#
# Copyright 2004-2014 Tenable Network Security
# This library may only be used with the LCE server and may not
# be used with other products or open source projects
#
# NAME:
# Cisco PIX Firewall
#
# DESCRIPTION:
# This library is used to process logs from the Cisco PIX firewall
# which are sent via SYSLOG. The SYSLOG messages must be sent either
# directly to the LCE server, or to a UNIX server running a LCE
# client which is 'tailing' a SYSLOG file on that system. The library
# includes facilities to detect traffic which has been denied, traffic
# which has been detected, malicious traffic and administration traffic.
#
# TUNING:
# Tenable customers who wish to tune this library may choose to
# comment out various portions of the library. For example, they may wish
# to only log TCP deny traffic. When adding and deleting signatures, ensure
# that each active signature is separated by a 'NEXT' separator.
#
# FORMAT NOTES (review):
# Each signature is a run of key=value lines terminated by NEXT:
#   id=     LCE signature id (keep unique within this file)
#   name=   human-readable description attached to the event
#   match=  literal substring the raw syslog line must contain. A value
#           starting with '!' (see ids 8651/8653) appears to exclude
#           lines containing that substring -- TODO confirm against the
#           LCE .prm documentation. The short fragments ("rom", "ion",
#           "ed") are substrings of the full message and presumably act
#           as cheap prefilters before the regex runs.
#   regex=  capture groups, referenced as $1..$n in the log= line
#   log=    event name, event type and the fields to populate
# srcip/dstip hold whatever substring the regex captured; the PIX can
# place an interface prefix, a hostname or a "(addr)" form there, so
# downstream correlation should not assume a well-formed IPv4 address.
#
###################################################################
#
# Caution: Do not run this library if you are running the
# firewall_cisco_pix_realname.prm library
###################################################################
#
# LAST UPDATE: $Date$
################
# DENY TRAFFIC #
################
# 106006: inbound UDP deny; src/dst and ports come from the from/to pair.
id=8626
name=This Cisco PIX firewall denied inbound UDP traffic.
match=%PIX
match=rom
match=-106006: Deny inbound UDP from
regex=from ([^/]+)/([0-9]+) to ([^/]+)/([0-9]+)
log=event:CiscoPIX-Blocked_UDP srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:17 type:firewall
NEXT
# 106001: inbound TCP deny; same capture layout as 8626.
id=8627
name=This Cisco PIX firewall denied inbound TCP traffic.
match=%PIX
match=rom
match=ion
match=ed
match=-106001: Inbound TCP connection denied from
match=ect
match=onnect
match=onnection
regex=from ([^/]+)/([0-9]+) to ([^/]+)/([0-9]+)
log=event:CiscoPIX-Blocked_TCP srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:firewall
NEXT
# 313001: ICMP denied to the firewall itself; only the source is captured.
id=8628
name=This Cisco PIX firewall denied inbound ICMP packets.
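match=%PIX
match=MP
match=ICMP
match=ed
match=ty
match=-313001: Denied ICMP type=
regex=type=[0-9]{1,3}, code=[0-9]{1,3} from ([^ ]+) on
log=event:CiscoPIX-Blocked_ICMP srcip:$1 proto:1 type:firewall
NEXT
# 106023 family: ACL deny by protocol. The optional "(?:\S*:)?" skips an
# "interface:" prefix in front of the address.
id=8629
name=This Cisco PIX firewall denied inbound UDP packets.
match=%PIX
match=-106023: Deny udp src
regex=src (?:\S*:)?([^/]+)/([0-9]+) dst (?:\S*:)?([^/]+)/([0-9]+)
log=event:CiscoPIX-Blocked_UDP proto:17 srcip:$1 srcport:$2 dstip:$3 dstport:$4 type:firewall
NEXT
id=8630
name=This Cisco PIX firewall denied a TCP connection.
match=%PIX
match=cp
match=-106023: Deny tcp src
regex=src (?:\S*:)?([^/]+)/([0-9]+) dst (?:\S*:)?([^/]+)/([0-9]+)
log=event:CiscoPIX-Blocked_TCP proto:6 srcip:$1 srcport:$2 dstip:$3 dstport:$4 type:firewall
NEXT
id=8631
name=This Cisco PIX firewall denied an ICMP query.
match=%PIX
match=-106023: Deny icmp src
regex=src (?:\S*:)?([^ ]+) dst (?:\S*:)?([^ ]+)
log=event:CiscoPIX-Blocked_ICMP srcip:$1 dstip:$2 proto:1 type:firewall
NEXT
# 106011 (no xlate): the regex captures the source port as $2; it is now
# recorded (it was captured but dropped before), matching the other deny
# signatures that keep both ports.
id=8632
name=This Cisco PIX firewall denied inbound TCP traffic.
match=%PIX
match=cp
match=ate
match=-106011: Deny inbound (No xlate) tcp src
regex=src (?:\S*:)?([^/]+)/([0-9]+) dst (?:\S*:)?([^/]+)/([0-9]+)
log=event:CiscoPIX-Blocked_Inbound_TCP_Noxlate proto:6 srcip:$1 srcport:$2 dstip:$3 dstport:$4 type:firewall
NEXT
id=8633
name=This Cisco PIX firewall denied inbound ICMP traffic.
match=%PIX
match=ate
match=-106011: Deny inbound (No xlate) icmp src
regex=src (?:\S*:)?([^ ]+) dst (?:\S*:)?([^ ]+)
log=event:CiscoPIX-Blocked_Inbound_ICMP_Noxlate proto:1 srcip:$1 dstip:$2 type:firewall
NEXT
# 106010: inbound deny; the port separator is written as "\/" here and as
# "/" elsewhere -- both are equivalent in the regex.
id=8634
name=This Cisco PIX firewall denied inbound UDP traffic.
match=%PIX
match=-106010: Deny inbound udp src
regex=src (?:\S*:)?([^/]+)\/([0-9]+) dst (?:\S*:)?([^/]+)\/([0-9]+)
log=event:CiscoPIX-Blocked_UDP srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:17 type:firewall
NEXT
id=8635
name=This Cisco PIX firewall denied inbound TCP traffic.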
match=%PIX
match=cp
match=-106010: Deny inbound tcp src
regex=src (?:\S*:)?([^/]+)\/([0-9]+) dst (?:\S*:)?([^/]+)\/([0-9]+)
log=event:CiscoPIX-Blocked_TCP srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:firewall
NEXT
id=8636
name=This Cisco PIX firewall denied inbound ICMP traffic.
match=%PIX
match=-106010: Deny inbound icmp src
regex=src (?:\S*:)?([^ ]+) dst (?:\S*:)?([^ ]+)
log=event:CiscoPIX-Blocked_ICMP srcip:$1 dstip:$2 proto:1 type:firewall
NEXT
# 106014: ICMP deny variant; same event name as 8636 so both roll up
# into CiscoPIX-Blocked_ICMP.
id=8637
name=This Cisco PIX firewall denied inbound ICMP traffic.
match=%PIX
match=-106014: Deny inbound icmp src
regex=src (?:\S*:)?([^ ]+) dst (?:\S*:)?([^ ]+)
log=event:CiscoPIX-Blocked_ICMP proto:1 srcip:$1 dstip:$2 type:firewall
NEXT
# 106012: packets carrying IP options (e.g. source routing). No proto is
# recorded because the message does not carry one.
id=8638
name=This Cisco PIX firewall denied IP packets with options such as source routing.
match=%PIX
match=rom
match=-106012: Deny IP from
match=ion
match=pt
match=, IP options
regex=from ([^ ]+) to ([^ ]+),
log=event:CiscoPIX-Blocked_IP_Options srcip:$1 dstip:$2 type:firewall
NEXT
# 710003: ACL denies for traffic addressed to the firewall itself. Ports
# are bounded to 5 digits here, unlike the "[0-9]+" used by 8626-8635.
id=8639
name=This Cisco PIX firewall denied a TCP connection attempt.
match=%PIX
match=CL
match=rom
match=ce
match=ed
match=ss
match=-710003: TCP access denied by ACL from
regex=from (?:\S*:)?([^/]+)/([0-9]{1,5}) to (?:\S*:)?([^/]+)/([0-9]{1,5})
log=event:CiscoPIX-Blocked_TCP proto:6 srcip:$1 srcport:$2 dstip:$3 dstport:$4 type:firewall
NEXT
id=8640
name=This Cisco PIX firewall denied a UDP session.
match=%PIX
match=CL
match=rom
match=ce
match=ed
match=ss
match=-710003: UDP access denied by ACL from
regex=from (?:\S*:)?([^/]+)/([0-9]{1,5}) to (?:\S*:)?([^/]+)/([0-9]{1,5})
log=event:CiscoPIX-Blocked_UDP proto:17 srcip:$1 srcport:$2 dstip:$3 dstport:$4 type:firewall
NEXT
# 710005: request discarded (no service listening on the firewall).
id=8641
name=This Cisco PIX firewall denied a UDP session.
match=%PIX
match=est
match=rom
match=ar
match=ed
match=-710005: UDP request discarded from
# NOTE(review): the destination "port" group also admits letters, so
# dstport may carry a service name rather than a number when the PIX
# prints one -- consumers expecting an integer should tolerate that.
regex=from (?:\S*:)?([^/]+)/([0-9]{1,5}) to (?:\S*:)?([^/]+)/([0-9a-zA-Z]{1,5})
log=event:CiscoPIX-Blocked_UDP proto:17 srcip:$1 srcport:$2 dstip:$3 dstport:$4 type:firewall
NEXT
# 106015: TCP packet with no matching connection (e.g. stray ACK/RST).
id=8642
name=This Cisco PIX firewall denied a TCP session.
match=%PIX
match=rom
match=ion
match=-106015: Deny TCP (no connection) from
match=ect
match=onnect
match=onnection
regex=from (?:\S*:)?([^/]+)/([0-9]{1,5}) to (?:\S*:)?([^/]+)/([0-9]{1,5})
log=event:CiscoPIX-Blocked_TCP proto:6 srcip:$1 srcport:$2 dstip:$3 dstport:$4 type:firewall
NEXT
id=8643
name=This Cisco PIX firewall discarded a TCP session.
match=%PIX
match=est
match=rom
match=ar
match=ed
match=-710005: TCP request discarded from
regex=from (?:\S*:)?([^/]+)/([0-9]{1,5}) to (?:\S*:)?([^/]+)/([0-9]{1,5})
log=event:CiscoPIX-Blocked_TCP proto:6 srcip:$1 srcport:$2 dstip:$3 dstport:$4 type:firewall
NEXT
# 710006: non-TCP/UDP protocol discarded; the numeric protocol printed
# after the message id becomes proto:$1.
id=8644
name=This Cisco PIX firewall blocked a packet based on its IP protocol.
match=%PIX
match=-710006:
regex=: (\d+) request discarded from (?:\S*:)?([^ ]+) to (?:\S*:)?([^ ]+)
log=event:CiscoPIX-Blocked_Protocol proto:$1 srcip:$2 dstip:$3 type:firewall
##################
# ACCEPT TRAFFIC #
##################
NEXT
# 710002: ACL permit for traffic addressed to the firewall itself;
# typed as "connection" rather than "firewall" because nothing was blocked.
id=8645
name=This Cisco PIX firewall allowed a TCP connection.
match=%PIX
match=rom
match=ce
match=ed
match=ss
match=-710002: TCP access permitted from
regex=from (?:\S*:)?([^/]+)/([0-9]{1,5}) to (?:\S*:)?([^/]+)/([0-9]{1,5})
log=event:CiscoPIX-Allowed_TCP proto:6 srcip:$1 srcport:$2 dstip:$3 dstport:$4 type:connection
NEXT
id=8646
name=This Cisco PIX firewall allowed a UDP connection.
match=%PIX
match=rom
match=ce
match=ed
match=ss
match=-710002: UDP access permitted from
regex=from (?:\S*:)?([^/]+)/([0-9]{1,5}) to (?:\S*:)?([^/]+)/([0-9]{1,5})
log=event:CiscoPIX-Allowed_UDP proto:17 srcip:$1 srcport:$2 dstip:$3 dstport:$4 type:connection
#######################
# AUTHENTICATION LOGS #
#######################
NEXT
# 611101-611103 / 502103: user-session events. None of these four
# signatures has a regex, so the username that follows "Uname:" is not
# attached to the event. Adding a capture such as `regex=Uname: *(\S+)`
# with `user:$1` would give login-failure correlation a principal to key
# on -- but confirm first what LCE does when a regex fails to match,
# so a missing username cannot silently suppress the event.
id=8647
name=This Cisco PIX firewall had a valid user logout.
match=%PIX
match=lo
match=log
match=ser
match=ed
match=-611103: User logged out: Uname:
log=event:CiscoPIX-User_Log_Out type:logout
NEXT
id=8648
name=This Cisco PIX firewall had a user fail to complete a valid login.
match=%PIX
match=ent
match=ser
match=ail
match=ion
match=le
match=ed
match=-611102: User authentication failed: Uname:
log=event:CiscoPIX-User_Authentication_Failure type:login-failure
NEXT
id=8649
name=This Cisco PIX firewall had a valid user login.
match=%PIX
match=ent
match=ser
match=ion
match=ce
match=ed
match=-611101: User authentication succeeded: Uname:
log=event:CiscoPIX-User_Log_In type:login
NEXT
id=8650
name=This Cisco PIX firewall had a valid user change their administration privilege level.
match=%PIX
match=ser
match=le
match=ed
match=-502103: User priv level changed: Uname:
match=an
log=event:CiscoPIX-User_Privilege_Change type:system
NEXT
# 605005: management login over the network. "!serial" / "!console"
# keep the serial-console variant (8652) out of this signature. The
# event name "Admin_Permited" is misspelled but is left as-is because
# existing correlation rules and reports key on that exact string.
id=8651
name=This Cisco PIX firewall had a valid administrator login.
match=%PIX
match=rom
match=Lo
match=ed
match=-605005: Login permitted from
match=!serial
match=!console
match=ser
match=for user
regex=from (?:\S*:)?([^/]+)/([0-9]{1,5}) to (?:\S*:)?([^/]+)/([0-9]{1,5}) for user "([^"]+)"
log=event:CiscoPIX-Admin_Permited type:login srcip:$1 srcport:$2 dstip:$3 dstport:$4 user:$5
NEXT
id=8652
name=This Cisco PIX firewall had a valid administrator login.
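match=%PIX
match=ol
match=le
match=onsole
match=Lo
match=Login
match=ser
match=user
match=rom
match=ed
match=-605005: Login permitted from serial to console for user
regex=for user "([^"]+)"
log=event:CiscoPIX-Admin_Permited_Console type:login user:$1
NEXT
# 605004: management login denied over the network. The message has the
# same 'for user "name"' tail as 605005, so the username is captured the
# way 8651 does it; a failed admin login without the attempted account
# is of little use for brute-force or credential-stuffing detection.
id=8653
name=This Cisco PIX firewall had an administrator login failure.
match=%PIX
match=rom
match=Lo
match=ed
match=-605004: Login denied from
match=!serial
match=!console
match=ser
match=for user
match=Login
match=user
regex=from (?:\S*:)?([^/]+)/([0-9]{1,5}) to (?:\S*:)?([^/]+)/([0-9]{1,5}) for user "([^"]+)"
log=event:CiscoPIX-Admin_Denied type:login-failure srcip:$1 srcport:$2 dstip:$3 dstport:$4 user:$5
NEXT
# 605004 on the serial console; username captured as in 8652.
id=8654
name=This Cisco PIX firewall had an administrator login failure.
match=%PIX
match=Lo
match=ed
match=-605004: Login denied
match=ser
match=ol
match=rom
match=le
match=from serial to console for user
match=onsole
match=Login
regex=for user "([^"]+)"
log=event:CiscoPIX-Admin_Denied_Console type:login-failure user:$1
NEXT
# 603103: PPP AAA authentication status. Note this fires for any AAA
# status text after "aaa authentication", not only successes, although
# it is typed as "login".
id=8655
name=This Cisco PIX firewall had a user authenticate through a PPP interface.
match=%PIX
match=ce
match=ace
match=-603103: PPP virtual interface
match=ent
match=ion
match=aaa authentication
match=uthentication
regex= user: (\S+) aaa
log=event:CiscoPIX-PPP_User_AAA_Status type:login user:$1
NEXT
# 315011 with reason "terminated normally": SSH logout.
id=8656
name=This Cisco PIX firewall had a network user logged in via SSH disconnect normally.
match=%PIX
match=rom
match=ion
match=ss
match=-315011: SSH session from
match=ser
match=ed
match=disconnected by SSH server, reason:
match=ect
match=onnect
match=ate
match=terminated normally
regex=from (\S+) .* for user (\S+)
log=event:CiscoPIX-SSH_Disconnect type:logout srcip:$1 user:$2
NEXT
id=8657
name=This Cisco PIX firewall had a network user fail to login via SSH because of a bad password.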
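match=%PIX
match=rom
match=ion
match=ss
match=-315011: SSH session from
match=ser
match=ed
match=disconnected by SSH server, reason:
match=onnect
match=ect
match=Rejected by server
# Same message family as 8656, so the "for user" field is captured the
# same way; a rejected SSH login is far more actionable with the account.
regex=SSH session from (\S+) .* for user (\S+)
log=event:CiscoPIX-SSH_Bad_Password type:login-failure srcip:$1 user:$2
NEXT
# 308001: the match text is "PIX console enable password incorrect for
# N tries", i.e. repeated bad *enable* passwords on the console, not SSH
# logins; the description now says so. The srcip comes from "(from X)".
id=8658
name=This Cisco PIX firewall had the enable password entered incorrectly multiple times.
match=%PIX
match=ol
match=le
match=onsole
match=-308001: PIX console
match=rr
match=ss
match=ass
match=enable password incorrect for
match=ect
regex=\(from ([^ )]+)\)
log=event:CiscoPIX-Multiple_Enable_Failures type:login-failure srcip:$1
NEXT
# 109008: authorization denied. The regex mirrors 8660/8661 (same
# "for user X from A/p to B/p" layout) so the denied principal is kept.
id=8659
name=This Cisco PIX firewall had a network user fail to authorize for network access.
match=%PIX
match=ser
match=user
match=ion
match=ed
match=-109008: Authorization denied for user
regex=for user ([^ ]*) from (?:\S*:)?([^/]+)/([0-9]{1,5}) to (?:\S*:)?([^/]+)/([0-9]{1,5})
log=event:CiscoPIX-User_Authorization_Denied type:login-failure user:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5
NEXT
id=8660
name=This Cisco PIX firewall had a network user authenticate for network access.
match=%PIX
match=ser
match=user
match=ion
match=ed
match=-109007: Authorization permitted for user
regex=for user ([^ ]*) from (?:\S*:)?([^/]+)/([0-9]{1,5}) to (?:\S*:)?([^/]+)/([0-9]{1,5})
log=event:CiscoPIX-User_Authorization_Allowed type:login user:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5
NEXT
id=8661
name=This Cisco PIX firewall had a network user authenticate for network access.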
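match=%PIX
match=ser
match=user
match=ion
match=ce
match=ed
match=-109005: Authorization succeeded for user
regex=for user ([^ ]*) from (?:\S*:)?([^/]+)/([0-9]{1,5}) to (?:\S*:)?([^/]+)/([0-9]{1,5})
log=event:CiscoPIX-User_Authorization_Allowed type:login user:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5
#######################
# ADMINISTRATION LOGS #
#######################
NEXT
# 701001: user/TCP session object pool exhausted.
id=8662
name=This Cisco PIX firewall is experiencing a rollover issue with a large combination of authorized users and TCP network sessions.
match=%PIX
match=ser
match=user
match=cp
match=lo
match=-701001: alloc_user() out of Tcp_user objects
match=ect
log=event:CiscoPIX-Too_Many_Users type:error
NEXT
# 614001/614002: split-DNS rewriting. Both DNS servers are recorded and
# port 53 is assumed on both sides.
id=8663
name=This Cisco PIX firewall has detected a split DNS situation.
match=%PIX
match=ser
match=est
match=rom
match=ed
match=-614001: Split DNS: request patched from server:
regex= from server: *([^ ]+) to server: *([^ ]+)
log=event:CiscoPIX-Split_DNS type:system srcip:$1 dstip:$2 dstport:53 srcport:53
NEXT
id=8664
name=This Cisco PIX firewall has detected a split DNS situation.
match=%PIX
match=ser
match=rom
match=-614002: Split DNS: reply from server:
regex=from server: *([^ ]+) reverse patched back to original server: *([^ ]+)
log=event:CiscoPIX-Split_DNS type:system srcip:$1 dstip:$2 dstport:53 srcport:53
NEXT
# 613003: OSPF area change. dstport:2604 / proto:6 are hard-coded
# rather than taken from the message; presumably meant to tag the event
# with the OSPF daemon's management port -- verify this is intended.
id=8665
name=This Cisco PIX firewall has detected a change in the OSPF route table.
match=%PIX
match=-613003:
match=rom
match=ar
match=ed
match=changed from area
match=an
regex=%PIX-\d-613003: ([^ ]+)
log=event:CiscoPIX-OSPF_IP_Area_Change type:system dstip:$1 dstport:2604 proto:6
NEXT
id=8666
name=This Cisco PIX firewall has very poor bandwidth on one or more of its interfaces.
match=%PIX
match=ce
match=ace
match=-613002: interface
match=has zero bandwidth
match=an
log=event:CiscoPIX-Interface_Zero_Bandwidth type:error
NEXT
id=8667
name=This Cisco PIX firewall has had an error with one of its automatic update processes.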
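match=%PIX
match=-61200
match=ail
match=ate
match=le
match=ed
match= Auto Update failed
match=ailed
log=event:CiscoPIX-Auto_Update_Failure type:error
NEXT
# 610101: command authorization failure. Typed "error" here while the
# comparable NTP auth failure (8669) is "access-denied"; a reviewer may
# want to align these so failed command authorization shows up in
# access-denied reporting.
id=8668
name=This Cisco PIX firewall has had a user fail to execute a command due to inappropriate permissions.
match=%PIX
match=ail
match=ion
match=le
match=ed
match=-610101: Authorization failed: Cmd:
match=ailed
log=event:CiscoPIX-Command_Failure type:error
NEXT
# 610002: NTP authentication failure. proto:17 added so the event carries
# the same protocol tag as its sibling 8670 (NTP is UDP/123).
id=8669
name=This Cisco PIX firewall has received an invalid network time protocol message.
match=%PIX
match=TP
match=ce
match=ace
match=-610002: NTP daemon interface
match=NTP
match=ent
match=ail
match=rom
match=ack
match=ion
match=le
match=ed
match=Authentication failed for packet from
regex=from ([^ ]+)
log=event:CiscoPIX-Bad_NTP_Packet type:access-denied srcip:$1 dstport:123 proto:17
NEXT
id=8670
name=This Cisco PIX firewall has blocked a network time protocol message.
match=%PIX
match=TP
match=ce
match=ace
match=-610001: NTP daemon interface
match=NTP
match=rom
match=ack
match=ed
match=: Packet denied from
regex=from ([^ ]+)
log=event:CiscoPIX-NTP_Packet_Denied type:firewall srcip:$1 dstport:123 proto:17
NEXT
# 40901x: duplicate OSPF router ID. The "-40901" match is a prefix that
# covers more than one message id; the regex only needs "ID X in".
id=8671
name=This Cisco PIX firewall has detected another router with the same ID.
match=%PIX
match=-40901
match=ate
match=ed
match=: Detected router with duplicate router ID
match=ect
regex=ID ([^ ]+) in
log=event:CiscoPIX-Duplicate_Router_ID type:error dstip:$1
NEXT
# 409011: $1 is the duplicated router-id, $2 the neighbour it came
# "from". NOTE(review): the router-id is stored as srcip and the sender
# as dstip; if the sender is the more useful pivot, these look swapped --
# confirm with a sample before changing.
id=8672
name=This Cisco PIX firewall has detected another router with the same ID.
match=%PIX
match=ate
match=ed
match=-409011: OSPF detected duplicate router-id
match=ect
regex=router-id ([^ ]+) from ([^ ]+) on
log=event:CiscoPIX-Duplicate_Router_ID type:error srcip:$1 dstip:$2
NEXT
id=8673
name=This Cisco PIX firewall has detected an invalid OSPF routing packet.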
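match=%PIX
match=rom
match=ack
match=le
match=-409005: Invalid length number in OSPF packet from
regex=from ([^ ]+)
log=event:CiscoPIX-Invalid_OSPF_Packet type:system srcip:$1
NEXT
id=8674
name=This Cisco PIX firewall has detected an invalid OSPF routing packet.
match=%PIX
match=ack
match=ce
match=ed
match=-409003: Received invalid packet:
regex=from ([^, ]+),
log=event:CiscoPIX-Invalid_OSPF_Packet type:system srcip:$1
NEXT
# 317005: the route that could not be added is recorded as dstip.
id=8675
name=This Cisco PIX firewall has exceeded its routing table limit due to a configuration error.
match=%PIX
match=ing
match=ce
match=le
match=ed
match=-317005: IP routing table limit exceeded -
regex=, ([^ ]+) netmask
log=event:CiscoPIX-Routing_Limit_Reached type:error dstip:$1
NEXT
# 309002: PIX Device Manager connection accepted; the trailing "\." stops
# the capture at the sentence end.
id=8676
name=This Cisco PIX firewall has had an administrator login.
match=%PIX
match=rom
match=ion
match=ed
match=-309002: Permitted manager connection from
match=ect
match=onnect
match=onnection
match=an
regex=from ([^ ]+)\.
log=event:CiscoPIX-Manager_Connection type:login srcip:$1
NEXT
id=8677
name=This Cisco PIX firewall is experiencing 100 percent CPU utilization.
match=%PIX
match=ion
match=-211003: CPU utilization
match=CPU
log=event:CiscoPIX-High_CPU type:error
NEXT
# 111008: "User 'X' executed the 'Y' command". Only the user is
# captured; the command itself is not, so configuration-change auditing
# has to go back to the raw log line for what was run.
id=8678
name=This Cisco PIX firewall has had a successful configuration modification.
match=%PIX
match=ser
match=-111008: User
match=ecu
match=ed
match= executed the
match=an
match=command
regex=User '?([^' ]+)
log=event:CiscoPIX-Config_Modification type:system user:$1
NEXT
# 106101: deny-flow cache full. No fields are captured because the
# message is a device-wide condition rather than a single flow.
id=8679
name=This Cisco PIX firewall has reached its limit of tracked deny flows. This could mean your network is experiencing a denial of service attack, a large network scan, a worm outbreak or a large increase in network activity.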
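match=%PIX
match=lo
match=log
match=CL
match=ed
match=-106101 The number of ACL log deny-flows has reached limit
log=event:CiscoPIX-Potential_DOS_Attack type:dos
##########################
# MALICIOUS CONTENT LOGS #
##########################
NEXT
# 702302: IPsec anti-replay window rollover (description corrected from
# "reply" to "replay" -- it is the anti-replay counter that rolled over).
id=8680
name=This Cisco PIX firewall has detected a replay attack.
match=%PIX
match=ol
match=lo
match=ed
match=-702302: replay rollover detected
match=ect
log=event:CiscoPIX-VPN_Rollover type:intrusion
NEXT
id=8681
name=This Cisco PIX firewall has detected a PPTP de-synchronization event.
match=%PIX
match=TP
match=ate
match=ce
match=ed
match=-603101: PPTP received out of seq or duplicate pkt,
log=event:CiscoPIX-PPTP_Out_Of_Sequence_Packet type:error
NEXT
# 410001 family: DNS guard length checks. No addresses are captured;
# proto/port are fixed to UDP/53 by the nature of the message.
id=8682
name=This Cisco PIX firewall has detected and blocked a potential DNS buffer overflow attack.
match=%PIX
match=ack
match=le
match=ed
match=-410001: UDP DNS packet dropped due to domainname length check of 255 bytes: actual length:
match=pp
log=event:CiscoPIX-DNS_Overflow type:intrusion proto:17 dstport:53
NEXT
# NOTE(review): this variant has no space after "-410001:" while 8682
# has one. If the device emits the space for every 410001 message this
# signature never fires -- check against a live sample.
id=8683
name=This Cisco PIX firewall has detected and blocked a potential DNS buffer overflow attack.
match=%PIX
match=ack
match=le
match=ed
match=-410001:UDP DNS packet dropped due to label length check of 63 bytes actual length:
match=pp
log=event:CiscoPIX-DNS_Overflow type:intrusion proto:17 dstport:53
NEXT
id=8684
name=This Cisco PIX firewall has detected and blocked a potential DNS buffer overflow attack.
match=-410001:
match=UDP
match=ack
match=packet
match=DNS
match=ed
match=packet dropped due
match=le
match=to packet length check of
match=pp
match=%PIX
match=bytes: actual length:
log=event:CiscoPIX-DNS_Overflow type:intrusion proto:17 dstport:53
NEXT
id=8685
name=This Cisco PIX firewall has detected and blocked a potential DNS buffer overflow attack.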
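match=%PIX
match=ack
match=-410001:UDP DNS packet
match=ion
match=le
match=ed
match=ss
match=dropped due to compression length check of
match=UDP
match=packet
match=DNS
match=pp
match=bytes: actual length:
log=event:CiscoPIX-DNS_Overflow type:intrusion proto:17 dstport:53
NEXT
# 407002: embryonic (half-open) connection limit hit -- SYN-flood style
# indicator. The "\S*" after each address drops an attached "/port".
id=8686
name=This Cisco PIX firewall has detected a potential denial of service attack.
match=%PIX
match=-407002: Embryonic limit
match=ion
match=ce
match=ed
match=for through connections exceeded.
match=ect
match=onnect
match=onnection
regex=exceeded. +([^/ ]+)\S* to ([^/ ]+)\S*
log=event:CiscoPIX-DOS_Attack type:dos srcip:$1 dstip:$2
NEXT
# 406002: FTP PORT command naming a third-party address (bounce).
id=8687
name=This Cisco PIX firewall has detected a potential FTP attack.
match=%PIX
match=ent
match=TP
match=ss
match=-406002: FTP port command different address:
match=an
regex=address: ([^ (]+)\([^)]+\) to ([^ ]+) on
log=event:CiscoPIX-FTP_Port_Rewrite type:intrusion srcip:$1 dstip:$2
NEXT
id=8688
name=This Cisco PIX firewall has detected a potential FTP attack which uses a target FTP server to perform a port scan of a second system.
match=%PIX
match=TP
match=lo
match=-406001: FTP port command low port:
match=an
regex=%PIX-\d-406001: FTP port command low port: *([^ /]+)/([0-9]{1,5}) to ([^ ]+) on
log=event:CiscoPIX-FTP_Low_Port type:intrusion srcip:$1 srcport:$2 dstip:$3
NEXT
# 405001: ARP collision. Covers both "request" and "response" forms;
# the captured IP is the colliding address, not the MAC.
id=8689
name=This Cisco PIX firewall has detected a layer two collision of MAC addresses. This could be an attempt to subvert traffic by modifying the ARP table, but can also be caused by having two systems with identical IP addresses.
match=%PIX
match=ce
match=ed
match=-405001: Received ARP re
match=ol
match=rom
match=ion
match=collision from
regex=%PIX-\d-405001: Received ARP re(?:quest|sponse) collision from ([^ /]+)/
log=event:CiscoPIX-ARP_Poison type:error srcip:$1
NEXT
# 403109: note the message prints dest before src, hence dstip:$1 srcip:$2.
id=8690
name=This Cisco PIX firewall has detected a spoofed PPTP packet.
match=%PIX
match=est
match=TP
match=ack
match=ss
match=-403109: Rec'd packet not an PPTP packet. (ip) dest_address=
match=an
regex=dest_address= ([^,]+), src_addr= ([^,]+),
log=event:CiscoPIX-Spoofed_PPTP_Packet type:firewall dstip:$1 srcip:$2
NEXT
# 402103: IPsec identity mismatch; same dest-before-src order as 8690.
id=8691
name=This Cisco PIX firewall has detected a mis-match with an IPSEC packet. This is most likely a mis-configuration of your VPN.
match=%PIX
match=ent
match=est
match=ate
match=ed
match=ty
match=ss
match=-402103: identity doesn't match negotiated identity (ip) dest_address=
regex=dest_address= ([^,]+), src_addr= ([^,]+), prot= *(\d+)
log=event:CiscoPIX-Spoofed_IPSEC_Packet type:error dstip:$1 srcip:$2 proto:$3
NEXT
# 402102: $1 is AH/ESP (unused), $2 the dotted-quad destination; $3 is
# the inner repetition group and is intentionally not referenced.
id=8692
name=This Cisco PIX firewall has detected a mis-match with an IPSEC packet. This is most likely a mis-configuration of your VPN.
match=%PIX
match=ack
match=ate
match=ing
match=ss
match=-402102: decapsulate: packet missing
regex=%PIX-\d-402102: decapsulate: packet missing (AH|ESP), destadr=([0-9]+(\.[0-9]+){3}),
log=event:CiscoPIX-Spoofed_IPSEC_Packet type:error dstip:$2
NEXT
id=8693
name=This Cisco PIX firewall has detected an invalid destination for an ICMP error.
match=%PIX
match=est
match=rr
match=ion
match=-313003: Invalid destination for ICMP error
match=MP
match=ICMP
log=event:CiscoPIX-Invalid_ICMP_Error_Destination type:firewall
NEXT
# 312001 / 10700[12]: RIP header, auth or packet failures; all three
# share the Invalid_RIP_Header event.
id=8694
name=This Cisco PIX firewall has detected an illegal RIP routing traffic.
match=%PIX
match=ail
match=rom
match=le
match=ed
match=-312001: RIP hdr failed from
regex=from ([^:]+):
log=event:CiscoPIX-Invalid_RIP_Header srcip:$1 type:firewall
NEXT
id=8695
name=This Cisco PIX firewall has detected an illegal RIP routing traffic.
match=%PIX
match=-10700
regex=%PIX-\d-10700[12]: RIP (?:auth|pkt) failed from ([^:]+):
log=event:CiscoPIX-Invalid_RIP_Header srcip:$1 type:firewall
NEXT
id=8696
name=This Cisco PIX firewall has detected a potential administration session hijack attempt.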
match=%PIX
match=rom
match=ion
match=ing
match=ss
match=-214001: Terminating manager session from
match=ed
match=pt
match=Reason: incoming encrypted data
match=lo
match=longer than
match=an
regex=session from ([^ ]+) on interface
log=event:CiscoPIX-Potential_Manager_Session_Attack srcip:$1 type:intrusion
NEXT
# 212005: oversized SNMP request discarded. No regex, so the requester's
# address is not recorded even though the message names it -- worth
# adding a capture once the exact message layout is confirmed.
id=8697
name=This Cisco PIX firewall has detected and blocked a potential SNMP buffer overflow attack.
match=%PIX
match=est
match=ing
match=-212005: incoming SNMP request
match=MP
match=SNMP
match=ar
match=ce
match=ed
match=exceeds data buffer size, discarding this SNMP request.
log=event:CiscoPIX-Potential_SNMP_Overflow_Attempt type:intrusion
NEXT
# 209003-209005: fragment-reassembly limits. All three share the
# "src = A, dest = B, proto = N" capture layout.
id=8698
name=This Cisco PIX firewall has detected and blocked an IP fragment that may be part of a denial of service attack or an attempt to bypass detection by a network IDS.
match=%PIX
match=ent
match=ar
match=-209005: Discard IP fragment set with more than
match=an
regex=src = ([^,]+), dest = ([^,]+), proto = ([0-9]{1,3})
log=event:CiscoPIX-IP_Frag_Drop_Too_Many_Elements type:dos srcip:$1 dstip:$2 proto:$3
NEXT
id=8699
name=This Cisco PIX firewall has detected and blocked an IP fragment that may be part of a denial of service attack or an attempt to bypass detection by a network IDS.
match=%PIX
match=ent
match=-209004: Invalid IP fragment, size =
regex=src = ([^,]+), dest = ([^,]+), proto = ([0-9]{1,3})
log=event:CiscoPIX-IP_Frag_Drop_Max_Size_Exceeded type:dos srcip:$1 dstip:$2 proto:$3
NEXT
id=8700
name=This Cisco PIX firewall has detected and blocked an IP fragment that may be part of a denial of service attack or an attempt to bypass detection by a network IDS.
match=%PIX
match=ent
match=-209003: Fragment database limit of
regex=src = ([^,]+), *dest = ([^,]+), proto = ([0-9]{1,3})
log=event:CiscoPIX-IP_Frag_Database_Exceeded type:dos srcip:$1 dstip:$2 proto:$3
NEXT
#######################################
# WebSense Cisco PIX MESSAGES
#######################################
# 304007: URL-filtering server unreachable. Per the description the PIX
# then fails OPEN and passes all web requests, so this "error" is also a
# policy-bypass condition worth alerting on; 304008 (8702) closes it.
id=8701
name=This Cisco PIX firewall can not communicate with the URL server and is now allowing all web requests.
match=%PIX
match=ing
match=-304007: URL Server not responding
match=URL
log=event:CiscoPIX-WebSense_URL_Server_Not_Responding type:error
NEXT
id=8702
name=This Cisco PIX firewall can now communicate with the URL server and will now filter all web requests.
match=%PIX
match=-304008: LEAVING ALLOW mode
match=LO
match=AL
log=event:CiscoPIX-Websense_Leaving_Allow_mode type:error
#####################################
# Misc
####################################
NEXT
# 302013/302015 outbound: the PIX prints the "for" side first and that
# is the remote (destination) endpoint for an outbound build, hence
# dstip:$1 / srcip:$3. Compare the inbound forms (8708, 8607) where the
# same groups map to srcip:$1 / dstip:$3. The ".*" skips the "(mapped)"
# address between the two endpoints.
id=8703
name=This Cisco PIX firewall has allowed an outbound TCP session.
match=%PIX
match=ion
match=-302013: Built outbound TCP connection
match=ect
match=onnect
match=onnection
regex=for (?:\S*:)?([^/]+)/([0-9]{1,5}).* to (?:\S*:)?([^/]+)/([0-9]{1,5})
log=event:CiscoPIX-Built_Outbound_TCP_Connection type:connection dstip:$1 dstport:$2 srcip:$3 srcport:$4 proto:6
NEXT
id=8704
name=This Cisco PIX firewall has allowed an outbound UDP session.
match=%PIX
match=ion
match=-302015: Built outbound UDP connection
match=ect
match=onnect
match=onnection
regex=for (?:\S*:)?([^/]+)/([0-9]{1,5}).* to (?:\S*:)?([^/]+)/([0-9]{1,5})
log=event:CiscoPIX-Built_Outbound_UDP_Connection type:connection dstip:$1 dstport:$2 srcip:$3 srcport:$4 proto:17
NEXT
# 106020: overlapping-fragment (teardrop) deny.
id=8705
name=This Cisco PIX firewall has blocked a Tear Drop attack.
match=%PIX
match=ent
match=ar
match=-106020: Deny IP teardrop fragment
regex=from ([^ ]+) to ([^ ]+)
log=event:CiscoPIX-Deny_IP_Teardrop_Fragment type:dos srcip:$1 dstip:$2
NEXT
id=8706
name=This Cisco PIX firewall could not build a UDP connection.
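match=%PIX
match=ion
match=-305005: No translation group found for
match=an
# The protocol word following "for" is captured as $1 and emitted as
# proto, so this signature is not UDP-specific; the description now
# reflects that.
regex= (\S+) src (?:\S*:)?([^/]+)/([0-9]{1,5}) dst (?:\S*:)?([^/]+)/([0-9]{1,5})
log=event:CiscoPIX-No_Translation_Group_Found type:firewall srcip:$2 srcport:$3 dstip:$4 dstport:$5 proto:$1
NEXT
# 106021: unicast reverse-path check failure -- a deny, not a failed
# build; description corrected. Such drops are a common spoofing indicator.
id=8707
name=This Cisco PIX firewall denied a UDP packet that failed the reverse path check.
match=%PIX
match=-106021: Deny udp reverse path check
regex=from ([^ ]+) to ([^ ]+)
log=event:CiscoPIX-Deny_UDP_Reverse_Path_Check type:firewall srcip:$1 dstip:$2 proto:17
NEXT
# 302013 inbound: "for" side is the remote source here (see 8703 for
# the outbound mapping).
id=8708
name=This Cisco PIX firewall built an inbound TCP connection.
match=%PIX
match=ion
match=-302013: Built inbound TCP connection
match=ect
match=onnect
match=onnection
regex=for (?:\S*:)?([^/]+)/([0-9]{1,5}).* to (?:\S*:)?([^/]+)/([0-9]{1,5})
log=event:CiscoPIX-Built_Inbound_TCP_Connection type:connection srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6
NEXT
id=8709
# Note, also see ID 8621
# 304001 with a client address: "!: Accessed URL" excludes the form that
# has no client before "Accessed", which 8621 handles.
name=This Cisco PIX firewall logged access to a URL.
match=%PIX
match=-304001:
match=ce
match=ed
match=ss
match=Accessed
match=URL
match=!: Accessed URL
regex=%PIX-\d-304001: ([^ ]+) Accessed (?:JAVA )?URL ([^: ]+)
log=event:CiscoPIX-Accessed_URL type:web-access srcip:$1 dstip:$2
NEXT
# 305011: dynamic (PAT/NAT) translation built; $3/$4 are the mapped side.
id=8601
name=This Cisco PIX has built a dynamic TCP connection.
match=%PIX
match=rom
match=ion
match=-305011: Built dynamic TCP translation from
match=an
regex=from (?:\S*:)?([^/]+)/([0-9]{1,5}) to (?:\S*:)?([^/]+)/([0-9]{1,5})
log=event:CiscoPIX-Built-Dynamic_TCP_Translation srcip:$1 srcport:$2 dstip:$3 dstport:$4 type:connection proto:6
NEXT
id=8602
name=This Cisco PIX has torn down a TCP connection.
match=%PIX
match=ion
match=ar
match=-302014: Teardown TCP connection
match=ect
match=onnect
match=onnection
regex= for (?:\S*:)?([^/]+)/([0-9]{1,5}) to (?:\S*:)?([^/]+)/([0-9]{1,5})
log=event:CiscoPIX-Teardown_TCP_Connection srcip:$1 srcport:$2 dstip:$3 dstport:$4 type:connection proto:6
NEXT
id=8603
name=This Cisco PIX has torn down a localhost connection.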
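match=-609002:
match=%PIX
regex=Teardown local-host (?:\S*:)?([^ ]+)
log=event:CiscoPIX-Teardown_LocalHost srcip:$1 type:connection
NEXT
# 305012: teardown of a dynamic translation. Previously only the message
# id was matched while proto:6 was hard-coded, so UDP and ICMP
# translation teardowns were emitted as TCP; the added match keeps this
# signature to the TCP form its event name and proto describe. UDP/ICMP
# teardowns are not covered by this file.
id=8604
name=This Cisco PIX has torn down a dynamic TCP connection.
match=%PIX
match=-305012:
match=dynamic TCP translation
regex=from (?:\S*:)?([^/]+)/([0-9]{1,5}) to (?:\S*:)?([^/]+)/([0-9]{1,5})
log=event:CiscoPIX-Teardown_Dynamic_TCP_Translation srcip:$1 srcport:$2 dstip:$3 dstport:$4 type:connection proto:6
NEXT
id=8605
# Note, also see ID 8622
name=This Cisco PIX firewall denied access to a URL.
match=%PIX
match=ce
match=ed
match=ss
match=-304002: Access denied URL
match=URL
regex=SRC ([^ ]+) DEST ([^ ]+)
log=event:CiscoPIX-Accessed_Denied_URL type:web-error srcip:$1 dstip:$2
NEXT
id=8606
name=This Cisco PIX firewall has torn down a UDP connection.
match=%PIX
match=ion
match=ar
match=-302016: Teardown UDP connection
match=ect
match=onnect
match=onnection
regex=for (?:\S*:)?([^/]+)/([0-9]{1,5}) to (?:\S*:)?([^/]+)/([0-9]{1,5})
log=event:CiscoPIX-Teardown_UDP_Connection srcip:$1 srcport:$2 dstip:$3 dstport:$4 type:connection proto:17
NEXT
# 302015 inbound: same endpoint mapping as 8708.
id=8607
name=This Cisco PIX firewall has built an inbound UDP connection.
match=%PIX
match=ion
match=-302015: Built inbound UDP connection
match=ect
match=onnect
match=onnection
regex=for (?:\S*:)?([^/]+)/([0-9]{1,5}).* to (?:\S*:)?([^/]+)/([0-9]{1,5})
log=event:CiscoPIX-Built_inbound_UDP_Connection type:connection srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:17
NEXT
id=8608
name=This Cisco PIX firewall has built a dynamic UDP connection.
match=%PIX
match=rom
match=ion
match=-305011: Built dynamic UDP translation from
match=an
regex=from (?:\S*:)?([^/]+)/([0-9]{1,5}) to (?:\S*:)?([^/]+)/([0-9]{1,5})
log=event:CiscoPIX-Built-Dynamic_UDP_Translation srcip:$1 srcport:$2 dstip:$3 dstport:$4 type:connection proto:17
NEXT
id=8609
name=This Cisco PIX firewall has built a dynamic ICMP connection.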
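match=%PIX
match=rom
match=ion
match=-305011: Built dynamic ICMP translation from
match=an
match=ICMP
match=MP
regex=from (?:\S*:)?([^/]+)/([0-9]{1,5}) to (?:\S*:)?([^/]+)/([0-9]{1,5})
# $2 was emitted as a second "srcip" (duplicate key); it is the port
# field of the from-pair, as in 8601/8608, so it is recorded as srcport.
log=event:CiscoPIX-Built-Dynamic_ICMP_Translation srcip:$1 srcport:$2 dstip:$3 dstport:$4 type:connection proto:1
NEXT
# 106011 (no xlate) UDP: this is a deny, so it is typed "firewall" like
# its TCP/ICMP siblings 8632/8633 (it was "connection", which hid these
# drops from firewall-deny reporting). srcport:$2 is now recorded too.
id=8610
name=This Cisco PIX firewall has denied an inbound UDP session.
match=%PIX
match=ate
match=-106011: Deny inbound (No xlate) udp src
regex=src (?:\S*:)?([^/]+)/([0-9]+) dst (?:\S*:)?([^/]+)/([0-9]+)
log=event:CiscoPIX-Blocked_Inbound_UDP_Noxlate proto:17 srcip:$1 srcport:$2 dstip:$3 dstport:$4 type:firewall
NEXT
id=8611
name=This Cisco PIX firewall has built a local-host network connection.
match=%PIX
match=lo
match=-609001: Built local-host
regex=local-host (?:\S*:)?([^ ]+)
log=event:CiscoPIX-Built_Local_Host srcip:$1 type:connection
NEXT
# 106013: echo request dropped. The description was a copy of 8611's
# ("built a local-host connection") and the type was "connection"; both
# corrected to describe a drop. $2 is whatever follows "address".
id=8612
name=This Cisco PIX firewall dropped an ICMP echo request.
match=%PIX
match=est
match=rom
match=ing
match=-106013: Dropping echo request from
match=pp
regex=from ([^ ]+) .* address ([^ ]+)
log=event:CiscoPIX-Dropping_Echo_Request srcip:$1 dstip:$2 type:firewall
NEXT
# 303002: FTP/HTTP retrieve-or-store log. NOTE(review): the greedy ".*"
# makes $2 the last colon-terminated token on the line; confirm with a
# sample that this is the server address and not part of the file path.
id=8613
name=This Cisco PIX firewall has logged a file transfer via FTP or WEB access.
match=%PIX
match=-303002:
regex=%PIX-\d-303002: +([^ ]+) .* ([^:]+):
log=event:CiscoPIX-Retrieved_Or_Stored srcip:$1 dstip:$2 type:file-access
NEXT
id=8614
name=This Cisco PIX firewall has logged the number of and most used amount of TCP session.
match=%PIX
match=-302010:
log=event:CiscoPIX-In_Use_Most_used type:system
NEXT
id=8615
name=This Cisco PIX firewall has built a network translation connection.
match=%PIX
match=-305009:
regex=from (?:\S*:)?([^ ]+) to (?:\S*:)? *([^ ]+)
log=event:CiscoPIX-Built_Static_Translation srcip:$1 dstip:$2 type:connection
NEXT
id=8616
name=This Cisco PIX firewall has detected and stopped a spoofed IP packet attack.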
# 106016 IP spoof denied: group 1 is the parenthesised spoofed source, group 2 the destination.
match=%PIX
match=-106016:
regex=from \(([^)]+)\) to ([^ ]+)
log=event:CiscoPIX-Deny_IP_Spoof srcip:$1 dstip:$2 type:firewall
NEXT
id=8618
# 305006 translation creation failure. Group 1 is the token that precedes "src" and is
# logged as proto:$1 verbatim; unlike the fixed proto:6/17 values used elsewhere in this
# library it is whatever text the firewall printed, so confirm LCE accepts a non-numeric
# protocol there. Note the regex value intentionally begins with a space.
name=This Cisco PIX firewall has detected a portmap translation failure.
match=%PIX
match=-305006:
match=translation creation failed for
regex= (\S+) src (?:\S+:)?([^/]+)/([0-9]+) dst (?:\S+:)?([^/]+)/([0-9]+)
log=event:CiscoPIX-Translation_Creation_Failure srcip:$2 srcport:$3 dstip:$4 dstport:$5 type:firewall proto:$1
NEXT
id=8619
# 110001 "No route to X from Y": group 1 is the unreachable destination, group 2 the source,
# hence the swapped $2/$1 assignment below.
name=This Cisco PIX firewall has detected no route.
match=%PIX
match=-110001:
match=No route to
regex=to ([^ ]+) from ([^ ]+)
log=event:CiscoPIX-No_Route srcip:$2 dstip:$1 type:error
NEXT
id=8620
# 304006: group 1 is the address of the URL server that stopped responding; it is stored
# in srcip because that is the only host in the message.
name=This Cisco PIX firewall has detected a URL Server not responding.
match=%PIX
match=-304006:
regex=URL Server ([^ ]+) not responding
match=URL
log=event:CiscoPIX-URL_Server_Not_Responding srcip:$1 type:error
NEXT
id=8621
# Note, also see ID 8709
# 304001 "Accessed URL": only the host part of the URL (up to the first ":") is captured
# as dstip; the requesting client is not extracted by this regex.
name=This Cisco PIX firewall logged access to a URL.
match=%PIX
match=-304001:
match=ce
match=ed
match=ss
match=: Accessed URL
match=URL
regex=URL ([^:]+):
log=event:CiscoPIX-Accessed_URL type:web-access dstip:$1
NEXT
id=8622
# Note, also see ID 8605
# Variant of 304001 with "Denied Access URL"; same capture as 8621 (dstip only).
name=This Cisco PIX firewall denied access to a URL.
match=%PIX
match=ce
match=ed
match=ss
match=-304001: Denied Access URL
match=URL
regex=URL ([^:]+):
log=event:CiscoPIX-Accessed_Denied_URL type:web-error dstip:$1
NEXT
id=8623
# 106100 ACL hit, permitted TCP. The "iface/" prefix before each address is skipped; the
# port is the parenthesised number after the address.
name=This Cisco PIX firewall ACL has permitted a TCP connection.
match=%PIX-
match=ce
match=ss
match=-106100: access-list
match=acc
match=tcp
match=permitted tcp
regex=tcp \S+/([^(]+)\(([0-9]+)\) *-> \S+/([^(]+)\(([0-9]+)\)
log=event:CiscoPIX-ACL_TCP_Allow type:connection srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6
NEXT
id=8624
name=This Cisco PIX firewall ACL has denied a TCP connection.
# 106100 ACL hit, denied TCP; same capture layout as the permitted-TCP signature 8623.
match=%PIX-
match=ce
match=ss
match=-106100: access-list
match=acc
match=tcp
match=denied tcp
regex=tcp \S+/([^(]+)\(([0-9]+)\) *-> \S+/([^(]+)\(([0-9]+)\)
log=event:CiscoPIX-ACL_TCP_Deny type:firewall srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6
NEXT
id=8625
# 106100 ACL hit, permitted UDP.
name=This Cisco PIX firewall ACL has permitted a UDP connection.
match=%PIX-
match=ce
match=ss
match=-106100: access-list
match=acc
match=udp
match=permitted udp
regex=udp \S+/([^(]+)\(([0-9]+)\) *-> \S+/([^(]+)\(([0-9]+)\)
log=event:CiscoPIX-ACL_UDP_Allow type:connection srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:17
NEXT
id=8600
# 106100 ACL hit, denied UDP. The id is out of sequence with its 8623-8625 siblings;
# it is left unchanged because signature ids must stay stable for existing reports.
name=This Cisco PIX firewall ACL has denied a UDP connection.
match=%PIX-
match=ce
match=ss
match=-106100: access-list
match=acc
match=udp
match=denied udp
regex=udp \S+/([^(]+)\(([0-9]+)\) *-> \S+/([^(]+)\(([0-9]+)\)
log=event:CiscoPIX-ACL_UDP_Deny type:firewall srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:17
NEXT
id=15325
# 111007 "Begin configuration": administrative activity, no fields are extracted.
name=This Cisco PIX firewall detected the start of a config terminal session.
match=%PIX-
match=config
match=ation
match=-111007: Begin configuration
match=gi
match=in
log=event:CiscoPIX-Config_Begin type:system
NEXT
id=15326
# 111009 command executed. Group 1 is the user name after "User" with an optional opening
# quote stripped; the capture stops at the first quote or space. The command text after
# "cmd:" is not captured, so the event records who, not what.
name=This Cisco PIX firewall logged a user executing a command.
match=%PIX-
match=Use
match=ecu
match=-111009: User
match=ex
match=cmd
match=executed cmd:
regex=User '?([^' ]+)
log=event:CiscoPIX-Command_Executed type:system user:$1
NEXT
id=15327
# 106023 "Deny protocol ..." (non tcp/udp/icmp denials). Group 1 is the token after
# "protocol" and is logged as proto:$1 verbatim. Ports are not captured because the src/dst
# groups stop at the first space. The optional interface prefix here is "[^:]+:" rather than
# the "\S*:" used by the other signatures, so it can span spaces if the prefix is absent
# and a ":" appears later on the line -- TODO confirm real messages always carry the prefix.
name=This Cisco PIX firewall has denied traffic based on an ACL.
match=%PIX-
match=Deny
match=protocol
match=-106023: Deny protocol
match=access
match=group
match=src
match=dst
regex=protocol (\S+) src (?:[^:]+:)?([^ ]+) dst (?:[^:]+:)?([^ ]+)
log=event:CiscoPIX-ACL_Deny type:firewall srcip:$2 dstip:$3 proto:$1
NEXT
id=15328
name=This Cisco PIX firewall detected a non-IPSEC packet when an IPSEC packet was expected.
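# 402106 non-IPSEC packet received. The regex captures dest_addr FIRST ($1) and src_addr
# SECOND ($2); the log line previously mapped srcip:$1 dstip:$2, which swapped the two
# addresses in every event. Group 3 is the text after "prot=" and is logged as proto:$3
# verbatim, as with the proto:$1 in 8618.
match=%PIX-
match=IPSEC
match=src
match=-402106: Rec'd packet not an IPSEC packet
match=pro
match=addr
match=dest
regex=dest_addr= ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), src_addr= ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), prot= (\S+)
log=event:CiscoPIX-Non_IPSEC_Packet_Received type:firewall srcip:$2 dstip:$1 proto:$3
NEXT
id=15329
# 500004 invalid transport field. Group 1 is the numeric IP protocol after "protocol=";
# groups 2-5 are src host/port and dst host/port. Unlike most signatures here the addresses
# are not preceded by an optional "iface:" prefix in this regex.
name=This Cisco PIX firewall detected an invalid transport field.
match=%PIX-
match=proto
match=trans
match=-500004: Invalid transport field for protocol
match=from
match=Invalid
match=port
regex=protocol=(\d+), from ([^/]+)/([0-9]+) to ([^/]+)/([0-9]+)
log=event:CiscoPIX-Invalid_Transport type:firewall srcip:$2 srcport:$3 dstip:$4 dstport:$5 proto:$1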