File: cisco-acs.rules

package info (click to toggle)
sagan-rules 1:20170725-1
  • links: PTS
  • area: main
  • in suites: buster, sid
  • size: 3,460 kB
  • sloc: makefile: 5
file content (43 lines) | stat: -rw-r--r-- 5,027 bytes parent folder | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
# Sagan cisco-acs.rules
# Copyright (c) 2009-2017, Quadrant Information Security <www.quadrantsec.com>
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
# cisco-acs.rules (Access Countrol System)

# 10.1.1.1|local6|notice|notice|b5|2013-03-14|06:55:44|CSCOacs_Failed_Attempts| 0016626111 1 0 2013-03-14 06:55:44.141 -08:00 0155632123 5401 NOTICE Failed-Attempt: Authentication failed, ACSVersion=acs-5.3.0.40-B.839, ConfigVersionId=294, Device IP Address=10.2.2.2, Device Port=41673, UserName=someusername, Protocol=Tacacs, RequestLatency=4, NetworkDeviceName=somedevicename, Type=Authentication, Action=Login, Privilege-Level=1, Authen-Type=ASCII, Service=Login, User=someusername, Port=tty514, Remote-Address=10.3.3.3, UserName=someusername, AcsSessionID=somedevicename/124343839/16642276, AuthenticationIdentityStore=Internal Users, AuthenticationMethod=PAP_ASCII, SelectedAccessService=SOMESERVICE InternalDevice Admin, SelectedShellProfile=DenyAccess, IdentityGroup=IdentityGroup:All Groups:Network Operations, FailureReason=13036 , Step=13013 , Step=15008 , Step=15004 , Step=15012 , Step=15041 , Step=15006 , Step=15013 , Step=13045 , Step=13015 , Step=13014 , Step=15037 , Step=15041 , Step=15006 , Step=15013 , Step=24430 , Step=24412 , Step=24210 ,                                                                                                                                                                          

# We look for "UserName=" because "CSCOacs_Failed_Attempts" can generate 
# several types of messages.  We're only interested in failures with good
# information.  parse_src_ip: 3 because the ACSVersion gets parsed as a
# IP address.  - Champ Clark (03/14/2013).

# alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-ACS] Failed Login Attempt"; program: CSCOacs_Failed_Attempts; content: "UserName="; parse_src_ip: 3; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001655; sid: 5001655; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-ACS] Failed Login Attempt - Brute force [5/5]"; program: CSCOacs_Failed_Attempts; xbits: set,brute_force,21600; content: "UserName="; content:!"session timed out"; parse_src_ip: 3; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300;  classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001656; sid: 5001656; rev:7;)

# 10.10.10.10|auth|info|info|26|2014-02-20|16:23:54|CisACS_02_FailedAuth| 79fa6rs6 1 0 Message-Type=Authen failed,User-Name=champtest,NAS-IP-Address=172.16.1.1,Authen-Failure-Code=ACS user unknown,Caller-ID=10.10.10.10,NAS-Port=58634240,Group-Name=Default Group,

# alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-ACS] Failed Login Attempt [CisACS]"; program: CisACS_02_FailedAuth; parse_src_ip: 1; parse_dst_ip: 2; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001975; sid: 5001975; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"[CISCO-ACS] Failed Login Attempt - Brute force [CisACS] [5/5]"; program: CisACS_02_FailedAuth; parse_src_ip: 1; parse_dst_ip: 2; xbits: set,brute_force,21600; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300;  classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5001976; sid: 5001976; rev:4;)