Sophie

Sophie

distrib > Mandriva > 2008.1 > x86_64 > media > main-release > by-pkgid > b6c04112cc9a9f62a44c5755eb215e7f > files > 17

prelude-lml-0.9.11-1mdv2008.1.x86_64.rpm

#####
#
# Copyright (C) 2003 G Ramon Gomez <gene at gomezbrothers dot com>
# Tyco Fire and Security GTS (www.tycofireandsecurity.com)
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; see the file COPYING.  If not, write to
# the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
#
#####

#####
#
# The rules included here were developed using a Cisco VPN 3000 Concentrator.
# Please report any inconsistencies on other models to G Ramon Gomez at the 
# address provided above
#
#####

#LOG:Oct 28 19:00:35 vpn 1453 10/28/2003 19:00:34.930 SEV=4 AUTH/28 RPT=22 12.34.56.78  User [gene.gomez], Group [Staff] disconnected:  Duration: 0:10:12  Bytes xmt: 2745816  Bytes rcv: 172696  Reason: User Requested
regex=([\d\.]+)  User \[(\S+)\], Group \[(\S+)\] disconnected:  Duration: (\S+)  Bytes xmt: (\d+)  Bytes rcv: (\d+)  Reason: (.+); \
 classification.text=VPN user disconnected; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=vpn_id; \
 classification.reference(0).name=AUTH/28; \
 classification.reference(1).origin=vendor-specific; \
 classification.reference(1).meaning=vpn_severity; \
 classification.reference(1).name=4; \
 id=300; \
 revision=2; \
 analyzer(0).name=VPN Concentrator; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=VPN; \
 assessment.impact.severity=low; \
 assessment.impact.description=VPN user $2 disconnected; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 source(0).user.category=application; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$2; \
 source(0).user.user_id(1).type=current-group; \
 source(0).user.user_id(1).name=$3; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Connection duration; \
 additional_data(0).data=$4; \
 additional_data(1).type=integer; \
 additional_data(1).meaning=Bytes transmitted; \
 additional_data(1).data=$5; \
 additional_data(2).type=integer; \
 additional_data(2).meaning=Bytes received; \
 additional_data(2).data=$6; \
 additional_data(3).type=string; \
 additional_data(3).meaning=Disconnect reason; \
 additional_data(3).data=$7; \
 last

#LOG:Oct 29 19:18:20 vpn 1793 10/29/2003 19:18:20.190 SEV=3 AUTH/5 RPT=6 12.34.56.78  Authentication rejected: Reason = Invalid password handle = 66, server = Internal, user = gene.gomez, domain = <not specified>
regex=([\d\.]+)  Authentication rejected: Reason = (.+) handle = \d+, server = (\w+), user = (\S+), domain = (.+); \
 classification.text=VPN user failed authentication; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=vpn_id; \
 classification.reference(0).name=AUTH/5; \
 classification.reference(1).origin=vendor-specific; \
 classification.reference(1).meaning=vpn_severity; \
 classification.reference(1).name=3; \
 id=301; \
 revision=2; \
 analyzer(0).name=VPN Concentrator; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=VPN; \
 assessment.impact.severity=medium; \
 assessment.impact.type=user; \
 assessment.impact.completion=failed; \
 assessment.impact.description=VPN user $4 failed authentication because of $2; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 target(0).user.category=application; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$4; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Failure reason; \
 additional_data(0).data=$2; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Authentication server; \
 additional_data(1).data=$3; \
 additional_data(2).type=string; \
 additional_data(2).meaning=Authentication domain; \
 additional_data(2).data=$5; \
 last

#LOG:Oct 28 18:50:21 vpn 1414 10/28/2003 18:50:21.930 SEV=4 IKE/52 RPT=22 12.34.56.78  Group [Staff] User [gene.gomez] User (gene.gomez) authenticated.
regex=([\d\.]+)  Group \[(\S+)\] User \[(\S+)\] User \(\S+\) authenticated; \
 classification.text=VPN user authenticated; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=vpn_id; \
 classification.reference(0).name=IKE/52; \
 classification.reference(1).origin=vendor-specific; \
 classification.reference(1).meaning=vpn_severity; \
 classification.reference(1).name=4; \
 id=302; \
 revision=3; \
 analyzer(0).name=VPN Concentrator; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=VPN; \
 assessment.impact.severity=low; \
 assessment.impact.type=user; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=VPN user $3 authenticated; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 target(0).user.category=application; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$3; \
 target(0).user.user_id(1).type=current-group; \
 target(0).user.user_id(1).name=$2; \
 last

#LOG:Oct 29 19:53:18 vpn 1843 10/29/2003 19:53:18.680 SEV=5 AUTH/31 RPT=2  User [ admin ] Protocol [ HTTP ] attempted ADMIN logon.. Status: <REFUSED> authentication failure !
regex=User \[ (\S+) \] Protocol \[ (\S+) \] attempted ADMIN logon.. Status: <REFUSED>; \
 classification.text=VPN administration authentication failure; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=vpn_id; \
 classification.reference(0).name=AUTH/31; \
 classification.reference(1).origin=vendor-specific; \
 classification.reference(1).meaning=vpn_severity; \
 classification.reference(1).name=5; \
 id=303; \
 revision=2; \
 analyzer(0).name=VPN Concentrator; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=VPN; \
 assessment.impact.severity=medium; \
 assessment.impact.type=admin; \
 assessment.impact.completion=failed; \
 assessment.impact.description=VPN administration authentication failure: $1 using $2; \
 target(0).user.category=os-device; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$1; \
 target(0).service.name=$2; \
 last

#LOG:Oct 28 12:33:48 vpn 1359 10/28/2003 12:33:48.610 SEV=5 AUTH/36 RPT=1 12.34.56.78  User [ admin ] Protocol [ HTTP ] attempted ADMIN logon.. Status: <ACCESS GRANTED> !
regex=([\d\.]+)  User \[ (\S+) \] Protocol \[ (\S+) \] attempted ADMIN logon.. Status: <ACCESS GRANTED>; \
 classification.text=VPN administration authentication successful; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=vpn_id; \
 classification.reference(0).name=AUTH/36; \
 classification.reference(1).origin=vendor-specific; \
 classification.reference(1).meaning=vpn_severity; \
 classification.reference(1).name=5; \
 id=304; \
 revision=2; \
 analyzer(0).name=VPN Concentrator; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=VPN; \
 assessment.impact.severity=low; \
 assessment.impact.type=admin; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=VPN administration authentication success: $2 using $3; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 target(0).user.category=os-device; \
 target(0).user.user_id(0).type=current-user; \
 target(0).user.user_id(0).name=$2; \
 target(0).service.name=$3; \
 last

Perl :: Catalyst :: PostgreSQL :: RPM Valid HTML 4.01 Transitional