##### # # Copyright (C) 2012 <operador@sesabe.mooo.com> # All Rights Reserved # # This file is part of the Prelude-LML program. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2, or (at your option) # any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; see the file COPYING. If not, write to # the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA. # ##### ##### # # Rules to monitor the SSLVPN of Juniper # ##### #Mar 30 15:11:50 xx.xx.xx.xx Juniper: 2012-03-30 15:11:50 - Namexxx - [200.49.92.226] Root::System(xx)[] - Login failed. Reason: Failed regex=Juniper:+.+ - (\S+) - \[([\d\.]+)\] Root::(\S+)\((\S+) (\S+)\)\[\] - Login failed. Reason: Failed; \ classification.text=SSLVPN - Login failed.; \ id=50001; \ revision=1; \ analyzer(0).name=Juniper SA; \ analyzer(0).manufacturer=www.juniper.net; \ analyzer(0).class=SSLVPN; \ assessment.impact.severity=medium; \ assessment.impact.type=file; \ assessment.impact.completion=succeeded; \ assessment.impact.description=Login failed. Reason: Failed; \ additional_data(0).type=string; \ additional_data(0).meaning=User Name; \ additional_data(0).data=$3; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$2; \ target(0).node.address(0).category=ipv4-addr; \ target(0).node.address(0).address=$1; \ last #Mar 30 14:36:29 xx.xx.xx.xx Juniper: 2012-03-30 14:36:29 - Namexxx - [190.132.169.34] Root::user(xx)[] - Login failed. Reason: NoRoles regex=Juniper:+.+ - (\S+) - \[([\d\.]+)\] Root::(\S+)\((\S+) (\S+)\)\[\] - Login failed. Reason: NoRoles; \ classification.text=SSLVPN - Login failed.; \ id=50002; \ revision=1; \ analyzer(0).name=Juniper SA; \ analyzer(0).manufacturer=www.juniper.net; \ analyzer(0).class=SSLVPN; \ assessment.impact.severity=medium; \ assessment.impact.type=file; \ assessment.impact.completion=succeeded; \ assessment.impact.description=Login failed. Reason: NoRoles; \ additional_data(0).type=string; \ additional_data(0).meaning=User Name; \ additional_data(0).data=$3; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$2; \ target(0).node.address(0).category=ipv4-addr; \ target(0).node.address(0).address=$1; \ last #Apr 10 12:23:33 xx.xx.xx.xx Juniper: 2012-04-10 12:23:33 - Namexxx - [127.0.0.1] Root::System()[] - The current virus signature list imported successfully regex=Juniper:+.+ - (\S+) - \[([\d\.]+)\] Root::(\S+)\(\)\[\] - The current virus signature list imported successfully; \ classification.text=SSLVPN - Virus Signature Update; \ id=50003; \ revision=1; \ analyzer(0).name=Juniper SA; \ analyzer(0).manufacturer=www.juniper.net; \ analyzer(0).class=SSLVPN; \ assessment.impact.severity=info; \ assessment.impact.type=file; \ assessment.impact.completion=succeeded; \ assessment.impact.description=SSLVPN - The current virus signature list download and imported successfully.; \ additional_data(0).type=string; \ additional_data(0).meaning=User Name; \ additional_data(0).data=$3; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$2; \ target(0).node.address(0).category=ipv4-addr; \ target(0).node.address(0).address=$1; \ last regex=Juniper:+.+ - (\S+) - \[([\d\.]+)\] Root::(\S+)\(\)\[\] - The current patch management data imported successfully; \ classification.text=SSLVPN - Patch Management Update; \ id=50004; \ revision=1; \ analyzer(0).name=Juniper SA; \ analyzer(0).manufacturer=www.juniper.net; \ analyzer(0).class=SSLVPN; \ assessment.impact.severity=info; \ assessment.impact.type=file; \ assessment.impact.completion=succeeded; \ assessment.impact.description=SSLVPN - The current patch management data download and imported successfully.; \ additional_data(0).type=string; \ additional_data(0).meaning=User Name; \ additional_data(0).data=$3; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$2; \ target(0).node.address(0).category=ipv4-addr; \ target(0).node.address(0).address=$1; \ last regex=Juniper:+.+ - (\S+) - \[([\d\.]+)\] Root::(\S+)\(\)\[\] - Unable to download current patch management; \ classification.text=SSLVPN - Patch Management Update Failed; \ id=50005; \ revision=1; \ analyzer(0).name=Juniper SA; \ analyzer(0).manufacturer=www.juniper.net; \ analyzer(0).class=SSLVPN; \ assessment.impact.severity=high; \ assessment.impact.type=file; \ assessment.impact.completion=succeeded; \ assessment.impact.description=SSLVPN - Patch Management download Failed.; \ additional_data(0).type=string; \ additional_data(0).meaning=User Name; \ additional_data(0).data=$3; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$2; \ target(0).node.address(0).category=ipv4-addr; \ target(0).node.address(0).address=$1; \ last regex=Juniper:+.+ - (\S+) - \[([\d\.]+)\] Root::(\S+)\(\)\[\] - Unable to download current virus signature; \ classification.text=SSLVPN - Virus Signature Update Failed; \ id=50006; \ revision=1; \ analyzer(0).name=Juniper SA; \ analyzer(0).manufacturer=www.juniper.net; \ analyzer(0).class=SSLVPN; \ assessment.impact.severity=high; \ assessment.impact.type=file; \ assessment.impact.completion=succeeded; \ assessment.impact.description=SSLVPN - Virus Signature download Failed.; \ additional_data(0).type=string; \ additional_data(0).meaning=User Name; \ additional_data(0).data=$3; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$2; \ target(0).node.address(0).category=ipv4-addr; \ target(0).node.address(0).address=$1; \ last regex=Juniper:+.+ - (\S+) - \[([\d\.]+)\] Root::(\S+)\(\)\[\] - Node '(\S+)' deactivated in cluster; \ classification.text=Failover: deactivated in cluster; \ id=50007; \ revision=1; \ analyzer(0).name=Juniper SA; \ analyzer(0).manufacturer=www.juniper.net; \ analyzer(0).class=SSLVPN; \ assessment.impact.severity=high; \ assessment.impact.type=file; \ assessment.impact.completion=succeeded; \ assessment.impact.description=deactivated in cluster; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$1; \ target(0).node.address(0).category=ipv4-addr; \ target(0).node.address(0).address=$2; \ last regex=Juniper:+.+ - (\S+) - \[([\d\.]+)\] Root::(\S+)\(\)\[\] - Node '(\S+)' activated in cluster; \ classification.text=Failover: activated in cluster; \ id=50008; \ revision=1; \ analyzer(0).name=Juniper SA; \ analyzer(0).manufacturer=www.juniper.net; \ analyzer(0).class=SSLVPN; \ assessment.impact.severity=high; \ assessment.impact.type=file; \ assessment.impact.completion=succeeded; \ assessment.impact.description=activated in cluster; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$1; \ target(0).node.address(0).category=ipv4-addr; \ target(0).node.address(0).address=$2; \ last