#
# Copyright 2004-2014 Tenable Network Security
# This library may only be used with the LCE server and may not
# be used with other products or open source projects
#
# NAME: 
# Cisco PIX Firewall 
#
# DESCRIPTION:
# This library is used to process logs from the Cisco PIX firewall 
# which are sent via SYSLOG. The SYSLOG messages must be sent either 
# directly to the LCE server, or to a UNIX server running a LCE 
# client which is 'tailing' a SYSLOG file on that system. The library 
# includes facilities to detect traffic which has been denied, traffic 
# which has been detected, malicious traffic and administration traffic. 
# 
# TUNING:
# Tenable customers who wish to tune this library may choose to 
# comment out various portions of the library. For example, they may wish 
# to only log TCP deny traffic. When adding and deleting signatures, ensure
# that each active signature is separated by a 'NEXT' separator.
#
#
###################################################################
#
# Caution: Do not run this library if you are running the
# firewall_cisco_pix_realname.prm library
#
###################################################################
#
# LAST UPDATE: $Date$

################
# DENY TRAFFIC #
################

id=8626
# Message 106006 - inbound UDP denied. The match= lines appear to be literal
# substrings that must all be present before the regex is applied (inferred
# from the file layout; confirm against the LCE PRM reference).
# Captures: $1 src ip, $2 src port, $3 dst ip, $4 dst port; proto:17 is fixed.
name=This Cisco PIX firewall denied inbound UDP traffic.
match=%PIX
match=rom
match=-106006: Deny inbound UDP from
regex=from ([^/]+)/([0-9]+) to ([^/]+)/([0-9]+)
log=event:CiscoPIX-Blocked_UDP srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:17 type:firewall

NEXT

id=8627
# Message 106001 - inbound TCP connection denied. Same capture layout as
# 8626 ($1/$2 src ip/port, $3/$4 dst ip/port); proto:6 is fixed.
name=This Cisco PIX firewall denied inbound TCP traffic.
match=%PIX
match=rom
match=ion
match=ed
match=-106001: Inbound TCP connection denied from
match=ect
match=onnect
match=onnection
regex=from ([^/]+)/([0-9]+) to ([^/]+)/([0-9]+)
log=event:CiscoPIX-Blocked_TCP srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:firewall

NEXT

id=8628
# Message 313001 - ICMP denied. Only the source address ($1, after "from") is
# logged; the ICMP type/code are matched but not captured.
name=This Cisco PIX firewall denied inbound ICMP packets.
match=%PIX
match=MP
match=ICMP
match=ed
match=ty
match=-313001: Denied ICMP type=
regex=type=[0-9]{1,3}, code=[0-9]{1,3} from ([^ ]+) on
log=event:CiscoPIX-Blocked_ICMP srcip:$1 proto:1 type:firewall

NEXT

id=8629
# Message 106023 (udp). The optional "(?:\S*:)?" skips a "name:" prefix in
# front of each address, if one is present, so $1/$3 hold the bare ip.
name=This Cisco PIX firewall denied inbound UDP packets.
match=%PIX
match=-106023: Deny udp src
regex=src (?:\S*:)?([^/]+)/([0-9]+) dst (?:\S*:)?([^/]+)/([0-9]+)
log=event:CiscoPIX-Blocked_UDP proto:17 srcip:$1 srcport:$2 dstip:$3 dstport:$4 type:firewall

NEXT

id=8630
# Message 106023 (tcp). Same regex as 8629; proto:6 is fixed by the rule.
name=This Cisco PIX firewall denied a TCP connection.
match=%PIX
match=cp
match=-106023: Deny tcp src
regex=src (?:\S*:)?([^/]+)/([0-9]+) dst (?:\S*:)?([^/]+)/([0-9]+)
log=event:CiscoPIX-Blocked_TCP proto:6 srcip:$1 srcport:$2 dstip:$3 dstport:$4 type:firewall

NEXT

id=8631
# Message 106023 (icmp). No ports in the message, so only src/dst ip are captured.
name=This Cisco PIX firewall denied an ICMP query.
match=%PIX
match=-106023: Deny icmp src
regex=src (?:\S*:)?([^ ]+) dst (?:\S*:)?([^ ]+)
log=event:CiscoPIX-Blocked_ICMP srcip:$1 dstip:$2 proto:1 type:firewall

NEXT

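id=8632
# Message 106011 "Deny inbound (No xlate) tcp". The regex captures
# $1/$2 src ip/port and $3/$4 dst ip/port. srcport:$2 is now logged as well:
# it was captured but omitted from the log line, unlike the other TCP deny
# rules (8630, 8635), which left the event without a source port.
name=This Cisco PIX firewall denied inbound TCP traffic.
match=%PIX
match=cp
match=ate
match=-106011: Deny inbound (No xlate) tcp src
regex=src (?:\S*:)?([^/]+)/([0-9]+) dst (?:\S*:)?([^/]+)/([0-9]+)
log=event:CiscoPIX-Blocked_Inbound_TCP_Noxlate proto:6 srcip:$1 srcport:$2 dstip:$3 dstport:$4 type:firewall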

NEXT

id=8633
# Message 106011 "Deny inbound (No xlate) icmp". Captures src/dst ip only.
# "nbound" in the name is a typo for "inbound" (left as-is; the name is
# displayed text).
name=This Cisco PIX firewall denied nbound ICMP traffic.
match=%PIX
match=ate
match=-106011: Deny inbound (No xlate) icmp src
regex=src (?:\S*:)?([^ ]+) dst (?:\S*:)?([^ ]+)
log=event:CiscoPIX-Blocked_Inbound_ICMP_Noxlate proto:1 srcip:$1 dstip:$2 type:firewall

NEXT

id=8634
# Message 106010 (udp). The "\/" in the regex is just an escaped slash and is
# equivalent to the bare "/" used by 8629.
name=This Cisco PIX firewall denied inbound UDP traffic.
match=%PIX
match=-106010: Deny inbound udp src
regex=src (?:\S*:)?([^/]+)\/([0-9]+) dst (?:\S*:)?([^/]+)\/([0-9]+)
log=event:CiscoPIX-Blocked_UDP srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:17 type:firewall

NEXT

id=8635
# Message 106010 (tcp). Same layout as 8634; proto:6 is fixed.
name=This Cisco PIX firewall denied inbound TCP traffic.
match=%PIX
match=cp
match=-106010: Deny inbound tcp src
regex=src (?:\S*:)?([^/]+)\/([0-9]+) dst (?:\S*:)?([^/]+)\/([0-9]+)
log=event:CiscoPIX-Blocked_TCP srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:firewall

NEXT

id=8636
# Message 106010 (icmp). Src/dst ip only.
name=This Cisco PIX firewall denied inbound ICMP traffic.
match=%PIX
match=-106010: Deny inbound icmp src
regex=src (?:\S*:)?([^ ]+) dst (?:\S*:)?([^ ]+)
log=event:CiscoPIX-Blocked_ICMP srcip:$1 dstip:$2 proto:1 type:firewall

NEXT

id=8637
# Message 106014 (icmp deny). Same captures and event as 8636.
name=This Cisco PIX firewall denied inbound ICMP traffic.
match=%PIX
match=-106014: Deny inbound icmp src
regex=src (?:\S*:)?([^ ]+) dst (?:\S*:)?([^ ]+)
log=event:CiscoPIX-Blocked_ICMP proto:1 srcip:$1 dstip:$2 type:firewall

NEXT

id=8638
# Message 106012 - IP packet with IP options denied. $1 src ip, $2 dst ip.
# NOTE(review): the regex ends in a comma followed by two spaces. Unless the
# parser trims trailing whitespace or the message really has two spaces there,
# this regex will never match - confirm against a live log line.
name=This Cisco PIX firewall denied IP packets with options such as source routing.
match=%PIX
match=rom
match=-106012: Deny IP from
match=ion
match=pt
match=, IP options
regex=from ([^ ]+) to ([^ ]+),  
log=event:CiscoPIX-Blocked_IP_Options srcip:$1 dstip:$2 type:firewall

NEXT

id=8639
# Message 710003 - TCP denied by ACL. Ports are limited to 1-5 digits here,
# whereas the 106xxx rules above accept any digit run.
name=This Cisco PIX firewall denied a TCP connection attempt. 
match=%PIX
match=CL
match=rom
match=ce
match=ed
match=ss
match=-710003: TCP access denied by ACL from
regex=from (?:\S*:)?([^/]+)/([0-9]{1,5}) to (?:\S*:)?([^/]+)/([0-9]{1,5})
log=event:CiscoPIX-Blocked_TCP proto:6 srcip:$1 srcport:$2 dstip:$3 dstport:$4 type:firewall

NEXT

id=8640
# Message 710003 - UDP denied by ACL. Same regex as 8639; proto:17 is fixed.
name=This Cisco PIX firewall denied a UDP session.
match=%PIX
match=CL
match=rom
match=ce
match=ed
match=ss
match=-710003: UDP access denied by ACL from
regex=from (?:\S*:)?([^/]+)/([0-9]{1,5}) to (?:\S*:)?([^/]+)/([0-9]{1,5})
log=event:CiscoPIX-Blocked_UDP proto:17 srcip:$1 srcport:$2 dstip:$3 dstport:$4 type:firewall

NEXT

id=8641
# Message 710005 - UDP request discarded. Unlike 8640, the dst port group
# allows letters ([0-9a-zA-Z]{1,5}), so dstport:$4 may carry a short service
# name rather than a number - verify that downstream consumers accept that.
name=This Cisco PIX firewall denied a UDP session.
match=%PIX
match=est
match=rom
match=ar
match=ed
match=-710005: UDP request discarded from
regex=from (?:\S*:)?([^/]+)/([0-9]{1,5}) to (?:\S*:)?([^/]+)/([0-9a-zA-Z]{1,5})
log=event:CiscoPIX-Blocked_UDP proto:17 srcip:$1 srcport:$2 dstip:$3 dstport:$4 type:firewall

NEXT

id=8642
# Message 106015 - TCP packet denied because no connection exists.
# $1/$2 src ip/port, $3/$4 dst ip/port.
name=This Cisco PIX firewall denied a TCP session.
match=%PIX
match=rom
match=ion
match=-106015: Deny TCP (no connection) from
match=ect
match=onnect
match=onnection
regex=from (?:\S*:)?([^/]+)/([0-9]{1,5}) to (?:\S*:)?([^/]+)/([0-9]{1,5})
log=event:CiscoPIX-Blocked_TCP proto:6 srcip:$1 srcport:$2 dstip:$3 dstport:$4 type:firewall

NEXT

id=8643
# Message 710005 - TCP request discarded. Numeric dst port only (compare 8641).
name=This Cisco PIX firewall discarded a TCP session.
match=%PIX
match=est
match=rom
match=ar
match=ed
match=-710005: TCP request discarded from
regex=from (?:\S*:)?([^/]+)/([0-9]{1,5}) to (?:\S*:)?([^/]+)/([0-9]{1,5})
log=event:CiscoPIX-Blocked_TCP proto:6 srcip:$1 srcport:$2 dstip:$3 dstport:$4 type:firewall

NEXT

id=8644
# Message 710006 - request discarded for an IP protocol other than TCP/UDP.
# $1 is the numeric protocol taken from the message and becomes proto:;
# $2 src ip, $3 dst ip.
name=This Cisco PIX firewall blocked a packet based on its IP protocol.
match=%PIX
match=-710006:
regex=: (\d+) request discarded from (?:\S*:)?([^ ]+) to (?:\S*:)?([^ ]+)
log=event:CiscoPIX-Blocked_Protocol proto:$1 srcip:$2 dstip:$3 type:firewall

##################
# ACCEPT TRAFFIC #
##################

NEXT

id=8645
# Message 710002 - TCP access permitted (to the firewall itself, per Cisco's
# wording of 710002; confirm). Logged as type:connection, not firewall.
name=This Cisco PIX firewall allowed a TCP connection.
match=%PIX
match=rom
match=ce
match=ed
match=ss
match=-710002: TCP access permitted from
regex=from (?:\S*:)?([^/]+)/([0-9]{1,5}) to (?:\S*:)?([^/]+)/([0-9]{1,5})
log=event:CiscoPIX-Allowed_TCP proto:6 srcip:$1 srcport:$2 dstip:$3 dstport:$4 type:connection

NEXT

id=8646
# Message 710002 - UDP access permitted. Same regex as 8645; proto:17 is fixed.
name=This Cisco PIX firewall allowed a UDP connection.
match=%PIX
match=rom
match=ce
match=ed
match=ss
match=-710002: UDP access permitted from
regex=from (?:\S*:)?([^/]+)/([0-9]{1,5}) to (?:\S*:)?([^/]+)/([0-9]{1,5})
log=event:CiscoPIX-Allowed_UDP proto:17 srcip:$1 srcport:$2 dstip:$3 dstport:$4 type:connection


#######################
# AUTHENTICATION LOGS #
#######################

NEXT

id=8647
# Message 611103 - user logged out. No regex: the "Uname:" value in the
# message is not extracted, so the logout event carries no user field.
name=This Cisco PIX firewall had a valid user logout.
match=%PIX
match=lo
match=log
match=ser
match=ed
match=-611103: User logged out: Uname:
log=event:CiscoPIX-User_Log_Out type:logout

NEXT

id=8648
# Message 611102 - user authentication failed. As with 8647 the "Uname:"
# value is not captured, so failed logins cannot be grouped by account here.
name=This Cisco PIX firewall had a user fail to complete a valid login.
match=%PIX
match=ent
match=ser
match=ail
match=ion
match=le
match=ed
match=-611102: User authentication failed: Uname:
log=event:CiscoPIX-User_Authentication_Failure type:login-failure

NEXT

id=8649
# Message 611101 - user authentication succeeded. No user field extracted.
name=This Cisco PIX firewall had a valid user login.
match=%PIX
match=ent
match=ser
match=ion
match=ce
match=ed
match=-611101: User authentication succeeded: Uname:
log=event:CiscoPIX-User_Log_In type:login

NEXT

id=8650
# Message 502103 - user privilege level changed. No user or level captured;
# the event only records that a change happened.
name=This Cisco PIX firewall had a valid user change their administration privilege level.
match=%PIX
match=ser
match=le
match=ed
match=-502103: User priv level changed: Uname:
match=an
log=event:CiscoPIX-User_Privilege_Change type:system

NEXT

id=8651
# Message 605005 - login permitted from a network address. The "!serial" and
# "!console" lines look like negated matches that keep serial/console logins
# out of this rule (8652 handles those) - confirm the '!' semantics in the
# PRM reference. $5 is the quoted user name.
# The event name "Admin_Permited" is misspelled but kept: renaming it would
# change the emitted event for anything that keys on it.
name=This Cisco PIX firewall had a valid administrator login.
match=%PIX
match=rom
match=Lo
match=ed
match=-605005: Login permitted from 
match=!serial 
match=!console 
match=ser
match=for user
regex=from (?:\S*:)?([^/]+)/([0-9]{1,5}) to (?:\S*:)?([^/]+)/([0-9]{1,5}) for user "([^"]+)"
log=event:CiscoPIX-Admin_Permited type:login srcip:$1 srcport:$2 dstip:$3 dstport:$4 user:$5

NEXT 

id=8652
# Message 605005 - login permitted on the serial console. No addresses in the
# message; only the quoted user name ($1) is captured.
name=This Cisco PIX firewall had a valid administrator login.
match=%PIX
match=ol
match=le
match=onsole
match=Lo
match=Login
match=ser
match=user
match=rom
match=ed
match=-605005: Login permitted from serial to console for user
regex=for user "([^"]+)"
log=event:CiscoPIX-Admin_Permited_Console type:login user:$1

NEXT

id=8653
# Message 605004 - login denied from a network address (serial/console
# excluded as in 8651). Addresses and ports are captured, but unlike 8651 the
# "for user" value is not, so failed admin logins have no user field.
name=This Cisco PIX firewall had an administrator login failure.
match=%PIX
match=rom
match=Lo
match=ed
match=-605004: Login denied from 
match=!serial 
match=!console 
match=ser
match=for user
match=Login
match=user
regex=from (?:\S*:)?([^/]+)/([0-9]{1,5}) to (?:\S*:)?([^/]+)/([0-9]{1,5})
log=event:CiscoPIX-Admin_Denied type:login-failure srcip:$1 srcport:$2 dstip:$3 dstport:$4

NEXT 

id=8654
# Message 605004 - login denied on the serial console. No regex, no captures.
name=This Cisco PIX firewall had an administrator login failure.
match=%PIX
match=Lo
match=ed
match=-605004: Login denied 
match=ser
match=ol
match=rom
match=le
match=from serial to console for user
match=onsole
match=Login
log=event:CiscoPIX-Admin_Denied_Console type:login-failure

NEXT

id=8655
# Message 603103 - PPP virtual interface AAA authentication. $1 is the token
# after "user:"; the rule does not distinguish success from failure, it is
# always logged as type:login.
name=This Cisco PIX firewall had a user authenticate through a PPP interface.
match=%PIX
match=ce
match=ace
match=-603103: PPP virtual interface
match=ent
match=ion
match=aaa authentication 
match=uthentication 
regex= user: (\S+) aaa
log=event:CiscoPIX-PPP_User_AAA_Status type:login user:$1

NEXT

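id=8656
# Message 315011 - SSH session disconnected, reason "terminated normally".
# $1 is the source address after "from". The user capture now accepts either
# a quoted or a bare name ("?([^" ]+)): the previous (\S+) kept the quotes in
# the user field when the message quotes the name (8651 shows this format
# quotes it), which would not match the unquoted user values logged elsewhere.
name=This Cisco PIX firewall had a network user logged in via SSH disconnect normally.
match=%PIX
match=rom
match=ion
match=ss
match=-315011: SSH session from
match=ser
match=ed
match=disconnected by SSH server, reason: 
match=ect
match=onnect
match=ate
match=terminated normally
regex=from (\S+) .* for user "?([^" ]+)
log=event:CiscoPIX-SSH_Disconnect type:logout srcip:$1 user:$2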

NEXT

id=8657
# Message 315011 with reason "Rejected by server". Only the source address
# ($1) is captured; the name attributes this to a bad password, which the
# message text does not state explicitly - treat as inferred.
name=This Cisco PIX firewall had a network user fail to login via SSH because of a bad password.
match=%PIX
match=rom
match=ion
match=ss
match=-315011: SSH session from
match=ser
match=ed
match=disconnected by SSH server, reason: 
match=onnect
match=ect
match=Rejected by server
regex=SSH session from (\S+) 
log=event:CiscoPIX-SSH_Bad_Password type:login-failure srcip:$1

NEXT

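id=8658
# Message 308001 - "PIX console enable password incorrect for ...". The event
# name (Multiple_Enable_Failures) and the match text describe repeated enable
# password failures; the old name wrongly called this an SSH login failure.
# $1 is the address inside the trailing "(from ...)".
name=This Cisco PIX firewall had a user enter an incorrect enable password multiple times.
match=%PIX
match=ol
match=le
match=onsole
match=-308001: PIX console 
match=rr
match=ss
match=ass
match=enable password incorrect for
match=ect
regex=\(from ([^ )]+)\)
log=event:CiscoPIX-Multiple_Enable_Failures type:login-failure srcip:$1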

NEXT

id=8659
# Message 109008 - authorization denied for user. Addresses/ports are
# captured but the user name is not (8660/8661 capture it for the permitted
# case), so denied events carry no user field.
name=This Cisco PIX firewall had a network user fail to authorize for network access.
match=%PIX
match=ser
match=user
match=ion
match=ed
match=-109008: Authorization denied for user
regex=from (?:\S*:)?([^/]+)/([0-9]{1,5}) to (?:\S*:)?([^/]+)/([0-9]{1,5})
log=event:CiscoPIX-User_Authorization_Denied type:login-failure srcip:$1 srcport:$2 dstip:$3 dstport:$4

NEXT

id=8660
# Message 109007 - authorization permitted. $1 user (token after "for user"),
# $2/$3 src ip/port, $4/$5 dst ip/port.
name=This Cisco PIX firewall had a network user authenticate for network access.
match=%PIX
match=ser
match=user
match=ion
match=ed
match=-109007: Authorization permitted for user
regex=for user ([^ ]*) from (?:\S*:)?([^/]+)/([0-9]{1,5}) to (?:\S*:)?([^/]+)/([0-9]{1,5})
log=event:CiscoPIX-User_Authorization_Allowed type:login user:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5

NEXT

id=8661
# Message 109005 - authorization succeeded. Same captures and event as 8660.
name=This Cisco PIX firewall had a network user authenticate for network access.
match=%PIX
match=ser
match=user
match=ion
match=ce
match=ed
match=-109005: Authorization succeeded for user
regex=for user ([^ ]*) from (?:\S*:)?([^/]+)/([0-9]{1,5}) to (?:\S*:)?([^/]+)/([0-9]{1,5})
log=event:CiscoPIX-User_Authorization_Allowed type:login user:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5


#######################
# ADMINISTRATION LOGS #
#######################

NEXT

id=8662
# Message 701001 - alloc_user() out of Tcp_user objects. No captures;
# a resource-exhaustion condition logged as type:error.
name=This Cisco PIX firewall is experienceing a rollover issue with a large combination of authorized users and TCP network sessions.
match=%PIX
match=ser
match=user
match=cp
match=lo
match=-701001: alloc_user() out of Tcp_user objects 
match=ect
log=event:CiscoPIX-Too_Many_Users type:error

NEXT

id=8663
# Message 614001 - split DNS request patched. $1/$2 are the two server
# addresses; both ports are hard-coded to 53 by the rule.
name=This Cisco PIX firewall has detected a split DNS situation.
match=%PIX
match=ser
match=est
match=rom
match=ed
match=-614001: Split DNS: request patched from server: 
regex= from server: *([^ ]+) to server: *([^ ]+)
log=event:CiscoPIX-Split_DNS type:system srcip:$1 dstip:$2 dstport:53 srcport:53

NEXT

id=8664
# Message 614002 - split DNS reply patched back. Same event and fixed ports as 8663.
name=This Cisco PIX firewall has detected a split DNS situation.
match=%PIX
match=ser
match=rom
match=-614002: Split DNS: reply from server:
regex=from server: *([^ ]+) reverse patched back to original server: *([^ ]+)
log=event:CiscoPIX-Split_DNS type:system srcip:$1 dstip:$2 dstport:53 srcport:53

NEXT

id=8665
# Message 613003 - OSPF area change. $1 is simply the first token after the
# message id and is logged as dstip; confirm that token is an address in the
# real message. dstport:2604 and proto:6 are fixed by the rule.
name=This Cisco PIX firewall has detected a change in the OSPF route table. 
match=%PIX
match=-613003:
match=rom
match=ar
match=ed
match=changed from area
match=an
regex=%PIX-\d-613003: ([^ ]+)
log=event:CiscoPIX-OSPF_IP_Area_Change type:system dstip:$1 dstport:2604 proto:6

NEXT

id=8666
# Message 613002 - interface has zero bandwidth. No captures.
name=This Cisco PIX firewall has very poor bandwidth on one or more of its interfaces.
match=%PIX
match=ce
match=ace
match=-613002: interface
match=has zero bandwidth
match=an
log=event:CiscoPIX-Interface_Zero_Bandwidth type:error

NEXT

id=8667
# Auto Update failure. "-61200" is a prefix, so any 61200x message containing
# "Auto Update failed" matches. No captures.
name=This Cisco PIX firewall has had an error with one of its automatic update processes.
match=%PIX
match=-61200
match=ail
match=ate
match=le
match=ed
match= Auto Update failed
match=ailed
log=event:CiscoPIX-Auto_Update_Failure type:error

NEXT

id=8668
# Message 610101 - command authorization failed. The command after "Cmd:" is
# not captured; the event only records that a command was refused.
name=This Cisco PIX firewall has had a user fail to execute a command due to inappropriate permissions. 
match=%PIX
match=ail
match=ion
match=le
match=ed
match=-610101: Authorization failed: Cmd:
match=ailed
log=event:CiscoPIX-Command_Failure type:error

NEXT

id=8669
# Message 610002 - NTP packet failed authentication. $1 is the address after
# "from"; dstport:123 is fixed. Logged as type:access-denied (8670, the
# NTP deny, uses type:firewall).
name=This Cisco PIX firewall has received an invalid network time protocol message. 
match=%PIX
match=TP
match=ce
match=ace
match=-610002: NTP daemon interface 
match=NTP
match=ent
match=ail
match=rom
match=ack
match=ion
match=le
match=ed
match=Authentication failed for packet from
regex=from ([^ ]+)
log=event:CiscoPIX-Bad_NTP_Packet type:access-denied srcip:$1 dstport:123

NEXT

id=8670
# Message 610001 - NTP packet denied. $1 src address; dstport:123 and
# proto:17 are fixed.
name=This Cisco PIX firewall has blocked a network time protocol message. 
match=%PIX
match=TP
match=ce
match=ace
match=-610001: NTP daemon interface 
match=NTP
match=rom
match=ack
match=ed
match=: Packet denied from
regex=from ([^ ]+)
log=event:CiscoPIX-NTP_Packet_Denied type:firewall srcip:$1 dstport:123 proto:17

NEXT

id=8671
# Duplicate router ID. "-40901" is a prefix matching 40901x messages; $1 is
# the token after "ID " and is logged as dstip.
name=This Cisco PIX firewall has detected another router with the same ID.
match=%PIX
match=-40901
match=ate
match=ed
match=: Detected router with duplicate router ID 
match=ect
regex=ID ([^ ]+) in
log=event:CiscoPIX-Duplicate_Router_ID type:error dstip:$1

NEXT

id=8672
# Message 409011 - OSPF duplicate router-id. $1 router-id (logged as srcip),
# $2 the address after "from" (logged as dstip).
name=This Cisco PIX firewall has detected another router with the same ID.
match=%PIX
match=ate
match=ed
match=-409011: OSPF detected duplicate router-id
match=ect
regex=router-id ([^ ]+) from ([^ ]+) on
log=event:CiscoPIX-Duplicate_Router_ID type:error srcip:$1 dstip:$2

NEXT

id=8673
# Message 409005 - invalid length in OSPF packet. $1 src address after "from".
name=This Cisco PIX firewall has detected an invalid OSPF routing packet.
match=%PIX
match=rom
match=ack
match=le
match=-409005: Invalid length number in OSPF packet from
regex=from ([^ ]+)
log=event:CiscoPIX-Invalid_OSPF_Packet type:system srcip:$1

NEXT

id=8674
# Message 409003 - received invalid OSPF packet. $1 is the address between
# "from " and the following comma. Same event as 8673.
name=This Cisco PIX firewall has detected an invalid OSPF routing packet.
match=%PIX
match=ack
match=ce
match=ed
match=-409003: Received invalid packet: 
regex=from ([^, ]+), 
log=event:CiscoPIX-Invalid_OSPF_Packet type:system srcip:$1

NEXT

id=8675
# Message 317005 - IP routing table limit exceeded. $1 is the token between
# ", " and " netmask" and is logged as dstip (presumably the route prefix).
name=This Cisco PIX firewall has exceeded its routing table limit due to a configuration error. 
match=%PIX
match=ing
match=ce
match=le
match=ed
match=-317005: IP routing table limit exceeded -
regex=, ([^ ]+) netmask
log=event:CiscoPIX-Routing_Limit_Reached type:error dstip:$1

NEXT

id=8676
# Message 309002 - manager (PDM) connection permitted. The regex requires a
# literal "." right after the address ("from ([^ ]+)\."); if the message has
# a space before the period this will not match - confirm on a live line.
name=This Cisco PIX firewall has had an administrator login.
match=%PIX
match=rom
match=ion
match=ed
match=-309002: Permitted manager connection from
match=ect
match=onnect
match=onnection
match=an
regex=from ([^ ]+)\.
log=event:CiscoPIX-Manager_Connection type:login srcip:$1

NEXT

id=8677
# Message 211003 - CPU utilization report. Nothing here checks the reported
# percentage, so the "100 percent" in the name is an assumption about when
# the PIX emits 211003 - confirm before relying on it for alerting.
name=This Cisco PIX firewall is experiencing 100 percent CPU utilization.
match=%PIX
match=ion
match=-211003: CPU utilization
match=CPU
log=event:CiscoPIX-High_CPU type:error

NEXT

id=8678
# Message 111008 - user executed a command. $1 is the user name; the "'?"
# tolerates an optional opening quote. The command itself is not captured.
name=This Cisco PIX firewall has had a succsesful configuration modification.
match=%PIX
match=ser
match=-111008: User 
match=ecu
match=ed
match= executed the
match=an
match=command
regex=User '?([^' ]+)
log=event:CiscoPIX-Config_Modification type:system user:$1

NEXT

id=8679
# Message 106101 - ACL deny-flow limit reached. No captures.
# NOTE(review): the match has no colon after "106101", unlike every other
# rule in this file; if the PIX emits "-106101: The number ..." this rule
# never fires - confirm against a live log line.
name=This Cisco PIX firewall has reached its limit of tracked deny flows. This could mean your network is experiencing a denial of service attack, a large network scan, a worm outbreak or a large increase in network activity. 
match=%PIX
match=lo
match=log
match=CL
match=ed
match=-106101 The number of ACL log deny-flows has reached limit
log=event:CiscoPIX-Potential_DOS_Attack type:dos

##########################
# MALICIOUS CONTENT LOGS #
##########################

NEXT

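id=8680
# Message 702302 - replay rollover detected. No captures. The name said
# "reply attack"; the message is about anti-replay, so it now says "replay".
name=This Cisco PIX firewall has detected a replay attack.
match=%PIX
match=ol
match=lo
match=ed
match=-702302: replay rollover detected
match=ect
log=event:CiscoPIX-VPN_Rollover type:intrusion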

NEXT

id=8681
# Message 603101 - PPTP out-of-sequence or duplicate packet. No captures.
name=This Cisco PIX fireall has detected a PPTP de-synchronization event.
match=%PIX
match=TP
match=ate
match=ce
match=ed
match=-603101: PPTP received out of seq or duplicate pkt,
log=event:CiscoPIX-PPTP_Out_Of_Sequence_Packet type:error

NEXT

id=8682
# Message 410001 - DNS packet dropped by the 255-byte domainname length
# check. No addresses captured; proto:17 and dstport:53 are fixed.
name=This Cisco PIX firewall has detected and blocked a potential DNS buffer overflow attack.
match=%PIX
match=ack
match=le
match=ed
match=-410001: UDP DNS packet dropped due to domainname length check of 255 bytes: actual length:
match=pp
log=event:CiscoPIX-DNS_Overflow type:intrusion proto:17 dstport:53

NEXT

id=8683
# Message 410001 - DNS packet dropped by the 63-byte label length check.
# Note the match has no space after "410001:" (differs from 8682).
name=This Cisco PIX firewall has detected and blocked a potential DNS buffer overflow attack.
match=%PIX
match=ack
match=le
match=ed
match=-410001:UDP DNS packet dropped due to label length check of 63 bytes actual length:
match=pp
log=event:CiscoPIX-DNS_Overflow type:intrusion proto:17 dstport:53

NEXT

id=8684
# Message 410001 - DNS packet dropped by the packet length check. Matched
# in smaller pieces than 8682/8683 so spacing around "410001:" does not
# matter. Same event and fixed fields.
name=This Cisco PIX firewall has detected and blocked a potential DNS buffer overflow attack.
match=-410001:
match=UDP
match=ack
match=packet
match=DNS 
match=ed
match=packet dropped due 
match=le
match=to packet length check of
match=pp
match=%PIX
match=bytes: actual length:
log=event:CiscoPIX-DNS_Overflow type:intrusion proto:17 dstport:53

NEXT

id=8685
# Message 410001 - DNS packet dropped by the compression length check.
# Same event and fixed fields as 8682-8684.
name=This Cisco PIX firewall has detected and blocked a potential DNS buffer overflow attack.
match=%PIX
match=ack
match=-410001:UDP DNS packet 
match=ion
match=le
match=ed
match=ss
match=dropped due to compression length check of
match=UDP
match=packet
match=DNS 
match=pp
match=bytes: actual length:
log=event:CiscoPIX-DNS_Overflow type:intrusion proto:17 dstport:53

NEXT

id=8686
# Message 407002 - embryonic connection limit exceeded. $1/$2 are the src
# and dst addresses; the "\S*" after each group discards any "/port" suffix.
name=This Cisco PIX firewall has detected a potential denial of service attack.
match=%PIX
match=-407002: Embryonic limit
match=ion
match=ce
match=ed
match=for through connections exceeded.
match=ect
match=onnect
match=onnection
regex=exceeded. +([^/ ]+)\S* to ([^/ ]+)\S*
log=event:CiscoPIX-DOS_Attack type:dos srcip:$1 dstip:$2

NEXT

id=8687
# Message 406002 - FTP PORT command with a different address. $1 is the
# address before the parenthesised value, $2 the address after "to".
name=This Cisco PIX firewall has detected a potential FTP attack.
match=%PIX
match=ent
match=TP
match=ss
match=-406002: FTP port command different address:
match=an
regex=address: ([^ (]+)\([^)]+\) to ([^ ]+) on
log=event:CiscoPIX-FTP_Port_Rewrite type:intrusion srcip:$1 dstip:$2

NEXT

id=8688
# Message 406001 - FTP PORT command with a low port. $1/$2 src ip/port,
# $3 dst ip. The regex is anchored on the full "%PIX-\d-406001:" prefix.
name=This Cisco PIX firewall has detected a potential FTP attack which uses a target FTP server to perform a port scan of a second system.
match=%PIX
match=TP
match=lo
match=-406001: FTP port command low port:
match=an
regex=%PIX-\d-406001: FTP port command low port: *([^ /]+)/([0-9]{1,5}) to ([^ ]+) on
log=event:CiscoPIX-FTP_Low_Port type:intrusion srcip:$1 srcport:$2 dstip:$3

NEXT

id=8689
# Message 405001 - ARP request/response collision. The alternation
# "re(?:quest|sponse)" covers both forms; $1 is the address before the "/".
name=This Cisco PIX firewall has detected a layer two collision of MAC addresses. This could be an attempt to subvert traffic by modifiying the ARP table, but can also be caused by a having two systems with identical IP addresses.
match=%PIX
match=ce
match=ed
match=-405001: Received ARP re
match=ol
match=rom
match=ion
match=collision from
regex=%PIX-\d-405001: Received ARP re(?:quest|sponse) collision from ([^ /]+)/
log=event:CiscoPIX-ARP_Poison type:error srcip:$1

NEXT

id=8690
# Message 403109 - packet received that is not PPTP. $1 dest_address,
# $2 src_addr; note the log line maps them to dstip/srcip in that order.
name=This Cisco PIX firewall has detected a spoofed PPTP packet.
match=%PIX
match=est
match=TP
match=ack
match=ss
match=-403109: Rec'd packet not an PPTP packet. (ip) dest_address=
match=an
regex=dest_address= ([^,]+), src_addr= ([^,]+),
log=event:CiscoPIX-Spoofed_PPTP_Packet type:firewall dstip:$1 srcip:$2

NEXT

id=8691
# Message 402103 - IPsec identity mismatch. $1 dest_address, $2 src_addr,
# $3 the numeric "prot=" value (logged as proto).
name=This Cisco PIX firewall has detected a mis-match with an IPSEC packet. This is most likely a mis-configuration of your VPN.
match=%PIX
match=ent
match=est
match=ate
match=ed
match=ty
match=ss
match=-402103: identity doesn't match negotiated identity (ip) dest_address=
regex=dest_address= ([^,]+), src_addr= ([^,]+), prot= *(\d+)
log=event:CiscoPIX-Spoofed_IPSEC_Packet type:error dstip:$1 srcip:$2 proto:$3

NEXT

id=8692
# Message 402102 - decapsulated packet missing AH or ESP. $1 is "AH"/"ESP",
# $2 the dotted-quad destadr, $3 the inner "(\.[0-9]+)" group (last octet)
# which is why the log uses $2, not $3, for dstip.
name=This Cisco PIX firewall has detected a mis-match with an IPSEC packet. This is most likely a mis-configuration of your VPN.
match=%PIX
match=ack
match=ate
match=ing
match=ss
match=-402102: decapsulate: packet missing
regex=%PIX-\d-402102: decapsulate: packet missing (AH|ESP), destadr=([0-9]+(\.[0-9]+){3}),
log=event:CiscoPIX-Spoofed_IPSEC_Packet type:error dstip:$2

NEXT

id=8693
# Message 313003 - invalid destination for ICMP error. No captures.
name=This Cisco PIX firewall has detected an invalid destination for an ICMP error.
match=%PIX
match=est
match=rr
match=ion
match=-313003: Invalid destination for ICMP error 
match=MP
match=ICMP
log=event:CiscoPIX-Invalid_ICMP_Error_Destination type:firewall

NEXT

id=8694
# Message 312001 - RIP header check failed. $1 is the text between "from "
# and the next ":" (the source address).
name=This Cisco PIX firewall has detected an illegal RIP routing traffic.
match=%PIX
match=ail
match=rom
match=le
match=ed
match=-312001: RIP hdr failed from
regex=from ([^:]+):
log=event:CiscoPIX-Invalid_RIP_Header srcip:$1 type:firewall

NEXT

id=8695
# Messages 107001/107002 - RIP auth or pkt failed. "-10700" is a prefix and
# the regex restricts it to 10700[12]; $1 src address. Same event as 8694.
name=This Cisco PIX firewall has detected an illegal RIP routing traffic.
match=%PIX
match=-10700
regex=%PIX-\d-10700[12]: RIP (?:auth|pkt) failed from ([^:]+):
log=event:CiscoPIX-Invalid_RIP_Header srcip:$1 type:firewall

NEXT

id=8696
# Message 214001 - manager session terminated because incoming encrypted
# data was longer than expected. $1 is the address between "session from "
# and " on interface".
name=This Cisco PIX firewall has detected a potential administration session hijack attempt.
match=%PIX
match=rom
match=ion
match=ing
match=ss
match=-214001: Terminating manager session from
match=ed
match=pt
match=Reason: incoming encrypted data
match=lo
match=longer than
match=an
regex=session from ([^ ]+) on interface
log=event:CiscoPIX-Potential_Manager_Session_Attack srcip:$1 type:intrusion

NEXT

id=8697
# Message 212005 - incoming SNMP request exceeds buffer size, discarded.
# No captures; the requester's address is not extracted.
name=This Cisco PIX firewall has detected and blocked a potential SNMP buffer overflow attack.
match=%PIX
match=est
match=ing
match=-212005: incoming SNMP request
match=MP
match=SNMP
match=ar
match=ce
match=ed
match=exceeds data buffer size, discarding this SNMP request.
log=event:CiscoPIX-Potential_SNMP_Overflow_Attempt type:intrusion

NEXT

id=8698
# Message 209005 - fragment set with too many elements discarded.
# $1 src, $2 dest, $3 numeric proto (1-3 digits).
name=This Cisco PIX firewall has detected and blocked an IP fragment that may be part of a denial of service attack or an attempt to bypass detection by a network IDS. 
match=%PIX
match=ent
match=ar
match=-209005: Discard IP fragment set with more than
match=an
regex=src = ([^,]+), dest = ([^,]+), proto = ([0-9]{1,3})
log=event:CiscoPIX-IP_Frag_Drop_Too_Many_Elements type:dos srcip:$1 dstip:$2 proto:$3

NEXT

id=8699
# Message 209004 - invalid IP fragment size. Same captures as 8698.
name=This Cisco PIX firewall has detected and blocked an IP fragment that may be part of a denial of service attack or an attempt to bypass detection by a network IDS. 
match=%PIX
match=ent
match=-209004: Invalid IP fragment, size =
regex=src = ([^,]+), dest = ([^,]+), proto = ([0-9]{1,3})
log=event:CiscoPIX-IP_Frag_Drop_Max_Size_Exceeded type:dos srcip:$1 dstip:$2 proto:$3

NEXT

id=8700
# Message 209003 - fragment database limit reached. Same captures as 8698;
# the " *" after the comma tolerates a missing space before "dest".
name=This Cisco PIX firewall has detected and blocked an IP fragment that may be part of a denial of service attack or an attempt to bypass detection by a network IDS. 
match=%PIX
match=ent
match=-209003: Fragment database limit of
regex=src = ([^,]+), *dest = ([^,]+), proto = ([0-9]{1,3})
log=event:CiscoPIX-IP_Frag_Database_Exceeded type:dos srcip:$1 dstip:$2 proto:$3

NEXT

#######################################
# WebSense Cisco PIX MESSAGES
#######################################

id=8701
# Message 304007 - URL server not responding (filtering falls open, per the
# name). No captures; see 8620 for the variant that extracts the server ip.
name=This Cisco PIX firewall can not communicate with the URL server and is now allowing all web requests.
match=%PIX
match=ing
match=-304007: URL Server not responding
match=URL
log=event:CiscoPIX-WebSense_URL_Server_Not_Responding type:error

NEXT

id=8702
# Message 304008 - leaving ALLOW mode (URL filtering resumes). Still logged
# as type:error even though it is the recovery from 8701.
name=This Cisco PIX firewall can now communicate with the URL server and will now filter all web requests.
match=%PIX
match=-304008: LEAVING ALLOW mode
match=LO
match=AL
log=event:CiscoPIX-Websense_Leaving_Allow_mode type:error


#####################################
# Misc
####################################


NEXT 

id=8703
# Message 302013 - outbound TCP connection built. The first address pair
# ($1/$2) is logged as dst and the second ($3/$4) as src, the reverse of
# 8708 (inbound) - presumably because an outbound message lists the far side
# first; confirm against the PIX message format before changing.
name=This Cisco PIX firewall has allowed an outbound TCP session.
match=%PIX
match=ion
match=-302013: Built outbound TCP connection
match=ect
match=onnect
match=onnection
regex=for (?:\S*:)?([^/]+)/([0-9]{1,5}).* to (?:\S*:)?([^/]+)/([0-9]{1,5})
log=event:CiscoPIX-Built_Outbound_TCP_Connection type:connection dstip:$1 dstport:$2 srcip:$3 srcport:$4 proto:6

NEXT

id=8704
# Message 302015 - outbound UDP connection built. Same reversed src/dst
# mapping as 8703; proto:17 is fixed.
name=This Cisco PIX firewall has allowed an outbound UDP session.
match=%PIX
match=ion
match=-302015: Built outbound UDP connection
match=ect
match=onnect
match=onnection
regex=for (?:\S*:)?([^/]+)/([0-9]{1,5}).* to (?:\S*:)?([^/]+)/([0-9]{1,5})
log=event:CiscoPIX-Built_Outbound_UDP_Connection type:connection dstip:$1 dstport:$2 srcip:$3 srcport:$4 proto:17

NEXT

id=8705
# Message 106020 - IP teardrop fragment denied. $1 src, $2 dst.
name=This Cisco PIX firewall has blocked a Tear Drop attack. 
match=%PIX
match=ent
match=ar
match=-106020: Deny IP teardrop fragment
regex=from ([^ ]+) to ([^ ]+)
log=event:CiscoPIX-Deny_IP_Teardrop_Fragment type:dos srcip:$1 dstip:$2

NEXT

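id=8706
# Message 305005 - no translation group found. $1 is the protocol word taken
# from the message (logged as proto), so this is not UDP-specific; the old
# name claimed a UDP connection failure. $2/$3 src ip/port, $4/$5 dst ip/port.
name=This Cisco PIX firewall found no translation group for a connection.
match=%PIX
match=ion
match=-305005: No translation group found for 
match=an
regex= (\S+) src (?:\S*:)?([^/]+)/([0-9]{1,5}) dst (?:\S*:)?([^/]+)/([0-9]{1,5})
log=event:CiscoPIX-No_Translation_Group_Found type:firewall srcip:$2 srcport:$3 dstip:$4 dstport:$5 proto:$1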

NEXT

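id=8707
# Message 106021 - UDP packet denied by the reverse path check. $1 src,
# $2 dst. The old name ("could not build a UDP connection") described a
# different condition; the event name already said reverse path check.
name=This Cisco PIX firewall denied a UDP packet that failed the reverse path check.
match=%PIX
match=-106021: Deny udp reverse path check
regex=from ([^ ]+) to ([^ ]+)
log=event:CiscoPIX-Deny_UDP_Reverse_Path_Check type:firewall srcip:$1 dstip:$2 proto:17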

NEXT

id=8708
# Message 302013 - inbound TCP connection built. Here the first pair is
# src and the second dst (compare 8703 for the outbound case).
name=This Cisco PIX firewall built an inbound TCP connection.
match=%PIX
match=ion
match=-302013: Built inbound TCP connection
match=ect
match=onnect
match=onnection
regex=for (?:\S*:)?([^/]+)/([0-9]{1,5}).* to (?:\S*:)?([^/]+)/([0-9]{1,5})
log=event:CiscoPIX-Built_Inbound_TCP_Connection type:connection srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6

NEXT

id=8709
# Note, also see ID 8621
# Message 304001 - URL accessed. "!: Accessed URL" excludes the form where
# the message id is directly followed by ": Accessed URL" (that form is
# 8621's). $1 is the token before "Accessed", $2 the host part of the URL
# up to the first ":".
name=This Cisco PIX firewall logged access to a URL.
match=%PIX
match=-304001:
match=ce
match=ed
match=ss
match=Accessed
match=URL
match=!: Accessed URL
regex=%PIX-\d-304001: ([^ ]+) Accessed (?:JAVA )?URL ([^: ]+)
log=event:CiscoPIX-Accessed_URL type:web-access srcip:$1 dstip:$2

NEXT

id=8601
# Message 305011 - dynamic TCP translation built. $1/$2 src ip/port,
# $3/$4 dst ip/port; proto:6 is fixed.
name=This Cisco PIX has built a dynamic TCP connection.
match=%PIX
match=rom
match=ion
match=-305011: Built dynamic TCP translation from
match=an
regex=from (?:\S*:)?([^/]+)/([0-9]{1,5}) to (?:\S*:)?([^/]+)/([0-9]{1,5})
log=event:CiscoPIX-Built-Dynamic_TCP_Translation srcip:$1 srcport:$2 dstip:$3 dstport:$4 type:connection proto:6

NEXT

id=8602
# Message 302014 - TCP connection torn down. Same capture layout as 8601.
name=This Cisco PIX has tore down a TCP connection.
match=%PIX
match=ion
match=ar
match=-302014: Teardown TCP connection
match=ect
match=onnect
match=onnection
regex= for (?:\S*:)?([^/]+)/([0-9]{1,5}) to (?:\S*:)?([^/]+)/([0-9]{1,5})
log=event:CiscoPIX-Teardown_TCP_Connection srcip:$1 srcport:$2 dstip:$3 dstport:$4 type:connection proto:6

NEXT

id=8603
# Message 609002 - local-host entry torn down. $1 is the host address
# (optional "name:" prefix skipped); see 8611 for the matching "Built".
name=This Cisco PIX has tore down a localhost connection.
match=-609002: 
match=%PIX
regex=Teardown local-host (?:\S*:)?([^ ]+)
log=event:CiscoPIX-Teardown_LocalHost srcip:$1 type:connection
 
NEXT

id=8604
# Message 305012 - dynamic translation torn down. The match is the message
# id only, so this fires for any 305012 line; proto:6 is assumed by the rule
# even though nothing in the match restricts it to TCP - confirm.
name=This Cisco PIX has tore down a dynamic TCP connection.
match=%PIX
match=-305012: 
regex=from (?:\S*:)?([^/]+)/([0-9]{1,5}) to (?:\S*:)?([^/]+)/([0-9]{1,5})
log=event:CiscoPIX-Teardown_Dynamic_TCP_Translation srcip:$1 srcport:$2 dstip:$3 dstport:$4 type:connection proto:6

NEXT

id=8605
# Note, also see ID 8622
# Message 304002 - URL access denied. $1 SRC, $2 DEST addresses.
name=This Cisco PIX firewall denied access to a URL.
match=%PIX
match=ce
match=ed
match=ss
match=-304002: Access denied URL
match=URL
regex=SRC ([^ ]+) DEST ([^ ]+)
log=event:CiscoPIX-Accessed_Denied_URL type:web-error srcip:$1 dstip:$2

NEXT

id=8606
# Message 302016 - UDP connection torn down. Same layout as 8602; proto:17.
name=This Cisco PIX firewall has tore down a UDP connection.
match=%PIX
match=ion
match=ar
match=-302016: Teardown UDP connection 
match=ect
match=onnect
match=onnection
regex=for (?:\S*:)?([^/]+)/([0-9]{1,5}) to (?:\S*:)?([^/]+)/([0-9]{1,5})
log=event:CiscoPIX-Teardown_UDP_Connection srcip:$1 srcport:$2 dstip:$3 dstport:$4 type:connection proto:17

NEXT

id=8607
# Message 302015 - inbound UDP connection built. First pair is src, second
# dst (compare 8704 for outbound).
name=This Cisco PIX firewall has built an inbound UDP connection.
match=%PIX
match=ion
match=-302015: Built inbound UDP connection
match=ect
match=onnect
match=onnection
regex=for (?:\S*:)?([^/]+)/([0-9]{1,5}).* to (?:\S*:)?([^/]+)/([0-9]{1,5})
log=event:CiscoPIX-Built_inbound_UDP_Connection type:connection srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:17

NEXT

id=8608
# Message 305011 - dynamic UDP translation built. Same layout as 8601; proto:17.
name=This Cisco PIX firewall has built a dynamic UDP connection.
match=%PIX
match=rom
match=ion
match=-305011: Built dynamic UDP translation from 
match=an
regex=from (?:\S*:)?([^/]+)/([0-9]{1,5}) to (?:\S*:)?([^/]+)/([0-9]{1,5})
log=event:CiscoPIX-Built-Dynamic_UDP_Translation srcip:$1 srcport:$2 dstip:$3 dstport:$4 type:connection proto:17

NEXT

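id=8609
# Message 305011 - dynamic ICMP translation built. Same regex layout as
# 8601/8608. The log line used to emit "srcip:$1 srcip:$2", a duplicated
# key that lost the second capture; $2 is now logged as srcport to match
# the sibling rules.
name=This Cisco PIX firewall has built a dynamic ICMP connection.
match=%PIX
match=rom
match=ion
match=-305011: Built dynamic ICMP translation from
match=an
match=ICMP
match=MP
regex=from (?:\S*:)?([^/]+)/([0-9]{1,5}) to (?:\S*:)?([^/]+)/([0-9]{1,5})
log=event:CiscoPIX-Built-Dynamic_ICMP_Translation srcip:$1 srcport:$2 dstip:$3 dstport:$4 type:connection proto:1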

NEXT

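id=8610
# Message 106011 "Deny inbound (No xlate) udp". Same regex as the TCP/ICMP
# No-xlate rules (8632, 8633). Two fixes: srcport:$2 was captured but not
# logged, and the event was typed "connection" although it is a deny - the
# sibling No-xlate rules use type:firewall, so this one does now too.
name=This Cisco PIX firewall has denied an inbound UDP session.
match=%PIX
match=ate
match=-106011: Deny inbound (No xlate) udp src
regex=src (?:\S*:)?([^/]+)/([0-9]+) dst (?:\S*:)?([^/]+)/([0-9]+)
log=event:CiscoPIX-Blocked_Inbound_UDP_Noxlate proto:17 srcip:$1 srcport:$2 dstip:$3 dstport:$4 type:firewall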

NEXT

id=8611
# Message 609001 - local-host entry built. $1 host address; the teardown
# counterpart is 8603.
name=This Cisco PIX firewall has built a local-host network connection.
match=%PIX
match=lo
match=-609001: Built local-host
regex=local-host (?:\S*:)?([^ ]+)
log=event:CiscoPIX-Built_Local_Host srcip:$1 type:connection

NEXT

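id=8612
# Message 106013 - echo request dropped. $1 is the address after "from",
# $2 the address after "address". The old name was copied from 8611 ("built
# a local-host network connection") and did not describe this message, and
# a drop was typed "connection"; the other deny/drop rules use type:firewall.
name=This Cisco PIX firewall dropped an ICMP echo request.
match=%PIX
match=est
match=rom
match=ing
match=-106013: Dropping echo request from
match=pp
regex=from ([^ ]+) .* address ([^ ]+)
log=event:CiscoPIX-Dropping_Echo_Request srcip:$1 dstip:$2 type:firewall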

NEXT

id=8613
# Message 303002 - file retrieved or stored (FTP/HTTP). $1 is the first token
# after the message id, $2 the text before the last ":" (greedy ".*" means
# the final "addr:" pair is the one captured).
name=This Cisco PIX firewall has logged a file transfer via FTP or WEB access.
match=%PIX
match=-303002:
regex=%PIX-\d-303002: +([^ ]+) .* ([^:]+):
log=event:CiscoPIX-Retrieved_Or_Stored srcip:$1 dstip:$2 type:file-access

NEXT

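id=8614
# Cisco message 302010: connection-count report ("in use" / "most used").
# No regex: the counts are not extracted, only the event is recorded.
# Fix: corrected the typo ("amound") and wording in the description.
name=This Cisco PIX firewall has logged the number of TCP connections in use and the most used count.
match=%PIX
match=-302010:
log=event:CiscoPIX-In_Use_Most_used type:system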

NEXT

id=8615
# Cisco message 305009: static translation built.
# regex: optional "<iface>:" prefix skipped on both sides (with optional spaces
# after the destination prefix); $1 = source address, $2 = destination address.
# No ports are captured for this message.
name=This Cisco PIX firewall has built a network translation connection. 
match=%PIX
match=-305009:
regex=from (?:\S*:)?([^ ]+) to (?:\S*:)? *([^ ]+)
log=event:CiscoPIX-Built_Static_Translation srcip:$1 dstip:$2 type:connection

NEXT

id=8616
# Cisco message 106016: IP spoof denied.
# regex: $1 = the parenthesised source address after "from (", $2 = the token
# after "to ". Logged as a firewall event.
name=This Cisco PIX firewall has detected and stopped a spoofed IP packet attack.
match=%PIX
match=-106016:
regex=from \(([^)]+)\) to ([^ ]+)
log=event:CiscoPIX-Deny_IP_Spoof srcip:$1 dstip:$2 type:firewall

NEXT

id=8618
# Cisco message 305006: translation creation failed.
# regex: $1 = the protocol token preceding "src" (note the leading space in the
# pattern); $2/$3 = source address/port, $4/$5 = destination address/port, each
# with an optional "<iface>:" prefix skipped.
# NOTE(review): proto:$1 receives the literal token from the log line rather than
# the numeric values used by the other signatures — confirm the engine accepts it.
name=This Cisco PIX firewall has detected a portmap translation failure.
match=%PIX
match=-305006:
match=translation creation failed for
regex= (\S+) src (?:\S+:)?([^/]+)/([0-9]+) dst (?:\S+:)?([^/]+)/([0-9]+)
log=event:CiscoPIX-Translation_Creation_Failure srcip:$2 srcport:$3 dstip:$4 dstport:$5 type:firewall proto:$1

NEXT

id=8619
# Cisco message 110001: no route to destination.
# regex: the message reads "to <dst> from <src>", so $1 is the destination and
# $2 the source; the log line maps them accordingly (srcip:$2, dstip:$1).
name=This Cisco PIX firewall has detected no route.
match=%PIX
match=-110001:
match=No route to
regex=to ([^ ]+) from ([^ ]+)
log=event:CiscoPIX-No_Route srcip:$2 dstip:$1 type:error

NEXT

id=8620
# Cisco message 304006: URL filtering server not responding.
# regex: $1 = the server address between "URL Server " and " not responding";
# it is logged as srcip.
# NOTE(review): the trailing "match=URL" sits after the regex= line, unlike the
# other signatures — confirm the parser is order-insensitive before relying on it.
name=This Cisco PIX firewall has detected a URL Server not responding.
match=%PIX
match=-304006:
regex=URL Server ([^ ]+) not responding
match=URL
log=event:CiscoPIX-URL_Server_Not_Responding srcip:$1 type:error

NEXT

id=8621
# Note, also see ID 8709
# Cisco message 304001, "Accessed URL" variant (8622 handles "Denied Access URL").
# regex: $1 = the token after "URL " up to the first colon, logged as dstip.
# The URL itself comes from the syslog payload and is not captured.
name=This Cisco PIX firewall logged access to a URL.
match=%PIX
match=-304001:
match=ce
match=ed
match=ss
match=: Accessed URL
match=URL
regex=URL ([^:]+):
log=event:CiscoPIX-Accessed_URL type:web-access dstip:$1

NEXT

id=8622
# Note, also see ID 8605
# Cisco message 304001, "Denied Access URL" variant (8621 handles "Accessed URL").
# regex: $1 = the token after "URL " up to the first colon, logged as dstip.
name=This Cisco PIX firewall denied access to a URL.
match=%PIX
match=ce
match=ed
match=ss
match=-304001: Denied Access URL
match=URL
regex=URL ([^:]+):
log=event:CiscoPIX-Accessed_Denied_URL type:web-error dstip:$1

NEXT

id=8623
# Cisco message 106100, access-list "permitted tcp" case. Signatures 8623, 8624,
# 8625 and 8600 share this message id and differ only in the permitted/denied
# and tcp/udp match= lines.
# regex: "<iface>/" before each address is skipped; $1 = source address,
# $2 = source port in parentheses, $3/$4 = destination address/port.
name=This Cisco PIX firewall ACL has permitted a TCP connection.
match=%PIX-
match=ce
match=ss
match=-106100: access-list
match=acc
match=tcp
match=permitted tcp
regex=tcp \S+/([^(]+)\(([0-9]+)\) *-> \S+/([^(]+)\(([0-9]+)\)
log=event:CiscoPIX-ACL_TCP_Allow type:connection srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6

NEXT

id=8624
# Cisco message 106100, access-list "denied tcp" case (see 8623 for the family).
# regex: "<iface>/" before each address is skipped; $1 = source address,
# $2 = source port in parentheses, $3/$4 = destination address/port.
name=This Cisco PIX firewall ACL has denied a TCP connection.
match=%PIX-
match=ce
match=ss
match=-106100: access-list
match=acc
match=tcp
match=denied tcp
regex=tcp \S+/([^(]+)\(([0-9]+)\) *-> \S+/([^(]+)\(([0-9]+)\)
log=event:CiscoPIX-ACL_TCP_Deny type:firewall srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6

NEXT

id=8625
# Cisco message 106100, access-list "permitted udp" case (see 8623 for the family).
# regex: "<iface>/" before each address is skipped; $1 = source address,
# $2 = source port in parentheses, $3/$4 = destination address/port.
name=This Cisco PIX firewall ACL has permitted a UDP connection.
match=%PIX-
match=ce
match=ss
match=-106100: access-list
match=acc
match=udp
match=permitted udp
regex=udp \S+/([^(]+)\(([0-9]+)\) *-> \S+/([^(]+)\(([0-9]+)\)
log=event:CiscoPIX-ACL_UDP_Allow type:connection srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:17

NEXT

id=8600
# Cisco message 106100, access-list "denied udp" case (see 8623 for the family).
# The id is out of sequence with its siblings (8623-8625) but is otherwise identical
# in structure.
# regex: "<iface>/" before each address is skipped; $1 = source address,
# $2 = source port in parentheses, $3/$4 = destination address/port.
name=This Cisco PIX firewall ACL has denied a UDP connection.
match=%PIX-
match=ce
match=ss
match=-106100: access-list
match=acc
match=udp
match=denied udp
regex=udp \S+/([^(]+)\(([0-9]+)\) *-> \S+/([^(]+)\(([0-9]+)\)
log=event:CiscoPIX-ACL_UDP_Deny type:firewall srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:17

NEXT

id=15325
# Cisco message 111007: configuration session begun.
# No regex: nothing is extracted; the event is recorded as a system event so that
# administrative activity on the firewall is visible.
name=This Cisco PIX firewall detected the start of a config terminal session.
match=%PIX-
match=config
match=ation
match=-111007: Begin configuration
match=gi
match=in
log=event:CiscoPIX-Config_Begin type:system

NEXT

id=15326
# Cisco message 111009: a user executed a command.
# regex: $1 = the token after "User ", with an optional leading quote dropped;
# it is logged as the user field. The command text is not captured.
# The user value is taken verbatim from the syslog payload; treat it as untrusted
# data downstream, not as an authenticated identity.
name=This Cisco PIX firewall logged a user executing a command.
match=%PIX-
match=Use
match=ecu
match=-111009: User
match=ex
match=cmd
match=executed cmd:
regex=User '?([^' ]+)
log=event:CiscoPIX-Command_Executed type:system user:$1

NEXT

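id=15327
# Cisco message 106023: traffic denied by an access-group.
# regex: $1 = protocol token after "protocol "; $2 = source address, $3 =
# destination address. An optional "<iface>:" prefix and an optional "/<port>"
# suffix on each address are skipped.
# Fix: the address groups previously used "[^ ]+", which swallows a "/<port>"
# suffix into srcip/dstip when the message carries one; the address now stops
# at "/" and the port is consumed separately. Lines without a port match as before.
# The interface prefix now uses "\S*:" like the other signatures in this library.
# NOTE(review): proto:$1 receives the literal token (e.g. the word after
# "protocol") rather than a number — confirm the engine accepts it.
name=This Cisco PIX firewall has denied traffic based on an ACL.
match=%PIX-
match=Deny
match=protocol
match=-106023: Deny protocol
match=access
match=group
match=src
match=dst
regex=protocol (\S+) src (?:\S*:)?([^ /]+)(?:/[0-9]+)? dst (?:\S*:)?([^ /]+)(?:/[0-9]+)?
log=event:CiscoPIX-ACL_Deny type:firewall srcip:$2 dstip:$3 proto:$1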

NEXT

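id=15328
# Cisco message 402106: received packet was not IPSEC when IPSEC was expected.
# regex: the message lists "dest_addr=" before "src_addr=", so $1 is the
# destination address, $2 the source address and $3 the protocol token.
# Fix: the log line mapped srcip:$1 dstip:$2, i.e. source and destination were
# swapped; they are now srcip:$2 dstip:$1.
name=This Cisco PIX firewall detected a non-IPSEC packet when an IPSEC packet was expected.
match=%PIX-
match=IPSEC
match=src
match=-402106: Rec'd packet not an IPSEC packet
match=pro
match=addr
match=dest
regex=dest_addr= ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), src_addr= ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+), prot= (\S+)
log=event:CiscoPIX-Non_IPSEC_Packet_Received type:firewall srcip:$2 dstip:$1 proto:$3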

NEXT

id=15329
name=This Cisco PIX firewall detected an invalid transport field.
match=%PIX-
match=proto
match=trans
match=-500004: Invalid transport field for protocol
match=from
match=Invalid
match=port
regex=protocol=(\d+), from ([^/]+)/([0-9]+) to ([^/]+)/([0-9]+)
log=event:CiscoPIX-Invalid_Transport type:firewall srcip:$2 srcport:$3 dstip:$4 dstport:$5 proto:$1