##### # # Copyright (C) 2006 G Ramon Gomez <gene at gomezbrothers dot com> # All Rights Reserved # # This file is part of the Prelude-LML program. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2, or (at your option) # any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; see the file COPYING. If not, write to # the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA. # ##### ##### # # The rules included here were developed using BIG-IP Kernel 4.5PTF-06 Build25. # Please report any inconsistencies on other versions to G Ramon Gomez at the # address provided above # ##### #LOG:AUG 14 08:31:13 smf-custlog-02 1/1 88 NETMAN-2: Generic:LINK DOWN for e3 regex=NETMAN-\d: Generic:LINK DOWN for (\S+); \ classification.text=Interface down; \ classification.reference(0).origin=vendor-specific; \ classification.reference(0).meaning=css_subsystem; \ classification.reference(0).name=NETMAN; \ id=4700; \ revision=2; \ analyzer(0).name=CSS; \ analyzer(0).manufacturer=Cisco; \ analyzer(0).class=Load Balancer; \ assessment.impact.completion=succeeded; \ assessment.impact.type=dos; \ assessment.impact.severity=medium; \ assessment.impact.description=Interface $1 status changed to down; \ target(0).interface=$1; \ additional_data(0).type=string; \ additional_data(0).meaning=New state; \ additional_data(0).data=down; \ last #LOG:AUG 16 06:45:00 smf-custlog-02 1/1 1022 NETMAN-6: CLMcmd: wr mem,neteng@12.34.56.78 #LOG:AUG 16 00:12:35 smf-custlog-02 1/1 49169 NETMAN-6: CLMcmd: wr memory ,neteng@90.12.34.56 regex=NETMAN-\d: CLMcmd: wr (\S+)\s*,(\S+)@([\d\.]+); \ classification.text=Configuration written to $1; \ classification.reference(0).origin=vendor-specific; \ classification.reference(0).meaning=css_subsystem; \ classification.reference(0).name=NETMAN; \ id=4701; \ revision=2; \ analyzer(0).name=CSS; \ analyzer(0).manufacturer=Cisco; \ analyzer(0).class=Load Balancer; \ assessment.impact.severity=low; \ assessment.impact.type=admin; \ assessment.impact.completion=succeeded; \ assessment.impact.description=Configuration was stored on $1; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$3; \ source(0).user.category=os-device; \ source(0).user.user_id(0).type=current-user; \ source(0).user.user_id(0).name=$2; \ additional_data(0).type=string; \ additional_data(0).meaning=Destination device; \ additional_data(0).data=$1; \ last #LOG:AUG 16 07:31:45 smf-custlog-02 1/1 1065 NETMAN-6: CLMcmd: exit,neteng@12.34.56.78 regex=NETMAN-\d: CLMcmd: (.+)\s*,(\S+)@([\d\.]+); \ classification.text=Command audit; \ classification.reference(0).origin=vendor-specific; \ classification.reference(0).meaning=css_subsystem; \ classification.reference(0).name=NETMAN; \ id=4702; \ revision=2; \ analyzer(0).name=CSS; \ analyzer(0).manufacturer=Cisco; \ analyzer(0).class=Load Balancer; \ assessment.impact.severity=low; \ assessment.impact.completion=succeeded; \ assessment.impact.type=admin; \ assessment.impact.description=The command $1 was executed; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$3; \ source(0).user.category=os-device; \ source(0).user.category=application; \ source(0).user.user_id(0).type=current-user; \ source(0).user.user_id(0).name=$2; \ additional_data(0).type=string; \ additional_data(0).meaning=Command; \ additional_data(0).data=$1; \ last #LOG:AUG 16 00:13:46 smf-custlog-02 1/1 49172 SSHD-4: Access attempted by from 12.34.56.78 port 1106 #LOG:AUG 16 07:31:52 smf-custlog-02 1/1 1067 SSHD-4: Access attempted by neteng from 12.34.56.78 port 1121 regex=SSHD-\d: Access attempted by (.*) from ([\d\.]+) port (\d+); \ classification.text=User login; \ classification.reference(0).origin=vendor-specific; \ classification.reference(0).meaning=css_subsystem; \ classification.reference(0).name=SSHD; \ id=4703; \ revision=3; \ analyzer(0).name=CSS; \ analyzer(0).manufacturer=Cisco; \ analyzer(0).class=Load Balancer; \ assessment.impact.severity=medium; \ assessment.impact.type=admin; \ assessment.impact.completion=failed; \ assessment.impact.description=User $1 failed login; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$2; \ source(0).service.port=$3; \ target(0).service.port=22; \ target(0).user.category=os-device; \ target(0).user.user_id(0).type=target-user; \ target(0).user.user_id(0).name=$1; \ last #LOG:AUG 16 07:31:57 smf-custlog-02 1/1 1069 NETMAN-6: CLM: Login neteng@12.34.56.78 regex=NETMAN-\d: CLM: Login (\S+)@([\d\.]+); \ classification.text=User login; \ classification.reference(0).origin=vendor-specific; \ classification.reference(0).meaning=css_subsystem; \ classification.reference(0).name=NETMAN; \ id=4704; \ revision=3; \ analyzer(0).name=CSS; \ analyzer(0).manufacturer=Cisco; \ analyzer(0).class=Load Balancer; \ assessment.impact.severity=low; \ assessment.impact.type=admin; \ assessment.impact.completion=succeeded; \ assessment.impact.description=This message appears when a user is authenticated successfully and a management session starts.; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$2; \ target(0).user.category=os-device; \ target(0).user.user_id(0).type=target-user; \ target(0).user.user_id(0).name=$1; \ last #LOG:AUG 18 05:44:35 smf-custlog-02 1/1 3201 IPV4-4: Duplicate IP address detected: 12.34.56.78 00-0a-b8-68-2d-8c regex=IPV4-\d: Duplicate IP address detected: ([\d\.]+) ([a-f\d\-]+); \ classification.text=Duplicate IP; \ classification.reference(0).origin=vendor-specific; \ classification.reference(0).meaning=css_subsystem; \ classification.reference(0).name=IPV4; \ id=4705; \ revision=2; \ analyzer(0).name=CSS; \ analyzer(0).manufacturer=Cisco; \ analyzer(0).class=Load Balancer; \ assessment.impact.severity=high; \ assessment.impact.completion=succeeded; \ assessment.impact.type=other; \ assessment.impact.description=An IP currently in use by the CSS has been detected as in use by another device on the network.; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$1; \ source(0).node.address(1).category=mac; \ source(0).node.address(1).address=$2; \ target(0).node.address(0).category=ipv4-addr; \ target(0).node.address(0).address=$1; \ last #LOG:AUG 16 06:46:56 smf-custlog-02 1/1 49124 NETMAN-2: Enterprise:Service Transition:web1-rw -> suspended regex=NETMAN-\d: Enterprise:Service Transition:(\S+) -> (\S+); \ classification.text=Service $2; \ classification.reference(0).origin=vendor-specific; \ classification.reference(0).meaning=css_subsystem; \ classification.reference(0).name=NETMAN; \ id=4706; \ revision=2; \ analyzer(0).name=CSS; \ analyzer(0).manufacturer=Cisco; \ analyzer(0).class=Load Balancer; \ assessment.impact.severity=medium; \ assessment.impact.type=dos; \ assessment.impact.description=Service $1 is $2; \ additional_data(0).type=string; \ additional_data(0).meaning=Service name; \ additional_data(0).data=$1; \ last #TODO: More rules (lots of stuff left in my logs to go through)