Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
tree: 661b68b129
Fetching contributors…

Cannot retrieve contributors at this time

247 lines (221 sloc) 8.463 kB
####################################################################
# SEC ruleset for Cisco PIX 6.x, 7.x
#
# Copyright (C) 2003-2009 Chris Sawall
# This is free software. You may redistribute copies of it under the terms of
# the GNU General Public License version 2.
# There is NO WARRANTY, to the extent permitted by law.
####################################################################
# Process various events from PIX syslog output
#
# Submitted by Chris Sawall
# email: sawall -[at]- gmail -[dot]- com
# Last Updated: 5/20/05
# ------------------------------------------------------------------
# Watch for weird failures - possible trojan/worm
# ------------------------------------------------------------------
# Watch for 10 denies within 10 seconds. Especially useful to monitor
# for certain trojans and mass mailers
#
type=SingleWithThreshold
ptype=RegExp
pattern=\s*.*Deny\s+(\w+)\s+src.*:(.*)/.*:(.*)/(\b2\d\b).*$
desc=Unusual Failures:$1 $4/$2 -> $3
action=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01@example.com; delete ffo_$1
window=10
thresh=10
# Monitor for occurrances of certain variant of PHEL trojan destined
# for two different class C networks
#
type=Single
continue=dontcont
ptype=RegExp
pattern=(212\.147\.14[12]\.)
desc=Possible PHEL Trojan (1)
action=create phel_$1; add phel_$1 Local Time = %t; add phel_$1 $0; report phel_$1 /bin/mail -s "%s" email01@example.com; delete phel_$1
# ------------------------------------------------------------------
# Watch for firewall failovers
# ------------------------------------------------------------------
# Firewall failures/failovers
# Works for PIX 7.x
# Failure of secondary (standby) firewall while primary is active
# Works for PIX 7.x
#
# $1 is the IP address of the primary firewall
#
type=Single
continue=takenext
ptype=RegExp
pattern=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*PIX-1-102001.*\(Primary\).*$
desc=Secondary firewall for $1 - failure/reload
action=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01@example.com; delete ffo_$1
# Failure of secondary (standby) firewall while primary is active
# Works for PIX 7.x
#
# $1 is the IP address of the primary firewall
#
type=Single
continue=takenext
ptype=RegExp
pattern=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*PIX-1-102001.*\(Secondary\).*$
desc=Primary firewall for $1 - failure/reload
action=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01@example.com; delete ffo_$1
# Failure of secondary (active), primary assumes active
# Works for PIX 7.x
#
# The first "desc" and "action" don't really do anything here. But SEC requires them to be present.
# $1 is the IP address of the primary firewall
#
type=Pair
continue=dontcont
ptype=RegExp
pattern=PIX-1-102001:\s+\(Primary\).*$
desc=$0
action=logonly
ptype2=RegExp
pattern2=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*Primary\).*Peer state Standby Ready
desc2=Secondary (was active) firewall ($1) has failed. Primary is now active.
action2=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01@example.com; delete ffo_$1
window=5
# Failure of primary (active), secondary assumes active
# Works for PIX 7.x
#
# The first "desc" and "action" don't really do anything here. But SEC requires them to be present.
# $1 is the IP address of the primary firewall
#
type=Pair
continue=dontcont
ptype=RegExp
pattern=PIX-1-102001:\s+\(Secondary\).*$
desc=$0
action=logonly
ptype2=RegExp
pattern2=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*Secondary\).*Peer state Standby Ready
desc2=Primary firewall ($1) has failed. Secondary is now active.
action2=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01@example.com; delete ffo_$1
window=5
# ------------------------------------------------------------------
# Watch for firewall reloads
# ------------------------------------------------------------------
# Manual reload of PIX
# Works for PIX 6.x
#
# $1 is the IP address of the primary firewall
#
type=Single
continue=dontcont
ptype=RegExp
pattern=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*PIX reload.*$
desc=$1 has been manually rebooted
action=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01@example.com ; delete ffo_$1
# Manual reload of PIX
# Works for PIX 7.x
#
# $1 is the IP address of the primary firewall
#
type=Single
continue=dontcont
ptype=RegExp
pattern=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*Orderly reload.*Reload reason:\s(\S+)
desc=$1 has been manually rebooted, reason: $2
action=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01@example.com; delete ffo_$1
# ------------------------------------------------------------------
# Watch for SSH logins/failures on firewalls
# ------------------------------------------------------------------
# Suppress emails concerning pixbkup account
# In this case, the pixbkup acct is used to backup the PIX firewalls
# Keeping email alerts to a minimum, this skips past these alerts
#
type=Suppress
continue=dontcont
ptype=RegExp
pattern=pixbkup
# Successful Admin SSH session
# Works for PIX 6.x
#
# Monitor for successful SSH connections to the PIX firewall
# $1 & $2 make up the IP of the firewall, $3 is the user account and $4 the source IP addr
#
type=Single
continue=dontcont
ptype=RegExp
pattern=\s*.*(10|172|192)\.(\d+\.\d+\.\d+).*Authentication succeeded.*\'(\S+)\'.*to\s(\d+\.\d+\.\d+\.\d+)\/0.*SSH
desc=Admin Auth to $1.$2 -> $3 from $4
action=create ssh_$1; add ssh_$1 Local Time = %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01@example.com; delete ssh_$1
# Successful Admin SSH session
# Works for PIX 7.x
#
# Monitor for successful SSH connections to the PIX firewall
# $1 & $2 make up the IP of the firewall, $3 is the user account and $4 the source IP addr
#
type=Single
continue=dontcont
ptype=RegExp
pattern=\s*.*(10|172|192)\.(\d+\.\d+\.\d+).*Authentication succeeded.*\'(\S+)\'\sfrom\s(\d+\.\d+\.\d+\.\d+)\/0.*/22.*$
desc=Admin Auth to $1.$2 -> $3 from $4
action=create ssh_$1; add ssh_$1 Local Time = %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01@example.com; delete ssh_$1
# Failed Admin SSH session
# Works for PIX 6.x
#
# Monitor for failed SSH attempts to the PIX firewalls
# $1 is the user acct
#
type=Single
continue=takenext
ptype=RegExp
pattern=Authentication failed.*\'(\S+)\'.*SSH
desc=Admin Auth FAILED -> $1
action=create ssh_$1; add ssh_$1 %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01@example.com; delete ssh_$1
# Failed Admin SSH session
# Works for PIX 7.x
#
# Monitor for failed SSH attempts to the PIX firewalls
# $1 is the user acct
#
type=Single
continue=takenext
ptype=RegExp
pattern=Authentication failed.*\'(\S+)\'.*/22.*$
desc=Admin Auth FAILED -> $1
action=create ssh_$1; add ssh_$1 %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01@example.com; delete ssh_$1
# Normal SSH termination
# Works for both PIX 6.x and 7.x
#
# $1 is the IP of the firewall and $2 is the user acct
#
type=Single
ptype=RegExp
pattern=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*\"(\S+)\".*terminated normally
desc=ADMIN END $1 -> $2
action=create ssh_$1; add ssh_$1 %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01@example.com; delete ssh_$1
# SSH session timeout or abnormal termination
# Works for PIX 6.x
# May work for PIX 7.x - not tested but PIX-6-315011 is the same for 6 and 7.
#
# $1 is the IP of the firewall
#
type=Single
ptype=RegExp
pattern=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*disconnected by SSH server
desc=Firewall session END - timeout $1
action=create ssh_$1; add ssh_$1 %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01@example.com; delete ssh_$1
# ------------------------------------------------------------------
# Watch for firewall commands
# ------------------------------------------------------------------
# Admin executed "write mem"
# Works for both PIX 6.x and 7.x
#
# $1 is the IP of the firewall
type=Single
ptype=RegExp
pattern=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*write\sm.*
desc=User wrote config to memory -> $1
action=create fwcmd_$1; add fwcmd_$1 %t; add fwcmd_$1 $0; report fwcmd_$1 /bin/mail -s "%s" email01@example.com; delete fwcmd_$1
# Watch for HIGH CPU Utilization
# Works for PIX 6.x
#
type=Single
ptype=RegExp
pattern=PIX-.-211003
desc=HIGH CPU Utilization
action=create fwcmd_$1; add fwcmd_$1 %t; add fwcmd_$1 $0; report fwcmd_$1 /bin/mail -s "%s" email01@example.com; delete fwcmd_$1
Jump to Line
Something went wrong with that request. Please try again.