# LCE PRM LIBRARY
# Copyright 2006 Tenable Network Security
# This library may only be used with the Thunder server and may not
# be used with other products or open source projects
#
# NAME:
# Buffalo Wireless Access Point
#
# DESCRIPTION:
#
# Log parser for Buffalo Wireless Access Point
#
# LAST UPDATE: $Date$

# Rule 400: a wireless client associated with the access point.
# PRM match= lines are ANDed, so every literal below must appear in the log
# line. The short tokens (AP, ser, ate, ed, ss) are substrings of the "AP0"
# marker and of the final literal " : Associated User -".
# The leading " : " in that literal keeps the rule from also firing on
# " : ReAssociated User -" lines, which rule 405 handles.
# NOTE(review): there is no regex= line, so the client MAC that the event name
# refers to is not extracted; the normalized event carries only the event name
# and type:system, and the MAC stays in the raw log text.
# NOTE(review): nothing in this rule ties the line to a particular sender.
# Any syslog source emitting these substrings would produce the event, so
# confirm that source filtering is done elsewhere.
id=400
name=This Buffalo Wireless access point had a successful system connection.
match=AP
match=AP0
match= : WIRELESS:
match=ser
match=ate
match=ed
match=ss
match= : Associated User -
log=event:BuffaloWAP-Associated_MAC type:system

NEXT

# Rule 401: a wireless client was de-authenticated from the access point.
# All match= literals must be present: "ent" and "ion" are substrings of
# " : DeAuthentication", and "ser" is a substring of " User -".
# NOTE(review): there is no regex= line, so the affected client MAC is not
# captured; the event is emitted with only the event name and type:system.
# NOTE(review): this rule normalizes single events only. Detecting a burst of
# de-authentications across clients would need a correlation rule on top of
# BuffaloWAP-DeAuthentication_MAC.
id=401
name=This Buffalo Wireless access point had a system dis-connection.
match=AP
match=AP0
match= : WIRELESS:
match=ent
match=ion
match= : DeAuthentication
match=ser
match= User -
log=event:BuffaloWAP-DeAuthentication_MAC type:system

NEXT

# Rule 402: the access point's udhcpd sent a DHCP OFFER.
# All match= literals must be present: "ER" is a substring of "OFFER",
# "cp" of "udhcpd" and "ing" of "sending".
# The regex captures the dotted quad that follows " OFFER of " as $1, and
# log= records it as dstip (the address being offered).
# NOTE(review): [0-9]+ does not limit an octet to 0-255 or to three digits,
# so $1 is whatever digit groups appear in the log text. Treat dstip as
# unvalidated if the log source is not trusted.
id=402
name=This Buffalo Wireless Access Point offered a DHCP IP address.
match=AP
match=ER
match=AP0
match=cp
match=ing
match= udhcpd: sending OFFER of
regex= OFFER of ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:BuffaloWAP-DHCP_Address_Offer type:dhcp dstip:$1

NEXT

# Rule 403: the access point's udhcpd sent a DHCP ACK.
# All match= literals must be present: "cp" is a substring of "udhcpd" and
# "ing" of "sending".
# The regex captures the dotted quad that follows " ACK to " as $1, and
# log= records it as dstip (the address being acknowledged).
# NOTE(review): [0-9]+ does not limit an octet to 0-255 or to three digits,
# so $1 is whatever digit groups appear in the log text. Treat dstip as
# unvalidated if the log source is not trusted.
id=403
name=This Buffalo Wireless Access Point DHCP acknowledgment for existing IP address.
match=AP
match=AP0
match=cp
match=ing
match= udhcpd: sending ACK to
regex= ACK to ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:BuffaloWAP-DHCP_Address_ACK type:dhcp dstip:$1

NEXT

# Rule 404: fwlogwatch on the access point reported an attack.
# All match= literals must be present: "lo" and "log" are substrings of
# "fwlogwatch", and "AT" of "ATTACK".
# The regex captures the dotted quad that follows " from " as $1, and log=
# records it as srcip on a type:intrusion event.
# NOTE(review): the regex is not anchored to the " fwlogwatch: ATTACK:"
# literal, so the first " from <digits.digits.digits.digits>" anywhere in the
# line is what gets captured. Confirm against sample logs that this is always
# the attacker address.
# NOTE(review): srcip is the address as reported in the log text. It can be a
# spoofed source, and [0-9]+ does not bound octets to 0-255, so corroborate it
# before using the event to drive automated blocking.
id=404
name=This Buffalo Wireless Access Point detected an attack. 
match=AP
match=AP0
match=lo
match=log
match=AT
match= fwlogwatch: ATTACK:
match=ATTACK
regex= from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:BuffaloWAP-Attack_Detected type:intrusion srcip:$1

NEXT

# Rule 405: a previously connected wireless client re-associated.
# All match= literals must be present. The short tokens (AP, ser, ate, ed, ss)
# are substrings of the "AP0" marker and of the final literal
# " : ReAssociated User -".
# NOTE(review): there is no regex= line, so the client MAC that the event name
# refers to is not extracted; the normalized event carries only the event name
# and type:system.
# NOTE(review): nothing in this rule ties the line to a particular sender.
# Confirm that source filtering is done elsewhere if forged syslog lines are
# a concern.
id=405
name=This Buffalo Wireless access point re-associated a user who had previously connected. 
match=AP
match=AP0
match= : WIRELESS:
match=ser
match=ate
match=ed
match=ss
match= : ReAssociated User -
log=event:BuffaloWAP-ReAssociated_MAC type:system