Sophie

Sophie

distrib > * > cooker > x86_64 > by-pkgid > da2a89686a81980bc1060d2b1d9fea2f > files > 47

prelude-lml-1.0.1-1.x86_64.rpm

#####
#
# Copyright (C) 2003 Stephane Loeuillet (stephane.loeuillet@tiscali.fr)
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; see the file COPYING.  If not, write to
# the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
#
#####

# 1) Scan :

# source regex : portsentry\[?(\d+)+\]?:.* attackalert: (\S+) scan from host: (\S+)/($IP) to (TCP|UDP) port: (\d+)

# Sample matching logs :
#LOG:May 11 23:29:48 icecube portsentry[791]: attackalert: SYN/Normal scan from host: server1.miniclip.com/64.23.60.30 to TCP port: 443
#LOG:May  8 08:58:22 icecube portsentry[795]: attackalert: UDP scan from host: 193.63.249.24/193.63.249.24 to UDP port: 177
#LOG:Apr 18 10:42:51 20.0.0.3 portsentry[2549]: attackalert: TCP SYN/Normal scan from  host: 2.0.0.3/2.0.0.3 to TCP port: 119
regex=attackalert:.*?(\S+) scan from\s+host: (\S+)/([\d\.]+|[\dA-Fa-f\:]+) to (TCP|UDP) port: (\d+); \
 classification.text=$1 Scan; \
 id=1500; \
 revision=1; \
 analyzer(0).name=PortSentry; \
 analyzer(0).manufacturer=sentrytools.sourceforge.net; \
 analyzer(0).class=HIDS; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.severity=medium; \
 assessment.impact.description=PortSentry found someone performed a '$1' scan; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$3; \
 source(0).node.name=$2; \
 source(0).service.iana_protocol_name=$4; \
 target(0).service.iana_protocol_name=$4; \
 source(0).service.port=$5; \
 last;

# 2) Connection :
#
# source regex : portsentry\[?(\d+)+\]?:.* attackalert: Connect from host: (\S+)/($IP) to (TCP|UDP) port: (\d+)
#
#LOG:Mar 28 00:03:25 hoste portsentry[103]: attackalert: Connect from host: 217.33.28.29/217.33.28.29 to TCP port: 111
#
regex=attackalert: Connect from host: (\S+)/([\d\.]+|[\dA-Fa-f\:]+) to (TCP|UDP) port: (\d+); \
 classification.text=Connection logged; \
 id=1501; \
 revision=1; \
 analyzer(0).name=PortSentry; \
 analyzer(0).manufacturer=sentrytools.sourceforge.net; \
 analyzer(0).class=HIDS; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.severity=low; \
 assessment.impact.description=PortSentry found someone connecting to port $3/$4; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$2; \
 source(0).node.name=$1; \
 source(0).service.iana_protocol_name=$3; \
 target(0).service.iana_protocol_name=$3; \
 target(0).service.port=$4; \
 last;

# 3) Rules :
#
#LOG:Oct 15 13:50:07 basile portsentry[28412]: attackalert: Host 195.220.107.15 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 195.220.107.15 -j DENY"
#
regex=attackalert: Host ([\d\.]+) has been blocked via dropped route using command: "([^"]+)"; \
 classification.text=Host blocked; \
 id=1502; \
 revision=1; \
 analyzer(0).name=PortSentry; \
 analyzer(0).manufacturer=sentrytools.sourceforge.net; \
 analyzer(0).class=HIDS; \
 assessment.impact.completion=failed; \
 assessment.impact.type=other; \
 assessment.impact.severity=low; \
 assessment.impact.description=PortSentry saw your firewall blocked a host via : $2; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 last;

# Copyright (C) 2004-2005 G Ramon Gomez <gene at gomezbrothers dot com>
# All Rights Reserved

#LOG:Apr 18 10:42:51 20.0.0.3 portsentry[2549]: attackalert: Host: 2.0.0.3/2.0.0.3 is  already blocked Ignoring
regex=attackalert: Host: (\S+)/([\d\.]+) is\s+already blocked; \
 classification.text=Host blocked; \
 id=1503; \
 revision=1; \
 analyzer(0).name=PortSentry; \
 analyzer(0).manufacturer=sentrytools.sourceforge.net; \
 analyzer(0).class=HIDS; \
 assessment.impact.completion=failed; \
 assessment.impact.type=other; \
 assessment.impact.severity=medium; \
 assessment.impact.description=PortSentry saw your firewall blocked a host.; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$2; \
 source(0).node.name=$1; \
 last;

Perl :: Catalyst :: PostgreSQL :: RPM Valid HTML 4.01 Transitional