File: sonicwall.rules

package info (click to toggle)
prelude-lml 1.0.0-1
links: PTS
area: main
in suites: squeeze
size: 7,724 kB
ctags: 4,520
sloc: ansic: 36,137; sh: 11,362; makefile: 253; python: 21
file content (262 lines) | stat: -rw-r--r-- 12,784 bytes
parent folder | download | duplicates (4)
#####
#
# Copyright (C) 2006 Igor Manassypov <imanassypov at rogers dot com>
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; see the file COPYING.  If not, write to
# the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
#
#####

# SonicWall syslog message 
#----------------------
#field	explanation
#----------------------
#m	Message ID		Provides the message id number
#c	Message category	Indicates the legacy category number
#pri	Message priority	Displays the event priority level (0=emergency 7=debug)
#n	Message count		Indicates the number of times event occurs

#LOG:Mar 10 13:44:49 192.168.30.10 id=firewall sn=0006B11302A2 time="2006-03-10 13:44:50" fw=216.123.166.2 pri=6 c=16 m=29 msg="Administrator login allowed" n=40 usr=netadm src=192.168.30.57:0:X0 dst=192.168.30.10:443:X0
regex=fw=([\d\.]+) pri=(\d) c=(\d+) m=(\d+) msg=\"(.+)\" n=(\d+) usr=(\S+) src=([\d\.]+):(\d+):(\S+) dst=([\d\.]+):(\d+):(\S+)$; \
 classification.text=Admin login; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=message-id; \
 classification.reference(0).name=$4; \
 classification.reference(0).url=http://www.sonicwall.com/support/pdfs/SonicOS_Log_Event_Reference_Guide.pdf; \
 classification.reference(1).origin=vendor-specific; \
 classification.reference(1).meaning=priority-id; \
 classification.reference(1).name=$2; \
 classification.reference(1).url=http://www.sonicwall.com/support/pdfs/SonicOS_Log_Event_Reference_Guide.pdf; \
 id=4600; \
 revision=1; \
 analyzer(0).name=SonicWall; \
 analyzer(0).manufacturer=SonicGuard; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=User $7 logged in. Message Priority = $2, Category = $3, ID = $4, Count = $6; \
 source(0).interface=$10; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$8; \
 source(0).service.port=$9; \
 target(0).interface=$13; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$11; \
 target(0).service.port=$12; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$7; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Reporting firewall ip address; \
 additional_data(0).data=$1; \
 additional_data(1).type=integer; \
 additional_data(1).meaning=Number of events; \
 additional_data(1).data=$6; \
 additional_data(2).type=string; \
 additional_data(2).meaning=Legacy category; \
 additional_data(2).data=$3; \
 last

#LOG:Mar 10 16:14:21 192.168.30.10 id=firewall sn=0006B11302A2 time="2006-03-10 16:14:22" fw=216.123.166.2 pri=1 c=32 m=23 msg="IP spoof dropped" n=64224 src=192.168.85.94:123:X0 dst=192.5.41.209:123:X1 mac=00:d0:ff:8b:8f:fc
regex=fw=([\d\.]+) pri=(\d) c=(\d+) m=(\d+) msg=\"(.+)\" n=(\d+) src=([\d\.]+):(\d+):(\S+) dst=([\d\.]+):(\d+):(\S+) mac=(\S+)$; \
 classification.text=Possible spoof attack; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=message-id; \
 classification.reference(0).name=$4; \
 classification.reference(0).url=http://www.sonicwall.com/support/pdfs/SonicOS_Log_Event_Reference_Guide.pdf; \
 classification.reference(1).origin=vendor-specific; \
 classification.reference(1).meaning=priority-id; \
 classification.reference(1).name=$2; \            
 classification.reference(1).url=http://www.sonicwall.com/support/pdfs/SonicOS_Log_Event_Reference_Guide.pdf; \
 id=4601; \
 revision=1; \
 analyzer(0).name=SonicWall; \
 analyzer(0).manufacturer=SonicGuard; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=high; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=$5. MAC: $13. Message Priority = $2, Category = $3, ID = $4, Count = $6; \
 source(0).interface=$9; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$7; \
 source(0).node.address(1).category=mac; \
 source(0).node.address(1).address=$13; \
 source(0).service.port=$8; \
 target(0).interface=$12; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$10; \
 target(0).service.port=$11; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Reporting firewall ip address; \
 additional_data(0).data=$1; \
 additional_data(1).type=integer; \
 additional_data(1).meaning=Number of events; \
 additional_data(1).data=$6; \
 additional_data(2).type=string; \
 additional_data(2).meaning=Legacy category; \
 additional_data(2).data=$3; \
 last

#LOG:Mar 13 02:58:36 192.168.30.10 id=firewall sn=0006B11302A2 time="2006-03-13 02:58:19" fw=216.123.166.2 pri=1 c=32 m=522 msg="Malformed IP packet dropped." n=5090 src=207.0.188.16:0:X1 dst=216.123.166.2:1026 dstname="IP Protocol 17"
regex=fw=([\d\.]+) pri=(\d) c=(\d+) m=(\d+) msg=\"(.+)\" n=(\d+) src=([\d\.]+):(\d+):(\S+) dst=([\d\.]+):(\d+) dstname="(.+)"$; \
 classification.text=Malformed packets; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=message-id; \
 classification.reference(0).name=$4; \
 classification.reference(0).url=http://www.sonicwall.com/support/pdfs/SonicOS_Log_Event_Reference_Guide.pdf; \
 classification.reference(1).origin=vendor-specific; \
 classification.reference(1).meaning=priority-id; \
 classification.reference(1).name=$2; \            
 classification.reference(1).url=http://www.sonicwall.com/support/pdfs/SonicOS_Log_Event_Reference_Guide.pdf; \
 id=4602; \
 revision=1; \
 analyzer(0).name=SonicWall; \
 analyzer(0).manufacturer=SonicGuard; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=failed; \
 assessment.impact.description=$5 for $12. Message Priority = $2, Category = $3, ID = $4, Count = $6; \
 source(0).interface=$9; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$7; \
 source(0).service.port=$8; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$10; \
 target(0).service.port=$11; \
 target(0).service.iana_protocol_name=$12; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Reporting firewall ip address; \
 additional_data(0).data=$1; \
 additional_data(1).type=integer; \
 additional_data(1).meaning=Number of events; \
 additional_data(1).data=$6; \
 additional_data(2).type=string; \
 additional_data(2).meaning=Legacy category; \
 additional_data(2).data=$3; \
 last

#LOG:Mar 13 11:00:21 192.168.30.10 id=firewall sn=0006B11302A2 time="2006-03-13 11:00:31" fw=216.123.166.2 pri=5 c=2048 m=173 msg="TCP connection from LAN denied" n=150 src=192.168.30.222:1:X0 dst=192.168.30.10:8:X0 proto=tcp/8
regex=fw=([\d\.]+) pri=(\d) c=(\d+) m=(\d+) msg=\"(.+)\" n=(\d+) src=([\d\.]+):(\d+):(\S+) dst=([\d\.]+):(\d+):(\S+) proto=(\S+)$; \
 classification.text=Connection from LAN denied; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=message-id; \
 classification.reference(0).name=$4; \
 classification.reference(0).url=http://www.sonicwall.com/support/pdfs/SonicOS_Log_Event_Reference_Guide.pdf; \
 classification.reference(1).origin=vendor-specific; \
 classification.reference(1).meaning=priority-id; \
 classification.reference(1).name=$2; \            
 classification.reference(1).url=http://www.sonicwall.com/support/pdfs/SonicOS_Log_Event_Reference_Guide.pdf; \
 id=4603 \
 revision=1; \
 analyzer(0).name=SonicWall; \
 analyzer(0).manufacturer=SonicGuard; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=failed; \
 assessment.impact.description=$5 for $13. Message Priority = $2, Category = $3, ID = $4, Count = $6; \
 source(0).interface=$9; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$7; \
 source(0).service.port=$8; \
 target(0).interface=$12; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$10; \
 target(0).service.port=$11; \
 target(0).service.iana_protocol_name=$13; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Reporting firewall ip address; \
 additional_data(0).data=$1; \
 additional_data(1).type=integer; \
 additional_data(1).meaning=Number of events; \
 additional_data(1).data=$6; \
 additional_data(2).type=string; \
 additional_data(2).meaning=Legacy category; \
 additional_data(2).data=$3; \
 last

#LOG:Mar 13 11:00:22 192.168.30.10 id=firewall sn=0006B11302A2 time="2006-03-13 11:00:32" fw=216.123.166.2 pri=1 c=0 m=860 msg="Possible SYN Flood on IF X0 - src: 192.168.30.222:1 dst: 192.168.30.10:481" n=1
regex=fw=([\d\.]+) pri=(\d) c=(\d+) m=(\d+) msg="Possible SYN Flood on IF (\S+) - src: ([\d\.]+):(\d+) dst: ([\d\.]+):(\d+)" n=(\d+)$; \
 classification.text=Possible SYN flood; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=message-id; \
 classification.reference(0).name=$4; \
 classification.reference(0).url=http://www.sonicwall.com/support/pdfs/SonicOS_Log_Event_Reference_Guide.pdf; \
 classification.reference(1).origin=vendor-specific; \
 classification.reference(1).meaning=priority-id; \
 classification.reference(1).name=$2; \            
 classification.reference(1).url=http://www.sonicwall.com/support/pdfs/SonicOS_Log_Event_Reference_Guide.pdf; \
 id=4604; \
 revision=1; \
 analyzer(0).name=SonicWall; \
 analyzer(0).manufacturer=SonicGuard; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=high; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Possible SYN Flood attack. Message Priority = $2, Category = $3, ID = $4, Count = $10; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$6; \
 source(0).service.port=$7; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$8; \
 target(0).service.port=$9; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Reporting firewall ip address; \
 additional_data(0).data=$1; \
 additional_data(1).type=integer; \
 additional_data(1).meaning=Number of events; \
 additional_data(1).data=$10; \
 additional_data(2).type=string; \
 additional_data(2).meaning=Legacy category; \
 additional_data(2).data=$3; \
 last

#LOG:Mar 13 14:50:06 192.168.30.10 id=firewall sn=0006B11302A2 time="2006-03-13 14:50:12" fw=216.123.166.2 pri=1 c=32 m=82 msg="Possible port scan dropped" n=268 src=70.29.251.124:20912:X1 dst=216.123.166.2:26917:X1
regex=fw=([\d\.]+) pri=(\d) c=(\d+) m=(\d+) msg="Possible port scan dropped" n=(\d+) src=([\d\.]+):(\d+):(\S+) dst=([\d\.]+):(\d+):(\S+)$; \
 classification.text=Possible port scan; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=sonicwall-sn; \
 classification.reference(0).name=$4; \
 classification.reference(0).url=http://www.sonicwall.com/support/pdfs/SonicOS_Log_Event_Reference_Guide.pdf; \
 classification.reference(1).origin=vendor-specific; \
 classification.reference(1).meaning=priority-id; \
 classification.reference(1).name=$2; \            
 classification.reference(1).url=http://www.sonicwall.com/support/pdfs/SonicOS_Log_Event_Reference_Guide.pdf; \
 id=4605 \
 revision=1; \
 analyzer(0).name=SonicWall; \
 analyzer(0).manufacturer=SonicGuard; \
 analyzer(0).class=Firewall; \
 assessment.impact.severity=high; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Possible port scan attack. Message Priority = $2, Category = $3, ID = $4, Count = $10; \
 source(0).interface=$8; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$6; \
 source(0).service.port=$7; \
 target(0).interface=$11; \
 target(0).node.address(0).category=ipv4-addr; \
 target(0).node.address(0).address=$9; \
 target(0).service.port=$10; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Reporting firewall ip address; \
 additional_data(0).data=$1; \
 additional_data(1).type=integer; \
 additional_data(1).meaning=Number of events; \
 additional_data(1).data=$10; \
 additional_data(2).type=string; \
 additional_data(2).meaning=Legacy category; \
 additional_data(2).data=$3; \
 last