
#####
#
# Copyright (C) 2003 Exaprobe
# All Rights Reserved
# This ruleset is currently unmaintained.  Contact the Prelude
# development team if you would like to maintain it.
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; see the file COPYING.  If not, write to
# the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
#
#####

###
# I. FireWall-1, VPN-1
###

# 1. Dropped packets; several cases depending on the service format.
# 1.a Both ports are numbers
# No sample log entry; please submit

# Rule 100: FW-1 "drop" where both s_port and service are numeric.
# Captures: $1 gateway address, $2 direction marker (< or >), $3 interface,
# $4 src, $5 s_port, $6 dst, $7 service, $8 proto, $9 rule number.
# The unescaped "." after each field stands in for the ";" separator shown in
# the sample entry under 2.b.  `[\d+\.]+` for $1 also admits a literal "+";
# presumably a typo for `[\d\.]+` -- harmless, so left as is.
# Must stay ahead of rules 101-103: their `[\w-]+` port patterns also match
# digits, and `last` stops evaluation at the first matching rule.
regex=drop   ([\d+\.]+) (<|>)([\w-]+) product: VPN-1 & FireWall-1. src: ([\d\.]+). s_port: (\d+). dst: ([\d\.]+). service: (\d+). proto: (\w+). rule: (\d+); \
 classification.text=$8 packet denied; \
 id=100; \
 revision=2; \
 analyzer(0).name=FW-1; \
 analyzer(0).manufacturer=Checkpoint; \
 analyzer(0).class=Firewall; \
 assessment.impact.completion=failed; \
 assessment.impact.type=other; \
 assessment.impact.severity=low; \
 assessment.impact.description=FireWall $1 dropped and logged a $8 packet sent by $4:$5 to $6:$7 (rule #$9); \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$4; \
 source(0).service.port=$5; \
 source(0).service.protocol=$8; \
 target(0).node.address(0).category = ipv4-addr; \
 target(0).node.address(0).address=$6; \
 target(0).service.port=$7; \
 target(0).service.protocol=$8; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=ACL; \
 additional_data(0).data=$9; \
 last

# 1.b Source or Target port is a service name
# No sample log entry; please submit
# Rule 101: FW-1 "drop", numeric s_port ($5 -> source service.port) and a
# named service ($7 -> target service.name).  Other captures as in rule 100.
# `service: ([\w-]+)` also matches a purely numeric service, so this rule
# relies on rule 100 having already claimed the all-numeric case.
regex=drop   ([\d+\.]+) (<|>)([\w-]+) product: VPN-1 & FireWall-1. src: ([\d\.]+). s_port: (\d+). dst: ([\d\.]+). service: ([\w-]+). proto: (\w+). rule: (\d+); \
 classification.text=$8 packet denied; \
 id=101; \
 revision=2; \
 analyzer(0).name=FW-1; \
 analyzer(0).manufacturer=Checkpoint; \
 analyzer(0).class=Firewall; \
 assessment.impact.completion=failed; \
 assessment.impact.type=other; \
 assessment.impact.severity=low; \
 assessment.impact.description=FireWall $1 dropped and logged a $8 packet sent by $4:$5 to $6:$7 (rule #$9); \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$4; \
 source(0).service.port=$5; \
 source(0).service.protocol=$8; \
 target(0).node.address(0).category = ipv4-addr; \
 target(0).node.address(0).address=$6; \
 target(0).service.name=$7; \
 target(0).service.protocol=$8; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=ACL; \
 additional_data(0).data=$9; \
 last

# No sample log entry; please submit
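# Rule 102: FW-1 "drop", named s_port ($5 -> source service.name) and a
# numeric service ($7 -> target service.port).  Other captures as in rule 100.
# Fix: the impact description read "logged a $8 sent by", dropping the word
# "packet" that every sibling rule (100, 101, 103) uses; wording aligned.
regex=drop   ([\d+\.]+) (<|>)([\w-]+) product: VPN-1 & FireWall-1. src: ([\d\.]+). s_port: ([\w-]+). dst: ([\d\.]+). service: (\d+). proto: (\w+). rule: (\d+); \
 classification.text=$8 packet denied; \
 id=102; \
 revision=3; \
 analyzer(0).name=FW-1; \
 analyzer(0).manufacturer=Checkpoint; \
 analyzer(0).class=Firewall; \
 assessment.impact.completion=failed; \
 assessment.impact.type=other; \
 assessment.impact.severity=low; \
 assessment.impact.description=FireWall $1 dropped and logged a $8 packet sent by $4:$5 to $6:$7 (rule #$9); \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$4; \
 source(0).service.name=$5; \
 source(0).service.protocol=$8; \
 target(0).node.address(0).category = ipv4-addr; \
 target(0).node.address(0).address=$6; \
 target(0).service.port=$7; \
 target(0).service.protocol=$8; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=ACL; \
 additional_data(0).data=$9; \
 last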

# 1.c Both ports are service names
# No sample log entry; please submit
# Rule 103: FW-1 "drop" where both s_port ($5) and service ($7) are names;
# both land in service.name rather than service.port.  Other captures as in
# rule 100.  Last of the four drop variants; anything it misses falls through
# to the catch-all rules 110/111 further down.
regex=drop   ([\d+\.]+) (<|>)([\w-]+) product: VPN-1 & FireWall-1. src: ([\d\.]+). s_port: ([\w-]+). dst: ([\d\.]+). service: ([\w-]+). proto: (\w+). rule: (\d+); \
 classification.text=$8 packet denied; \
 id=103; \
 revision=2; \
 analyzer(0).name=FW-1; \
 analyzer(0).manufacturer=Checkpoint; \
 analyzer(0).class=Firewall; \
 assessment.impact.completion=failed; \
 assessment.impact.type=other; \
 assessment.impact.severity=low; \
 assessment.impact.description=FireWall $1 dropped and logged a $8 packet sent by $4:$5 to $6:$7 (rule #$9); \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$4; \
 source(0).service.name=$5; \
 source(0).service.protocol=$8; \
 target(0).node.address(0).category = ipv4-addr; \
 target(0).node.address(0).address=$6; \
 target(0).service.name=$7; \
 target(0).service.protocol=$8; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=ACL; \
 additional_data(0).data=$9; \
 last


# 2. Accepted packets; same as above...
# 2.a Both ports are numbers
# No sample log entry; please submit
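# Rule 104: FW-1 "accept" where both s_port and service are numeric.
# Captures as in rule 100 ($8 = proto, $9 = rule number).
# Fix: classification.text said "$8 packet denied" although the regex only
# matches "accept" entries and completion is "succeeded"; an analyst
# filtering on the classification would have mis-read accepted traffic as
# blocked.  Now "$8 packet accepted", consistent with rules 107 and 109.
regex=accept ([\d+\.]+) (<|>)([\w-]+) product: VPN-1 & FireWall-1. src: ([\d\.]+). s_port: (\d+). dst: ([\d\.]+). service: (\d+). proto: (\w+). rule: (\d+); \
 classification.text=$8 packet accepted; \
 id=104; \
 revision=3; \
 analyzer(0).name=FW-1; \
 analyzer(0).manufacturer=Checkpoint; \
 analyzer(0).class=Firewall; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.severity=medium; \
 assessment.impact.description=FireWall $1 accepted and logged a $8 packet sent by $4:$5 to $6:$7 (rule #$9); \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$4; \
 source(0).service.port=$5; \
 source(0).service.protocol=$8; \
 target(0).node.address(0).category = ipv4-addr; \
 target(0).node.address(0).address=$6; \
 target(0).service.port=$7; \
 target(0).service.protocol=$8; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=ACL; \
 additional_data(0).data=$9; \
 last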

# 2.b One port is a service name
#LOG:14Aug2006 16:38:54 accept 12.34.56.78 >eth1c0 product: VPN-1 & FireWall-1; src: 90.12.34.56; s_port: 41307; dst: 78.90.12.34; service: domain-udp; proto: udp; rule: 8;
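# Rule 105: FW-1 "accept", numeric s_port and named service (matches the
# sample entry above: service "domain-udp", proto "udp", rule 8).
# Fix: classification.text claimed "denied" for an accepted packet; now
# "$8 packet accepted", matching the description and completion=succeeded.
regex=accept ([\d+\.]+) (<|>)([\w-]+) product: VPN-1 & FireWall-1. src: ([\d\.]+). s_port: (\d+). dst: ([\d\.]+). service: ([\w-]+). proto: (\w+). rule: (\d+); \
 classification.text=$8 packet accepted; \
 id=105; \
 revision=3; \
 analyzer(0).name=FW-1; \
 analyzer(0).manufacturer=Checkpoint; \
 analyzer(0).class=Firewall; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.severity=medium; \
 assessment.impact.description=FireWall $1 accepted and logged a $8 packet sent by $4:$5 to $6:$7 (rule #$9); \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$4; \
 source(0).service.port=$5; \
 source(0).service.protocol=$8; \
 target(0).node.address(0).category = ipv4-addr; \
 target(0).node.address(0).address=$6; \
 target(0).service.name=$7; \
 target(0).service.protocol=$8; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=ACL; \
 additional_data(0).data=$9; \
 last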

# No sample log entry; please submit
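# Rule 106: FW-1 "accept", named s_port ($5 -> source service.name) and
# numeric service ($7 -> target service.port).
# Fix: classification.text claimed "denied" for an accepted packet; now
# "$8 packet accepted", matching the description and completion=succeeded.
regex=accept ([\d+\.]+) (<|>)([\w-]+) product: VPN-1 & FireWall-1. src: ([\d\.]+). s_port: ([\w-]+). dst: ([\d\.]+). service: (\d+). proto: (\w+). rule: (\d+); \
 classification.text=$8 packet accepted; \
 id=106; \
 revision=3; \
 analyzer(0).name=FW-1; \
 analyzer(0).manufacturer=Checkpoint; \
 analyzer(0).class=Firewall; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.severity=medium; \
 assessment.impact.description=FireWall $1 accepted and logged a $8 packet sent by $4:$5 to $6:$7 (rule #$9); \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$4; \
 source(0).service.name=$5; \
 source(0).service.protocol=$8; \
 target(0).node.address(0).category = ipv4-addr; \
 target(0).node.address(0).address=$6; \
 target(0).service.port=$7; \
 target(0).service.protocol=$8; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=ACL; \
 additional_data(0).data=$9; \
 last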

# 2.c Only service names
# No sample log entry; please submit
# Rule 107: FW-1 "accept" where both s_port ($5) and service ($7) are names.
# Captures as in rule 100.  Accepted traffic is rated severity=medium here
# (versus low for drops) -- it is the traffic that actually got through.
regex=accept ([\d+\.]+) (<|>)([\w-]+) product: VPN-1 & FireWall-1. src: ([\d\.]+). s_port: ([\w-]+). dst: ([\d\.]+). service: ([\w-]+). proto: (\w+). rule: (\d+); \
 classification.text=$8 packet accepted; \
 id=107; \
 revision=2; \
 analyzer(0).name=FW-1; \
 analyzer(0).manufacturer=Checkpoint; \
 analyzer(0).class=Firewall; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.severity=medium; \
 assessment.impact.description=FireWall $1 accepted and logged a $8 packet sent by $4:$5 to $6:$7 (rule #$9); \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$4; \
 source(0).service.name=$5; \
 source(0).service.protocol=$8; \
 target(0).node.address(0).category = ipv4-addr; \
 target(0).node.address(0).address=$6; \
 target(0).service.name=$7; \
 target(0).service.protocol=$8; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=ACL; \
 additional_data(0).data=$9; \
 last


# 3 ICMP packets
# 3.1 Dropped packets
# No sample log entry; please submit
# Rule 108: FW-1 "drop" of an ICMP packet.  The ICMP entry format carries no
# ports: $1 gateway, $2 direction, $3 interface, $4 src, $5 dst,
# $6 icmp-type, $7 icmp-code, $8 rule number.  Type and code are exported as
# additional_data so ICMP sweeps can be told apart from plain echo traffic.
regex=drop   ([\d+\.]+) (<|>)([\w-]+) product: VPN-1 & FireWall-1. src: ([\d\.]+). dst: ([\d\.]+). proto: icmp. icmp-type: (\d+). icmp-code: (\d+). rule: (\d+); \
 classification.text=ICMP packet denied; \
 id=108; \
 revision=2; \
 analyzer(0).name=FW-1; \
 analyzer(0).manufacturer=Checkpoint; \
 analyzer(0).class=Firewall; \
 assessment.impact.completion=failed; \
 assessment.impact.type=other; \
 assessment.impact.severity=low; \
 assessment.impact.description=FireWall $1 dropped and logged an icmp packet sent by $4 to $5, with type $6 and code $7 (rule #$8); \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$4; \
 source(0).service.protocol=icmp; \
 target(0).node.address(0).category = ipv4-addr; \
 target(0).node.address(0).address=$5; \
 target(0).service.protocol=icmp; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=ICMP type; \
 additional_data(0).data=$6; \
 additional_data(1).type=integer; \
 additional_data(1).meaning=ICMP code; \
 additional_data(1).data=$7; \
 additional_data(2).type=integer; \
 additional_data(2).meaning=ACL; \
 additional_data(2).data=$8; \
 last

# 3.2 Accepted packets
# No sample log entry; please submit
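# Rule 109: FW-1 "accept" of an ICMP packet.  Captures as in rule 108.
# Fix: the impact description said the gateway "dropped" the packet even
# though the regex only matches "accept" and completion is "succeeded";
# it now says "accepted", consistent with classification.text.
regex=accept ([\d+\.]+) (<|>)([\w-]+) product: VPN-1 & FireWall-1. src: ([\d\.]+). dst: ([\d\.]+). proto: icmp. icmp-type: (\d+). icmp-code: (\d+). rule: (\d+); \
 classification.text=ICMP packet accepted; \
 id=109; \
 revision=3; \
 analyzer(0).name=FW-1; \
 analyzer(0).manufacturer=Checkpoint; \
 analyzer(0).class=Firewall; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.severity=medium; \
 assessment.impact.description=FireWall $1 accepted and logged an icmp packet sent by $4 to $5, with type $6 and code $7 (rule #$8); \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$4; \
 source(0).service.protocol=icmp; \
 target(0).node.address(0).category = ipv4-addr; \
 target(0).node.address(0).address=$5; \
 target(0).service.protocol=icmp; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=ICMP type; \
 additional_data(0).data=$6; \
 additional_data(1).type=integer; \
 additional_data(1).meaning=ICMP code; \
 additional_data(1).data=$7; \
 additional_data(2).type=integer; \
 additional_data(2).meaning=ACL; \
 additional_data(2).data=$8; \
 last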

# 4. Misc. other Packets, we won't try to be as exhaustive as above
# No sample log entry; please submit
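# Rule 110: catch-all for any FW-1 entry with src/s_port/dst/service/proto/
# rule that rules 100-107 did not match (e.g. an action other than
# drop/accept, or an unexpected prefix).  Captures: $1 src, $2 s_port,
# $3 dst, $4 service, $5 proto, $6 rule number.  The action is not captured,
# so nothing is known about the packet's fate.
# Fix: "assessment.impact.completion = failed" asserted that the packet was
# blocked, which is not established by this pattern (it matches accepted
# entries too); the completion field is now left unset.
# $2 and $4 appear only in the description; they are not exported as
# service.port/name because either may be a number or a name here.
regex=product: VPN-1 & FireWall-1. src: ([\d\.]+). s_port: ([\w-]+). dst: ([\d\.]+). service: ([\w-]+). proto: (\w+). rule: (\d+); \
 classification.text=Packet logged; \
 id=110; \
 revision=3; \
 analyzer(0).name=FW-1; \
 analyzer(0).manufacturer=Checkpoint; \
 analyzer(0).class=Firewall; \
 assessment.impact.type = other; \
 assessment.impact.severity = low; \
 assessment.impact.description=FireWall-1 has logged a $5 packet sent by $1:$2 to $3:$4 (rule #$6); \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 source(0).service.protocol=$5; \
 target(0).node.address(0).category = ipv4-addr; \
 target(0).node.address(0).address=$3; \
 target(0).service.protocol=$5; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=ACL; \
 additional_data(0).data=$6; \
 last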


# 5. Generic VPN-1 / FW-1 alert
# No sample log entry; please submit
# Rule 111: last-resort match on the product tag alone, so no VPN-1/FW-1
# line is silently discarded.  It carries no source/target and no
# completion.  Because every rule ends with `last`, this must remain after
# rules 100-110 or it would shadow all of them.
regex=product: VPN-1 & FireWall-1; \
 classification.text=Generic alert; \
 id=111; \
 revision=1; \
 analyzer(0).name=FW-1; \
 analyzer(0).manufacturer=Checkpoint; \
 analyzer(0).class=Firewall; \
 assessment.impact.type=other; \
 assessment.impact.severity=low; \
 assessment.impact.description=VPN-1 & FireWall-1 generic alert; \
 last



###
# II. SmartDefense
###

#LOG:14Aug2006 16:39:44        12.34.56.78 >    alert product: SmartDefense; cpmad: CPMAD; attack: Port Scanning; dst: 90.12.34.56; src: 78.90.12.34; 
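# Rule 112: SmartDefense attack with dst before src and no ports (the sample
# entry above, "attack: Port Scanning").  Captures: $1 attack name,
# $2 dst, $3 src.  The attack name is copied verbatim into
# classification.text.  `.+` between the product tag and "attack:" skips
# fields such as "cpmad: CPMAD".
# Fix: the dst group was written `([\d\.])+`, i.e. a one-character group
# repeated, so $2 held only the final character of the address and the
# target node was reported as e.g. "6" instead of "90.12.34.56".  Now
# `([\d\.]+)`, like the src group.
regex=product: SmartDefense\;.+attack: (.+)\; dst: ([\d\.]+)\; src: ([\d\.]+); \
 classification.text=$1; \
 id=112; \
 revision=3; \
 analyzer(0).name=FW-1; \
 analyzer(0).manufacturer=Checkpoint; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=low; \
 assessment.impact.type=recon; \
 assessment.impact.description=Checkpoint SmartDefense has detected a $1 from $3 to $2; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$3; \
 target(0).node.address(0).category = ipv4-addr; \
 target(0).node.address(0).address=$2; \
 last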

# 3. Successive multiple connections
# No sample log entry; please submit
# Rule 114: SmartDefense "Successive Multiple Connections".  Captures:
# $1 service (name or number), $2 dst, $3 src.  $1 is always stored in
# target service.name even when it is numeric; a port-number variant was
# never split out here as it was for the FW-1 rules.
regex=product: SmartDefense. service: ([\w-]+|\d+). attack: Successive Multiple Connections. dst: ([\d\.]+). src: ([\d\.]+); \
 classification.text=Successive multiple connections; \
 id=114; \
 revision=1; \
 analyzer(0).name=FW-1; \
 analyzer(0).manufacturer=Checkpoint; \
 analyzer(0).class=Firewall; \
 assessment.impact.type=other; \
 assessment.impact.severity=low; \
 assessment.impact.description=Checkpoint Smart Defense: multiple connections from $3 to $2:$1; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$3; \
 target(0).node.address(0).category = ipv4-addr; \
 target(0).node.address(0).address=$2; \
 target(0).service.name=$1; \
 last

# 4. TODO: Come up with a name
# 4.1 Port number to port number
# No sample log entry; please submit
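# Rule 115: SmartDefense attack with numeric s_port and numeric service.
# Captures: $1 attack name, $2 src, $3 s_port, $4 dst, $5 service,
# $6 proto (captured but not exported).
# Fix: the "revision=2;" line ended in "\ " (backslash followed by a
# space), which is not a line continuation; the rule was cut off there and
# the remaining assignments were left dangling.  Trailing whitespace removed
# so the rule is read as one unit again.
regex=product: SmartDefense\;.+attack: (.+)\; src: ([\d\.]+)\; s_port: (\d+)\; dst: ([\d\.]+)\; service: (\d+)\; proto: ([\w\-]+|\d+); \
 classification.text=$1; \
 id=115; \
 revision=3; \
 analyzer(0).name=FW-1; \
 analyzer(0).manufacturer=Checkpoint; \
 analyzer(0).class=Firewall; \
 assessment.impact.type=other; \
 assessment.impact.severity=low; \
 assessment.impact.description=$1 sent by $2:$3 to $4:$5; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$2; \
 source(0).service.port=$3; \
 target(0).node.address(0).category = ipv4-addr; \
 target(0).node.address(0).address=$4; \
 target(0).service.port=$5; \
 last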

#4.2 port number to Service Name
# No sample log entry; please submit
# Rule 116: SmartDefense "Bad packet", numeric s_port and named service.
# Captures: $1 "Attack Info" text (used as the description), $2 src,
# $3 s_port, $4 dst, $5 service, $6 proto.  classification.text is built as
# "Bad $6 flags" -- NOTE(review): this assumes every "Bad packet" event is a
# flags problem for the given protocol; not verifiable without a sample.
regex=product: SmartDefense. Attack Info: (.+). attack: Bad packet. src: ([\d\.]+). s_port: (\d+). dst: ([\d\.]+). service: ([\w-]+). proto: ([\w-]+|\d+); \
 classification.text=Bad $6 flags; \
 id=116; \
 revision=1; \
 analyzer(0).name=FW-1; \
 analyzer(0).manufacturer=Checkpoint; \
 analyzer(0).class=Firewall; \
 assessment.impact.type=other; \
 assessment.impact.severity=low; \
 assessment.impact.description= $1 sent by $2:$3 to $4:$5; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$2; \
 source(0).service.port=$3; \
 target(0).node.address(0).category = ipv4-addr; \
 target(0).node.address(0).address=$4; \
 target(0).service.name=$5; \
 last

#4.3 Service Name to service name
# No sample log entry; please submit
# Rule 117: SmartDefense "Bad packet", named s_port and named service.
# Captures as in rule 116; $3 and $5 go to service.name.  Since `[\w-]+`
# also matches digits, rule 116 must stay ahead of this one.
regex=product: SmartDefense. Attack Info: (.+). attack: Bad packet. src: ([\d\.]+). s_port: ([\w-]+). dst: ([\d\.]+). service: ([\w-]+). proto: ([\w-]+|\d+); \
 classification.text=Bad $6 flags; \
 id=117; \
 revision=1; \
 analyzer(0).name=FW-1; \
 analyzer(0).manufacturer=Checkpoint; \
 analyzer(0).class=Firewall; \
 assessment.impact.type=other; \
 assessment.impact.severity=low; \
 assessment.impact.description= $1 sent by $2:$3 to $4:$5; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$2; \
 source(0).service.name=$3; \
 target(0).node.address(0).category = ipv4-addr; \
 target(0).node.address(0).address=$4; \
 target(0).service.name=$5; \
 last

#4.4 Service Name to port number
# No sample log entry; please submit
# Rule 118: SmartDefense "Bad packet", named s_port and numeric service.
# Captures as in rule 116; $3 -> source service.name, $5 -> target
# service.port.  Rule 117's `service: ([\w-]+)` already matches a numeric
# service, so with `last` in effect this rule is only reached for lines
# rule 117 rejects -- in practice it is shadowed.
regex=product: SmartDefense. Attack Info: (.+). attack: Bad packet. src: ([\d\.]+). s_port: ([\w-]+). dst: ([\d\.]+). service: (\d+). proto: ([\w-]+|\d+); \
 classification.text=Bad $6 flags; \
 id=118; \
 revision=1; \
 analyzer(0).name=FW-1; \
 analyzer(0).manufacturer=Checkpoint; \
 analyzer(0).class=Firewall; \
 assessment.impact.type=other; \
 assessment.impact.severity=low; \
 assessment.impact.description= $1 sent by $2:$3 to $4:$5; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$2; \
 source(0).service.name=$3; \
 target(0).node.address(0).category = ipv4-addr; \
 target(0).node.address(0).address=$4; \
 target(0).service.port=$5; \
 last

# 5. Large ping
# No sample log entry; please submit
# Rule 119: SmartDefense attack with src before dst and no port fields
# (the section heading says "Large ping", but the pattern accepts any
# attack name).  Captures: $1 attack name, $2 src, $3 dst.  Greedy `(.+)`
# for the name is bounded by the literal "; src:" that follows.
regex=product: SmartDefense\;.+attack: (.+)\; src: ([\d\.]+)\; dst: ([\d\.]+); \
 classification.text=$1; \
 id=119; \
 revision=1; \
 analyzer(0).name=FW-1; \
 analyzer(0).manufacturer=Checkpoint; \
 analyzer(0).class=Firewall; \
 assessment.impact.type=other; \
 assessment.impact.severity=low; \
 assessment.impact.description=$1 sent by $2 to $3; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$2; \
 target(0).node.address(0).category = ipv4-addr; \
 target(0).node.address(0).address=$3; \
 last

# No sample log entry; please submit
# Rule 125: any SmartDefense line with an "attack:" field that none of the
# more specific rules above matched.  Non-greedy `(.+?)\;` takes the attack
# name up to the first ";".  No source/target is exported -- the address
# layout is not known at this point.
regex=product: SmartDefense\;.+attack: (.+?)\;; \
 classification.text=$1; \
 id=125; \
 revision=2; \
 analyzer(0).name=FW-1; \
 analyzer(0).manufacturer=Checkpoint; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=low; \
 assessment.impact.type=other; \
 assessment.impact.description=Checkpoint SmartDefense has detected a $1; \
 last

# 9. Generic Smart Defense alert
# No sample log entry; please submit
# Rule 126: last-resort match on the SmartDefense product tag, so no
# SmartDefense line is dropped unseen.  Must remain after rules 112-125
# because `last` would otherwise stop evaluation here.
regex=product: SmartDefense; \
 classification.text=Misc logs; \
 id=126; \
 revision=1; \
 analyzer(0).name=FW-1; \
 analyzer(0).manufacturer=Checkpoint; \
 analyzer(0).class=Firewall; \
 assessment.impact.type=other; \
 assessment.impact.severity=low; \
 assessment.impact.description=Checkpoint Smart Defense: generic alert; \
 last

###
# III. System Monitor
###
# No sample log entry; please submit
# Rule 127: Check Point System Monitor "System Alert" entries.  Captures:
# $1 gateway address, $2 direction marker, $3 first word after it,
# $4 alert message (the only capture exported, in the description),
# $5 object name, $6 remaining text before the product tag.
# Analyzer is still reported as FW-1/Firewall, the same as every rule in
# this file; there is no separate analyzer entry for System Monitor.
regex=([\d+\.]+) (<|>)\s+(\w+) System Alert message: (.+). Object: (\w+). (.+). product: System Monitor; \
 classification.text=Checkpoint System Monitor; \
 id=127; \
 revision=1; \
 analyzer(0).name=FW-1; \
 analyzer(0).manufacturer=Checkpoint; \
 analyzer(0).class=Firewall; \
 assessment.impact.type=other; \
 assessment.impact.severity=low; \
 assessment.impact.description=System alert reported a $4; \
 last

#TODO:  Audit (and probably re-write) all SmartDefense events