##### # # PPP/PPTP/L2TP VPN Server rules # # Copyright (C) 2009-2012 CS-SI. All Rights Reserved. # Copyright (C) 2008 Alexander Afonyashin <firm@iname.com> # Author: Alexander Afonyashin <firm@iname.com> # # This file is part of the Prelude-LML program. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2, or (at your option) # any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; see the file COPYING. If not, write to # the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA. # ##### # Dec 4 23:01:24 beorc pptpd[24795]: CTRL: Client 1.2.3.4 control connection started # Dec 4 23:01:24 beorc pptpd[24795]: CTRL: Starting call (launching pppd, opening GRE) # Dec 4 23:01:25 beorc ppp[24796]: tun2: IPCP: Selected IP address 5.6.7.8 # Logging succeed #LOG: Dec 4 23:01:36 beorc ppp[24796]: tun2: Phase: Chap Input: RESPONSE (49 bytes from afonyashin) regex=ppp\[(\d+)\]: (\S+): Phase: \S+ Input: RESPONSE \(\d+ bytes from (\S+)\); \ new_context=PPP_$1,expire:0; \ classification.text=VPN user authentication; \ assessment.impact.description=Authenticated attempt; \ target(0).interface=$2; \ target(0).user.category=os-device; \ target(0).user.user_id(0).type=target-user; \ target(0).user.user_id(0).name=$3; \ silent; #LOG: Dec 4 23:01:36 beorc ppp[24796]: tun2: Phase: Chap Output: SUCCESS regex=ppp\[(\d+)\]: \S+: Phase: \S+ Output: SUCCESS; \ require_context=PPP_$1; \ id=10100; \ revision=1; \ assessment.impact.severity=low; \ assessment.impact.completion=succeeded; \ assessment.impact.type=user; \ silent; #LOG: Dec 4 23:01:36 beorc ppp[24796]: tun2: Phase: Chap Output: FAILURE regex=ppp\[(\d+)\]: \S+: Phase: \S+ Output: FAILURE; \ require_context=PPP_$1; \ id=10101; \ revision=1; \ assessment.impact.severity=medium; \ assessment.impact.completion=failed; \ assessment.impact.type=user; \ silent; #LOG: Dec 4 23:01:49 beorc pptpd[24795]: CTRL: Reaping child PPP[24796] regex=pptpd\[(\d+)\]: CTRL: \S+ \S+ PPP\[(\d+)\]; \ require_context=PPP_$2; \ new_context=PPTPD_$1,expire:5; \ destroy_context=PPP_$2; \ silent; #LOG: Dec 4 23:01:49 beorc pptpd[24795]: CTRL: Client 1.2.3.4 control connection finished regex=pptpd\[(\d+)\]: CTRL: Client (\S+) control; \ require_context=PPTPD_$1; \ analyzer(0).name=ppp; \ analyzer(0).class=VPN; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$2; \ last;