File: cisco-ios.rules

package info (click to toggle)
sagan-rules 1:20170725-1
  • links: PTS
  • area: main
  • in suites: bullseye, buster, sid
  • size: 3,460 kB
  • sloc: makefile: 5
file content (132 lines) | stat: -rw-r--r-- 26,357 bytes parent folder | download | duplicates (2)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
# Sagan cisco-ios.rules
# Copyright (c) 2009-2017, Quadrant Information Security <www.quadrantsec.com>
# All rights reserved.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
#  following conditions are met:
#
#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
#    disclaimer.
#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
#    following disclaimer in the documentation and/or other materials provided with the distribution.
#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
#    from this software without specific prior written permission.
#
#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] SNMP Authentication Failure [0/5]"; content: "SNMP-3-AUTHFAIL"; default_proto: udp; default_dst_port: $SNMP_PORT; classtype: attempted-recon; xbits: set, recon, 86400; parse_src_ip: 1; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5000051; sid: 5000051; rev:8;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Attempted RSHELL connection"; content: "RCMD-4-RSHPORTATTEMPT"; default_proto: tcp; default_dst_port: 514; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5000052; sid: 5000052; rev:4;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Line protocol changed state up/down"; content: "LINK-3-UPDOWN"; classtype: network-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000053; sid: 5000053; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Line protocol changed state up/down"; content: "LINEPROTO-5-UPDOWN"; classtype: network-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000054; sid: 5000054; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Configuration from console"; content: "SYS-5-CONFIG_I"; parse_src_ip: 1; classtype: configuration-change; reference: url,wiki.quadrantsec.com/bin/view/Main/5000055; sid: 5000055; rev:5;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] IOS configuration changed"; content: "SYS-5-CONFIG"; classtype: configuration-change; reference: url,wiki.quadrantsec.com/bin/view/Main/5000111; sid:5000111; rev:5;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Successful login"; content: "SEC_LOGIN-5-LOGIN_SUCCESS"; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5000112; sid:5000112; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Failed login"; content: "SEC_LOGIN-4-LOGIN_FAILED"; classtype: unsuccessful-admin; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5001520; sid:5001520; rev:2;)
drop any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Failed login - Brute Force [10/1]"; content: "SEC_LOGIN-4-LOGIN_FAILED"; classtype: unsuccessful-admin; xbits: set,brute_force,21600; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; fwsam: src, 1 day; normalize; reference: url,wiki.quadrantsec.com/bin/view/Main/5000113; sid:5000113; rev:11;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Fan failure - Fan not rotating [0/2]"; content: "ENVMON-3-FAN_FAILED"; classtype: hardware-event; threshold: type limit, track by_src, count 2, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5000388; sid:5000388; rev:5;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Fans had a rotation error reported [0/2]"; content: "%FAN-3-FAN_FAILED"; classtype: hardware-event; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001198; sid:5001198; rev:4;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Power Controller reports power Imax error detected"; content: "%ILPOWER-3-CONTROLLER_PORT_ERR"; threshold: type limit, track by_src, count 1, seconds 3600; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001190; sid:5001199; rev:3;)

# Rules submitted by Sniffty Dugen (July 31, 2012) 

#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Unsupported Hardware Module"; content: "C6KPWR-SP-4-UNSUPPORTED"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob1ab; sid: 5001476; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] IP Packet recieved to short"; content: "EARL_L3_ASIC-SP-4-INTR_THROTTLE: Throttling"; classtype: network-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob1abb; sid: 5001477; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] IP Packet with probable bad checksum Dropped"; content: "EARL_L3_ASIC-SP-3-INTR_WARN"; classtype: network-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#EARL; sid: 5001478; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] NetFlow addressable memory almost full"; content: "EARL_NETFLOW-SP-4-TCAM_THRLD"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob1a; sid: 5001479; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] IOS Keepalive Loop Detected"; content: "ETHCNTR-3-LOOP_BACK_DETECTED"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob1b; sid: 5001480; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Possible IOS System Crash"; content: "loadprog: error"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob1bc; sid: 5001481; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Error in Layer 3 Forwarding ASIC [0/2]"; content: "L3_ASIC-DFC3-4-ERR_INTRPT"; threshold: type limit, track by_src, count 2, seconds 300; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#ASIC; sid: 5001482; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] MAC/IP length inconsistencies"; content: "MLS_STAT-SP-4-IP_LEN_ERR"; classtype: network-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob1; sid: 5001483; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Invalid IP Checksum detected"; content: "MLS_STAT-SP-4-IP_CSUM_ERR"; classtype: network-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob2; sid: 5001484; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Excessive Multicast Traffic to IGMP reserved address"; content: "MCAST-SP-6-ADDRESS_ALIASING_FALLBACK"; classtype: network-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob3; sid: 5001485; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] PIM Hold Time Out of range"; content: "MROUTE-3-TWHEEL_DELAY_ERR"; classtype: network-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob5; sid: 5001486; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Maximum Number of L2 Multicast Group Entries Created"; content: "MCAST-SP-6-GC_LIMIT_EXCEEDED"; classtype: system-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob6; sid: 5001487; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Internal Table Manager Parity Error"; content: "MISTRAL-SP-3-ERROR"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob7; sid: 5001488; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Short IP Packets Detected"; content: "MLS_STAT-4-IP_TOO_SHRT"; classtype: network-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob8; sid: 5001489; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Creating Session to module/slot failed"; content: "Processor"; content: "cannot service session requests"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#Processor; sid: 5001490; rev:2;) 
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Module Firmware error detected"; content: "PM_SCP-1-LCP_FW_ERR"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob9; sid: 5001491; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Module Error Condition"; content: "PM_SCP-2-LCP_FW_ERR_INFORM"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob-error; sid: 5001492; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Switch Port Error Detected [0/3]"; content: "PM_SCP-SP-2-LCP_FW_ERR_INFORM"; threshold: type limit, track by_src, count 3, seconds 300; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#mod-issue; sid: 5001493; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Unsupported SFP GBIC Detected"; content: "PM_SCP-SP-3-TRANSCEIVER_BAD_EEPROM"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#badkey; sid: 5001494; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] TCAM Resource Exhaustion Detected"; content: "QM-4-TCAM_ENTRY"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#TCAM; sid: 5001495; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Supervisor Engine Parity Errors [0/3]"; content: "SYSTEM_CONTROLLER-SP-3-ERROR"; threshold: type limit, track by_src, count 3, seconds 300; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#tmparity; sid: 5001496; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Memory Parity Error [0/3]"; content: "SYSTEM_CONTROLLER-SW2_SPSTBY-3-ERROR"; threshold: type limit, track by_src, count 3, seconds 300; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob-controller; sid: 5001497; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Linecard Endpoint Lost Sync"; content: "SP: Linecard endpoint of Channel 14 lost Sync"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#sp141; sid: 5001498; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Misconfigured Boot Variables"; content: "SYSTEM-1-INITFAIL: Network boot is not supported"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#nwboot; sid: 5001499; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] CPU Monitor Message Time Outs [0/3]"; content: "CPU_MONITOR-3-TIMED_OUT"; threshold: type limit, track by_src, count 3, seconds 300; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#monitor; sid: 5001500; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] CPU Monitor Message Not Heard [0/3]"; content: "CPU_MONITOR-6-NOT_HEARD"; threshold: type limit, track by_src, count 3, seconds 300; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#monitor; sid: 5001501; rev:3;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Invalid IDPROM Image"; content: "Invalid IDPROM image for"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#idprom; sid: 5001502; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Switch Module Powered Off"; content: "C6KPWR-4-DISABLED"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#pwrdis; sid: 5001503; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] ASIC Failed to Synchronize"; content: "ONLINE-SP-6-INITFAIL"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#onlinefail; sid: 5001504; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Flow Mask Request Failed"; content: "FM_EARL7-4-FLOW_FEAT_FLOWMASK_REQ_FAIL"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#flowmask; sid: 5001505; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] IGMP join packet Flood"; content: "MCAST-2-IGMP_SNOOP_DISABLE"; classtype: network-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#igmpsnoop; sid: 5001506; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] ASIC/Pinnacle Unrecoverable resources"; content: "C6KERRDETECT-2-FIFOCRITLEVEL"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#dr; sid: 5001507; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Switching Bus Stalled"; content: "C6KERRDETECT-SP-4-SWBUSSTALL"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob-3sec; sid: 5001508; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Switching Bus Recovered"; content: "C6KERRDETECT-SP-4-SWBUSSTALL_RECOVERED"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob-3sec; sid: 5001509; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] SP-RP ping test failed, High Traffic"; content: "SP-RP Ping Test[7]"; classtype: system-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#srp; sid: 5001510; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Sub-interface Limit Reached"; content: "SW_VLAN-4-MAX_SUB_INT"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#subint; sid: 5001511; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Hash Bucket Collision"; content: "MCAST-6-L2_HASH_BUCKET_COLLISION"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#l2hash; sid: 5001512; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] QoS Hardware Resources Exceeded"; content: "QM-4-AGG_POL_EXCEEDED"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#qm_agg; sid: 5001513; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Port Channel MTU Mismatch"; content: "EC-SP-5-CANNOT_BUNDLE2"; content: "MTU"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob-bundle; sid: 5001514; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Port Channel Flow Control Mismatch"; content: "EC-SP-5-CANNOT_BUNDLE2"; content: "flow control"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#port; sid: 5001515; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Route entries about to reach FIB capacity"; content: "CFIB-7-CFIB_EXCEPTION"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#tcamexception; sid: 5001516; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Switch Port Data Path Error"; content: "CONST_DIAG-SP-3-HM_PORT_ERR"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#disablingport; sid: 5001517; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Bad CRC on ASIC Line Card"; content: "CONST_DIAG-SP-4-ERROR_COUNTER_WARNING"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#module; sid: 5001518; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Switch Detected Unknown Protocol"; content: "SYS-3-PORT_RX_BADCODE"; classtype: network-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#badcode; sid: 5001519; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Login Failed"; content: "SEC_LOGIN-4-LOGIN_FAILED"; classtype: unsuccessful-user; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001625; sid: 5001625; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Login Failed - Brute Force [10/1]"; content: "SEC_LOGIN-4-LOGIN_FAILED"; xbits: set,brute_force,21600; after: track by_src, count 10, seconds 300; threshold: type limit, track by_src, count 1, seconds 86400; fwsam: src, 1 day; classtype: unsuccessful-user; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001686; sid: 5001686; rev:8;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] High CPU usage detected"; content: "HIGH CPU DETECTED"; threshold: type limit, track by_src, count 1, seconds 3600; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001626; sid: 5001626; rev:3;)

# %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user cisco from 10.10.10.10 - sshd[27924]

#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Authentication Failure SSH"; content: "%AUTHPRIV-3-SYSTEM_MSG|3a|"; content: "sshd["; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5001668; sid: 5001668; rev:4;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Authentication Failure SSH - Brute force [5/5]"; content: "%AUTHPRIV-3-SYSTEM_MSG|3a|"; content: "sshd["; xbits: set,brute_force,21600; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-admin; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001670; sid: 5001670; rev:7;)

# %DAEMON-3-SYSTEM_MSG: error: PAM: Authentication failure for illegal user cisco from 10.10.10.10 - sshd[27926]

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Illegal User SSH"; content: "%DAEMON-3-SYSTEM_MSG|3a|"; content: "sshd["; parse_src_ip: 1; default_proto: tcp; default_dst_port: $SSH_PORT; classtype: unsuccessful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5001669; sid: 5001669; rev:6;)

# %USER-3-SYSTEM_MSG: FATAL: bad tty - login (no program)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] FATAL - bad tty - login (no program)"; content: "%USER-3-SYSTEM_MSG|3a|"; content: "FATAL: bad tty"; content: "no program";  classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001671; sid: 5001671; rev:5;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Auth to privilege 15 failed"; content: "%SYS-5-PRIV_AUTH_FAIL"; parse_src_ip: 1; classtype: unsuccessful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5001672; sid: 5001672; rev:3;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Multicast storm detected"; content: "%STORM_CONTROL-3-FILTERED";  classtype: network-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001673; sid: 5001673; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Invalid ARP"; content: "%SW_DAI-4-INVALID_ARP";  classtype: network-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001674; sid: 5001674; rev:2;)
#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Low FAN RPM - Service recommended"; content: "%ENVMON-4-FAN_LOW_RPM"; classtype: hardware-event; threshold: type limit, track by_src, count 1, seconds 3600; reference: url,wiki.quadrantsec.com/bin/view/Main/5001688; sid: 5001688; rev:4;)

# Submitted by Robert Nunley (rnunley@quadrantsec.com) - 08/14/2013

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] EIGRP Adjacency Change - Neighbor Up"; content: "%DUAL-5-NBRCHANGE"; content: "EIGRP"; content: "is up"; classtype: system-event; parse_src_ipl 1; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001707; sid: 5001707; rev:5;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] EIGRP Adjacency Change - Neighbor Down"; content: "%DUAL-5-NBRCHANGE"; content: "EIGRP"; content: "is down"; classtype: system-event; parse_src_ip: 1; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001708; sid: 5001708; rev:6;)

# Submittied by Robert Nunley (rnunley@quadrantsec.com) - 11/18/2013

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] BGP Adjacency Change - Neighbor Up"; content: "%BGP-5-ADJCHANGE"; content: "neighbor"; content: "Up"; classtype: system-event; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001718; sid: 5001718; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] BGP Adjacency Change - Neighbor Down"; content: "%BGP-5-ADJCHANGE"; content: "neighbor"; content: "Down"; classtype: system-event; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001719; sid: 5001719; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] BGP Neighbor Removed From Topology"; content: "%BGP_SESSION-5-ADJCHANGE"; content: "neighbor"; content: "topology"; classtype: system-event; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001720; sid: 5001720; rev:2;)

# Submitted by Adam Hall (ahall@quadrantsec.com) - 11/18.2013

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] HSRP Requesting Active State"; content: "Grp"; content: "Coup"; classtype: system-event; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001721; sid: 5001721; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] HSRP State Change"; content: "%STANDBY-6-STATECHANGE"; content: "state"; classtype: system-event; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001722; sid: 5001722; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] HSRP State Change"; content: "%HSRP-5-STATECHANGE"; content: "state"; classtype: system-event; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001723; sid: 5001723; rev:2;)

# %PARSER-5-CFGLOG_LOGGEDCMD: User:bob  logged command:!exec: enable

#alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Command logged"; content: "%PARSER-5-CFGLOG_LOGGEDCMD"; classtype: misc-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5001871; sid: 5001871; rev:2;)
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Enable command executed"; content: "%PARSER-5-CFGLOG_LOGGEDCMD"; content: "exec"; nocase; content: "enable"; nocase; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5001872; sid: 5001872; rev:2;)

# Jan 22 16:03:51: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: bob] [Source: 10.10.0.1] [localport: 22] at 16:03:51 UTC Wed Jan 22 2014

alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Login Success"; content: "%PARSER-5-CFGLOG_LOGGEDCMD"; default_proto: tcp; classtype: successful-admin; parse_src_ip: 1; parse_port; reference: url,wiki.quadrantsec.com/bin/view/Main/5001952; sid: 5001952; rev:2;)