##### # # Copyright (C) 2006 G Ramon Gomez <gene at gomezbrothers dot com> # Ragingwire Enterprise Solutions (www.ragingwire.com) # All Rights Reserved # # This file is part of the Prelude-LML program. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2, or (at your option) # any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; see the file COPYING. If not, write to # the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA. # ##### ##### # # The rules included here were developed using a Cisco IPS module running on an # ASA. Please report any inconsistencies on other models to G Ramon Gomez at # the address provided above # Special configuration is needed for this support: # * In your IDM interface, "SNMP" -> "Traps Configuration", "Enable SNMP Traps" # box must be on. "Enable detailed traps for alerts" must be off. # * In your IDM interface, "Signature Definition" -> "Signature Configuration", # all of the rules must be modified using the "Select All" button, followed # by the "Actions" button, and click the "Request SNMP Trap" box on. # * On your Prelude system, run snmptrapd using this command: # "snmptrapd -Ls 16 -Osq" # ##### #LOG:Nov 22 10:04:09 SOMEHOST snmptrapd[28547]: 2006-11-22 10:04:09 somehost.somedomain.com [192.168.134.193]: sysUpTime.0 54:17:25:06.49 snmpTrapOID.0 enterprises.9.9.383.0.1 enterprises.9.9.383.1.1.1 1159501964404429847 enterprises.9.9.383.1.1.2 "07 D6 0B 16 0A 04 0F 00 " enterprises.9.9.383.1.1.3 "07 D6 0B 16 12 04 0F 00 " enterprises.9.9.383.1.1.4 "SOMEHOST" enterprises.9.9.383.1.2.1 "low" enterprises.9.9.383.1.2.2 2147483648 enterprises.9.9.383.1.2.4 "ICMP Network Sweep w/Echo"enterprises.9.9.383.1.2.5 2100 enterprises.9.9.383.1.2.6 0 enterprises.9.9.383.1.2.16 "192.168.134.30" enterprises.9.9.383.1.2.17 "192.168.129.28" #LOG:Nov 22 10:04:01 SOMEHOST snmptrapd[28547]: 2006-11-22 10:04:01 somehost.somedomain.com [192.168.134.193]: sysUpTime.0 54:17:24:58.20 snmpTrapOID.0 enterprises.9.9.383.0.1 enterprises.9.9.383.1.1.1 1159501964404429845 enterprises.9.9.383.1.1.2 "07 D6 0B 16 0A 04 07 00 " enterprises.9.9.383.1.1.3 "07 D6 0B 16 12 04 07 00 " enterprises.9.9.383.1.1.4 "SOMEHOST" enterprises.9.9.383.1.2.1 "medium" enterprises.9.9.383.1.2.2 2147483648 enterprises.9.9.383.1.2.4 "Web Client Remote Code Execution Vulnerability" enterprises.9.9.383.1.2.5 5732 enterprises.9.9.383.1.2.6 2 enterprises.9.9.383.1.2.16 "192.168.129.29:0" enterprises.9.9.383.1.2.17 "0.0.0.0:0" regex=(\S+) \[([\d\.]+)\]:.+enterprises.9.9.383.1.2.1 "(low|medium|high)".+enterprises.9.9.383.1.2.4 "(.+?)"\s*enterprises.9.9.383.1.2.5 (\d+)\s+enterprises.9.9.383.1.2.6 (\d+).+enterprises.9.9.383.1.2.16 "([\d\.]+):?(\d+)?"\s+enterprises.9.9.383.1.2.17 "([\d\.]+):?(\d+)?"; \ classification.text=$4; \ classification.reference(0).origin=vendor-specific; \ classification.reference(0).meaning=ips_id; \ classification.reference(0).name=$5.$6; \ classification.reference(0).url=http://tools.cisco.com/MySDN/Intelligence/viewSignature.x?signatureId=$5&signatureSubId=$6; \ id=5000; \ revision=1; \ analyzer(0).name=IPS; \ analyzer(0).manufacturer=Cisco; \ analyzer(0).class=IDS; \ analyzer(0).node.name=$1; \ analyzer(0).node.address(0).address=$2; \ assessment.impact.severity=$3; \ assessment.impact.description=This event was generated by the Cisco IPS; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$7; \ source(0).service.port=$8; \ target(0).node.address(0).category=ipv4-addr; \ target(0).node.address(0).address=$9; \ target(0).service.port=$10; \ last