms the rule (action=logonly),
# and if a "Primary) ... Peer state Standby Ready" line follows within
# window=5 seconds, action2 sends the mail.
# $1 in desc2/action2 is the dotted-quad from pattern2's syslog prefix, i.e.
# the unit that logged the second line - presumably the primary firewall
# (confirm against a real line).
# continue=dontcont: the first event is not offered to later rules.
# Subject (%s) only carries $1, an IP, so it is safe on the shell command line.
#
type=Pair
continue=dontcont
ptype=RegExp
pattern=PIX-1-102001:\s+\(Primary\).*$
desc=$0
action=logonly
ptype2=RegExp
pattern2=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*Primary\).*Peer state Standby Ready
desc2=Secondary (was active) firewall ($1) has failed. Primary is now active.
action2=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01@example.com; delete ffo_$1
window=5
# Failure of primary (active), secondary assumes active
# Works for PIX 7.x
#
# The first "desc" and "action" don't really do anything here. But SEC requires them to be present.
# Pair rule: the "(Secondary)" form of PIX-1-102001 arms the rule
# (action=logonly), and if a "Secondary) ... Peer state Standby Ready" line
# follows within window=5 seconds, action2 sends the mail.
# $1 in desc2/action2 is the dotted-quad from pattern2's syslog prefix, i.e.
# the unit that logged the second line - presumably the secondary firewall
# here (confirm against a real line).
# continue=dontcont: the first event is not offered to later rules.
# Subject (%s) only carries $1, an IP, so it is safe on the shell command line.
#
type=Pair
continue=dontcont
ptype=RegExp
pattern=PIX-1-102001:\s+\(Secondary\).*$
desc=$0
action=logonly
ptype2=RegExp
pattern2=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*Secondary\).*Peer state Standby Ready
desc2=Primary firewall ($1) has failed. Secondary is now active.
action2=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01@example.com; delete ffo_$1
window=5
# ------------------------------------------------------------------
# Watch for firewall reloads
# ------------------------------------------------------------------
# Manual reload of PIX
# Works for PIX 6.x
#
# Matches any line containing "PIX reload".
# $1 is the dotted-quad following the first token of the line, i.e. the
# syslog prefix of the unit that logged the reload - the original note calls
# it the primary, but it is whichever unit emitted the line.
# continue=dontcont: a matching line is not offered to later rules.
# Subject (%s) only carries $1, an IP, so it is safe on the shell command line.
#
type=Single
continue=dontcont
ptype=RegExp
pattern=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*PIX reload.*$
desc=$1 has been manually rebooted
action=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01@example.com ; delete ffo_$1
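# Manual reload of PIX
# Works for PIX 7.x
#
# Matches "Orderly reload ... Reload reason: <word>".
# $1 is the dotted-quad following the first token of the line, i.e. the
# syslog prefix of the unit that logged the reload (whichever unit emitted
# the line, not necessarily the primary).
# $2 is the first word of the reload reason - free text from the log line,
# so it stays in desc and in the mail body (context store) but is kept off
# the mail subject, which "report" passes to a shell.
# continue=dontcont: a matching line is not offered to later rules.
#
type=Single
continue=dontcont
ptype=RegExp
pattern=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*Orderly reload.*Reload reason:\s(\S+)
desc=$1 has been manually rebooted, reason: $2
action=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "$1 has been manually rebooted" email01@example.com; delete ffo_$1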
# ------------------------------------------------------------------
# Watch for SSH logins/failures on firewalls
# ------------------------------------------------------------------
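# Suppress emails concerning pixbkup account
# In this case, the pixbkup acct is used to backup the PIX firewalls
# Keeping email alerts to a minimum, this skips past these alerts
#
# A Suppress match stops processing of the line in this file, so every
# later rule (SSH success/end, write mem, ...) is skipped for it.
# The negative lookahead keeps "Authentication failed" lines out of the
# suppression: a failed login for the backup account must still reach the
# failed-SSH rules below instead of being silently dropped. Every other
# line containing pixbkup is suppressed as before.
#
type=Suppress
continue=dontcont
ptype=RegExp
pattern=^(?!.*Authentication failed).*pixbkup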
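# Successful Admin SSH session
# Works for PIX 6.x
#
# Monitor for successful SSH connections to the PIX firewall
# $1 & $2 make up the IP of the firewall, $3 is the user account and $4 the source IP addr
# (the firewall address must start with 10., 172. or 192. to match)
#
# $3 is the login name as supplied by the remote side. "report" runs
# /bin/mail through a shell, so $3 is kept off the command line: the subject
# only uses the numeric captures, while desc and the mail body (context
# store with the full line) still carry the account name.
# Context name is ssh_$1, i.e. one of ssh_10 / ssh_172 / ssh_192; it is
# created, reported and deleted within the same action.
#
type=Single
continue=dontcont
ptype=RegExp
pattern=\s*.*(10|172|192)\.(\d+\.\d+\.\d+).*Authentication succeeded.*\'(\S+)\'.*to\s(\d+\.\d+\.\d+\.\d+)\/0.*SSH
desc=Admin Auth to $1.$2 -> $3 from $4
action=create ssh_$1; add ssh_$1 Local Time = %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "Admin Auth to $1.$2 from $4" email01@example.com; delete ssh_$1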
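# Successful Admin SSH session
# Works for PIX 7.x
#
# Monitor for successful SSH connections to the PIX firewall
# $1 & $2 make up the IP of the firewall, $3 is the user account and $4 the source IP addr
# (the firewall address must start with 10., 172. or 192. to match; the line
# must also mention /22, the SSH port)
#
# $3 is the login name as supplied by the remote side. "report" runs
# /bin/mail through a shell, so $3 is kept off the command line: the subject
# only uses the numeric captures, while desc and the mail body (context
# store with the full line) still carry the account name.
# Context name is ssh_$1, i.e. one of ssh_10 / ssh_172 / ssh_192; it is
# created, reported and deleted within the same action.
#
type=Single
continue=dontcont
ptype=RegExp
pattern=\s*.*(10|172|192)\.(\d+\.\d+\.\d+).*Authentication succeeded.*\'(\S+)\'\sfrom\s(\d+\.\d+\.\d+\.\d+)\/0.*/22.*$
desc=Admin Auth to $1.$2 -> $3 from $4
action=create ssh_$1; add ssh_$1 Local Time = %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "Admin Auth to $1.$2 from $4" email01@example.com; delete ssh_$1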
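# Failed Admin SSH session
# Works for PIX 6.x
#
# Monitor for failed SSH attempts to the PIX firewalls
# $1 is the user acct
#
# $1 is whatever name the remote side typed, so it is not placed on the
# shell command line that "report" builds for /bin/mail; desc and the mail
# body (context store with the full line) still carry it.
# This is a Single rule: one mail per failed attempt, no threshold.
# continue=takenext: the line is also offered to the rules that follow.
#
type=Single
continue=takenext
ptype=RegExp
pattern=Authentication failed.*\'(\S+)\'.*SSH
desc=Admin Auth FAILED -> $1
action=create ssh_$1; add ssh_$1 %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "Admin Auth FAILED" email01@example.com; delete ssh_$1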
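# Failed Admin SSH session
# Works for PIX 7.x
#
# Monitor for failed SSH attempts to the PIX firewalls
# $1 is the user acct (the line must also mention /22, the SSH port)
#
# $1 is whatever name the remote side typed, so it is not placed on the
# shell command line that "report" builds for /bin/mail; desc and the mail
# body (context store with the full line) still carry it.
# This is a Single rule: one mail per failed attempt, no threshold.
# continue=takenext: the line is also offered to the rules that follow.
#
type=Single
continue=takenext
ptype=RegExp
pattern=Authentication failed.*\'(\S+)\'.*/22.*$
desc=Admin Auth FAILED -> $1
action=create ssh_$1; add ssh_$1 %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "Admin Auth FAILED" email01@example.com; delete ssh_$1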
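# Normal SSH termination
# Works for both PIX 6.x and 7.x
#
# $1 is the IP of the firewall and $2 is the user acct
#
# $1 is the dotted-quad following the first token of the line (syslog
# prefix); $2 is the double-quoted name in the message, i.e. text chosen by
# the remote side, so only $1 goes in the mail subject that "report" passes
# to a shell. desc and the mail body (context store) still carry $2.
#
type=Single
ptype=RegExp
pattern=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*\"(\S+)\".*terminated normally
desc=ADMIN END $1 -> $2
action=create ssh_$1; add ssh_$1 %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "ADMIN END $1" email01@example.com; delete ssh_$1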
# SSH session timeout or abnormal termination
# Works for PIX 6.x
# May work for PIX 7.x - not tested but PIX-6-315011 is the same for 6 and 7.
#
# $1 is the IP of the firewall
#
# Matches any line containing "disconnected by SSH server"; $1 is the
# dotted-quad following the first token of the line (syslog prefix).
# Subject (%s) only carries $1, an IP, so it is safe on the shell command line.
#
type=Single
ptype=RegExp
pattern=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*disconnected by SSH server
desc=Firewall session END - timeout $1
action=create ssh_$1; add ssh_$1 %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01@example.com; delete ssh_$1
# ------------------------------------------------------------------
# Watch for firewall commands
# ------------------------------------------------------------------
# Admin executed "write mem"
# Works for both PIX 6.x and 7.x
#
# $1 is the IP of the firewall
#
# The pattern matches "write" + whitespace + "m" followed by anything, so
# "write mem" and "write memory" match, but so would any other command text
# beginning with "write m" - tighten if that turns out to be noisy.
# $1 is the dotted-quad following the first token of the line (syslog prefix).
# Subject (%s) only carries $1, an IP, so it is safe on the shell command line.
type=Single
ptype=RegExp
pattern=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*write\sm.*
desc=User wrote config to memory -> $1
action=create fwcmd_$1; add fwcmd_$1 %t; add fwcmd_$1 $0; report fwcmd_$1 /bin/mail -s "%s" email01@example.com; delete fwcmd_$1
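# Watch for HIGH CPU Utilization
# Works for PIX 6.x
#
# Matches message id 211003 at any severity (PIX-<sev>-211003).
# $1 is the dotted-quad following the first token of the line, the same
# syslog prefix the other rules in this file rely on, so the context name
# and the subject identify which firewall reported the condition instead of
# referencing a $1 that the message-id-only pattern never set.
# Subject (%s) only carries $1, an IP, so it is safe on the shell command line.
#
type=Single
ptype=RegExp
pattern=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*PIX-.-211003
desc=HIGH CPU Utilization -> $1
action=create fwcmd_$1; add fwcmd_$1 %t; add fwcmd_$1 $0; report fwcmd_$1 /bin/mail -s "%s" email01@example.com; delete fwcmd_$1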