Sophie

Sophie

distrib > * > cooker > x86_64 > by-pkgid > da2a89686a81980bc1060d2b1d9fea2f > files > 25

prelude-lml-1.0.1-1.x86_64.rpm

#####
#
# Copyright (C) 2003 Michael Boman <mboman at gentoo dot org>
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; see the file COPYING.  If not, write to
# the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
#
#####

# Rules for honeyd version 0.5 (and perhaps later, NOT TESTED with later!)

#LOG:Dec 30 20:09:03 hacklab honeyd[5711]: Killing attempted connection: tcp (127.0.0.1:46190 - 192.168.1.20:646)
regex=Killing attempted connection: (tcp|udp) \(([\d\.]+):(\d+) - ([\d\.]+):(\d+)\); \
 classification.text=Killing attempted connection; \
 id=2600; \
 revision=1; \
 analyzer(0).name=honeyd; \
 analyzer(0).manufacturer=www.honeyd.org; \
 analyzer(0).class=Honeypot; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$2; \
 source(0).service.port=$3; \
 source(0).service.iana_protocol_name=$1; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$4; \
 target(0).service.port=$5; \
 target(0).service.iana_protocol_name=$1; \
 assessment.impact.completion=failed; \
 assessment.impact.type=recon; \
 assessment.impact.severity=medium; \
 assessment.impact.description=Someone tried to connect to a port on the honeypot; \
 last

#LOG:Dec 30 20:09:05 hacklab honeyd[5711]: Connection to closed port: udp (127.0.0.1:37806 - 192.168.1.20:1)
regex=Connection to closed port: (tcp|udp) \(([\d\.]+):(\d+) - ([\d\.]+):(\d+)\); \
 classification.text=Connection to closed port; \
 id=2601; \
 revision=1; \
 analyzer(0).name=honeyd; \
 analyzer(0).manufacturer=www.honeyd.org; \
 analyzer(0).class=Honeypot; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$2; \
 source(0).service.port=$3; \
 source(0).service.iana_protocol_name=$1; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$4; \
 target(0).service.port=$5; \
 target(0).service.iana_protocol_name=$1; \
 assessment.impact.completion=failed; \
 assessment.impact.type=recon; \
 assessment.impact.severity=medium; \
 assessment.impact.description=Someone tried to connect to a closed port on the honeypot; \
 last

#LOG:Dec 30 20:09:08 hacklab honeyd[5711]: Killing unknown connection: tcp (127.0.0.1:37814 - 192.168.1.20:80)
regex=Killing unknown connection: (tcp|udp) \(([\d\.]+):(\d+) - ([\d\.]+):(\d+)\); \
 classification.text=Connection to closed port; \
 id=2602; \
 revision=1; \
 analyzer(0).name=honeyd; \
 analyzer(0).manufacturer=www.honeyd.org; \
 analyzer(0).class=Honeypot; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$2; \
 source(0).service.port=$3; \
 source(0).service.iana_protocol_name=$1; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$4; \
 target(0).service.port=$5; \
 target(0).service.iana_protocol_name=$1; \
 assessment.impact.completion=failed; \
 assessment.impact.type=recon; \
 assessment.impact.severity=medium; \
 assessment.impact.description=Someone tried to connect to a port on the honeypot; \
 last

#LOG:Dec 30 20:09:01 hacklab honeyd[5711]: Sending ICMP Echo Reply: 192.168.1.20 -> 127.0.0.1
regex=Sending ICMP Echo Reply: ([\d\.]+) -> ([\d\.]+); \
 classification.text=Sending ICMP Echo Reply; \
 id=2603; \
 revision=1; \
 analyzer(0).name=honeyd; \
 analyzer(0).manufacturer=www.honeyd.org; \
 analyzer(0).class=Honeypot; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 source(0).service.iana_protocol_name=icmp; \
 source(0).service.iana_protocol_number=1; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$2; \
 target(0).service.iana_protocol_name=icmp; \
 target(0).service.iana_protocol_number=1; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=recon; \
 assessment.impact.severity=medium; \
 assessment.impact.description=Honeypot replied to a ICMP echo request; \
 last

# Entries created from scanning syslog() calls in the honeyd (0.7a) source(0).

# Connection established: %s -> proxy to %s:%s
# Connection established: <attacker ip> -> proxy to <target(0).ip>:<target(0).port>
regex=Connection established: ([\d\.]+) -> proxy to ([\d\.]+):(\d+); \
 classification.text=Proxy connection establised; \
 id=2604; \
 revision=1; \
 analyzer(0).name=honeyd; \
 analyzer(0).manufacturer=www.honeyd.org; \
 analyzer(0).class=Honeypot; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$2; \
 target(0).service.port=$3; \
 assessment.impact.completion=success; \
 assessment.impact.type=recon; \
 assessment.impact.severity=medium; \
 assessment.impact.description=Honeypot established a proxy connection; \
 last


# Connection established: %s -> subsystem \"%s\"
# Connection established: <attacker ip> -> subsystem "<script name>"
regex=Connection established: ([\d\.]+) -> subsystem "(.*)"; \
 classification.text=Subsystem connection establised; \
 id=2605; \
 revision=1; \
 analyzer(0).name=honeyd; \
 analyzer(0).manufacturer=www.honeyd.org; \
 analyzer(0).class=Honeypot; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 target(0).process=$2; \
 assessment.impact.completion=success; \
 assessment.impact.type=recon; \
 assessment.impact.severity=medium; \
 assessment.impact.description=Attacker accessed virtual service on honeypot; \
 last

# Connection established: subsystem \"%s\" -> %s
# Connection established: subsystem "<script name>" -> <attacker ip>
regex=Connection established: subsystem \"(.*)\" -> ([\d\.]+); \
 classification.text=Subsystem connection establised; \
 id=2606; \
 revision=1; \
 analyzer(0).name=honeyd; \
 analyzer(0).manufacturer=www.honeyd.org; \
 analyzer(0).class=Honeypot; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).process=$1; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$2; \
 assessment.impact.completion=success; \
 assessment.impact.type=recon; \
 assessment.impact.severity=medium; \
 assessment.impact.description=Honeypot virtual service responded to attacker; \
 last

# switching to polling mode
regex=switching to polling mode; \
 classification.text=Subsystem connection establised; \
 id=2607; \
 revision=1; \
 analyzer(0).name=honeyd; \
 analyzer(0).manufacturer=www.honeyd.org; \
 analyzer(0).class=Honeypot; \
 assessment.impact.completion=success; \
 assessment.impact.type=recon; \
 assessment.impact.severity=low; \
 assessment.impact.description=Honeypot switched to polling mode; \
 last

# Subsystem \"%s\" died
# Subsystem "<script name>" died
regex=Subsystem \"(.*)\" died; \
 classification.text=Virtual service died; \
 id=2608; \
 revision=1; \
 analyzer(0).name=honeyd; \
 analyzer(0).manufacturer=www.honeyd.org; \
 analyzer(0).class=Honeypot; \
 assessment.impact.completion=success; \
 assessment.impact.type=recon; \
 assessment.impact.severity=high; \
 assessment.impact.description=Honeypot virtual service died; \
 last

# Subsystem %s on %s attempts illegal bind %s:%d
# Subsystem <script name> on <honeyd template> attempts illegal bind <address(0).:<port>
regex=Subsystem (.*) on (.*) attempts illegal bind ([\d\.]+):(\d+); \
 classification.text=Virtual service attempts illegal bind; \
 id=2609; \
 revision=1; \
 analyzer(0).name=honeyd; \
 analyzer(0).manufacturer=www.honeyd.org; \
 analyzer(0).class=Honeypot; \
 assessment.impact.completion=success; \
 assessment.impact.type=recon; \
 assessment.impact.severity=high; \
 assessment.impact.description=Honeypot virtual service attempted an illigal bind; \
 last

#LOG:Dec 30 20:08:24 hacklab honeyd[5711]: listening on eth0: ip  and not ether src 00:10:5a:7a:6c:47
#LOG:Dec 30 20:12:21 hacklab honeyd[5752]: listening on eth0: ip and (dst 192.168.1.20) and not ether src 00:10:5a:7a:6c:47
#LOG:Dec 30 20:15:53 hacklab honeyd[5779]: listening on lo: ip and (dst 192.168.1.20)
regex=listening on (\S+):; \
 classification.text=Honeypot starting; \
 id=2610; \
 revision=1; \
 analyzer(0).name=honeyd; \
 analyzer(0).manufacturer=www.honeyd.org; \
 analyzer(0).class=Honeypot; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.severity=info; \
 assessment.impact.description=Honeypot started; \
 source(0).interface=$1; \
 last

# Copyright (C) 2006 Bjoern Weiland <bjoern-dot-weiland-at-web-dot-de>
# All Rights Reserved

# Rules for honeyd version 1.5 (and probably later, NOT TESTED with later!)
# The rules should apply since honeyd version 0.7 or 0.8

#LOG:2006-08-18-12:21:12.1239 honeyd log started ------
 regex=honeyd log (started|stopped) ------; \
 classification.text=Honeypot log $1; \
 id=2611; \
 revision=1; \
 analyzer(0).name=honeyd; \
 analyzer(0).manufacturer=www.honeyd.org; \
 analyzer(0).class=Honeypot; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=file; \
 assessment.impact.severity=info; \
 assessment.impact.description=Honeyd has $1 to write to its logfile; \
 last

#LOG:2006-08-18-12:21:12.1239 icmp(1) - 11.11.11.11 22.22.22.22: 8(0): 84 [SunOS 4.1 ]
 regex=icmp\(1\) - ([\d\.]+) ([\d\.]+): (\d+)\((\d+)\): (\d*) \[(.*)\]; \
 classification.text=ICMP connection; \
 id=2612; \
 revision=1; \
 analyzer(0).name=honeyd; \
 analyzer(0).manufacturer=www.honeyd.org; \
 analyzer(0).class=Honeypot; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 source(0).service.iana_protocol_name=ICMP; \
 source(0).service.iana_protocol_number=1; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$2; \
 target(0).service.iana_protocol_name=ICMP; \
 target(0).service.iana_protocol_number=1; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=recon; \
 assessment.impact.severity=low; \
 assessment.impact.description=Your honeypot *probably* replied to an echo request (PING), see additional data for details; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=ICMP type; \
 additional_data(0).data=$3; \
 additional_data(1).type=integer; \
 additional_data(1).meaning=ICMP code; \
 additional_data(1).data=$4; \
 additional_data(2).type=integer; \
 additional_data(2).meaning=Packet size; \
 additional_data(2).data=$5; \
 additional_data(2).type=string; \
 additional_data(2).meaning=Target OS; \
 additional_data(2).data=$6; \
 last

#LOG:2006-08-18-12:21:12.1239 tcp(6) - 11.11.11.11 53952 22.22.22.22 10078: 44 S [Linux 2.6 ]
 regex=tcp\(6\) - ([\d\.]+) (\d+) ([\d\.]+) (\d+): (\d+) (\S*) \[(.*)\]; \
 classification.text=TCP connection to closed port; \
 id=2613; \
 revision=1; \
 analyzer(0).name=honeyd; \
 analyzer(0).manufacturer=www.honeyd.org; \
 analyzer(0).class=Honeypot; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 source(0).service.port=$2; \
 source(0).service.iana_protocol_name=TCP; \
 source(0).service.iana_protocol_number=6; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$3; \
 target(0).service.port=$4; \
 target(0).service.iana_protocol_name=TCP; \
 target(0).service.iana_protocol_number=6; \
 assessment.impact.completion=failed; \
 assessment.impact.type=recon; \
 assessment.impact.severity=medium; \
 assessment.impact.description=Someone tried to connect to a closed port on your honeypot; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=Packet size; \
 additional_data(0).data=$5; \
 additional_data(1).type=string; \
 additional_data(1).meaning=TCP flags; \
 additional_data(1).data=$6; \
 additional_data(2).type=string; \
 additional_data(2).meaning=Target OS; \
 additional_data(2).data=$7; \
 last

#LOG:2006-08-18-12:21:12.1239 udp(17) - 11.11.11.11 36722 22.22.22.22 545: 28 [Linux 2.6 ]
 regex=udp\(17\) - ([\d\.]+) (\d+) ([\d\.]+) (\d+): (\d+) \[(.*)\]; \
 classification.text=UDP connection to closed port; \
 id=2614; \
 revision=1; \
 analyzer(0).name=honeyd; \
 analyzer(0).manufacturer=www.honeyd.org; \
 analyzer(0).class=Honeypot; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 source(0).service.port=$2; \
 source(0).service.iana_protocol_name=UDP; \
 source(0).service.iana_protocol_number=17; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$3; \
 target(0).service.port=$4; \
 target(0).service.iana_protocol_name=UDP; \
 target(0).service.iana_protocol_number=17; \
 assessment.impact.completion=failed; \
 assessment.impact.type=recon; \
 assessment.impact.severity=medium; \
 assessment.impact.description=Someone tried to connect to a closed port on your honeypot; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=Packet size; \
 additional_data(0).data=$5; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Target OS; \
 additional_data(1).data=$6; \
 last

#LOG:2006-08-18-12:21:12.1239 udp(17) E 11.11.11.11 43569 22.22.22.22 135: 280 0
 regex=(udp|tcp)\((\d+)\) E ([\d\.]+) (\d+) ([\d\.]+) (\d+): (\d+) (\d+); \
 classification.text=End of connection; \
 id=2615; \
 revision=1; \
 analyzer(0).name=honeyd; \
 analyzer(0).manufacturer=www.honeyd.org; \
 analyzer(0).class=Honeypot; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$3; \
 source(0).service.port=$4; \
 source(0).service.iana_protocol_name=$1; \
 source(0).service.iana_protocol_number=$2; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$5; \
 target(0).service.port=$6; \
 target(0).service.iana_protocol_name=$1; \
 target(0).service.iana_protocol_number=$2; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=recon; \
 assessment.impact.severity=medium; \
 assessment.impact.description=$1 connection to your honeypot has been closed; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=Data received; \
 additional_data(0).data=$7; \
 additional_data(1).type=integer; \
 additional_data(1).meaning=Data sent; \
 additional_data(1).data=$8; \
 last

#LOG:2006-08-18-12:21:12.1239 tcp(6) S 11.11.11.11 48877 22.22.22.22 2778 [Linux 2.6 ]
 regex=(udp|tcp)\((\d+)\) S ([\d\.]+) (\d+) ([\d\.]+) (\d+) \[(.*)\]; \
 classification.text=Start of connection; \
 id=2616; \
 revision=1; \
 analyzer(0).name=honeyd; \
 analyzer(0).manufacturer=www.honeyd.org; \
 analyzer(0).class=Honeypot; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$3; \
 source(0).service.port=$4; \
 source(0).service.iana_protocol_name=$1; \
 source(0).service.iana_protocol_number=$2; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$5; \
 target(0).service.port=$6; \
 target(0).service.iana_protocol_name=$1; \
 target(0).service.iana_protocol_number=$2; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=recon; \
 assessment.impact.severity=medium; \
 assessment.impact.description=$1 connection to your honeypot has been opened; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Target OS; \
 additional_data(0).data=$7; \
 last

Perl :: Catalyst :: PostgreSQL :: RPM Valid HTML 4.01 Transitional