add sec to build list

commit d5ac9b3277b2dbd747c388cb478ed45e3ffb271b 1 parent 7a10dae
@ezuce-admin ezuce-admin authored
5 mak/modules.mk.in
@@ -48,11 +48,14 @@ lib_common = \
ruby-postgres \
cfengine
-$(foreach V,11 12 13 14 15 16 17 18 19 20,$(eval lib_fedora_$(V) = $(lib_common)))
+$(foreach V,11 12 13 14 15 16,$(eval lib_fedora_$(V) = $(lib_common) sec))
+
+$(foreach V,17 18 19 20,$(eval lib_fedora_$(V) = $(lib_common)))
lib_centos_6 = \
epel-release \
$(lib_common) \
+ sec \
nsis \
nsis-data
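Review bot: The split of the Fedora loop into 11–16 (which gets `sec`) and 17–20 (which does not) on lines 24–26 carries no comment saying why sec is left out on newer Fedora, so a reader cannot tell whether the omission is deliberate or a list that will need updating. Suggest a one-line comment above the second loop, e.g. `# sec is built only for fedora 11-16 and centos 6: <reason>`. The `lib_common` definition this hunk belongs to starts above the hunk.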
38 sec/.sipxecs.mk
@@ -0,0 +1,38 @@
+sec_VER = 2.6.2
+sec_SRPM = sec-$(sec_VER)-1$(RPM_DIST).src.rpm
+sec_RPM_DEFS = --define='_unitdir /lib/systemd/system'
+sec_SPEC = $(SRC)/$(PROJ)/sec.spec
+sec_FILES = \
+ amavisd.sec \
+ bsd-general.sec \
+ bsd-MONITOR.sec \
+ bsd-mpd.sec \
+ bsd-PHYSMOD.sec \
+ bsd-USERACT.sec \
+ cisco-syslog.sec \
+ conf.README \
+ cvs.sec \
+ dameware.sec \
+ hp-openview.sec \
+ labrea.sec \
+ pix-general.sec \
+ pix-security.sec \
+ pix-url.sec \
+ portscan.sec \
+ sec.logrotate\
+ sec.service\
+ sec.spec\
+ sec.spec.bak\
+ snortsam.sec\
+ snort.sec\
+ ssh-brute.sec\
+ ssh.sec\
+ vtund.sec\
+ windows.sec
+
+sec_SOURCES = \
+ $(addprefix $(SRC)/$(PROJ)/,$(sec_FILES)) \
+ sec-$(sec_VER).tar.gz
+
+# targets not defined, nothing to do
+sec.autoreconf sec.configure sec.dist:;
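Review bot: `sec_FILES` on line 60 lists `sec.spec.bak`, a backup copy of the spec that will be packaged into the SRPM alongside `sec.spec`; unless it is intentionally part of the package it should be removed from the list (and from the tree), as a stale copy next to the live spec invites the wrong one being edited. The continuation lines from `sec.logrotate\` onward also drop the space before the backslash that the earlier entries have — make collapses backslash-newline to a space either way, but the list is easier to scan when aligned. The `_unitdir` define on line 38 is hard-coded to `/lib/systemd/system` while the same commit enables sec for CentOS 6 in modules.mk.in; if that dist has no systemd, confirm the spec guards the `sec.service` install on `%{rhel}`/`%{fedora}` rather than relying on the define.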
24 sec/amavisd.sec
@@ -0,0 +1,24 @@
+#############################################################################
+# Amavisd events
+#
+# Copyright (C) 2003-2009 Matt Jonkman
+# This is free software. You may redistribute copies of it under the terms of
+# the GNU General Public License version 2.
+# There is NO WARRANTY, to the extent permitted by law.
+#############################################################################
+
+#Sep 4 15:43:02 xxxxx clamd[581]: /var/amavisd/amavis-20050904T153955-46858/parts/part-00001: HTML.Phishing.Bank-1 FOUND
+type=Single
+ptype=RegExp
+pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+clamd\[\d+\]: .*amavis-200\d+.*: (.*) FOUND
+desc=$0
+action=add GENERAL_REPORT CLAMD: $2 on $1
+
+#Sep 4 00:02:46 xxxxx amavis[57825]: (57825-12) TROUBLE in check_mail: creating_partsdir FAILED: DBD::mysql::st execute failed: L
+ost connection to MySQL server during query at (eval 53) line 238, <GEN7> line 1789.
+type=Single
+ptype=RegExp
+pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+amavis\[\d+\]: .* TROUBLE .*
+desc=$0
+action=add GENERAL_REPORT AMAVISD: $1: %s
+
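Review bot: The clamd pattern on line 89 matches the temp directory with `amavis-200\d+`, which only covers timestamps from 2000–2009 (the sample on line 86 shows `amavis-20050904T...`); from 2010 on the directory is `amavis-2010...` and the rule stops firing silently. Change it to `amavis-20\d+`. Both patterns here, like those in bsd-MONITOR.sec, bsd-PHYSMOD.sec, bsd-USERACT.sec and the first half of bsd-general.sec, are unanchored, so the `\S+\s+\d+\s+\S+\s+(\S+)` prefix can also match inside a message body and capture the wrong field as the host; prefix them with `^` as the later bsd-general.sec rules already do.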
59 sec/bsd-MONITOR.sec
@@ -0,0 +1,59 @@
+#
+# SEC rules to pick up disruptive monitoring
+# events.
+#
+# from http://sixshooter.v6.thrupoint.net/SEC-examples/article.html
+#
+# Copyright (C) 2003-2009 Jim Brown
+# This is free software. You may redistribute copies of it under the terms of
+# the GNU General Public License version 2.
+# There is NO WARRANTY, to the extent permitted by law.
+#
+#Logs involving syslogd disabled or unusual promiscuous mode (MONITOR)
+#----------------------------------------------------------------------
+#Nov 15 20:02:48 foohost syslogd: exiting on signal 15
+#Nov 22 02:00:02 foohost syslogd: restart
+#Nov 11 15:58:55 foohost /kernel: de0: promiscuous mode enabled
+#Nov 11 15:58:57 foohost /kernel: de0: promiscuous mode disabled
+#
+
+#
+# Syslog Exit
+# -----------
+#
+type=Single
+ptype=RegExp
+pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+syslogd: exiting on signal (\d+)
+desc=$0
+action=write - MONITOR: $1 syslog exit on signal $2 at %t
+
+#
+# Syslog Restart
+# ---------------
+#
+type=Single
+ptype=RegExp
+pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+syslogd: restart
+desc=$0
+action=write - MONITOR: $1 syslog restart at %t
+
+#
+# Syslog Exit
+# -----------
+#
+type=Single
+ptype=RegExp
+pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+/kernel: (\S+) promiscuous mode (\S+)
+desc=$0
+action=write - MONITOR: $1 $2 promiscuous mode $3 at %t
+
+#
+# Swapspace failure
+#
+
+type=Single
+ptype=RegExp
+pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+kernel: swap_pager_getswapspace\(\S\): .*
+desc=$0
+action=pipe '$1 GET SWAP FAILURE: %s' /usr/bin/mail -s "SWAP SPACE FAIL on $1" alerts@example.com
+
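Review bot: In the swap-failure rule on line 161 the host captured by `(\S+)` is substituted into the double-quoted `-s "SWAP SPACE FAIL on $1"` argument of a `pipe` action, and SEC hands that command line to the shell; `\S+` admits shell metacharacters, so a syslog line with an unexpected host field can change what the shell runs rather than just the subject. Narrow the capture to hostname characters, e.g. `([\w.-]+)`, and keep free-form log text in the piped body, which reaches the command on stdin rather than on its command line. The same applies to every `pipe ... /usr/bin/mail -s "... $N ..."` action in bsd-general.sec and cvs.sec. Separately, the header on line 144 says `# Syslog Exit` above the promiscuous-mode rule — a copy of line 124; rename it `# Promiscuous mode change`.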
50 sec/bsd-PHYSMOD.sec
@@ -0,0 +1,50 @@
+#
+# PHYSMOD.conf - Events concerning physical modifications
+# to the system.
+#
+# from http://sixshooter.v6.thrupoint.net/SEC-examples/article.html
+#
+# Copyright (C) 2003-2009 Jim Brown
+# This is free software. You may redistribute copies of it under the terms of
+# the GNU General Public License version 2.
+# There is NO WARRANTY, to the extent permitted by law.
+#
+#Logs involving physical modifications (PHYSMOD)
+#------------------------------------------------
+#Nov 14 21:11:19 foohost /kernel: pccard: card inserted, slot 0
+#Nov 14 22:28:09 foohost /kernel: pccard: card removed, slot 0
+#Nov 12 19:46:31 foohost /kernel: de0: link down: cable problem?
+#Nov 12 19:46:42 foohost /kernel: de0: autosense failed: cable problem?
+#Oct 18 06:26:37 foohost pccardd[49]: ep0: 3Com Corporation (/3C589/) inserted.
+#Oct 18 06:26:42 foohost pccardd[49]: pccardd started
+#
+
+#
+# PCMCIA Card Insertion, Removal
+# --------------------------------
+#
+type=Single
+ptype=RegExp
+pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+/kernel: pccard: card (\S+), slot (\d+)
+desc=$0
+action=write - PHYSMOD: $1 pccard: card $2 in slot $3 at %t
+
+#
+# PCMCIA Card Daemon
+# --------------------------------
+#
+type=Single
+ptype=RegExp
+pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+pccardd\[\d+\]: (.*)
+desc=$0
+action=write - PHYSMOD: $1 pccardd: $2 at %t
+
+#
+# Cabling Problem
+# ----------------
+#
+type=Single
+ptype=RegExp
+pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+/kernel: (\S+)\s+(.*?:) cable problem
+desc=$0
+action=write - PHYSMOD: $1 cable problem on $2, text: $3 at %t
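Review bot: The header comment on line 167 still calls the file `PHYSMOD.conf` while the commit adds it as `sec/bsd-PHYSMOD.sec`; suggest `# bsd-PHYSMOD.sec - Events concerning physical modifications` so the name matches the one conf.README tells users to look for. The "Cabling Problem" rule on lines 211–215 is also present in bsd-general.sec (line 437, with an `event` action instead of `write`), and conf.README states that every `.sec` file in this directory is loaded, so a cable-problem line would be handled twice; keep one copy or add a comment explaining why both are wanted.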
81 sec/bsd-USERACT.sec
@@ -0,0 +1,81 @@
+#
+# Events concerning user activities.
+#
+# From http://sixshooter.v6.thrupoint.net/SEC-examples/article.html
+#
+# Copyright (C) 2003-2009 Jim Brown
+# This is free software. You may redistribute copies of it under the terms of
+# the GNU General Public License version 2.
+# There is NO WARRANTY, to the extent permitted by law.
+#
+#Logs involving logins, change of UID and privilege escalations (USERACT)
+#-------------------------------------------------------------------------
+#Nov 14 12:14:58 foohost sshd[3388]: fatal: Timeout before authentication for 192.168.1.1
+#Nov 14 19:58:34 foohost sshd[6597]: Bad protocol version identification '^B^S^D^Q^L' from 192.168.1.100
+#Oct 18 06:16:53 foohost sshd[131]: Accepted keyboard-interactive/pam for jpb from 192.168.1.1 port 1077 ssh2
+#Nov 14 12:55:29 foohost sshd[3425]: Accepted keyboard-interactive/pam for jpb from fe80::2c0:4fff:fe18:13fd%ep0 port 27492 ssh2
+#Nov 15 04:02:24 foohost login: 1 LOGIN FAILURE ON ttyp2
+#Nov 15 04:02:24 foohost login: 1 LOGIN FAILURE ON ttyp2, mysql
+#Oct 18 03:20:46 foohost login: 2 LOGIN FAILURES ON ttyv0
+#Oct 18 02:52:04 foohost login: ROOT LOGIN (root) ON ttyv1
+#Oct 18 06:11:11 foohost login: login on ttyv0 as root
+#Nov 10 19:40:03 foohost su: jpb to root on /dev/ttyp0
+#Nov 18 09:37:38 foohost su: BAD SU jpb to root on /dev/ttyp3
+#Nov 22 12:26:44 foohost su: BAD SU badboy to root on /dev/ttyp0
+#
+
+#
+# sshd Problems
+# --------------
+#
+type=Single
+ptype=RegExp
+pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+sshd\[\d+\]: (fatal|Bad)(.*)
+desc=$0
+action=write - USERACT: $1 sshd $2 problem, text: $3 at %t
+
+#
+# sshd Accepted
+# --------------
+#
+type=Single
+ptype=RegExp
+pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+sshd\[\d+\]: Accepted (.*)
+desc=$0
+action=write - USERACT: $1 sshd accepted login, text: $2 at %t
+
+#
+# login FAILURES
+# ---------------
+#
+type=Single
+ptype=RegExp
+pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+login: (.*?FAILURE.)(.*?ON) (.*)
+desc=$0
+action=write - USERACT: $1 login $2 on $4 at %t
+
+#
+# su bad
+# -----------------
+#
+type=Single
+ptype=RegExp
+pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+su: (BAD SU) (\S+) to (\S+) on (\S+)
+desc=$0
+action=write - USERACT: $1 su: $2 $3 to $4 on $5 at %t
+
+#Nov 10 19:40:03 foohost su: jpb to root on /dev/ttyp0
+#Nov 18 09:37:38 foohost su: BAD SU jpb to root on /dev/ttyp3
+#Nov 22 12:26:44 foohost su: BAD SU badboy to root on /dev/ttyp0
+#
+#
+# su good to root
+# -----------------
+#
+type=Single
+ptype=RegExp
+pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+su: (\S+) to root on (\S+)
+desc=$0
+action=write - USERACT: $1 su: $2 to ROOT on $4 at %t
+
+
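Review bot: The "su good to root" action on line 297 references `$4`, but its pattern on line 295 has only three capture groups (host, user, tty), so the tty is printed empty; it should read `action=write - USERACT: $1 su: $2 to ROOT on $3 at %t`. The login-failure action on line 273 skips `$3` (the `ON` text) on purpose, which is fine, but a short comment such as `# $3 is the "... ON" filler, intentionally not reported` would stop the next reader from "fixing" it.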
307 sec/bsd-general.sec
@@ -0,0 +1,307 @@
+# General log events, unix systems. From various sources
+#
+# Copyright (C) 2003-2009 Jim Brown
+# This is free software. You may redistribute copies of it under the terms of
+# the GNU General Public License version 2.
+# There is NO WARRANTY, to the extent permitted by law.
+#
+# Bad su
+# -----------
+#
+type=Single
+ptype=RegExp
+desc=$0
+pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+su: BAD SU (\S+) to (\S+) on (\S+)
+action=pipe '$2 failed SU to $3 on $1 at %t' /usr/bin/mail -s "USER: $2 Failed SU on $1" alerts@example.com
+
+type=Single
+ptype=RegExp
+desc=$0
+pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+su: BAD SU (\S+) to (\S+) on (\S+)
+action=pipe '$2 failed SU to $3 on $1 at %t' /usr/bin/mail -s "USER: $2 Failed SU on $1" alerts@example.com
+
+
+# MONITOR.conf - SEC rules to pick up disruptive monitoring
+# events.
+#
+#Logs involving syslogd disabled or unusual promiscuous mode (MONITOR)
+#----------------------------------------------------------------------
+#Nov 15 20:02:48 foohost syslogd: exiting on signal 15
+#Nov 22 02:00:02 foohost syslogd: restart
+#Nov 11 15:58:55 foohost /kernel: de0: promiscuous mode enabled
+#Nov 11 15:58:57 foohost /kernel: de0: promiscuous mode disabled
+#
+
+#
+# Syslog Exit
+# -----------
+#
+type=Single
+ptype=RegExp
+pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+syslogd: exiting on signal (\d+)
+desc=$0
+action=write - MONITOR: $1 syslog exit on signal $2 at %t
+
+#
+# Syslog Restart
+# ---------------
+#
+type=Single
+ptype=RegExp
+pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+syslogd: restart
+desc=$0
+action=write - MONITOR: $1 syslog restart at %t
+
+#
+# Syslog Exit
+# -----------
+#
+type=Single
+ptype=RegExp
+pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+/kernel: (\S+) promiscuous mode (\S+)
+desc=$0
+action=write - MONITOR: $1 $2 promiscuous mode $3 at %t
+
+
+#
+# sshd Problems
+# --------------
+#
+type=Single
+ptype=RegExp
+pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+sshd\[\d+\]: (fatal|Bad)(.*)
+desc=$0
+action=write - USERACT: $1 sshd $2 problem, text: $3 at %t
+
+#
+# sshd Accepted
+# --------------
+#
+type=Single
+ptype=RegExp
+pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+sshd\[\d+\]: Accepted (.*)
+desc=$0
+action=write - USERACT: $1 sshd accepted login, text: $2 at %t
+
+#
+# login FAILURES
+# ---------------
+#
+#type=Single
+#ptype=RegExp
+#pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+login: (.*?FAILURE.)(.*?ON) (.*)
+#desc=$0
+#action=write - USERACT: $1 login $2 on $4 at %t
+
+
+#SSH Auth failure on bsd 5
+#type=Single
+#ptype=RegExp
+#pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+sshd\[\d+\]: error: PAM: authentication error for (/S+) from (/S+)
+#desc=$0
+#action=pipe 'SSHD: 1 $1 2 $2 3 $3 to 4 $4 on 5 $5 at %t' /usr/bin/mail -s "SSHD: $1 $2 $3 to $4 on $5 at %t' alerts@example.com
+
+#
+# su bad
+# -----------------
+#
+type=Single
+ptype=RegExp
+pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+su: (BAD SU) (\S+) to (\S+) on (\S+)
+desc=$0
+action=pipe 'USER: $1 SU: $2 $3 to $4 on $5 at %t' /usr/bin/mail -s "USERACT: $1 su: $2 $3 to $4 on $5 at %t' alerts@example.com
+
+#Nov 10 19:40:03 foohost su: jpb to root on /dev/ttyp0
+#Nov 18 09:37:38 foohost su: BAD SU jpb to root on /dev/ttyp3
+#Nov 22 12:26:44 foohost su: BAD SU badboy to root on /dev/ttyp0
+#
+#
+# su good to root
+# -----------------
+#
+type=Single
+ptype=RegExp
+pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+su: (\S+) to root on (\S+)
+desc=$0
+action=pipe 'USER: $1 GOOD SU: $2 $3 to $4 on $5 at %t' /usr/bin/mail -s "USERACT: $1 su: $2 $3 to $4 on $5 at %t' alerts@example.com
+#action=write - USERACT: $1 su: $2 to ROOT on $4 at %t
+
+#
+# Cabling Problem
+# ----------------
+#
+type=Single
+ptype=RegExp
+pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+/kernel: (\S+)\s+(.*?:) cable problem
+desc=$0
+action=event 0 $1 PHYSMOD:ORANGE cable problem on $2, text: $3 at %t
+
+
+
+# USERACT - Events concerning user activities.
+#
+# Sample BSD logs involving logins, change of UID and privilege escalations.
+#---------------------------------------------------------------------------
+#Nov 14 12:14:58 foohost sshd[3388]: fatal: Timeout before authentication for 192.168.1.1
+#Nov 14 19:58:34 foohost sshd[6597]: Bad protocol version identification '^B^S^D^Q^L' from 192.168.1.100
+#Oct 18 06:16:53 foohost sshd[131]: Accepted keyboard-interactive/pam for foouser from 192.168.1.1 port 1077 ssh2
+#Nov 15 04:02:24 foohost login: 1 LOGIN FAILURE ON ttyp2
+#Nov 15 04:02:24 foohost login: 1 LOGIN FAILURE ON ttyp2, mysql
+#Oct 18 03:20:46 foohost login: 2 LOGIN FAILURES ON ttyv0
+#Oct 18 02:52:04 foohost login: ROOT LOGIN (root) ON ttyv1
+#Oct 18 06:11:11 foohost login: login on ttyv0 as root
+#Nov 10 19:40:03 foohost su: foouser to root on /dev/ttyp0
+#Nov 18 09:37:38 foohost su: BAD SU foouser to root on /dev/ttyp3
+#Nov 22 12:26:44 foohost su: BAD SU goodboy to root on /dev/ttyp0
+#
+
+#
+# sshd Problems
+# --------------
+#
+type=Single
+ptype=RegExp
+pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+sshd\[\d+\]: (fatal|Bad)(.*)
+desc=$0
+action=pipe 'USER: $1 su: $2 $3 to $4 on $5 at %t' /usr/bin/mail -s "USERACT: $1 su: $2 $3 to $4 on $5 at %t' alerts@example.com
+#action=event 0 $1 USERACT:YELLOW sshd $2 problem, text: $3 at %t
+
+#
+# login FAILURES
+# ---------------
+# ORANGE
+type=Single
+ptype=RegExp
+pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+(sshd|login): (.*?FAILURE.)(.*?ON) (.*)
+desc=$0
+action=pipe 'USER: $1: Login Failure $2 on $4 at %t' /usr/bin/mail -s "USER: $1 su: $2 $3 to $4 on $5 at %t' alerts@example.com
+#action=event 0 $1 USERACT:YELLOW login $2 on $4 at %t
+
+
+# NETWACT - SEC rules to pick up suspicious network events.
+#
+# Sample BSD logs involving odd or suspicious network activity.
+#--------------------------------------------------------------
+#Jun 3 17:46:24 foohost named[38298]: client 10.12.127.176#3714: request has invalid signature: tsig verify failure
+#Apr 14 16:23:08 foohost /kernel: arp: 10.10.152.12 moved from 00:90:27:37:35:cf to 00:d0:59:aa:61:11 on de0
+#Apr 1 11:23:39 sixshooter /kernel: Limiting closed port RST response from 368 to 200 packets per second
+
+
+#
+# named Dynamic DNS Update rejection
+# ----------------------------------
+#
+type=Single
+ptype=RegExp
+pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+named\[\d+\]: client (\S+): request has invalid signature:(.*)
+desc=$0
+action=pipe 'NET: $1 dyndns attempt from $2' /usr/bin/mail -s "NET: $1 dyndns attempt from $2, text: $3 at %t" alerts@example.com
+
+#
+# MAC address moved
+# -----------------
+# ORANGE
+type=Single
+ptype=RegExp
+pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+/kernel: arp: (\S+) moved from (\S+) to (\S+) on (\S+)
+desc=$0
+action=pipe 'NET: $1 arp moved on $2' /usr/bin/mail -s "NET: $1 arp moved on $2 from: $3 to $4 on $5 at %t" alerts@example.com
+
+#
+# DoS RST rate limit
+# ------------------
+#
+type=Single
+ptype=RegExp
+pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+/kernel: Limiting closed port RST response from (\d+) to (\d+)
+desc=$0
+action=pipe 'NET: $1 RST limit enforced: $2 to $3 at %t' /usr/bin/mail =s "NET: $1 RST limit enforced: $2 to $3" alerts@example.com
+
+
+
+# COMPROM - SEC rules to pick up potential system compromise events.
+#
+# Sample BSD logs involving potential system compromise.
+#-------------------------------------------------------
+#May 25 18:09:55 foohost ntpd[1325]: ntpd exiting on signal 11
+#Jul 21 18:33:16 foohost /kernel: pid 55454 (ftpd), uid 1001: exited on signal 8
+#Apr 9 12:57:06 foohost /kernel: pid 28039 (telnet), uid 0: exited on signal 3 (core dumped)
+
+#
+# ntpd crash
+# ------------------
+#
+type=Single
+ptype=RegExp
+pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+ntpd\[\d+\]: ntpd exiting on signal (\d+)
+desc=$0
+action=pipe 'CRASH: $1 ntpd crashed on signal $2 at %t' /usr/bin/mail -s "CRASH: $1 ntpd crashed" alerts@example.com
+
+#
+# Process crash
+# ------------------
+#
+type=Single
+ptype=RegExp
+pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+/kernel: pid \d+ \(\S+\), uid (\d+): exited on signal (\d+)
+desc=$0
+action=pipe 'CRASH: $1 $2 crashed on signal $4, uid $3 at %t' /usr/bin/mail -s "CRASH: $1 $2 crashed" alerts@example.com
+
+
+
+# PROCESS - SEC rules to pick up suspicious process events.
+#
+# Sample BSD logs involving unusual processes.
+#---------------------------------------------
+#Mar 23 08:05:52 foohost thttpd[126]: thttpd/2.25b 29dec2003 starting on port 8090
+
+#
+# Suspicious processes
+# --------------------
+#
+type=Single
+ptype=RegExp
+pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+(thttpd)\[(\d+)\]:(.*)
+desc=$0
+action=pipe 'SUSPROC: $1 suspicious process $2 pid $3, text: $4 at %t' /usr/bin/mail -s "SUSPROC: $1 suspicious process $2" alerts@example.com
+
+
+
+# SHUTRST - SEC rules to pick up system shutdown, restart events.
+#
+# Sample BSD logs involving system shutdown and reset.
+#-----------------------------------------------------
+#Mar 6 16:28:13 foohost reboot: rebooted by foouser
+#Jul 15 17:35:49 foohost halt: halted by root
+#Mar 6 16:29:17 foohost /kernel: Copyright (c) 1992-2003 The FreeBSD Project.
+
+#
+# Reboot message
+# --------------
+#
+type=Single
+ptype=RegExp
+pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+reboot: rebooted by (\S+)
+desc=$0
+action=pipe 'REBOOT: $1 rebooted by $2' /usr/bin/mail -s "REBOOT: $1 rebooted by $2" alerts@example.com
+
+#
+# Halt message
+# --------------
+#
+type=Single
+ptype=RegExp
+pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+halt: halted by (\S+)
+desc=$0
+action=pipe 'HALT: $1 halted by $2' /usr/bin/mail -s "HALT: $1 halted by $2" alerts@example.com
+
+#
+# Restart message
+# --------------
+#
+type=Single
+ptype=RegExp
+pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+/kernel: Copyright \(c\) (\S+) The FreeBSD Project
+desc=$0
+action=pipe 'RESTART: $1 restart message at %t' /usr/bin/mail -s "RESTART: $1 restart message" alerts@example.com
+
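Review bot: The mail subjects on lines 414, 428, 468 and 479 open with a double quote and close with a single one (`-s "USERACT: ... at %t'`), and line 520 passes `=s` instead of `-s`; each of these commands fails in the shell, so those five rules never deliver mail. Fix the quoting, e.g. line 414 becomes `action=pipe 'USER: $1 SU: $2 $3 to $4 on $5 at %t' /usr/bin/mail -s "USERACT: $1 su: $2 $3 to $4 on $5 at %t" alerts@example.com`. Several actions also reference groups their pattern does not capture: line 428 uses `$4`/`$5` against a three-group pattern, line 468 reuses the su message for the sshd rule, and line 550 reports `$2 crashed on signal $4` where the pattern captures the uid as `$2`, the signal as `$3` and never captures the process name. Lines 313–323 define the identical "Bad su" rule twice, so one event sends two mails, and since conf.README says every `.sec` file in the directory is loaded, the MONITOR/sshd/su rules copied here from bsd-MONITOR.sec and bsd-USERACT.sec fire a second time on the same line — drop the copies from one side or document why both exist.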
26 sec/bsd-mpd.sec
@@ -0,0 +1,26 @@
+#############################################################################
+# BSD mpd events
+#
+# Copyright (C) 2003-2009 Matt Jonkman
+# This is free software. You may redistribute copies of it under the terms of
+# the GNU General Public License version 2.
+# There is NO WARRANTY, to the extent permitted by law.
+#############################################################################
+
+type=single
+desc = mpd connection start
+ptype=regexp
+pattern=([A-z._0-9-]*) mpd: PPTP connection from (\d+\.\d+\.\d+\.\d+):\d+
+action=add GENERAL_REPORT MPD Start from $2 on $1
+
+type=single
+ptype=regexp
+pattern=([A-z._0-9-]*) mpd: Name: (.*)
+desc = mpd user auth
+action=add GENERAL_REPORT MPD User $2 Auth on $1
+
+type=Single
+ptype=RegExp
+pattern=([A-z._0-9-]*) mpd: pptp\d: killing connection with (\d+\.\d+\.\d+\.\d+):\d+
+desc=mpd connection end
+action=add GENERAL_REPORT MPD Connection end from $2 on $1
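Review bot: The host capture `([A-z._0-9-]*)` on lines 625, 630 and 636 (and again in cvs.sec on lines 1149, 1157 and 1166) uses the range `A-z`, which in ASCII also spans `[ \ ] ^ _` and the backtick, and the `*` lets it match the empty string, so `$1` can be empty or contain characters no hostname has. Use `([A-Za-z0-9._-]+)` instead, which also keeps the value safe to interpolate into the `pipe` actions that cvs.sec builds from it.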
477 sec/cisco-syslog.sec
@@ -0,0 +1,477 @@
+#############################################################################
+# SEC rules for processing Cisco syslog messages
+#
+# Copyright (C) 2008-2009 Omer Ben-Shalom, Risto Vaarandi
+# This is free software. You may redistribute copies of it under the terms of
+# the GNU General Public License version 2.
+# There is NO WARRANTY, to the extent permitted by law.
+#############################################################################
+
+# ----- Process system configuration events -----
+
+# System configuration events
+# suppressed because we don't care about it
+#
+type=suppress
+ptype=substr
+pattern=%SYS-5-CONFIG_I:
+desc=device configuration
+
+# System configuration sync to standby router
+# suppressed because we don't care about it
+#
+type=suppress
+ptype=substr
+pattern=%PFINIT-SP-5-CONFIG_SYNC:
+desc=config sync
+
+# ----- Process reload and restart events -----
+
+# Looks for a reload
+#
+type=single
+continue=takeNext
+ptype=regexp
+pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%SYS-5-RELOAD: (.*)
+desc=(WARNING) reload requested for $1
+action=pipe '%s details:$2' mail -s 'cisco event' root@example.com
+
+# Looks for a reload followed by a restart event
+#
+type=pairWithWindow
+ptype=regexp
+pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%SYS-5-RELOAD:
+desc=(CRITICAL) $1 RELOAD_PROBLEM
+action=pipe '%s' mail -s 'cisco event' root@example.com
+ptype2=regexp
+pattern2=($1).*?%SYS-5-RESTART:
+desc2=(NOTICE) $1 RELOAD_OK
+action2=pipe '%s' mail -s 'cisco event' root@example.com
+window=300
+
+# Looks for a restart without reload command
+#
+type=single
+ptype=regexp
+pattern=(\S+) \d+:.*?%SYS-5-RESTART:
+desc=(CRITICAL) $1 restart without reload command
+action=pipe '%s' mail -s 'cisco event' root@example.com
+
+# ----- process SNMP authentication failure events -----
+
+# this rule handles the SNMP authentication failures
+# only one notification is sent for each source that is doing this per day
+#
+type=singleWithSuppress
+ptype=regexp
+pattern=(\S+) \d+:.*?%SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host (\S+)
+desc=(WARNING) Auth fail coming from $2
+action=pipe '%s' mail -s 'cisco event' root@example.com
+window=86400
+
+# ----- process OSPF neighbor change events -----
+
+# This rule handles OSPF neighbor changes
+#
+type=single
+ptype=regexp
+pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%OSPF-5-ADJCHG:.*?Nbr (\S+) on (\S+) from (\S+) to (\S+), (.*)
+desc=(MINOR) OSPF adjacency change: Router $1 reports that the neighbor on $3 ($2) changed from state $4 to state $5 detail:$6
+action=event %s; pipe '%s' mail -s 'cisco event' root@example.com
+
+# This rule escalates to CRITICAL if there are more than 5 neighbor changes
+# in 5 seconds
+#
+type=SingleWithThreshold
+ptype=substr
+pattern=(MINOR) OSPF adjacency change
+desc=(CRITICAL) More than 5 OSPF neighbor changes in 5 seconds
+action=pipe '%s' mail -s 'cisco event' root@example.com
+thresh=5
+window=5
+
+# ----- process HSRP events -----
+
+# This rule assembles together all HSRP events
+#
+type=single
+ptype=regexp
+pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%STANDBY-6-STATECHANGE: (\S+).*?state (\S+) -> (\S+)
+desc=HSRP change for $1 interface $2 - changed from $3 to $4
+action=add HSRP_$1 %t: %s; set HSRP_$1 5 (report HSRP_$1 mail -s 'cisco events' root@example.com)
+
+# ----- process duplex mismatch events -----
+
+# this rule handles the duplex mismatch event
+# only one notification is sent for each port that has duplex mismatch
+# reported per day
+#
+type=singleWithSuppress
+ptype=regexp
+pattern=(\S+) \d+:.*?%CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on (not \S+) \((.*?)\), with (\S+) (\S+) \((.*?)\)
+desc=(WARNING) Duplex mismatch between $1 port $2 ($3), other side is $4 port $5 ($6)
+action=pipe '%s' mail -s 'cisco event' root@example.com
+window=86400
+
+# ----- process link down and link up events -----
+
+# This rule deals with link down events
+#
+type=PairWithWindow
+ptype=RegExp
+pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%LINK-3-UPDOWN: Interface (\S+), changed state to down
+desc=(MINOR) $1 INTERFACE $2 DOWN and not up in one minute
+action=pipe '%s' mail -s 'cisco event' root@example.com
+ptype2=RegExp
+pattern2=($1)\s+\d+:.*?%LINK-3-UPDOWN: Interface ($2), changed state to up
+desc2=(WARNING) %1 INTERFACE %2 BOUNCE
+action2=event %s
+window=60
+
+# when the first bounce event is seen, create a reporting trigger
+#
+type=Single
+continue=TakeNext
+ptype=regexp
+pattern=(\S+) INTERFACE \S+ BOUNCE
+context=!INTERFACE_BOUNCE_WAIT_$1
+desc=interface bounce summary event for router $1
+action=create INTERFACE_BOUNCE_WAIT_$1 10 (report INTERFACE_BOUNCE_$1 mail -s 'cisco events' root@example.com; delete INTERFACE_BOUNCE_$1)
+
+# accumulate all interface bounce events into a context
+#
+type=Single
+ptype=regexp
+pattern=(\S+) INTERFACE (\S+) BOUNCE
+desc=interface bounce for router $1 interface $2 detected
+action=add INTERFACE_BOUNCE_$1 %t: %s
+
+# ----- process line protocol down and line protocol up events -----
+
+# This rule deals with protocol up/down events
+#
+type=PairWithWindow
+ptype=RegExp
+pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%LINEPROTO-5-UPDOWN: Line protocol on Interface (\S+), changed state to down
+desc=(MINOR) $1 INTERFACE $2 line protocol DOWN and not up in one minute
+action=pipe '%s' mail -s 'cisco event' root@example.com
+ptype2=RegExp
+pattern2=($1)\s+\d+:.*?%LINEPROTO-5-UPDOWN: Line protocol on Interface ($2), changed state to up
+desc2=(WARNING) %1 INTERFACE %2 line protocol BOUNCE
+action2=event %s
+window=60
+
+# when the first bounce event is seen, create a reporting trigger
+#
+type=Single
+continue=TakeNext
+ptype=regexp
+pattern=(\S+) INTERFACE \S+ line protocol BOUNCE
+context=!LINE_PROTOCOL_BOUNCE_WAIT_$1
+desc=line protocol bounce for router $1
+action=create LINE_PROTOCOL_BOUNCE_WAIT_$1 10 (report LINE_PROTOCOL_BOUNCE_$1 mail -s 'cisco events' root@example.com; delete LINE_PROTOCOL_BOUNCE_$1)
+
+# accumulate all line protocol bounce events into a context
+#
+type=Single
+ptype=regexp
+pattern=(\S+) INTERFACE (\S+) line protocol BOUNCE
+desc=line protocol bounce for router $1 interface $2 detected
+action=add LINE_PROTOCOL_BOUNCE_$1 %t: %s
+
+# ----- process late collision events -----
+
+# Late collision alerts
+#
+type=SingleWithThreshold
+ptype=RegExp
+pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%PM_SCP-SP-4-LCP_FW_ABLC: Late collision message from module (\d+), port:(\d+)
+desc=(MINOR) Multiple late collision events on $1 module $2 port $3
+action=pipe '%s' mail -s 'cisco event' root@example.com
+window=3600
+thresh=5
+
+# ----- process host flap events -----
+
+# host flapping on single vlan
+#
+type=SingleWithThreshold
+continue=TakeNext
+ptype=RegExp
+pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%C4K_EBM-4-HOSTFLAPPING: Host (\S+) in vlan (\S+) is flapping between port (\S+) and port (\S+)
+desc=(MINOR) multiple hosts flapping between ports $4 and $5 in $1 vlan $3
+action=pipe '%s' mail -s 'cisco event' root@example.com
+window=300
+thresh=5
+
+# host flapping on multiple vlans
+#
+type=SingleWithThreshold
+continue=TakeNext
+ptype=RegExp
+pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%C4K_EBM-4-HOSTFLAPPING: Host (\S+) in vlan (\S+) is flapping between port (\S+) and port (\S+)
+desc=(MINOR) multiple hosts are flapping between ports $4 and $5 in $1 (potentially on multiple VLANs)
+action=pipe '%s' mail -s 'cisco event' root@example.com
+window=300
+thresh=20
+
+# ----- process misc hw events -----
+
+# %FILESYS-SP-STDBY-5-DEV:# flash disk removal
+#
+type=single
+ptype=regexp
+pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%FILESYS-SP-STDBY-5-DEV:.*?PCMCIA flash card removed from (\S+)
+desc=(WARNING) Flash card removed from $1 $2
+action=pipe '%s' mail -s 'cisco event' root@example.com
+
+# %OIR-SP-STDBY-6-CONSOLE
+#
+type=suppress
+ptype=substr
+pattern=%OIR-SP-STDBY-6-CONSOLE
+desc=console access to route processor changed
+
+# %OIR-SP-6-INSCARD: - card inserted
+#
+type=single
+ptype=regexp
+pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%OIR-SP-6-INSCARD: Card inserted in slot (\d+), (.*)
+desc=(HARMLESS) card inserted in $1 slot $2 status:$3
+action=pipe '%s' mail -s 'cisco event' root@example.com
+
+# ----- process module events -----
+
+# %DIAG-SP-3-TEST_FAIL - diagnostics failed on a module
+#
+type=single
+ptype=regexp
+pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%DIAG-SP-3-TEST_FAIL: Module (\d+): (.*)
+desc=(WARNING) diagnostics failed for $1 module $2 detail:$3
+action=pipe '%s' mail -s 'cisco event' root@example.com
+
+# %SNMP-5-MODULETRAP
+# Looks for a module down followed by module up event
+#
+type=pairWithWindow
+ptype=regexp
+pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%SNMP-5-MODULETRAP: Module (\d+) [Down] Trap
+desc=(MINOR) $1 Module DOWN (not back up in a minute)
+action=pipe '%s' mail -s 'cisco event' root@example.com
+ptype2=regexp
+pattern2=($1) .*? %SNMP-5-MODULETRAP: Module ($2) [Up] Trap
+desc2=(WARNING) $1 Module $2 BOUNCE (down and back up within a minute)
+action2=pipe '%s' mail -s 'cisco event' root@example.com
+window=60
+
+# ----- process irrelevant events (by suppressing) -----
+
+# %SYS-SP-STDBY-5-RESTART - system restarted part of the boot - interesting?
+#
+type=suppress
+ptype=substr
+pattern=SYS-SP-STDBY-5-RESTART
+desc=system restarted
+
+# %DIAG-SP-6-TEST_RUNNING - Running system test
+#
+type=suppress
+ptype=substr
+pattern=%DIAG-SP-6-TEST_RUNNING
+desc=running diagnostics on a module
+
+# %FABRIC-SP-5-FABRIC_MODULE_BACKUP - module changed to backup state
+#
+type=suppress
+ptype=substr
+pattern=%FABRIC-SP-5-FABRIC_MODULE_BACKUP
+desc=module became backup
+
+# %DIAG-SP-6-RUN_MINIMUM - diagnostics are run
+#
+type=suppress
+ptype=substr
+pattern=%DIAG-SP-6-RUN_MINIMUM
+desc=diagnostics running on switch
+
+# %DIAG-SP-6-DIAG_OK - diagnostics results are OK
+#
+type=suppress
+ptype=substr
+pattern=%DIAG-SP-6-DIAG_OK
+desc=diagnostics results are OK
+
+# %PFREDUN-SP-STDBY-6-STANDBY - SSO events
+#
+type=suppress
+ptype=substr
+pattern=%PFREDUN-SP-STDBY-6-STANDBY
+desc=SSO event (startup)
+
+# %PFREDUN-SP-STDBY-6-STANDBY - SSO events
+#
+type=suppress
+ptype=substr
+pattern=%PFREDUN-SP-6-ACTIVE
+desc=SSO event (startup)
+
+# %FABRIC-SP-5-FABRIC_MODULE_BACKUP: - secondary sup is up and is secondary
+#
+type=suppress
+ptype=substr
+pattern=%FABRIC-SP-5-FABRIC_MODULE_BACKUP:
+desc=secondary sup is up and is secondary
+
+# %PFINIT-SP-5-CONFIG_SYNC - startup config on standby router sync
+#
+type=suppress
+ptype=substr
+pattern=%PFINIT-SP-5-CONFIG_SYNC
+desc=startup config on standby router sync
+
+# %C4K_REDUNDANCY - Cayt 4K configuration/vlan database succesful sync
+# the success match is to allow fails in sync to not be suppress
+#
+type=suppress
+ptype=regexp
+pattern=%C4K_REDUNDANCY.*?success
+desc=config sync with standby supervisor
+
+# %SCP-SP-5-ASYNC_WATERMARK: SCP long queue wait
+# the success match is to allow fails in sync to not be suppress
+#
+type=suppress
+ptype=substr
+pattern=%SCP-SP-5-ASYNC_WATERMARK:
+desc=SCP control protocol pending queue is longer than notification threshold
+
+# %MLS_RATE-4-DISABLING: - Layer2 Rate Limiters have been disabled. Is this interesting?
+#
+type=suppress
+ptype=substr
+pattern=%MLS_RATE-4-DISABLING:
+desc=Layer2 Rate Limiters have been disabled
+
+# ----- process native VLAN mismatch events -----
+
+# %CDP-4-NATIVE_VLAN_MISMATCH: - native VLAN mismatch between switches, will repeat every minute until fixed
+#
+type=singleWithSuppress
+ptype=regexp
+pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on (\S+) \((\d+)\), with (\S+) (\S+) \((\d+)\)
+desc=(MINOR) A native VLAN mistmatch reported between $1 interface $2 (native VLAN $3) and host $4 interface $5 (native VLAN $6)
+action=pipe '%s' mail -s 'cisco event' root@example.com
+window=60
+
+# ----- process snmp trapblock messages -----
+
+# %SNMP-3-TRAPBLOCK - A process tried to create a trap it is not entitled to create
+# See Cisco http://www.cisco.com/cgi-bin/Support/Errordecoder/index.cgi?action=search&counter=0&paging=5&query=SNMP-3-TRAPBLOCK
+#
+type=suppress
+ptype=substr
+pattern=%SNMP-3-TRAPBLOCK
+desc=a process tried to create a trap it is not entitled to create
+
+# ----- process chassis alarm events -----
+
+# %SNMP-5-CHASSISALARM - this rule handles the tmpAlarm
+#
+type=pairWithWindow
+continue=takeNext
+ptype=regexp
+pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%SNMP-5-CHASSISALARM: Chassis Alarm Trap: tmpAlarm\(ON\)
+desc=(MINOR) $1 temprature alarm signaled and not cleared in five minutes
+action=pipe '%s' mail -s 'cisco event' root@example.com
+continue2=takeNext
+ptype2=regexp
+pattern2=\d+:\d+:\d+.*?($1)\s+\d+:.*%SNMP-5-CHASSISALARM: Chassis Alarm Trap: tmpAlarm\(OFF\)
+desc2=(WARNING) $1 temprature alarm went on and was cleared in under five minutes
+action2=pipe '%s' mail -s 'cisco event' root@example.com
+window=300
+
+# %SNMP-5-CHASSISALARM - this rule handles the minorAlarm
+#
+type=pairWithWindow
+continue=takeNext
+ptype=regexp
+pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%SNMP-5-CHASSISALARM: Chassis Alarm Trap: .*? minorAlarm\(ON\)
+desc=(MINOR) $1 minor alarm reported and not cleared in three minutes
+action=pipe '%s' mail -s 'cisco event' root@example.com
+continue2=takeNext
+desc2=(WARNING) $1 minor alarm went on and was cleared in under three minutes
+ptype2=regexp
+pattern2=\d+:\d+:\d+.*?($1)\s+\d+:.*?%SNMP-5-CHASSISALARM: Chassis Alarm Trap: .*? minorAlarm\(OFF\)
+action2=pipe '%s' mail -s 'cisco event' root@example.com
+window=180
+
+# %SNMP-5-CHASSISALARM - this rule handles the majorAlarm
+#
+type=pairWithWindow
+ptype=regexp
+pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%SNMP-5-CHASSISALARM: Chassis Alarm Trap: .*? majorAlarm\(ON\)
+desc=(MINOR) $1 major alarm signaled and not cleared in two minutes
+action=pipe '%s' mail -s 'cisco event' root@example.com
+ptype2=regexp
+pattern2=\d+:\d+:\d+.*?($1)\s+\d+:.*?%SNMP-5-CHASSISALARM: Chassis Alarm Trap: .*? majorAlarm\(OFF\)
+desc2=(WARNING) $1 major alarm went on and was cleared in under two minutes
+action2=pipe '%s' mail -s 'cisco event' root@example.com
+window=120
+
+# ----- process power supply related events -----
+
+# %C4K_IOSMODPORTMAN events - this one is about power supplies only
+#
+type=pairWithWindow
+ptype=regexp
+pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%C4K_IOSMODPORTMAN-4-POWERSUPPLYBAD: Power Supply (\d+) has failed or been turned off
+desc=(MINOR) $1 power supply $2 reported bad and event not cleared in two minutes
+action=pipe '%s' mail -s 'cisco event' root@example.com
+ptype2=regexp
+pattern2=($1) .*? %C4K_IOSMODPORTMAN-6-POWERSUPPLYGOOD: Power Supply ($2) is Okay
+desc2=(WARNING) $1 power supply $2 alarm went on and was cleared in under two minutes
+action2=pipe '%s' mail -s 'cisco event' root@example.com
+window=120
+
+# ----- process neighbor down and neighbor up events -----
+
+# %DVMRP-5-NBRDOWN
+#
+type=pairWithWindow
+ptype=regexp
+pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%DVMRP-5-NBRDOWN: Neighbor (\S+) went down on (\S+)
+desc=(MINOR) $1 lost DVMRP neighbor $2 on interface $3 and it did not come up in two minutes
+action=pipe '%s' mail -s 'cisco event' root@example.com
+ptype2=regexp
+pattern2=($1) .*? %DVMRP-5-NBRUP: Neighbor ($2) is up on ($3)
+desc2=(WARNING) $1 lost DVMRP neighbor $2 on interface $3 but id come up within two minutes
+action2=pipe '%s' mail -s 'cisco event' root@example.com
+window=120
+
+# ----- process fan power supply failure/ok events -----
+
+# %C6KENV-SP-4-PSFANF events - this one is about fan failures
+#
+type=pairWithWindow
+ptype=regexp
+pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%C6KENV-SP-4-PSFANFAILED: the fan in power supply (\d+) has failed
+desc=(MINOR) $1 fan in power supply $2 was reported bad and event not cleared in two minutes
+action=pipe '%s' mail -s 'cisco event' root@example.com
+ptype2=regexp
+pattern2=($1) .*? %C6KENV-SP-4-PSFANOK: the fan in power supply (\d+) is OK
+desc2=(WARNING) $1 fan in power supply $2 alarm went on and was cleared in under two minutes
+action2=pipe '%s' mail -s 'cisco event' root@example.com
+window=120
+
+# ----- process events that have not been matched by any of above rules -----
+
+# Default match
+# this rule will match anything not previously matched but allows only
+# one notification per day for each new event class seen
+#
+type=singleWithSuppress
+ptype=regexp
+pattern=(%.*?:)
+desc=$1
+action=pipe '$0' mail -s 'cisco event' root@example.com
+window=86400
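Review bot: In the module-trap pair rule the patterns on lines 899 and 903 write `[Down]` and `[Up]` unescaped, which the regex engine reads as character classes (one of `D`, `o`, `w`, `n`) rather than the literal bracketed word, so a real `Module 3 [Down] Trap` message never matches and the rule is dead; escape them as `Module (\d+) \[Down\] Trap` and `Module ($2) \[Up\] Trap`. The duplex-mismatch pattern on line 752 captures `(not \S+)`, which looks like a leftover edit — if the local interface name is meant, `(\S+)` is what the desc on line 753 expects, otherwise a comment explaining the literal `not` would help.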
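--- a/sec/conf.README
+++ b/sec/conf.README
@@ -0,0 +1,10 @@
+This is the SEC configuration directory. Because SEC usage varies so widely
+from user to user, this package is configured by default to not run.
+
+The commented-out default settings in /etc/sysconfig/sec will load any file in
+this directory with a .sec suffix. Please look through the example files
+included in /usr/share/doc/sec-<version>/examples/ and install the ones you
+want here (taking into account that the examples are generic and some of them
+may need to be tweaked to work with your setup). You should also read the SEC
+man page so you have at least a basic understanding of the SEC configuration
+commands.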
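--- a/sec/cvs.sec
+++ b/sec/cvs.sec
@@ -0,0 +1,44 @@
+#############################################################################
+# CVS events
+#
+# Copyright (C) 2003-2009 Matt Jonkman
+# This is free software. You may redistribute copies of it under the terms of
+# the GNU General Public License version 2.
+# There is NO WARRANTY, to the extent permitted by law.
+#############################################################################
+
+#Jul 31 19:54:21 xxxx xinetd[2088]: START: cvspserver pid=16385 from=xx.xx.xx.xx
+
+type=single
+desc = cvsp server connection start
+ptype=regexp
+pattern=([A-z._0-9-]*) xinetd\[\d+\]: START: cvspserver pid=\d+ from=(\d+\.\d+\.\d+\.\d+)
+action=add GENERAL_REPORT CVS Connection from $2 on $1
+
+
+#Aug 5 10:38:29 xxxx cvs: password mismatch for username in /usr/local/cvsroot: PMOv/9hZsf6v. vs. PMMlzZLYrbthY
+
+type=single
+ptype=regexp
+pattern=([A-z._0-9-]*) cvs: password mismatch for (.*) in (.*)
+desc = cvs login failure
+action=pipe '$1 $2 CVS Login Failure: User $2 from $3' /usr/bin/mail -s '$1 $2 CVS Login Failure: $2 from $3' alerts@example.com
+
+
+#Aug 5 10:38:49 xxxx cvs: attempt to root from account: username
+
+type=single
+ptype=regexp
+pattern=([A-z._0-9-]*) cvs: attempt to root from account: (.*)
+desc = cvs login to root attempt
+action=pipe ' $1 $2 CVS Login to Root Attempt: User $2 ' /usr/bin/mail -s '$1 CVS Login to Root Failure: $2' alerts@example.com
+
+
+#Aug 5 10:42:37 xxxx cvs: login failure (for /usr/local/cvsroot)
+
+type=single
+ptype=regexp
+pattern=([A-z._0-9-]*) cvs: login failure \(for /usr/local/cvsroot\)
+desc = cvs login failure
+action=pipe '$1 $2 CVS Login Failure ' /usr/bin/mail -s '$1 CVS Login Failure' alerts@example.com
+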
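Review bot: The `password mismatch` rule splices two unconstrained `(.*)` captures taken from the log line ($2, the attempted username, and $3, the repository path) into the `mail -s '...'` subject on the `pipe` command line, and SEC hands that command line to a shell; the username is whatever a remote client sent, so a quote character in it ends the single-quoted subject and the rest of the line is interpreted as shell text. Constraining the groups to a safe character class removes the problem, assuming usernames and cvsroot paths never contain whitespace: `pattern=([A-Za-z._0-9-]*) cvs: password mismatch for (\S+) in (\S+)`; the `(.*)` account group in the `attempt to root` rule, which is likewise placed in the `-s` subject, deserves the same treatment. Separately, the host class `[A-z._0-9-]` used in all four patterns spans the six ASCII characters between `Z` and `a` as well as the letters, so `[A-Za-z._0-9-]` is presumably what was intended.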
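--- a/sec/dameware.sec
+++ b/sec/dameware.sec
@@ -0,0 +1,24 @@
+#############################################################################
+# Dameware events
+#
+# Copyright (C) 2003-2009 Matt Jonkman
+# This is free software. You may redistribute copies of it under the terms of
+# the GNU General Public License version 2.
+# There is NO WARRANTY, to the extent permitted by law.
+#############################################################################
+
+#Dameware Connect
+type=single
+ptype=regexp
+pattern=([A-z._0-9-]*) DMWRCS: (.*) Connect: (.*)
+desc = Dameware Connect
+action=add WINDOWS_REPORT DAMEWARE CONNECT: %s; \
+pipe 'DAMEWARE Connect -- : %s' /usr/bin/mail -s 'DAMEWARE CONNECT' alerts@example.com
+
+
+#Dameware Disconnect
+type=single
+ptype=regexp
+pattern=([A-z._0-9-]*) DMWRCS: (.*) Disconnect: (.*)
+desc = Dameware Disconnect
+action=add WINDOWS_REPORT DAMEWARE DISCONNECT: %s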
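Review bot: Both rules capture three groups (`([A-z._0-9-]*)`, `(.*)`, `(.*)`) but neither the `desc` nor the actions use them, and `%s` expands to the rule's constant `desc`, so every `add WINDOWS_REPORT ... %s` entry and the mailed body read just `Dameware Connect` / `Dameware Disconnect` with no record of which host or session was involved. Carrying the fields into the report entry fixes that without touching the shell-run part of the action: `action=add WINDOWS_REPORT DAMEWARE CONNECT: $1 $2 $3; \` on the Connect rule and `action=add WINDOWS_REPORT DAMEWARE DISCONNECT: $1 $2 $3` on the Disconnect rule, while leaving the `-s 'DAMEWARE CONNECT'` subject constant as it is now, since $2/$3 are raw log text. The host class `[A-z._0-9-]` also admits the six ASCII characters between `Z` and `a`; `[A-Za-z._0-9-]` is presumably what was meant.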
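--- a/sec/hp-openview.sec
+++ b/sec/hp-openview.sec
@@ -0,0 +1,114 @@
+################################################################
+# Sample SEC ruleset for HP OpenView ITO
+#
+# Copyright (C) 2003-2010 Risto Vaarandi
+# This is free software. You may redistribute copies of it under the terms of
+# the GNU General Public License version 2.
+# There is NO WARRANTY, to the extent permitted by law.
+################################################################
+
+# process Cisco linkDown/linkUp trap events received from
+# HP OpenView ITO trap template through itostream plugin
+
+type=PairWithWindow
+ptype=RegExp
+pattern=node=([\w.-]+) .*msg_text=cisco linkdown trap on interface ([\w-]+)\b
+desc=CISCO $1 INTERFACE $2 DOWN
+action=event %s;
+continue2=TakeNext
+ptype2=RegExp
+pattern2=node=$1 .*msg_text=cisco linkup trap on interface $2\b
+desc2=CISCO %1 INTERFACE %2 BOUNCE
+action2=event %s;
+window=20
+
+type=SingleWithSuppress
+continue=TakeNext
+ptype=RegExp
+pattern=CISCO ([\w.-]+) INTERFACE ([\w-]+) DOWN
+desc=cisco $1 interface $2 down
+action=reset +1 %s
+window=60
+
+type=Pair
+ptype=RegExp
+pattern=CISCO ([\w.-]+) INTERFACE ([\w-]+) DOWN
+desc=cisco $1 interface $2 down
+action=shellcmd /home/opc_op/cisco_msg.sh $1 $2 major down
+ptype2=RegExp
+pattern2=node=$1 .*msg_text=cisco linkup trap on interface $2\b
+desc2=cisco %1 interface %2 up
+action2=shellcmd /home/opc_op/cisco_msg.sh %1 %2 normal up
+window=86400
+
+type=SingleWith2Thresholds
+ptype=RegExp
+pattern=CISCO ([\w.-]+) INTERFACE ([\w-]+) BOUNCE
+desc=cisco $1 interface $2 is unstable
+action=shellcmd /home/opc_op/cisco_msg.sh $1 $2 major unstable
+window=3600
+thresh=10
+desc2=cisco $1 interface $2 is stable again
+action2=shellcmd /home/opc_op/cisco_msg.sh $1 $2 normal stable
+window2=10800
+thresh2=0
+
+#
+# the cisco_msg.sh script:
+#
+##!/bin/sh
+#
+#NODE=$1
+#IF=$2
+#SEV=$3
+#TEXT=$4
+#
+## use snmpget utility from Net-SNMP package
+#IFNAME=`/usr/bin/snmpget -c public -OQv $NODE .1.3.6.1.2.1.2.2.1.2.$IF`
+#DESCR=`/usr/bin/snmpget -c public -OQv $NODE .1.3.6.1.4.1.9.2.2.1.1.28.$IF`
+#
+#MSG=`echo "Interface $IFNAME ($DESCR) $TEXT" | sed s/\"/\'/g`
+#
+#/opt/OV/bin/OpC/opcmsg node=$NODE app=cisco obj=if \
+# sev=$SEV msg_grp=Network msg_text="$MSG"
+#
+
+
+# process APC ups "not online" trap events received from
+# HP OpenView ITO trap template through itostream plugin
+
+type=SingleWithScript
+ptype=RegExp
+pattern=node=([\w.-]+) .*msg_text=APC ups not online
+script=/home/opc_op/check_apc.sh $1
+desc=APC ups is not online!
+action=shellcmd /opt/OV/bin/OpC/opcmsg node=$1 app=APC obj=state \
+ msg_grp=UPS sev=critical msg_text='%s'
+
+#
+# the check_apc.sh script
+#
+##!/bin/sh
+#
+## sleep for a few seconds and check if the UPS error is still present;
+## if it is, exit with 0, otherwise exit with 1
+#
+#UPS=$1
+#sleep 5
+#
+## use snmpget utility from Net-SNMP package
+#STATUS=`/usr/bin/snmpget -c public -OQve $UPS .1.3.6.1.4.1.318.1.1.1.4.1.1.0`
+#
+## According to the APC Powernet MIB the variable .1.3.6.1.4.1.318.1.1.1.4.1.1
+## takes the the following values: unknown(1), onLine(2), onBattery(3),
+## onSmartBoost(4), timedSleeping(5), softwareBypass(6), off(7), rebooting(8),
+## switchedBypass(9), hardwareFailureBypass(10), sleepingUntilPowerReturn(11),
+## and onSmartTrim(12), where onLine(2) is the normal state for the UPS
+#
+#if [ $STATUS -eq 2 ]
+#then
+# exit 1
+#else
+# exit 0
+#fi
+#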
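Review bot: The `action=reset +1 %s` in the SingleWithSuppress rule has no comment, and nothing tells a reader that `+1` addresses the Pair rule immediately below it by position and that the two rules must share the identical `desc` string for the reset to find the right correlation operation; if I read SEC's reset semantics correctly, reordering or re-wording either rule silently turns this into a no-op. A comment such as `# reset the Pair op of the NEXT rule (same desc) so a fresh DOWN re-arms the down/up pair; keep these two rules adjacent` above `type=SingleWithSuppress` would make the coupling explicit. The embedded cisco_msg.sh and check_apc.sh samples also carry the SNMP community `public` inline in the `snmpget -c public` calls; since these comments are meant to be copied into real scripts, a note that the community is a placeholder to be supplied from the deployment's configuration rather than hard-coded would stop it being reproduced verbatim.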
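--- a/sec/labrea.sec
+++ b/sec/labrea.sec
@@ -0,0 +1,36 @@
+#############################################################################
+# Labrea tarpit events
+#
+# Copyright (C) 2003-2009 Matt Jonkman
+# This is free software. You may redistribute copies of it under the terms of
+# the GNU General Public License version 2.
+# There is NO WARRANTY, to the extent permitted by law.
+#############################################################################
+
+type=Single
+ptype=RegExp
+pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+LaBrea: Initial Connect \(tarpitting\): (\d+\.\d+\.\d+\.\d+\s\d+) \-> \d+\.\d+\.\d+\.\d+\s(.*)
+desc=$0
+action=add TARPIT_REPORT %t: $1 New Tarpitted Connect from $2 on port $3
+
+#type=Single
+#ptype=RegExp
+#pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+LaBrea: Additional Activity: (\d+\.\d+\.\d+\.\d+) \d+ \-> \d+\.\d+\.\d+\.\d+ (\d+)*
+#desc=$0
+#action=add TARPIT_REPORT %t: %s;
+#
+
+type=Single
+ptype=RegExp
+pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+LaBrea: Responded to a PING: (d+\.\d+\.\d+\.\d+) \d+ \-> \d+\.\d+\.\d+\.\d+
+desc=$0
+action=add TARPIT_REPORT %t: PING Sweep from $@ on $3
+
+#Send hourly tarpit report
+
+type=Calendar
+time=0 8,12,20 * * *
+desc=Sending tarpit report...
+action=report TARPIT_REPORT \
+ /usr/bin/mail -s 'Tarpits: Tarpit Victim report' alerts@example.com; \
+ delete TARPIT_REPORT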
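Review bot: The `Responded to a PING` rule can never fire: its source-address group is written `(d+\.\d+\.\d+\.\d+)`, missing the backslash on the first octet, so it demands a literal run of `d` characters where the first octet of the IP sits, and its action then refers to `$@`, which is not a SEC variable, and to `$3`, which does not exist because the pattern defines only two groups. The intended lines are presumably `pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+LaBrea: Responded to a PING: (\d+\.\d+\.\d+\.\d+) \d+ \-> \d+\.\d+\.\d+\.\d+` and `action=add TARPIT_REPORT %t: $1 PING Sweep from $2`, so the report line carries the tarpit host and the probing address the way the Initial Connect rule does. The comment `#Send hourly tarpit report` also contradicts `time=0 8,12,20 * * *`, which runs three times a day; `#Send tarpit report at 08:00, 12:00 and 20:00` would match the schedule.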
1,046 sec/pix-general.sec
@@ -0,0 +1,1046 @@
+####################################################################
+# SEC ruleset for Cisco PIX 6.x, 7.x, FWSM 2.x
+#
+# Copyright (C) 2003-2009 Colin Hudler
+# This is free software. You may redistribute copies of it under the terms of
+# the GNU General Public License version 2.
+# There is NO WARRANTY, to the extent permitted by law.
+####################################################################
+
+# Process various events from PIX syslog output
+#
+# TODO -- A few FWSM log lines will not match.
+
+# Setup our variables -- not the right way to do this? Needs tweaking for your log lines
+type=Single
+ptype=RegExp
+pattern=^(.* [0-9].:[0-9].:[0-9].) (.*)\.yourdomain\.edu.*?%(PIX|FWSM)-[0-9]-.*?:(.*)
+desc=PIXLOG $2^ $1 $4
+action=event %s
+
+# 106001
+type=SingleWithThreshold
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Inbound TCP connection denied from (\d+.\d+.\d+.\d+\/\d+) to (\d+.\d+.\d+.\d+\/\d+).*
+desc=PIX $1 TCP connection denid HAMMER $2 to $3
+action=create ham1_$1; add ham1_$1 %t; add ham1_$1 %s;add ham1_$1 %s; add ham1_$1 $0; report ham1_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete ham1_$1
+window=10
+thresh=6
+
+# 106006
+type=SingleWithThreshold
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Connection denied by outbound list.*src (\d+.\d+.\d+.\d+) dest (\d+.\d+.\d+.\d+)
+desc=PIX $1 denied by list HAMMER $2 to $3
+action=create ham2_$1; add ham2_$1 %t; add ham2_$1 %s; add ham2_$1 $0; report ham2_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete ham2_$1
+window=10
+thresh=6
+
+# 106007
+type=SingleWithThreshold
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Deny inbound UDP from (\d+.\d+.\d+.\d+) to (\d+.\d+.\d+.\d+) due to DNS.*
+desc=PIX $1 Denied inbound UDP HAMMER $2 to $3
+action=create ham3_$1; add ham3_$1 %t; add ham3_$1 %s; add ham3_$1 $0; report ham3_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete ham3_$1
+window=10
+thresh=6
+
+# 106010
+type=SingleWithThreshold
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Deny inbound.*src.*:(\d+.\d+.\d+.\d+\/\d+) dst.*:(\d+.\d+.\d+.\d+\/\d+).*
+desc=PIX $1 Denied inbound HAMMER $2 to $3
+action=create ham4_$1; add ham4_$1 %t; add ham4_$1 %s; add ham4_$1 $0; report ham4_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete ham4_$1
+window=10
+thresh=6
+
+# 106012
+type=SingleWithThreshold
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Deny IP from (\d+.\d+.\d+.\d+) to (\d+.\d+.\d+.\d+), IP options.*
+desc=PIX $1 Denied IP Options HAMMER $2 to $3
+action=create ham5_$1; add ham5_$1 %t; add ham5_$1 %s; add ham5_$1 $0; report ham5_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete ham5_$1
+window=10
+thresh=6
+
+# 106013
+type=SingleWithThreshold
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Dropping echo request from (\d+.\d+.\d+.\d+) to PAT address
+desc=PIX $1 Echo HAMMER $2 to PAT Address
+action=create ham6_$1; add ham6_$1 %t; add ham6_$1 %s; add ham6_$1 $0; report ham7_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete ham8_$1
+window=10
+thresh=6
+
+# 106014
+type=SingleWithThreshold
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Deny inbound icmp src.*: (\d+.\d+.\d+.\d+) dst.*: (\d+.\d+.\d+.\d+)
+desc=PIX $1 Deny inbound ICMP HAMMER $2 to $3
+action=create ham9_$1; add ham9_$1 %t; add ham9_$1 %s; add ham9_$1 $0; report ham9_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete ham9_$1
+window=10
+thresh=6
+
+# 106015
+type=SingleWithThreshold
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Deny.*\(no connection\) from (\d+.\d+.\d+.\d+\/\d+) to (\d+.\d+.\d+.\d+\/\d+)
+desc=PIX $1 Deny (no connection) HAMMER $2 to $3
+action=create ham10_$1; add ham10_$1 %t; add ham10_$1 %s; add ham10_$1 $0; report ham10_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete ham10_$1
+window=10
+thresh=30
+
+# 106016,106017,106020,106021,106022 is further down this list...
+
+# 106018
+type=SingleWithThreshold
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*ICMP packet type.*denied by outbound list.*src (\d+.\d+.\d+.\d+) dest (\d+.\d+.\d+.\d+)
+desc=PIX $1 Deny ICMP type HAMMER $2 to $3
+action=create ham11_$1; add ham11_$1 %t; add ham11_$1 %s; add ham11_$1 $0; report ham11_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete ham11_$1
+window=10
+thresh=6
+
+# 106023
+#Deny udp src outside:128.135.93.11/137 dst inside:128.135.211.65/137 by access-group "inward"
+type=SingleWithThreshold
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Deny.*src.*:(\d+.\d+.\d+.\d+\/\d+) dst.*:(\d+.\d+.\d+.\d+\/\d+) by .*
+desc=PIX $1 Deny by ACL HAMMER $2 to $3
+action=create ham12_$1; add ham12_$1 %t; add ham12_$1 %s; add ham12_$1 $0; report ham12_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete ham12_$1
+window=10
+thresh=32
+
+# This is broken... still fix? TODO
+# 106001 -- Report
+#type=SingleWithThreshold
+#continue=takenext
+#ptype=RegExp
+#pattern=^PIXLOG (\S+)\^ .*(Inbound TCP connection denied from (\d+.\d+.\d+.\d+\/\d+) to (\d+.\d+.\d+.\d+\/\d+).*)|\
+#(Connection denied by outbound list.*src (\d+.\d+.\d+.\d+) dest (\d+.\d+.\d+.\d+))|\
+#(Deny inbound UDP from (\d+.\d+.\d+.\d+) to (\d+.\d+.\d+.\d+) due to DNS)|\
+#(Deny inbound.*src.*:(\d+.\d+.\d+.\d+\/\d+) dst.*:(\d+.\d+.\d+.\d+\/\d+))|\
+#(Deny IP from (\d+.\d+.\d+.\d+) to (\d+.\d+.\d+.\d+), IP options)|\
+#(Dropping echo request from (\d+.\d+.\d+.\d+) to PAT address)|\
+#(Deny inbound icmp src.*: (\d+.\d+.\d+.\d+) dst.*: (\d+.\d+.\d+.\d+))|\
+#(Deny.*\(no connection\) from (\d+.\d+.\d+.\d+\/\d+) to (\d+.\d+.\d+.\d+\/\d+))|\
+#(ICMP packet type.*denied by outbound list.*src (\d+.\d+.\d+.\d+) dest (\d+.\d+.\d+.\d+))|\
+#(Deny.*src.*:(\d+.\d+.\d+.\d+\/\d+) dst.*:(\d+.\d+.\d+.\d+\/\d+) by )
+#desc=PIX Conn Denied 10 times from $2
+#action=create rpt_$1; add rpt_$1 %t; add rpt_$1 %s;add rpt_$1 %s; add rpt_$1 $0; report rpt_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete rpt_$1
+#window=10
+#thresh=30
+
+# 101002
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Bad failover cable.
+desc=PIX $1 Bad Failover Cable
+action=create bfc_$1; add bfc_$1 %t; add bfc_$1 %s; add bfc_$1 $0; report bfc_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete bfc_$1
+
+# 101003/4
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Failover cable not connected
+desc=PIX $1 Failover cable gone
+action=create nfc_$1; add nfc_$1 %t; add nfc_$1 %s; add nfc_$1 $0; report nfc_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete nfc_$1
+
+# 101005
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Error reading failover cable status
+desc=PIX $1 Failover cable ERROR
+action=create fce_$1; add fce_$1 %t; add fce_$1 %s; add fce_$1 $0; report fce_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete fce_$1
+
+# 102001
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Power failure/System reload
+desc=PIX $1 Peer Lost Power
+action=create fpp_$1; add fpp_$1 %t; add fpp_$1 %s; add fpp_$1 $0; report fpp_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete fpp_$1
+
+# 103001
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*No response from other firewall
+desc=PIX $1 Peer Gone Away
+action=create fnp_$1; add fnp_$1 %t; add fnp_$1 %s; add fnp_$1 $0; report fnp_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete fnp_$1
+
+# 103003
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Other firewall network interface (\S+) failed
+desc=PIX $1 Peer interface $2 died
+action=create fpi_$1; add fpi_$1 %t; add fpi_$1 %s; add fpi_$1 $0; report fpi_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete fpi_$1
+
+# 103004
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Other firewall reports this firewall failed
+desc=PIX $1 Peer says I failed
+action=create fif_$1; add fif_$1 %t; add fif_$1 %s; add fif_$1 $0; report fif_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete fif_$1
+
+# 103005
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Other firewall reporting failure
+desc=PIX $1 Peer reports failure
+action=create fpf_$1; add fpf_$1 %t; add fpf_$1 %s; add fpf_$1 $0; report fpf_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete fpf_$1
+
+# 104001
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*(Primary|Secondary) Switching to ACTIVE \(cause: (.*)\)
+desc=PIX $1 FAILOVER! Becoming ACTIVE because $2
+action=create fba_$1; add fba_$1 %t; add fba_$1 %s; add fba_$1 $0; report fba_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete fba_$1
+
+# 104002
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*(Primary|Secondary) Switching to STNDBY \(cause: (.*)\)
+desc=PIX $1 FAILOVER! Becoming STNDBY because $2
+action=create fbs_$1; add fbs_$1 %t; add fbs_$1 %s; add fsb_$1 $0; report fbs_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete fbs_$1
+
+# 104003
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Switching to FAILED
+desc=PIX $1 IN FAILED STATE!
+action=create ffs_$1; add ffs_$1 %t; add ffs_$1 %s; add ffs_$1 $0; report ffs_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete ffs_$1
+
+# 104004
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Switching to OK.
+desc=PIX $1 Failed Unit is ok
+action=create ffs_$1; add ffs_$1 %t; add ffs_$1 %s; add ffs_$1 $0; report ffs_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete ffs_$1
+
+# 105005
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Lost Failover communications with mate on interface
+desc=PIX $1 Peer Gone Away
+action=create fnp_$1; add fnp_$1 %t; add fnp_$1 %s; add fnp_$1 $0; report fnp_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete fnp_$1
+
+# 105007
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Link status \'Down\' on interface (\S+).*
+desc=PIX $1 interface $2 is DOWN
+action=create ind_$1; add ind_$1 %t; add ind_$1 %s; add ind_$1 $0; report ind_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete ind_$1
+
+# 105011
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Failover cable communication failure
+desc=PIX $1 Failver cable failed
+action=create fcf_$1; add fcf_$1 %t; add fcf_$1 %s; add fcf_$1 $0; report fcf_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete fcf_$1
+
+# 105021
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Standby unit failed to sync due to a locked (\S+) config. Lock held by (\S+)
+desc=PIX $1 Failover Sync failed because $2 is locked by $3
+action=create lck_$1; add fcf_$1 %t; add fcf_$1 %s; add lck_$1 $0; report lck_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete lck_$1
+
+# 10532
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*LAN Failover interface is down
+desc=PIX $1 Failover interface is down
+action=create fin_$1; add fin_$1 %t; add fin_$1 %s; add fin_$1 $0; report fin_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete fin_$1
+
+# 10535
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Receive a LAN failover interface down msg from peer.
+desc=PIX $1 Failover Peer reports LAN interface down
+action=create fin_$1; add fin_$1 %t; add fin_$1 %s; add fin_$1 $0; report fin_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete fin_$1
+
+# 10536
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*dropped a LAN Failover command message.
+desc=PIX $1 Failover Dropped a LAN packet
+action=create fdr_$1; add fdr_$1 %t; add fdr_$1 %s; add fdr_$1 $0; report fdr_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete fdr_$1
+
+# 10537
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*The primary and standby units are switching back
+desc=PIX $1 Failover: primary and standby units are switching back
+action=create fsw_$1; add fsw_$1 %t; add fsw_$1 %s; add fsw_$1 $0; report fsw_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete fsw_$1
+
+# 10543
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Failover interface failed
+desc=PIX $1 Failover LAN Interface is down!
+action=create fin_$1; add fin_$1 %t; add fin_$1 %s; add fin_$1 $0; report fin_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete fin_$1
+
+# messages from 106001 moved to top
+
+# 106011
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Deny inbound (No xlate).*
+desc=PIX $1 Same-Side Traffic Attack
+action=create sst_$1; add sst_$1 %t; add sst_$1 %s; add sst_$1 $0; report sst_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete sst_$1
+
+# 106016
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Deny IP spoof from (\d+.\d+.\d+.\d+) to (\d+.\d+.\d+.\d+) on interface
+desc=PIX $1 IP Spoof from $2 to $3
+action=create spf_$1; add spf_$1 %t; add spf_$1 %s; add spf_$1 $0; report spf_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete spf_$1
+
+# 106017
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Deny IP due to Land Attack from (\d+.\d+.\d+.\d+) to (\d+.\d+.\d+.\d+)
+desc=PIX $1 IP LAND Attack
+action=create lnd_$1; add lnd_$1 %t; add lnd_$1 %s; add lnd_$1 $0; report lnd_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete lnd_$1
+
+# 106020
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Deny IP teardrop fragment.*from (\d+.\d+.\d+.\d+) to (\d+.\d+.\d+.\d+)
+desc=PIX $1 Teardrop Attack
+action=create tdr_$1; add tdr_$1 %t; add tdr_$1 %s; add tdr_$1 $0; report tdr_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete tdr_$1
+
+# 106021
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Deny.*reverse path check from (\d+.\d+.\d+.\d+) to (\d+.\d+.\d+.\d+).*
+desc=PIX $1 Reverse Path Check Attack from $2 to $3
+action=create rpc_$1; add rpc_$1 %t; add rpc_$1 %s; add rpc_$1 $0; report rpc_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete rpc_$1
+
+# 106022
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Deny.*connection spoof from (\d+.\d+.\d+.\d+) to (\d+.\d+.\d+.\d+).*
+desc=PIX $1 Connection Spoof Attack from $2 to $3
+action=create spf_$1; add spf_$1 %t; add spf_$1 %s; add spf_$1 $0; report spf_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete spf_$1
+
+# 106024
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Access rules memory exhausted
+desc=PIX $1 Out of ACL Memory!
+action=create ame_$1; add ame_$1 %t; add ame_$1 %s; add ame_$1 $0; report ame_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete ame_$1
+
+# 106025/6
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Failed to determine the security context for the packet:(\S+):(\d+.\d+.\d+.\d+) (\d+.\d+.\d+.\d+) (\d+) (\d+).*
+desc=PIX $1 failed getting context for vlan $2 $3:$4 to $5:$6
+action=create ctx_$1; add ctx_$1 %t; add ctx_$1 %s; add ctx_$1 $0; report ctx_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete ctx_$1
+
+# 107001
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*RIP auth failed from (\d+.\d+.\d+.\d+).*
+desc=PIX $1 RIP Auth Attack from $2
+action=create rip_$1; add rip_$1 %t; add rip_$1 %s; add rip_$1 $0; report rip_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete rip_$1
+
+# 107002
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*RIP pkt failed from (\d+.\d+.\d+.\d+).*
+desc=PIX $1 Invalid RIP Packet from $2
+action=create rpk_$1; add rpk_$1 %t; add rpk_$1 %s; add rpk_$1 $0; report rpk_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete rpk_$1
+
+# 109003
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Auth from (\d+.\d+.\d+.\d+) to (\d+.\d+.\d+.\d+\/\d+) failed \(all servers failed\).*
+desc=PIX $1 All AAA Failed from $2 to $3
+action=create aaa_$1; add aaa_$1 %t; add aaa_$1 %s; add aaa_$1 $0; report aaa_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete aaa_$1
+
+# 109006/8
+type=SingleWithThreshold
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*(Authentication|Authorization) (failed|denied) for user \'(\S+)\' from (\d+.\d+.\d+.\d+\/\d+) to (\d+.\d+.\d+.\d+\/\d+)
+desc=PIX $1 Auth Guessing Attack by $2 from $3 to $4
+action=create brt_$1; add brt_$1 %t; add brt_$1 %s; add brt_$1 $0; report brt_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete brt_$1
+window=10
+thresh=6
+
+# 109010
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Auth from (\d+.\d+.\d+.\d+\/\d+) to (\d+.\d+.\d+.\d+\/\d+) failed \(too many pending auths\).*
+desc=PIX $1 Max Auths Reached for $2 to $3
+action=create mth_$1; add mth_$1 %t; add mth_$1 %s; add mth_$1 $0; report mth_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete mth_$1
+
+# 109017
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*User at (\d+.\d+.\d+.\d+) exceeded auth proxy connection
+desc=PIX $1 $2 has opened to many proxy conns
+action=create pcn_$1; add pcn_$1 %t; add pcn_$1 %s; add pcn_$1 $0; report pcn_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete pcn_$1
+
+# 109024
+type=SingleWithThreshold
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Authorization denied.*for user \'(\S+)\' from (\d+.\d+.\d+.\d+\/\d+) to (\d+.\d+.\d+.\d+\/\d+)
+desc=PIX $1 Authorization Denied HAMMER $2 from $3 to $4
+action=create uhm_$1; add uhm_$1 %t; add uhm_$1 %s; add uhm_$1 $0; report uhm_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete uhm_$1
+window=10
+thresh=6
+
+# 109025
+type=SingleWithThreshold
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Authorization denied \(acl=.*\) for user \'(\S+)\' from (\d+.\d+.\d+.\d+\/\d+) to (\d+.\d+.\d+.\d+\/\d+) on interface.*
+desc=PIX $1 Authorization Denied HAMMER $2 from $3 to $4
+action=create uhm_$1; add uhm_$1 %t; add uhm_$1 %s; add uhm_$1 $0; report uhm_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete uhm_$1
+window=10
+thresh=6
+
+# 111001
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Begin configuration: (\d+.\d+.\d+.\d+) writing to (\S+)
+desc=PIX $1 Config saved to $3 by $2
+action=create sav_$1; add sav_$1 %t; add sav_$1 %s; add sav_$1 $0; report sav_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete sav_$1
+
+# 111002
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Begin configuration: (\d+.\d+.\d+.\d+) reading from (\S+)
+desc=PIX $1 Config read from $3 by $2
+action=create sav_$1; add sav_$1 %t; add sav_$1 %s; add sav_$1 $0; report sav_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete sav_$1
+
+# 111003
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*(\d+.\d+.\d+.\d+) Erase configuration
+desc=PIX $1 WRITE ERASE WAS ISSUED $2
+action=create ers_$1; add ers_$1 %t; add ers_$1 %s; add ers_$1 $0; report ers_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete ers_$1
+
+# 111004
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*(\d+.\d+.\d+.\d+) end configuration: \[FAILED\]
+desc=PIX $1 FAILED CONFIGURING $2
+action=create cff_$1; add cff_$1 %t; add cff_$1 %s; add cff_$1 $0; report cff_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete cff_$1
+
+# 111008
+type=Single
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*User \'(\S+)\' executed the command (.*)
+desc=PIX $1 $2 executed: $3
+action=add CMD_REPORT $2 : $3
+#create cff_$1; add cff_$1 %t; add cff_$1 %s; add cff_$1 $0; report cff_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete cff_$1
+
+# FIXME -- Add syslog number
+# FSWM Style
+type=Single
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*User \'(\S+)\' executed the \'(.*)\' command.*
+desc=PIX $1 $2 executed: $3
+action=add CMD_REPORT $2 : $3
+#action=create cff_$1; add cff_$1 %t; add cff_$1 %s; add cff_$1 $0; report cff_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete cff_$1
+
+
+# 111008
+type=Single
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*User (\S+) executed cmd:(.*)
+desc=PIX $1 $2 executed: $3
+action=add CMD_REPORT $2 : $3
+#action=create cff_$1; add cff_$1 %t; add cff_$1 %s; add cff_$1 $0; report cff_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete cff_$1
+#action=create cff_$1; add cff_$1 %t; add cff_$1 %s; add cff_$1 $0; report cff_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete cff_$1
+
+# 113001
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Unable to open AAA session. Session limit
+desc=PIX $1 AAA Reached session limit
+action=create cff_$1; add cff_$1 %t; add cff_$1 %s; add cff_$1 $0; report cff_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete cff_$1
+
+# 113005
+type=SingleWithThreshold
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*AAA user authentication Rejected: reason = (.*) server = .* User = (\S+).*
+desc=PIX $1 IPSEC: User Auth Attack: $2 for $3
+action=create cff_$1; add cff_$1 %t; add cff_$1 %s; add cff_$1 $0; report cff_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete cff_$1
+window=10
+thresh=6
+
+# 113006
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*User (\S+) locked out on exceeding number successive failed authentication attempts
+desc=PIX $1 User Locked out: $2
+action=create cff_$1; add cff_$1 %t; add cff_$1 %s; add cff_$1 $0; report cff_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete cff_$1
+
+# 113020
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Kerberos error : Clock skew with server (\d+.\d+.\d+.\d+).*
+desc=PIX $1 User Locked out: $2
+action=create cff_$1; add cff_$1 %t; add cff_$1 %s; add cff_$1 $0; report cff_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete cff_$1
+
+# Might be only 6.x
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Console Login from user at (\d+.\d+.\d+.\d+)
+desc=PIX $1 Console Login from $2
+action=create con_$1; add con_$1 %t; add con_$1 %s; add con_$1 $0; report con_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete con_$1
+
+# 112001
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*clear (finished|complete)\.
+desc=PIX $1 Clear Command Executed
+action=create clr_$1; add clr_$1 %t; add clr_$1 %s; add clr_$1 $0; report clr_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete clr_$1
+
+# 199002
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*[rR]eload command executed from.*(\d+.\d+.\d+.\d+)
+desc=PIX $1 Reloaded by $2
+action=create rld_$1; add rld_$1 %t; add rld_$1 %s; add rld_$1 $0; report rld_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete rld_$1
+
+# 199002
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Orderly reload started at.*by (\S+). Reload.*
+desc=PIX $1 Reloaded by $2
+action=create rld_$1; add rld_$1 %t; add rld_$1 %s; add rld_$1 $0; report rld_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete rld_$1
+
+# 201002
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+).*Too many.*connections on (static|xlate) (\d+.\d+.\d+.\d+)
+desc=PIX $1 Max Embryonics to $3 (not attack)
+action=create max_$1; add max_$1 %t; add max_$1 %s; add max_$1 $0; report max_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete max_$1
+
+# 201003
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Embryonic limit exceeded.*for (\d+.\d+.\d+.\d+\/\d+) \((\d+.\d+.\d+.\d+)\) (\d+.\d+.\d+.\d+\/\d+)
+desc=PIX $1 Max Embryonics from $2 to $3 ($4) Attack
+action=create emb_$1; add emb_$1 %t; add emb_$1 %s; add emb_$1 $0; report emb_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete emb_$1
+
+# 201008
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*The PIX is disallowing new connections.
+desc=PIX $1 No longer allowing connections!
+action=create stp_$1; add stp_$1 %t; add stp_$1 %s; add stp_$1 $0; report stp_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete stp_$1
+
+# 202001
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Out of address translation slots!
+desc=PIX $1 Out of NAT Slots
+action=create nnt_$1; add nnt_$1 %t; add nnt_$1 %s; add nnt_$1 $0; report nnt_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete nnt_$1
+
+# 209003
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Fragment database limit of.*exceeded: src = (\d+.\d+.\d+.\d+), dest = (\d+.\d+.\d+.\d+).*
+desc=PIX $1 No room to assemble more frags from $2 to $3
+action=create frg_$1; add frg_$1 %t; add frg_$1 %s; add frg_$1 $0; report frg_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete frg_$1
+
+# 209004
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Invalid IP fragment, size =.*exceeds maximum size =.*src = (\d+.\d+.\d+.\d+), dest = (\d+.\d+.\d+.\d+).*
+desc=PIX $1 Frag is invalid from $2 to $3
+action=create lrg_$1; add lrg_$1 %t; add lrg_$1 %s; add lrg_$1 $0; report lrg_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete lrg_$1
+
+# 209005
+# FIXME -- Cisco log message doesnt match this
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Discard IP fragment set with more than.*elements:src = (\d+.\d+.\d+.\d+), dest = (\d+.\d+.\d+.\d+).*
+desc=PIX $1 To many frags from $2 to $3
+action=create _$1; add _$1 %t; add _$1 %s; add _$1 $0; report _$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete _$1
+
+# 210002
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*LU allocate block .* failed.
+desc=PIX $1 Failover Block Alocation Failed
+action=create fba_$1; add fba_$1 %t; add fba_$1 %s; add fba_$1 $0; report fba_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete fba_$1
+
+# 210005
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*LU allocate connection failed
+desc=PIX $1 Failover Connection Failed
+action=create fcf_$1; add fcf_$1 %t; add fcf_$1 %s; add fcf_$1 $0; report fcf_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete fcf_$1
+
+# 210003
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Unknown LU Object.*
+desc=PIX $1 Failover: Unknown LU Object
+action=create ulu_$1; add ulu_$1 %t; add ulu_$1 %s; add ulu_$1 $0; report ulu_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete ulu_$1
+
+# 210006
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*LU look NAT for (\d+.\d+.\d+.\d+) failed
+desc=PIX $1 Failover NAT Sync failed for $2
+action=create fns_$1; add fns_$1 %t; add fns_$1 %s; add fns_$1 $0; report fns_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete fns_$1
+
+# 210007
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*LU allocate xlate failed
+desc=PIX $1 Failover xlate Sync Failed
+action=create fxs_$1; add fxs_$1 %t; add fxs_$1 %s; add fxs_$1 $0; report fxs_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete fxs_$1
+
+# 210008
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*LU no xlate for (\d+.\d+.\d+.\d+\/\d+) (\d+.\d+.\d+.\d+\/\d+)
+desc=PIX $1 Failover xlate Sync Failure for $2 to $3
+action=create fxs_$1; add fxs_$1 %t; add fxs_$1 %s; add fxs_$1 $0; report fxs_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete fxs_$1
+
+# 210010
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*LU make UDP connection for (\d+.\d+.\d+.\d+:\d+) (\d+.\d+.\d+.\d+:\d+) failed
+desc=PIX $1 Failover UDP Conn sync failure for $2 to $3
+action=create fus_$1; add fus_$1 %t; add fus_$1 %s; add fus_$1 $0; report fus_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete fus_$1
+
+# 210020
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*LU PAT port (\d+) reserve failed
+desc=PIX $1 Failover PAT Sync for $2 failed
+action=create fps_$1; add fps_$1 %t; add fps_$1 %s; add fps_$1 $0; report fps_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete fps_$1
+
+# 210021
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*LU create static xlate (\d+.\d+.\d+.\d+).*failed
+desc=PIX $1 Failover Static xlate failed for $2
+action=create fxf_$1; add fxf_$1 %t; add fxf_$1 %s; add fxf_$1 $0; report fxf_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete fxf_$1
+
+# 210022
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*LU missed (\d+) updates
+desc=PIX $1 Failover Sync failed for $2 updates
+action=create fsf_$1; add fsf_$1 %t; add fsf_$1 %s; add fsf_$1 $0; report fsf_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete fsf_$1
+
+# 211001
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Memory allocation Error
+desc=PIX $1 Memory allocation Error!
+action=create mae_$1; add mae_$1 %t; add mae_$1 %s; add mae_$1 $0; report mae_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete mae_$1
+
+# 211003
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*CPU utilization for (\d+) seconds = (.*)
+desc=PIX $1 CPU high ($2) for $3 secs
+action=create cpu_$1; add cpu_$1 %t; add cpu_$1 %s; add cpu_$1 $0; report cpu_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete cpu_$1
+
+# 211003
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Dropping SNMP request from (\d+.\d+.\d+.\d+\/\d+) to.*:(\d+.\d+.\d+.\d+\/\d+).*
+desc=PIX $1 SNMP Attempt from $2 to $3
+action=create snp_$1; add snp_$1 %t; add snp_$1 %s; add snp_$1 $0; report snp_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete snp_$1
+
+# 213001
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*PPTP control daemon socket io.*errno = (\d+)
+desc=PIX $1 PPTP Error $2
+action=create ppt_$1; add ppt_$1 %t; add ppt_$1 %s; add ppt_$1 $0; report ppt_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete ppt_$1
+
+# 213002
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*PPTP tunnel hashtable insert failed, peer = (\d+.\d+.\d+.\d+)
+desc=PIX $1 PPTP hash table insert failed for $2
+action=create pht_$1; add pht_$1 %t; add pht_$1 %s; add pht_$1 $0; report pht_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete pht_$1
+
+# 213003
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*PPP virtual interface (\S+) isn't opened.
+desc=PIX $1 PPP Virtual Int $2 failed to close
+action=create ppp_$1; add ppp_$1 %t; add ppp_$1 %s; add ppp_$1 $0; report ppp_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete ppp_$1
+
+# 213004
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*PPP virtual interface (\S+) client ip allocation failed.
+desc=PIX $1 PPP Virutal interface $2 failure (pool depleted)
+action=create ppl_$1; add ppl_$1 %t; add ppl_$1 %s; add ppl_$1 $0; report ppl_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete ppl_$1
+
+#
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Denied Telnet login session from (\d+.\d+.\d+.\d+) on interface (int_name).
+desc=PIX $1 Denid Telnet from $2 ($3) !!
+action=create tel_$1; add tel_$1 %t; add tel_$1 %s; add tel_$1 $0; report tel_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete tel_$1
+
+#
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Permitted Telnet login session from (\d+.\d+.\d+.\d+)
+desc=PIX $1 Permitted Telnet from $2 !
+action=create tel_$1; add tel_$1 %t; add tel_$1 %s; add tel_$1 $0; report tel_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete tel_$1
+
+#
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*telnet login session failed from (\d+.\d+.\d+.\d+).*
+desc=PIX $1 Telnet login guessing attack
+action=create tel_$1; add tel_$1 %t; add tel_$1 %s; add tel_$1 $0; report tel_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete tel_$1
+
+# 308001
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*PIX console enable password incorrect for (num) tries \(from (\d+.\d+.\d+.\d+)\).
+desc=PIX $1 Many Enable Password failures for $3
+action=create enb_$1; add enb_$1 %t; add enb_$1 %s; add enb_$1 $0; report enb_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete enb_$1
+
+# 315011
+type=SingleWithThreshold
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*SSH session from (\d+.\d+.\d+.\d+) on interface.*for user (\S+) disconnected by SSH server, reason:.*
+desc=PIX $1 SSH Auth Attach from $2 ($3)
+action=create ssh_$1; add ssh_$1 %t; add ssh_$1 %s; add ssh_$1 $0; report ssh_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete ssh_$1
+window=10
+thresh=6
+
+#
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Denied manager connection from (\d+.\d+.\d+.\d+).
+desc=PIX $1 Denied Manager from $2
+action=create nmg_$1; add nmg_$1 %t; add nmg_$1 %s; add nmg_$1 $0; report nmg_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete nmg_$1
+
+# FIXME -- Add log code FWSM
+type=Single
+continue=takenext
+ptype=RegExp
+pattern==^PIXLOG (\S+)\^ .*Denied SSH session from (\d+.\d+.\d+.\d+) on interface.*
+desc=PIX $1 Denied SSH from $2
+action=create ssh_$1; add ssh_$1 %t; add ssh_$1 %s; add ssh_$1 $0; report ssh_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete ssh_$1
+
+#
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Permitted manager connection from (IP_addar).
+desc=PIX $1 Allowed Manager from $2
+action=create ymg_$1; add ymg_$1 %t; add ymg_$1 %s; add ymg_$1 $0; report ymg_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete ymg_$1
+
+# FIXME
+# SET \d+.\d+.\d+.\d+ TO ! 128.135.0.x
+#type=Single
+#continue=takenext
+#ptype=RegExp
+#pattern=^PIXLOG (\S+)\^ .*Permitted SSH session from (\d+.\d+.\d+.\d+) on interface.*for user "user_id"
+#desc=PIX $1 Permitted ssh $3 from $2
+#action=create fsh_$1; add fsh_$1 %t; add fsh_$1 %s; add fsh_$1 $0; report fsh_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete fsh_$1
+
+#
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*SSH login session failed from (\d+.\d+.\d+.\d+) on \((num) attempts\) on interface.*by user "(\S+)"
+desc=PIX $1 SSH $3 Failures from $2 by $4
+action=create lsh_$1; add lsh_$1 %t; add lsh_$1 %s; add lsh_$1 $0; report lsh_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete lsh_$1
+
+# 402101
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*decaps: rec\'d IPSEC packet has invalid spi for destaddr=(\d+.\d+.\d+.\d+).*
+desc=PIX $1 IPSEC: Invalid SPI in packet from $2 (possible attack)
+action=create spi_$1; add spi_$1 %t; add spi_$1 %s; add spi_$1 $0; report spi_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete spi_$1
+
+# 402101
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*decapsulate: packet missing (.*), destadr=(\d+.\d+.\d+.\d+)
+desc=PIX $1 IPSEC: Packet to $3 did not have type $2 (possible attack)
+action=create itp_$1; add itp_$1 %t; add itp_$1 %s; add itp_$1 $0; report itp_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete itp_$1
+
+# 402103
+# FIXME -- This is messy
+#type=Single
+#continue=takenext
+#ptype=RegExp
+#pattern=^PIXLOG (\S+)\^ .*dentity doesn't match negotiated identity \((ip)\) dest_addr= (\d+.\d+.\d+.\d+), src_addr= (\d+.\d+.\d+.\d+), prot= protocol, \((ident)\) local=(\d+.\d+.\d+.\d+), remote=(\d+.\d+.\d+.\d+), local_proxy=(\d+.\d+.\d+.\d+/\d+.\d+.\d+.\d+/port/port), remote_proxy=(\d+.\d+.\d+.\d+/\d+.\d+.\d+.\d+/port/port)
+#desc=PIX $1 IPSEC: Peer $2 is attempting to send other packets through us $3 $4 $5 $6 $7
+#action=create per_$1; add per_$1 %t; add per_$1 %s; add per_$1 $0; report per_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete per_$1
+
+# 402115
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Received a packet from (\d+.\d+.\d+.\d+) to (\d+.\d+.\d+.\d+) containing.*data instead of.*data.
+desc=PIX $1 IPSEC: packet from $2 to $3 doesn't match negotiated proto
+action=create ipx_$1; add ipx_$1 %t; add ipx_$1 %s; add ipx_$1 $0; report ipx_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete ipx_$1
+
+# 402115
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Received an.*packet.*from (\d+.\d+.\d+.\d+).*to (\d+.\d+.\d+.\d+).*The decapsulated inner packet doesn't match the negotiated policy in the SA
+desc=PIX $1 IPSEC: packet from $2 to $3 is encapsulated with unexpected data.
+action=create enc_$1; add enc_$1 %t; add enc_$1 %s; add enc_$1 $0; report enc_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete enc_$1
+
+# 402118
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Received an.*packet.*from (\d+.\d+.\d+.\d+).*to (\d+.\d+.\d+.\d+) containing an illegal IP fragment.*
+desc=PIX $1 IPSEC: packet from $2 to $3 has invalid fragment
+action=create enc_$1; add enc_$1 %t; add enc_$1 %s; add enc_$1 $0; report enc_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete enc_$1
+
+# 403103
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*PPP virtual interface max connections reached.
+desc=PIX $1 PPP interfaces exhausted
+action=create pie_$1; add pie_$1 %t; add pie_$1 %s; add pie_$1 $0; report pie_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete pie_$1
+
+# 403109
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Rec\'d packet not an PPTP packet. \(.*\) dest_addr= (\d+.\d+.\d+.\d+), src_addr= (\d+.\d+.\d+.\d+).*
+desc=PIX $1 Spoofed PPTP Packet from $3 to $2
+action=create spp_$1; add spp_$1 %t; add spp_$1 %s; add spp_$1 $0; report spp_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete spp_$1
+
+# 404101
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*ISAKMP: Failed to allocate address for client from pool (\S+)
+desc=PIX $1 IPSEC: Failed to allocate addr from $2
+action=create faa_$1; add faa_$1 %t; add faa_$1 %s; add faa_$1 $0; report faa_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete faa_$1
+
+# 405001
+#type=Single
+#continue=takenext
+#ptype=RegExp
+#pattern=PIXLOG (\S+)\^ .*Received ARP.*collision from (\d+.\d+.\d+.\d+\/....\.....\.....) on.*
+#desc=PIX $1 ARP Collision: $2
+#action=create mac_$1; add mac_$1 %t; add mac_$1 %s;add mac_$1 %s; add mac_$1 $0; report mac_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete mac_$1
+
+#
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Configuration replication failed for command (\S+)
+desc=PIX $1 Failover replication command $2 failed
+action=create rcf_$1; add rcf_$1 %t; add rcf_$1 %s; add rcf_$1 $0; report rcf_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete rcf_$1
+
+# 709001
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*FO replication failed: cmd=(.*) returned=.*
+desc=PIX $1 Failover: Command replication failed for Peer: $2
+action=create rcf_$1; add rcf_$1 %t; add rcf_$1 %s; add rcf_$1 $0; report rcf_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete rcf_$1
+
+# 316001
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Denied new tunnel to (\d+.\d+.\d+.\d+). VPN peer limit.*exceeded.*
+desc=PIX $1 VPN Peer limit exceeded for $2
+action=create plm_$1; add plm_$1 %t; add plm_$1 %s; add plm_$1 $0; report plm_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete plm_$1
+
+# 317003
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*IP routing table creation failure - (.*)
+desc=PIX $1 Route table Error: $2
+action=create rte_$1; add rte_$1 %t; add rte_$1 %s; add rte_$1 $0; report rte_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete rte_$1
+
+# 317004
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*IP routing table limit warning
+desc=PIX $1 Routing table limit reached
+action=create rtl_$1; add rtl_$1 %t; add rtl_$1 %s; add rtl_$1 $0; report rtl_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete rtl_$1
+
+# 317005
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*IP routing table limit exceeded - (.*), (\d+.\d+.\d+.\d+).*
+desc=PIX $1 Route table limit breached by $3: $2
+action=create rtb_$1; add rtb_$1 %t; add rtb_$1 %s; add rtb_$1 $0; report rtb_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete rtb_$1
+
+# 323005
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Module in slot (\S+) can not be powered on completely
+desc=PIX $1 Slot $2 will not power on
+action=create slp_$1; add slp_$1 %t; add slp_$1 %s; add slp_$1 $0; report slp_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete slp_$1
+
+# 411002
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Line protocol on interface (\S+) changed state to down
+desc=PIX $1 Interface $2 is DOWN!
+action=create lpd_$1; add ldp_$1 %t; add ldp_$1 %s; add lpd_$1 $0; report lpd_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete lpd_$1
+
+# 412002
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Detected bridge table full while inserting MAC (....\.....\.....) on interface .*
+desc=PIX $1 MAC Address table is FULL!
+action=create brf_$1; add brf_$1 %t; add brf_$1 %s; add brf_$1 $0; report brf_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete brf_$1
+
+# 505001
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Module in slot (\S+) is shutting down. Please.*
+desc=PIX $1 Slot $2 is shutting down!
+action=create sht_$1; add sht_$1 %t; add sht_$1 %s; add sht_$1 $0; report sht_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete sht_$1
+
+# 505002
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Module in slot (\S+) is reloading. Please.*
+desc=PIX $1 Slot $2 is reloading!
+action=create rld_$1; add rld_$1 %t; add rld_$1 %s; add rld_$1 $0; report rld_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete rld_$1
+
+# 605004
+type=SingleWithThreshold
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*Login denied from (.*) to (.*) for user "(\S+)"
+desc=PIX $1 Auth Attack from $2 to $3 ($4)
+action=create ath_$1; add ath_$1 %t; add ath_$1 %s; add ath_$1 $0; report ath_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete ath_$1
+window=10
+thresh=6
+
+# 611102
+type=SingleWithThreshold
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*User authentication failed: Uname: (\S+)
+desc=PIX $1 Auth Attach from $2
+action=create ath_$1; add ath_$1 %t; add ath_$1 %s; add ath_$1 $0; report ath_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete ath_$1
+window=10
+thresh=6
+
+# 615002
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=^PIXLOG (\S+)\^ .*vlan number not available for firewall interface
+desc=PIX $1 VLAN Error for FWSM
+action=create vln_$1; add vln_$1 %t; add vln_$1 %s; add vln_$1 $0; report vln_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user@example.com; delete vln_$1
+
+#
246 sec/pix-security.sec
@@ -0,0 +1,246 @@
+####################################################################
+# SEC ruleset for Cisco PIX 6.x, 7.x
+#
+# Copyright (C) 2003-2009 Chris Sawall
+# This is free software. You may redistribute copies of it under the terms of
+# the GNU General Public License version 2.
+# There is NO WARRANTY, to the extent permitted by law.
+####################################################################
+
+# Process various events from PIX syslog output
+#
+# Submitted by Chris Sawall
+# email: sawall -[at]- gmail -[dot]- com
+# Last Updated: 5/20/05
+
+# ------------------------------------------------------------------
+# Watch for weird failures - possible trojan/worm
+# ------------------------------------------------------------------
+
+# Watch for 10 denies within 10 seconds. Especially useful to monitor
+# for certain trojans and mass mailers
+#
+type=SingleWithThreshold
+ptype=RegExp
+pattern=\s*.*Deny\s+(\w+)\s+src.*:(.*)/.*:(.*)/(\b2\d\b).*$
+desc=Unusual Failures:$1 $4/$2 -> $3
+action=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01@example.com; delete ffo_$1
+window=10
+thresh=10
+
+# Monitor for occurrances of certain variant of PHEL trojan destined
+# for two different class C networks
+#
+type=Single
+continue=dontcont
+ptype=RegExp
+pattern=(212\.147\.14[12]\.)
+desc=Possible PHEL Trojan (1)
+action=create phel_$1; add phel_$1 Local Time = %t; add phel_$1 $0; report phel_$1 /bin/mail -s "%s" email01@example.com; delete phel_$1
+
+# ------------------------------------------------------------------
+# Watch for firewall failovers
+# ------------------------------------------------------------------
+
+# Firewall failures/failovers
+# Works for PIX 7.x
+
+# Failure of secondary (standby) firewall while primary is active
+# Works for PIX 7.x
+#
+# $1 is the IP address of the primary firewall
+#
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*PIX-1-102001.*\(Primary\).*$
+desc=Secondary firewall for $1 - failure/reload
+action=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01@example.com; delete ffo_$1
+
+# Failure of secondary (standby) firewall while primary is active
+# Works for PIX 7.x
+#
+# $1 is the IP address of the primary firewall
+#
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*PIX-1-102001.*\(Secondary\).*$
+desc=Primary firewall for $1 - failure/reload
+action=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01@example.com; delete ffo_$1
+
+# Failure of secondary (active), primary assumes active
+# Works for PIX 7.x
+#
+# The first "desc" and "action" don't really do anything here. But SEC requires them to be present.
+# $1 is the IP address of the primary firewall
+#
+type=Pair
+continue=dontcont
+ptype=RegExp
+pattern=PIX-1-102001:\s+\(Primary\).*$
+desc=$0
+action=logonly
+ptype2=RegExp
+pattern2=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*Primary\).*Peer state Standby Ready
+desc2=Secondary (was active) firewall ($1) has failed. Primary is now active.
+action2=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01@example.com; delete ffo_$1
+window=5
+
+# Failure of primary (active), secondary assumes active
+# Works for PIX 7.x
+#
+# The first "desc" and "action" don't really do anything here. But SEC requires them to be present.
+# $1 is the IP address of the primary firewall
+#
+type=Pair
+continue=dontcont
+ptype=RegExp
+pattern=PIX-1-102001:\s+\(Secondary\).*$
+desc=$0
+action=logonly
+ptype2=RegExp
+pattern2=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*Secondary\).*Peer state Standby Ready
+desc2=Primary firewall ($1) has failed. Secondary is now active.
+action2=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01@example.com; delete ffo_$1
+window=5
+
+# ------------------------------------------------------------------
+# Watch for firewall reloads
+# ------------------------------------------------------------------
+
+# Manual reload of PIX
+# Works for PIX 6.x
+#
+# $1 is the IP address of the primary firewall
+#
+type=Single
+continue=dontcont
+ptype=RegExp
+pattern=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*PIX reload.*$
+desc=$1 has been manually rebooted
+action=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01@example.com ; delete ffo_$1
+
+# Manual reload of PIX
+# Works for PIX 7.x
+#
+# $1 is the IP address of the primary firewall
+#
+type=Single
+continue=dontcont
+ptype=RegExp
+pattern=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*Orderly reload.*Reload reason:\s(\S+)
+desc=$1 has been manually rebooted, reason: $2
+action=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01@example.com; delete ffo_$1
+
+# ------------------------------------------------------------------
+# Watch for SSH logins/failures on firewalls
+# ------------------------------------------------------------------
+
+# Suppress emails concerning pixbkup account
+# In this case, the pixbkup acct is used to backup the PIX firewalls
+# Keeping email alerts to a minimum, this skips past these alerts
+#
+type=Suppress
+continue=dontcont
+ptype=RegExp
+pattern=pixbkup
+
+# Successful Admin SSH session
+# Works for PIX 6.x
+#
+# Monitor for successful SSH connections to the PIX firewall
+# $1 & $2 make up the IP of the firewall, $3 is the user account and $4 the source IP addr
+#
+type=Single
+continue=dontcont
+ptype=RegExp
+pattern=\s*.*(10|172|192)\.(\d+\.\d+\.\d+).*Authentication succeeded.*\'(\S+)\'.*to\s(\d+\.\d+\.\d+\.\d+)\/0.*SSH
+desc=Admin Auth to $1.$2 -> $3 from $4
+action=create ssh_$1; add ssh_$1 Local Time = %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01@example.com; delete ssh_$1
+
+# Successful Admin SSH session
+# Works for PIX 7.x
+#
+# Monitor for successful SSH connections to the PIX firewall
+# $1 & $2 make up the IP of the firewall, $3 is the user account and $4 the source IP addr
+#
+type=Single
+continue=dontcont
+ptype=RegExp
+pattern=\s*.*(10|172|192)\.(\d+\.\d+\.\d+).*Authentication succeeded.*\'(\S+)\'\sfrom\s(\d+\.\d+\.\d+\.\d+)\/0.*/22.*$
+desc=Admin Auth to $1.$2 -> $3 from $4
+action=create ssh_$1; add ssh_$1 Local Time = %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01@example.com; delete ssh_$1
+
+# Failed Admin SSH session
+# Works for PIX 6.x
+#
+# Monitor for failed SSH attempts to the PIX firewalls
+# $1 is the user acct
+#
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=Authentication failed.*\'(\S+)\'.*SSH
+desc=Admin Auth FAILED -> $1
+action=create ssh_$1; add ssh_$1 %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01@example.com; delete ssh_$1
+
+# Failed Admin SSH session
+# Works for PIX 7.x
+#
+# Monitor for failed SSH attempts to the PIX firewalls
+# $1 is the user acct
+#
+type=Single
+continue=takenext
+ptype=RegExp
+pattern=Authentication failed.*\'(\S+)\'.*/22.*$
+desc=Admin Auth FAILED -> $1
+action=create ssh_$1; add ssh_$1 %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01@example.com; delete ssh_$1
+
+# Normal SSH termination
+# Works for both PIX 6.x and 7.x
+#
+# $1 is the IP of the firewall and $2 is the user acct
+#
+type=Single
+ptype=RegExp
+pattern=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*\"(\S+)\".*terminated normally
+desc=ADMIN END $1 -> $2
+action=create ssh_$1; add ssh_$1 %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01@example.com; delete ssh_$1
+
+# SSH session timeout or abnormal termination
+# Works for PIX 6.x
+# May work for PIX 7.x - not tested but PIX-6-315011 is the same for 6 and 7.
+#
+# $1 is the IP of the firewall
+#
+type=Single
+ptype=RegExp
+pattern=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*disconnected by SSH server
+desc=Firewall session END - timeout $1
+action=create ssh_$1; add ssh_$1 %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01@example.com; delete ssh_$1
+
+# ------------------------------------------------------------------
+# Watch for firewall commands
+# ------------------------------------------------------------------
+
+# Admin executed "write mem"
+# Works for both PIX 6.x and 7.x
+#
+# $1 is the IP of the firewall
+type=Single
+ptype=RegExp
+pattern=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*write\sm.*
+desc=User wrote config to memory -> $1
+action=create fwcmd_$1; add fwcmd_$1 %t; add fwcmd_$1 $0; report fwcmd_$1 /bin/mail -s "%s" email01@example.com; delete fwcmd_$1
+
+# Watch for HIGH CPU Utilization
+# Works for PIX 6.x
+#
+type=Single
+ptype=RegExp
+pattern=PIX-.-211003
+desc=HIGH CPU Utilization
+action=create fwcmd_$1; add fwcmd_$1 %t; add fwcmd_$1 $0; report fwcmd_$1 /bin/mail -s "%s" email01@example.com; delete fwcmd_$1
+
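Review bot: The Suppress rule at the top of the "SSH logins/failures" block (`pattern=pixbkup` with `continue=dontcont`) drops every line containing that substring, not just the routine backup logins it was written for, so failed SSH authentications and abnormal disconnects for the pixbkup account never reach the "Authentication failed" rules below it and a credential-guessing run against that account would go unreported. Narrowing it to the messages it is meant to hide keeps the failures visible, e.g. `pattern=(Authentication succeeded.*\'pixbkup\'|\"pixbkup\".*terminated normally)`. Separately, the `(\S+)` capture of the user account in the two "Failed Admin SSH session" rules ends up in `desc` and therefore in `-s "%s"` on the mail command line; since SEC appears to hand `report` command lines to a shell, a tighter class such as `([\w.@-]+)` keeps log-supplied text from carrying shell metacharacters into that command. The last rule (211003, HIGH CPU) reuses the `fwcmd_$1` context name from the "write mem" rule although its pattern `PIX-.-211003` has no capture group, so `$1` is never set; a dedicated name such as `cpu_` with the firewall address captured into the desc would match the convention used by the rest of the file.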
80 sec/pix-url.sec
@@ -0,0 +1,80 @@
+####################################################################
+# SEC ruleset for Monitoring Keywords
+#
+# Copyright (C) 2003-2009 Chris Sawall
+# This is free software. You may redistribute copies of it under the terms of
+# the GNU General Public License version 2.
+# There is NO WARRANTY, to the extent permitted by law.
+####################################################################
+
+# This particular ruleset was designed to monitor PIX syslog traffic
+# and watch for keywords in URL traffic. Starting SEC must include
+# the -intevents option.
+#
+# Currently tested for PIX 6.x
+#
+# Submitted by Chris Sawall
+# email: sawall -[at]- gmail -[dot]- com
+# Last Updated: 5/20/05
+
+# Wait for SEC to start up or be restarted and then read in two lists
+# of words. The first being a list of words to watch for and alert on,
+# the second list being a list of exclusions for a suppression rule.
+#
+type=Single
+ptype=PerlFunc
+pattern=sub { if(($_[0] eq "SEC_STARTUP") || ($_[0] eq "SEC_RESTART")) { @words=`cat /root/watch4badwords`; chomp(@words); $list=join('|', @words); @ewords=`cat /root/watch4excludes`; chomp(@ewords); $excludes=join('|', @ewords);} }
+desc=$0
+context=SEC_INTERNAL_EVENT
+action=write - Set word list variable;
+
+# ------------------------------------------------------------------
+# Scan for certain URLs
+# ------------------------------------------------------------------
+
+# Monitor and match on keywords from the exclusions file and
+# suppress reporting on them.
+#
+type=Suppress
+continue=dontcont
+ptype=PerlFunc
+pattern=sub {($_[0] =~ /($excludes)/) }
+
+# Monitor for keywords and send an email alert
+#
+type=Single
+ptype=PerlFunc
+pattern=sub {($_[0] =~ /($list)/) }
+desc=Inappropriate word in URL
+action=create ssh_$1; add ssh_$1 %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01@example.com; delete ssh_$1
+
+#
+# Examples of "watch4badwords" and "watch4excludes"
+#
+# File should be a return delimited file. The
+# script read the file in literally and creates
+# an OR statement by putting a pipe (|) between
+# all of the keywords.
+#
+# Be careful on what words are being monitored.
+# The word virgin also finds virginia and alerts
+# on it.
+#