##### # # Copyright (C) 2003 G Ramon Gomez <gene at gomezbrothers dot com> # Tyco Fire and Security GTS (www.tycofireandsecurity.com) # All Rights Reserved # # This file is part of the Prelude-LML program. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2, or (at your option) # any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; see the file COPYING. If not, write to # the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA. # ##### ##### # # The rules included here were developed using a Cisco VPN 3000 Concentrator. # Please report any inconsistencies on other models to G Ramon Gomez at the # address provided above # ##### #LOG:Oct 28 19:00:35 vpn 1453 10/28/2003 19:00:34.930 SEV=4 AUTH/28 RPT=22 12.34.56.78 User [gene.gomez], Group [Staff] disconnected: Duration: 0:10:12 Bytes xmt: 2745816 Bytes rcv: 172696 Reason: User Requested regex=([\d\.]+) User \[(\S+)\], Group \[(\S+)\] disconnected: Duration: (\S+) Bytes xmt: (\d+) Bytes rcv: (\d+) Reason: (.+); \ classification.text=VPN user disconnected; \ classification.reference(0).origin=vendor-specific; \ classification.reference(0).meaning=vpn_id; \ classification.reference(0).name=AUTH/28; \ classification.reference(1).origin=vendor-specific; \ classification.reference(1).meaning=vpn_severity; \ classification.reference(1).name=4; \ id=300; \ revision=2; \ analyzer(0).name=VPN Concentrator; \ analyzer(0).manufacturer=Cisco; \ analyzer(0).class=VPN; \ assessment.impact.severity=low; \ assessment.impact.description=VPN user $2 disconnected; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$1; \ source(0).user.category=application; \ source(0).user.user_id(0).type=current-user; \ source(0).user.user_id(0).name=$2; \ source(0).user.user_id(1).type=current-group; \ source(0).user.user_id(1).name=$3; \ additional_data(0).type=string; \ additional_data(0).meaning=Connection duration; \ additional_data(0).data=$4; \ additional_data(1).type=integer; \ additional_data(1).meaning=Bytes transmitted; \ additional_data(1).data=$5; \ additional_data(2).type=integer; \ additional_data(2).meaning=Bytes received; \ additional_data(2).data=$6; \ additional_data(3).type=string; \ additional_data(3).meaning=Disconnect reason; \ additional_data(3).data=$7; \ last #LOG:Oct 29 19:18:20 vpn 1793 10/29/2003 19:18:20.190 SEV=3 AUTH/5 RPT=6 12.34.56.78 Authentication rejected: Reason = Invalid password handle = 66, server = Internal, user = gene.gomez, domain = <not specified> regex=([\d\.]+) Authentication rejected: Reason = (.+) handle = \d+, server = (\w+), user = (\S+), domain = (.+); \ classification.text=VPN user failed authentication; \ classification.reference(0).origin=vendor-specific; \ classification.reference(0).meaning=vpn_id; \ classification.reference(0).name=AUTH/5; \ classification.reference(1).origin=vendor-specific; \ classification.reference(1).meaning=vpn_severity; \ classification.reference(1).name=3; \ id=301; \ revision=2; \ analyzer(0).name=VPN Concentrator; \ analyzer(0).manufacturer=Cisco; \ analyzer(0).class=VPN; \ assessment.impact.severity=medium; \ assessment.impact.type=user; \ assessment.impact.completion=failed; \ assessment.impact.description=VPN user $4 failed authentication because of $2; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$1; \ target(0).user.category=application; \ target(0).user.user_id(0).type=target-user; \ target(0).user.user_id(0).name=$4; \ additional_data(0).type=string; \ additional_data(0).meaning=Failure reason; \ additional_data(0).data=$2; \ additional_data(1).type=string; \ additional_data(1).meaning=Authentication server; \ additional_data(1).data=$3; \ additional_data(2).type=string; \ additional_data(2).meaning=Authentication domain; \ additional_data(2).data=$5; \ last #LOG:Oct 28 18:50:21 vpn 1414 10/28/2003 18:50:21.930 SEV=4 IKE/52 RPT=22 12.34.56.78 Group [Staff] User [gene.gomez] User (gene.gomez) authenticated. regex=([\d\.]+) Group \[(\S+)\] User \[(\S+)\] User \(\S+\) authenticated; \ classification.text=VPN user authenticated; \ classification.reference(0).origin=vendor-specific; \ classification.reference(0).meaning=vpn_id; \ classification.reference(0).name=IKE/52; \ classification.reference(1).origin=vendor-specific; \ classification.reference(1).meaning=vpn_severity; \ classification.reference(1).name=4; \ id=302; \ revision=3; \ analyzer(0).name=VPN Concentrator; \ analyzer(0).manufacturer=Cisco; \ analyzer(0).class=VPN; \ assessment.impact.severity=low; \ assessment.impact.type=user; \ assessment.impact.completion=succeeded; \ assessment.impact.description=VPN user $3 authenticated; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$1; \ target(0).user.category=application; \ target(0).user.user_id(0).type=target-user; \ target(0).user.user_id(0).name=$3; \ target(0).user.user_id(1).type=current-group; \ target(0).user.user_id(1).name=$2; \ last #LOG:Oct 29 19:53:18 vpn 1843 10/29/2003 19:53:18.680 SEV=5 AUTH/31 RPT=2 User [ admin ] Protocol [ HTTP ] attempted ADMIN logon.. Status: <REFUSED> authentication failure ! regex=User \[ (\S+) \] Protocol \[ (\S+) \] attempted ADMIN logon.. Status: <REFUSED>; \ classification.text=VPN administration authentication failure; \ classification.reference(0).origin=vendor-specific; \ classification.reference(0).meaning=vpn_id; \ classification.reference(0).name=AUTH/31; \ classification.reference(1).origin=vendor-specific; \ classification.reference(1).meaning=vpn_severity; \ classification.reference(1).name=5; \ id=303; \ revision=2; \ analyzer(0).name=VPN Concentrator; \ analyzer(0).manufacturer=Cisco; \ analyzer(0).class=VPN; \ assessment.impact.severity=medium; \ assessment.impact.type=admin; \ assessment.impact.completion=failed; \ assessment.impact.description=VPN administration authentication failure: $1 using $2; \ target(0).user.category=os-device; \ target(0).user.user_id(0).type=target-user; \ target(0).user.user_id(0).name=$1; \ target(0).service.name=$2; \ last #LOG:Oct 28 12:33:48 vpn 1359 10/28/2003 12:33:48.610 SEV=5 AUTH/36 RPT=1 12.34.56.78 User [ admin ] Protocol [ HTTP ] attempted ADMIN logon.. Status: <ACCESS GRANTED> ! regex=([\d\.]+) User \[ (\S+) \] Protocol \[ (\S+) \] attempted ADMIN logon.. Status: <ACCESS GRANTED>; \ classification.text=VPN administration authentication successful; \ classification.reference(0).origin=vendor-specific; \ classification.reference(0).meaning=vpn_id; \ classification.reference(0).name=AUTH/36; \ classification.reference(1).origin=vendor-specific; \ classification.reference(1).meaning=vpn_severity; \ classification.reference(1).name=5; \ id=304; \ revision=2; \ analyzer(0).name=VPN Concentrator; \ analyzer(0).manufacturer=Cisco; \ analyzer(0).class=VPN; \ assessment.impact.severity=low; \ assessment.impact.type=admin; \ assessment.impact.completion=succeeded; \ assessment.impact.description=VPN administration authentication success: $2 using $3; \ source(0).node.address(0).category=ipv4-addr; \ source(0).node.address(0).address=$1; \ target(0).user.category=os-device; \ target(0).user.user_id(0).type=current-user; \ target(0).user.user_id(0).name=$2; \ target(0).service.name=$3; \ last