
#####
#
# Copyright (C) 2003 Vincent Glaume
# All Rights Reserved
# Currently supported by G Ramon Gomez <gene at gomezbrothers dot com>
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by 
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; see the file COPYING.  If not, write to
# the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
#
#####

# I. Starting / stopping squid, and associated services (informational; these events do not indicate an attack)

# starting 
#LOG:2005/11/28 06:00:42| Starting Squid Cache version 2.5.STABLE1 for i386-redhat-linux-gnu...
# Rule 1801: Squid startup banner from cache.log.
#   $1 = Squid version string (2.5.STABLE1 in the sample), emitted as additional_data "Version"
#   $2 = build platform triplet, emitted as additional_data "Platform"
# Severity "info": a lifecycle event, not an attack.  The captured version is still
# useful to an analyst checking the proxy against known-vulnerable releases, and an
# unexpected restart can be correlated with rule 1808 (child exited on a signal) below.
regex=Starting Squid Cache version ([\w\.]+) for (\S+)\.\.\.; \
 classification.text=Proxy started; \
 id=1801; \
 revision=2; \
 analyzer(0).name=Squid; \
 analyzer(0).manufacturer=www.squid-cache.org; \
 analyzer(0).class=Proxy; \
 assessment.impact.severity=info; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=Squid Proxy was started; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Version; \
 additional_data(0).data=$1; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Platform; \
 additional_data(1).data=$2; \
 last

# accepting connections or disabled services
#LOG:2005/11/28 06:00:44| Accepting HTTP connections at 0.0.0.0, port 3128, FD 12.
# Rule 1802: Squid reports the HTTP listener it has opened.
#   $1 = bind address (only a dotted-quad IPv4 literal matches; reported as the target node address)
#   $2 = TCP port (target service port), $3 = file descriptor number (additional_data)
# Severity "info".  The bind address is worth reviewing: 0.0.0.0 as in the sample
# means the proxy is listening on every interface, which may or may not be intended.
regex=Accepting HTTP connections at ([\d\.]+), port (\d+), FD (\d+)\.; \
 classification.text=Proxy accepts HTTP; \
 id=1802; \
 revision=2; \
 analyzer(0).name=Squid; \
 analyzer(0).manufacturer=www.squid-cache.org; \
 analyzer(0).class=Proxy; \
 assessment.impact.severity=info; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=Squid listens for incoming HTTP connections on $1:$2, file descriptor #$3; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$1; \
 target(0).service.port=$2; \
 target(0).service.name=HTTP; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=File descriptor; \
 additional_data(0).data=$3; \
 last

#LOG:2005/11/28 06:00:44| Accepting ICP messages at 0.0.0.0, port 3130, FD 13.
# Rule 1803: Squid reports the ICP (inter-cache protocol) listener it has opened.
# Same field layout as rule 1802: $1 = IPv4 bind address, $2 = port, $3 = file descriptor.
# Severity "info".  As with 1802, a 0.0.0.0 bind address means the listener is
# reachable on every interface; whether ICP should be exposed that widely is a
# deployment decision worth checking.
regex=Accepting ICP messages at ([\d\.]+), port (\d+), FD (\d+)\.; \
 classification.text=Proxy accepts ICP; \
 id=1803; \
 revision=2; \
 analyzer(0).name=Squid; \
 analyzer(0).manufacturer=www.squid-cache.org; \
 analyzer(0).class=Proxy; \
 assessment.impact.severity=info; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=Squid listens for incoming ICP messages on $1:$2, file descriptor #$3; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$1; \
 target(0).service.port=$2; \
 target(0).service.name=ICP; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=File descriptor; \
 additional_data(0).data=$3; \
 last

# No log sample; please submit
# Rule 1804: Squid reports the HTCP listener it has opened.
#   $1 = port (target service port), $2 = file descriptor number
# Unlike 1802/1803 this message format carries no bind address, so no target node
# address is emitted.  NOTE(review): the regex was written without a captured log
# line (see the note above); confirm the exact wording against a real cache.log
# before relying on this rule.
regex=Accepting HTCP messages on port (\d+), FD (\d+)\.; \
 classification.text=Proxy accepts HTCP; \
 id=1804; \
 revision=2; \
 analyzer(0).name=Squid; \
 analyzer(0).manufacturer=www.squid-cache.org; \
 analyzer(0).class=Proxy; \
 assessment.impact.severity=info; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=Squid listens for incoming HTCP messages on port $1, file descriptor #$2; \
 target(0).service.port=$1; \
 target(0).service.name=HTCP; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=File descriptor; \
 additional_data(0).data=$2; \
 last

# No log sample; please submit
# Rule 1805: Squid reports the WCCP listener it has opened.
#   $1 = port (target service port), $2 = file descriptor number
# Same shape as rule 1804: no bind address in the message, so only port and FD are
# reported.  NOTE(review): written without a captured log line; confirm the wording
# against a real cache.log before relying on this rule.
regex=Accepting WCCP messages on port (\d+), FD (\d+)\.; \
 classification.text=Proxy accepts WCCP; \
 id=1805; \
 revision=2; \
 analyzer(0).name=Squid; \
 analyzer(0).manufacturer=www.squid-cache.org; \
 analyzer(0).class=Proxy; \
 assessment.impact.severity=info; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=Squid listens for incoming WCCP messages on port $1, file descriptor #$2; \
 target(0).service.port=$1; \
 target(0).service.name=WCCP; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=File descriptor; \
 additional_data(0).data=$2; \
 last

# No log sample; please submit
# Rule 1806: Squid started with the HTCP service disabled.  No capture groups.
# Severity "info"; no completion field is set, unlike the "accepts" rules above.
# Useful mainly to confirm the service surface of the proxy (fewer listeners).
# NOTE(review): written without a captured log line; confirm the wording.
regex=HTCP Disabled\.; \
 classification.text=Proxy started without HTCP; \
 id=1806; \
 revision=1; \
 analyzer(0).name=Squid; \
 analyzer(0).manufacturer=www.squid-cache.org; \
 analyzer(0).class=Proxy; \
 assessment.impact.severity=info; \
 assessment.impact.type=other; \
 assessment.impact.description=Squid was invoked without the HTCP service; \
 last

#LOG:2005/11/28 06:00:44| WCCP Disabled.
# Rule 1807: Squid started with the WCCP service disabled.  No capture groups.
# Severity "info"; mirrors rule 1806 and, like it, sets no completion field.
regex=WCCP Disabled\.; \
 classification.text=Proxy started without WCCP; \
 id=1807; \
 revision=1; \
 analyzer(0).name=Squid; \
 analyzer(0).manufacturer=www.squid-cache.org; \
 analyzer(0).class=Proxy; \
 assessment.impact.severity=info; \
 assessment.impact.type=other; \
 assessment.impact.description=Squid was invoked without the WCCP service; \
 last

#LOG:2005/11/28 06:00:44| Squid Parent: child process 10216 exited due to signal 6
# Rule 1808: the Squid parent reports that a worker child exited on a signal.
#   $1 = child PID (reported as target process pid), $2 = signal number
# Severity "medium": a signal-terminated child is an abnormal exit.  In the sample
# the signal is 6, which is SIGABRT on Linux, i.e. the process aborted.  Repeated
# events may point to a crash-inducing request or a resource problem and are worth
# correlating with access.log entries around the same time and with rule 1801
# (restart) if the parent respawns the child.
regex=Squid Parent: child process (\d+) exited due to signal (\d+); \
 classification.text=Proxy child process stopped; \
 id=1808; \
 revision=2; \
 analyzer(0).name=Squid; \
 analyzer(0).manufacturer=www.squid-cache.org; \
 analyzer(0).class=Proxy; \
 assessment.impact.severity=medium; \
 assessment.impact.type=other; \
 assessment.impact.description=A Squid child process (pid $1) exited after receiving the signal $2; \
 target(0).process.pid=$1; \
 last


# II. ACL log 
# 1. From /var/log/squid/access.log

#LOG:1133224765.027     23 12.34.56.78 TCP_DENIED/403 1387 GET http://was.nld.l.google.com:81/hit? - NONE/- text/html
# Rule 1809: a request refused by a Squid ACL, taken from the native access.log format.
# The regex is unanchored and requires single spaces between fields; in the sample the
# leading timestamp is followed by several spaces, so matching starts at the elapsed-time
# field:
#   $1 = elapsed time in ms (additional_data "Elapsed time")
#   $2 = client IPv4 address (reported as the source node address)
#   $3 = result code ending in DENIED (TCP_DENIED in the sample; vendor reference squid_id)
#   $4 = HTTP status code (403 in the sample; vendor reference squid_status)
#   $5 = bytes sent, $6 = HTTP method, $7 = requested URL
# Severity "medium", completion "failed": the proxy blocked the request.
# NOTE(review): $6 and $7 are copied verbatim from the client's request line into the
# alert; treat them as untrusted when displaying, searching or forwarding the event.
# NOTE(review): `[\d\.]+` only matches a dotted-quad IPv4 literal, so denials logged with
# an IPv6 client address (or a hostname, if the log resolves addresses) will not match
# this rule and go unreported — confirm whether an additional variant is needed.
regex=(\d+) ([\d\.]+) (\S+DENIED)/(\d+) (\d+) (\S+) (\S+); \
 classification.text=Proxy ACL violation attempt; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=squid_id; \
 classification.reference(0).name=$3; \
 classification.reference(0).url=http://www.squid-cache.org/Doc/FAQ/FAQ-6.html#ss6.7; \
 classification.reference(1).origin=vendor-specific; \
 classification.reference(1).meaning=squid_status; \
 classification.reference(1).name=$4; \
 classification.reference(1).url=http://www.squid-cache.org/Doc/FAQ/FAQ-6.html#ss6.8; \
 id=1809; \
 revision=2; \
 analyzer(0).name=Squid; \
 analyzer(0).manufacturer=www.squid-cache.org; \
 analyzer(0).class=Proxy; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=failed; \
 assessment.impact.description=Host $2 tried to violate Squid ACL; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$2; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Elapsed time; \
 additional_data(0).data=$1 ms; \
 additional_data(1).type=integer; \
 additional_data(1).meaning=Bytes transmitted; \
 additional_data(1).data=$5; \
 additional_data(2).type=string; \
 additional_data(2).meaning=HTTP method; \
 additional_data(2).data=$6; \
 additional_data(3).type=string; \
 additional_data(3).meaning=URL; \
 additional_data(3).data=$7; \
 last