# Copyright 2007 Tenable Network Security
# This library may only be used with the Thunder server and may not
# be used with other products or open source projects
#
# NAME:
# Stonegate Firewall
#
# This is the modified LogServerConfiguration.txt, with the syslog IP added.
#
# SYSLOG_EXPORT_FORMAT=CSV
# SYSLOG_EXPORT_FW=YES
# SYSLOG_EXPORT_IPS=YES
# SYSLOG_FILTER_MATCH=ALL
# SYSLOG_FILTER_TYPE=
# SYSLOG_MESSAGE_PRIORITY=6
# SYSLOG_PORT=514
# SYSLOG_SERVER_ADDRESS=xxx.xxx.xxx.xxx
#
#
# DESCRIPTION:
# This library is used to process logs from a Stonegate firewall
#
# LAST UPDATE: $Date$

# id 9520 - TCP "Connection discarded" packet-filter event.
# regex: $1 = sensor IP; $2/$3 = an adjacent quoted IP pair; $4/$5 = an adjacent quoted
# number pair. The greedy .* means the rightmost pair that still lets the rest match wins,
# so the capture depends on the CSV column order staying fixed.
# NOTE(review): dstport is taken from $4 here, but 9527/9529 take it from $5 with the same
# regex shape - one of the two mappings is likely wrong; confirm against a sample record.
# NOTE(review): type:firewall here vs type:connection on the UDP discard in 9523 - confirm.
id=9520
name=This Stonegate firewall discarded a TCP connection.
match=ack
match=","Packet filter",
match=ion
match=ar
match=ed
match=","Connection discarded",
match=onnection
match=onnect
match=ect
match=TCP
match="TCP
regex="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*"([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)","([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*"([0-9]+)","([0-9]+)"
log=event:Stonegate-Connection_Discarded_TCP sensor:$1 proto:6 srcip:$2 dstip:$3 dstport:$4 type:firewall

NEXT

# id 9521 - TCP "New connection" packet-filter notification (Allow).
# regex: $1 = sensor IP; $2/$3 = adjacent quoted IP pair; $4/$5 = adjacent quoted number
# pair; dstport is emitted from $4 (9527/9529 use $5 for the same shape - confirm).
id=9521
name=This Stonegate firewall allowed a TCP connection.
match=ack
match=ion
match=","Packet filter","Notification","
match=","New connection","
match="TCP
match=onnection
match=onnect
match=ect
match=TCP
match=lo
match=Allow
regex="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*"([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)","([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*"([0-9]+)","([0-9]+)"
log=event:Stonegate-New_Connection_Allowed_TCP sensor:$1 proto:6 srcip:$2 dstip:$3 dstport:$4 type:connection

NEXT

# id 9522 - TCP "Incomplete connection closed" packet-filter notification.
# regex: $1 = sensor IP; $2/$3 = adjacent quoted IP pair (preceded by a comma);
# $4/$5 = adjacent quoted number pair; dstport is emitted from $4.
id=9522
name=This Stonegate firewall encountered an incomplete TCP connection.
match=ack
match=ion
match=","Packet filter","Notification","
match=lo
match=le
match=ed
match=","Incomplete connection closed"
match="TCP
match=onnection
match=onnect
match=ect
match=TCP
regex="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*,"([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)","([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*"([0-9]+)","([0-9]+)"
log=event:Stonegate-Connection_Incomplete_Closed_TCP sensor:$1 proto:6 srcip:$2 dstip:$3 dstport:$4 type:firewall

NEXT

# id 9523 - UDP "Connection discarded" packet-filter notification.
# regex captures only the sensor IP ($1) and one further quoted IP ($2); no dstip or
# port is captured, so the event carries srcip only.
# NOTE(review): the event name Stonegate-Connection_Discarded_UDP is also emitted by
# 19551 (NAT failure), so the two conditions cannot be told apart downstream.
id=9523
name=This Stonegate firewall discarded a UDP connection.
match=ack
match=ion
match=","Packet filter","Notification","
match=ar
match=ed
match=","Connection discarded",
match=onnection
match=onnect
match=ect
match=UDP
match="UDP
regex="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)",.*"([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
log=event:Stonegate-Connection_Discarded_UDP sensor:$1 proto:17 srcip:$2 type:connection

NEXT

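# id 9524 - ICMP "Related packet" packet-filter notification with action Allow.
# The name previously read "discarded an ICMP query", which contradicted both the
# match strings ("Related packet","Allow") and the emitted event
# (Stonegate-Connection_Allow_ICMP); the name now describes what the rule matches.
# regex: $1 = sensor IP; $2/$3 = adjacent quoted IP pair; no port is captured.
id=9524
name=This Stonegate firewall allowed a related ICMP packet.
match=ack
match=ion
match=","Packet filter","Notification","
match=lo
match=ate
match=ed
match=","Related packet","Allow",
match="ICMP
match=packet
match=ICMP
match=MP
regex="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*,"([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)","([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
log=event:Stonegate-Connection_Allow_ICMP sensor:$1 proto:1 srcip:$2 dstip:$3 type:connection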

NEXT

# id 9525 - UDP "New connection" packet-filter notification with action Allow.
# regex: $1 = sensor IP; $2/$3 = adjacent quoted IP pair; $4/$5 = adjacent quoted number
# pair; dstport is emitted from $4 (9529 uses $5 for the UDP close - confirm which is right).
id=9525
name=This Stonegate firewall allowed a UDP connection.
match=ack
match=ion
match=","Packet filter","Notification","
match=lo
match=","New connection","Allow",
match="UDP
match=onnection
match=onnect
match=ect
match=UDP
regex="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*,"([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)","([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*"([0-9]+)","([0-9]+)"
log=event:Stonegate-New_Connection_UDP sensor:$1 proto:17 srcip:$2 dstip:$3 dstport:$4 type:connection

NEXT

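# id 9526 - ICMP "Connection closed" packet-filter notification.
# The name previously read "discarded an ICMP query", which contradicted the match
# string ("Connection closed") and the emitted event (Stonegate-Connection_Closed_ICMP);
# the name now describes what the rule matches.
# regex: $1 = sensor IP; $2/$3 = adjacent quoted IP pair; no port is captured.
id=9526
name=This Stonegate firewall closed an ICMP connection.
match=ack
match=ion
match=","Packet filter","Notification","
match=lo
match=ed
match=","Connection closed",
match=onnection
match=onnect
match=ect
match=ICMP
match=MP
match="ICMP
regex="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*,"([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)","([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
log=event:Stonegate-Connection_Closed_ICMP sensor:$1 proto:1 srcip:$2 dstip:$3 type:connection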

NEXT

# id 9527 - TCP "Connection closed" packet-filter notification.
# regex: $1 = sensor IP; $2/$3 = adjacent quoted IP pair immediately followed by the
# quoted number pair $4/$5 (no .* between them); dstport is emitted from $5.
# NOTE(review): 9520/9521/9522 emit dstport from $4 for the same column layout - one of
# the two mappings is likely wrong; confirm against a sample record.
id=9527
name=This Stonegate firewall closed a TCP session.
match=ack
match=ion
match=","Packet filter","Notification","
match=lo
match=ed
match="Connection closed",
match="TCP
match=onnection
match=onnect
match=ect
match=TCP
regex="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*,"([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)","([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)","([0-9]+)","([0-9]+)"
log=event:Stonegate-Connection_Closed_TCP sensor:$1 proto:6 srcip:$2 dstip:$3 dstport:$5 type:connection

NEXT

# id 9528 - ICMP "New connection" packet-filter notification with action Allow.
# regex: $1 = sensor IP; $2/$3 = adjacent quoted IP pair; no port is captured.
id=9528
name=This Stonegate firewall allowed an ICMP query.
match=ack
match=ion
match=","Packet filter","Notification","
match=lo
match=","New connection","Allow",
match="ICMP
match=onnection
match=onnect
match=ect
match=ICMP
match=MP
regex="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*,"([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)","([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
log=event:Stonegate-New_Connection_ICMP sensor:$1 proto:1 srcip:$2 dstip:$3 type:connection

NEXT

# id 9529 - UDP "Connection closed" packet-filter notification.
# regex: $1 = sensor IP; $2/$3 = adjacent quoted IP pair; $4/$5 = adjacent quoted number
# pair; dstport is emitted from $5 (9525 uses $4 for the UDP allow - confirm which is right).
id=9529
name=This Stonegate firewall closed a UDP connection.
match=ack
match=ion
match=","Packet filter","Notification","
match=lo
match=ed
match=","Connection closed",
match=,"UDP
match=onnection
match=onnect
match=ect
match=UDP
regex="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*,"([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)","([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*"([0-9]+)","([0-9]+)"
log=event:Stonegate-Connection_Closed_UDP sensor:$1 proto:17 srcip:$2 dstip:$3 dstport:$5 type:connection

NEXT

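# id 9530 - ICMP "Connection discarded" packet-filter notification with action Discard.
# The name previously duplicated 9531's ("discarded an ICMP query"); it now distinguishes
# this connection-level discard from 9531's packet-level discard.
# regex: $1 = sensor IP; $2/$3 = adjacent quoted IP pair; no port is captured.
id=9530
name=This Stonegate firewall discarded an ICMP connection.
match=ack
match=ion
match=","Packet filter","Notification","
match=ar
match=ed
match=","Connection discarded","Discard",
match="ICMP
match=onnection
match=onnect
match=ect
match=ICMP
match=MP
regex="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*,"([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)","([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
log=event:Stonegate-Connection_Discarded_ICMP sensor:$1 proto:1 srcip:$2 dstip:$3 type:connection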

NEXT

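# id 9531 - ICMP "Packet discarded" packet-filter notification with action Discard.
# The name previously duplicated 9530's ("discarded an ICMP query"); it now distinguishes
# this packet-level discard from 9530's connection-level discard.
# regex: $1 = sensor IP; $2/$3 = adjacent quoted IP pair; $4 = the quoted number that
# follows three empty CSV fields after $3.
# NOTE(review): $4 is emitted as dstport although ICMP has no ports - this column is
# presumably the ICMP type or another field; confirm against a sample record.
id=9531
name=This Stonegate firewall discarded an ICMP packet.
match=ack
match=ion
match=","Packet filter","Notification","
match=ar
match=ed
match=","Packet discarded","Discard",
match="ICMP
match=ICMP
match=MP
regex="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*,"([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)","([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)",,,"([0-9]+)"
log=event:Stonegate-Packet_Discarded_ICMP sensor:$1 proto:1 srcip:$2 dstip:$3 dstport:$4 type:firewall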

NEXT

# id 9532 - "Protocol Agent" notification for TCP (no specific situation string matched).
# regex: $1 = sensor IP; $2/$3 = adjacent quoted IP pair; $4/$5 = adjacent quoted number
# pair, emitted as srcport/dstport respectively.
id=9532
name=This Stonegate firewall noticed a TCP session.
match=ent
match=ol
match=","Protocol Agent","
match=ion
match=","Notification",
match="TCP"
match=TCP
regex="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*,"([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)","([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*"([0-9]+)","([0-9]+)"
log=event:Stonegate-Notice_TCP sensor:$1 proto:6 srcip:$2 dstip:$3 srcport:$4 dstport:$5 type:firewall

NEXT

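# id 9533 - TCP "Related connection" packet-filter notification with action Allow.
# regex: $1 = sensor IP; $2/$3 = adjacent quoted IP pair; $4/$5 = adjacent quoted number
# pair; dstport is emitted from $4.
# The log line previously had a double space before dstport; it is now single-spaced like
# every other rule so the emitted record tokenises the same way.
id=9533
name=This Stonegate firewall allowed a new TCP session which was related to an existing TCP connection.
match=ack
match=ion
match=","Packet filter","Notification","
match=lo
match=ate
match=ed
match=","Related connection","Allow",
match="TCP
match=onnection
match=onnect
match=ect
match=TCP
regex="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*,"([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)","([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*"([0-9]+)","([0-9]+)"
log=event:Stonegate-Allow_Related_Connection_TCP sensor:$1 proto:6 srcip:$2 dstip:$3 dstport:$4 type:connection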

NEXT

# id 9534 - "Protocol Agent" error with situation "Undefined" for TCP.
# regex: $1 = sensor IP; $2/$3 = adjacent quoted IP pair; $4/$5 = adjacent quoted number
# pair, emitted as srcport/dstport respectively.
id=9534
name=This Stonegate firewall encountered an error in an existing TCP session.
match=ent
match=ol
match=,"Protocol Agent",
match=rr
match=ed
match=,"Error","Undefined",
match="TCP
match=TCP
regex="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*,"([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)","([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*"([0-9]+)","([0-9]+)"
log=event:Stonegate-Error_Undefined_TCP sensor:$1 proto:6 srcip:$2 dstip:$3 srcport:$4 dstport:$5 type:firewall

NEXT

# id 9535 - TCP "Packet discarded" packet-filter notification with action Discard.
# Only the bare substring TCP is matched (no quoted "TCP token as in sibling rules).
# regex: $1 = sensor IP; $2/$3 = adjacent quoted IP pair; $4/$5 = adjacent quoted number
# pair, emitted as srcport/dstport respectively.
id=9535
name=This Stonegate firewall discarded a TCP packet.
match=ack
match=ion
match=","Packet filter","Notification","
match=ar
match=ed
match=","Packet discarded","Discard",
match=TCP
regex="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*,"([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)","([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*"([0-9]+)","([0-9]+)"
log=event:Stonegate-Packet_Discarded_TCP sensor:$1 proto:6 srcip:$2 dstip:$3 srcport:$4 dstport:$5 type:firewall

NEXT

# id 9536 - TCP "Incomplete connection closed" notification with action Discard
# (9522 is the same situation string without the Discard action).
# regex: $1 = sensor IP; $2/$3 = adjacent quoted IP pair; $4/$5 = adjacent quoted number
# pair; dstport is emitted from $4.
id=9536
name=This Stonegate firewall discarded a TCP incomplete connection.
match=ack
match=ion
match=","Packet filter","Notification","
match=lo
match=ar
match=le
match=ed
match=Incomplete connection closed","Discard",
match="TCP"
match=TCP
match=onnection
match=onnect
match=ect
regex="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*,"([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)","([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*"([0-9]+)","([0-9]+)"
log=event:Stonegate-Connection_Incomplete_Discarded_TCP sensor:$1 proto:6 srcip:$2 dstip:$3 dstport:$4 type:firewall

NEXT

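# id 9537 - UDP "Connection discarded" packet-filter notification with action Refuse.
# Name corrected ("an UDP" -> "a UDP") and its trailing space removed.
# regex: $1 = sensor IP (followed by a comma); $2/$3 = adjacent quoted IP pair;
# $4/$5 = adjacent quoted number pair; dstport is emitted from $4.
id=9537
name=This Stonegate firewall discarded a UDP connection, refused.
match=ack
match=ion
match=","Packet filter","Notification","
match=ar
match=ed
match="Connection discarded","Refuse",
match="UDP
match=UDP
match=onnection
match=onnect
match=ect
regex="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)",.*,"([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)","([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*"([0-9]+)","([0-9]+)"
log=event:Stonegate-Connection_Discarded_Refuse_UDP sensor:$1 proto:17 srcip:$2 dstip:$3 dstport:$4 type:firewall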

NEXT

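# id 9538 - IGMP "Requested NAT cannot be done" notification with action Discard.
# Name reworded for grammar and its trailing space removed.
# regex: $1 = sensor IP; $2/$3 = adjacent quoted IP pair; $4 = the quoted number that
# follows three empty CSV fields after $3.
# NOTE(review): $4 is emitted as dstport although IGMP has no ports - confirm what this
# column holds before relying on it.
id=9538
name=This Stonegate firewall discarded an IGMP connection because the requested NAT could not be done.
match=ack
match=ion
match=","Packet filter","Notification","
match=AT
match=est
match=ar
match=ed
match="Requested NAT cannot be done","Discard",
match=an
match="IGMP
match=IGMP
match=MP
regex="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*,"([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)","([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)",,,"([0-9]+)"
log=event:Stonegate-Connection_Discarded_IGMP sensor:$1 proto:2 srcip:$2 dstip:$3 dstport:$4 type:firewall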

NEXT

# id 9539 - TCP "Connection discarded" packet-filter notification with action Refuse.
# regex: $1 = sensor IP; $2/$3 = adjacent quoted IP pair; $4/$5 = adjacent quoted number
# pair; dstport is emitted from $4.
id=9539
name=This Stonegate firewall discarded a TCP connection, refused.
match=ack
match=ion
match=","Packet filter","Notification","
match=ar
match=ed
match="Connection discarded","Refuse",
match="TCP
match=TCP
match=onnection
match=onnect
match=ect
regex="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*,"([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)","([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*"([0-9]+)","([0-9]+)"
log=event:Stonegate-Connection_Discarded_Refuse_TCP sensor:$1 proto:6 srcip:$2 dstip:$3 dstport:$4 type:firewall

NEXT

# id 9540 - UDP "Incomplete connection closed" notification with action Discard.
# regex: $1 = sensor IP; $2/$3 = adjacent quoted IP pair; $4/$5 = adjacent quoted number
# pair; dstport is emitted from $4.
id=9540
name=This Stonegate firewall discarded a UDP incomplete connection.
match=ack
match=ion
match=","Packet filter","Notification","
match=lo
match=ar
match=le
match=ed
match=Incomplete connection closed","Discard",
match="UDP
match=UDP
match=onnection
match=onnect
match=ect
regex="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*,"([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)","([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*"([0-9]+)","([0-9]+)"
log=event:Stonegate-Connection_Incomplete_Discarded_UDP sensor:$1 proto:17 srcip:$2 dstip:$3 dstport:$4 type:firewall

NEXT

# id 9541 - ICMP "Incomplete connection closed" notification with action Discard.
# regex: $1 = sensor IP; $2/$3 = adjacent quoted IP pair; no port is captured.
# NOTE(review): the regex ends without the closing quote after $3 that every sibling
# rule has; it still matches, but the inconsistency looks accidental.
id=9541
name=This Stonegate firewall discarded an ICMP incomplete connection.
match=ack
match=ion
match=","Packet filter","Notification","
match=lo
match=ar
match=le
match=ed
match=Incomplete connection closed","Discard",
match="ICMP
match=ICMP
match=MP
match=ect
match=onnect
match=onnection
regex="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*,"([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)","([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Stonegate-Connection_Incomplete_Discarded_ICMP sensor:$1 proto:1 srcip:$2 dstip:$3 type:firewall

NEXT

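# id 9542 - "Protocol Agent" error "Application protocol data modification failed" (TCP).
# Name reworded into a sentence; the matched situation string is unchanged.
# regex: $1 = sensor IP; $2/$3 = adjacent quoted IP pair; $4/$5 = adjacent quoted number
# pair; dstport is emitted from $5.
id=9542
name=This Stonegate firewall protocol agent reported an error: application protocol data modification failed (TCP).
match=ent
match=ail
match=rr
match=ol
match=ion
match=le
match=ed
match=","Protocol Agent","Error","Application protocol data modification failed"
match=Application
match=pp
match=TCP
match="TCP
regex="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*,"([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)","([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*"([0-9]+)","([0-9]+)"
log=event:Stonegate-Protocol_Data_Modification_Failed_TCP sensor:$1 proto:6 srcip:$2 dstip:$3 dstport:$5 type:firewall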

NEXT

# id 9543 - IGMP "Connection discarded" packet-filter notification with action Refuse.
# regex: $1 = sensor IP; $2/$3 = adjacent quoted IP pair followed by a comma; no port.
id=9543
name=This Stonegate firewall refused an IGMP request.
match=ack
match=ion
match=ar
match=ed
match=","Packet filter","Notification","Connection discarded","Refuse",
match=ect
match=onnect
match=onnection
match=IGMP
match="IGMP
match=MP
regex="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*,"([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)","([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)",
log=event:Stonegate-Connection_Discarded_Refused_IGMP sensor:$1 proto:2 srcip:$2 dstip:$3 type:firewall

NEXT

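# id 9544 - IGMP "New connection" packet-filter notification with action Allow.
# Name corrected ("a IGMP" -> "an IGMP").
# regex: $1 = sensor IP; $2/$3 = adjacent quoted IP pair; $4 = the quoted number that
# follows three empty CSV fields after $3.
# NOTE(review): $4 is emitted as dstport although IGMP has no ports - confirm what this
# column holds before relying on it.
id=9544
name=This Stonegate firewall allowed an IGMP connection.
match=ack
match=ion
match=","Packet filter","Notification","
match=","New connection","
match=ect
match=onnect
match=onnection
match=lo
match=","Allow",
match=IGMP
match=MP
match="IGMP
regex="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*,"([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)","([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)",,,"([0-9]+)"
log=event:Stonegate-New_Connection_Allowed_IGMP sensor:$1 proto:2 srcip:$2 dstip:$3 dstport:$4 type:connection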

NEXT

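# id 9545 - TCP "Requested NAT cannot be done" notification with action Discard.
# Name normalised to "NAT" (the matched situation string and rules 9538/19551 spell it
# that way).
# regex: $1 = sensor IP; $2/$3 = adjacent quoted IP pair; $4/$5 = adjacent quoted number
# pair, emitted as srcport/dstport respectively.
id=9545
name=This Stonegate firewall reported that a requested NAT could not be done, and discarded the connection.
match=ack
match=ion
match=","Packet filter","Notification","
match=AT
match=est
match=ed
match=Requested NAT cannot be done",
match=an
match=ar
match="Discard",
match="TCP
match=TCP
regex="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*,"([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)","([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*"([0-9]+)","([0-9]+)"
log=event:Stonegate-NAT_Could_Not_Be_Done_Discarded sensor:$1 proto:6 srcip:$2 dstip:$3 srcport:$4 dstport:$5 type:firewall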

NEXT

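# id 9546 - system message: load level above threshold. No regex; the event carries
# no sensor/IP fields.
# The log line previously read "log= event:..." with a space after "=", unlike every
# other rule; normalised to "log=event:..." so the emitted record is not prefixed by
# a stray space.
id=9546
name=This Stonegate firewall is reporting a high load level.
match=St
match=StoneG
match=ol
match=lo
match=le
match=load level is above the threshold
log=event:Stonegate-High_Load_Level type:system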

NEXT

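# id 9547 - system message: load back to normal ("Load OK "). No regex; the event
# carries no sensor/IP fields. The trailing space in the "Load OK " match is kept as-is
# (it may be deliberate to anchor the token).
# The log line previously read "log= event:..." with a space after "=", unlike every
# other rule; normalised to "log=event:...".
id=9547
name=This Stonegate firewall is reporting a normal load level.
match=St
match=StoneG
match=Lo
match=Load OK 
log=event:Stonegate-Normal_Load_Level type:system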

NEXT

# id 9548 - packet-filter "Diagnostic" with situation "Invalid packet".
# regex captures only the sensor IP ($1); no src/dst fields are emitted. proto:6 is
# hard-coded on the strength of the bare TCP substring match.
id=9548
name=This Stonegate firewall diagnostics reported an invalid packet.
match=ack
match=","Packet filter",
match="Diagnostic",
match="Invalid packet",
match=TCP
regex="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)","Packet filter",
log=event:Stonegate-Diagnostic_Invalid_Packet sensor:$1 proto:6 type:firewall

NEXT

# id 9549 - packet-filter "Diagnostic" whose situation text ends in discarded".
# regex: $1 = sensor IP; $2/$3 = adjacent quoted IP pair; $4/$5 = adjacent quoted number
# pair; dstport is emitted from $5.
id=9549
name=This Stonegate firewall diagnostics reported that a packet was discarded.
match=ack
match=","Packet filter",
match="Diagnostic","
match=ar
match=ed
match=discarded",
match="TCP
match=TCP
regex="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*,"([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)","([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*"([0-9]+)","([0-9]+)"
log=event:Stonegate-Diagnostic_Packet_Discarded sensor:$1 proto:6 srcip:$2 dstip:$3 dstport:$5 type:firewall

NEXT

# id 19550 - "Protocol Agent" diagnostic for TCP. The id series jumps from 95xx to
# 195xx from here on; presumably intentional.
# regex: $1 = sensor IP; $2/$3 = adjacent quoted IP pair; $4/$5 = adjacent quoted number
# pair; dstport is emitted from $5.
id=19550
name=This Stonegate firewall diagnostics reported parameters for a protocol agent.
match=ent
match=ol
match=,"Protocol Agent"
match="Diagnostic"
match="TCP
match=TCP
regex="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*,"([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)","([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*"([0-9]+)","([0-9]+)"
log=event:Stonegate-Diagnostic_Protocol_Agent sensor:$1 proto:6 srcip:$2 dstip:$3 dstport:$5 type:firewall

NEXT

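# id 19551 - UDP "Requested NAT cannot be done" notification with action Discard.
# Name reworded for grammar only.
# regex: $1 = sensor IP; $2/$3 = adjacent quoted IP pair; $4/$5 = adjacent quoted number
# pair; dstport is emitted from $5.
# NOTE(review): the event name Stonegate-Connection_Discarded_UDP is the same one 9523
# emits for a plain UDP discard, so NAT failures are indistinguishable from ordinary
# discards downstream; a distinct name (9545 uses Stonegate-NAT_Could_Not_Be_Done_Discarded
# for TCP) would fix that, but is left unchanged here because consumers may key on it.
id=19551
name=This Stonegate firewall discarded a UDP connection because the requested NAT could not be done.
match=ack
match=ion
match=","Packet filter","Notification","
match=AT
match=est
match=ar
match=ed
match="Requested NAT cannot be done","Discard",
match=an
match="UDP
match=UDP
regex="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*,"([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)","([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*"([0-9]+)","([0-9]+)"
log=event:Stonegate-Connection_Discarded_UDP sensor:$1 proto:17 srcip:$2 dstip:$3 dstport:$5 type:firewall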

NEXT

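# id 19552 - IPsec notification "IKE-Phase-...-SA-Deleted".
# Name reworded into a sentence (the matched strings are unchanged).
# regex: $1 = sensor IP; $2/$3 = adjacent quoted IP pair; $4/$5 = adjacent quoted number
# pair; dstport is emitted from $5.
# NOTE(review): proto:6 (TCP) is hard-coded although no protocol token is matched; IKE
# normally runs over UDP, so confirm the proto value against a sample record before
# filtering on it.
id=19552
name=This Stonegate firewall reported an IPsec notification: IKE phase 1 or 2 SA deleted.
match=ion
match=","IPsec","Notification"
match=,"IKE-Phase-
match=IKE
match=le
match=ed
match=-SA-Deleted"
regex="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*,"([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)","([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*"([0-9]+)","([0-9]+)"
log=event:Stonegate-IKE_Phase_1_Or_2_Deleted sensor:$1 proto:6 srcip:$2 dstip:$3 dstport:$5 type:firewall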

NEXT

# id 19553 - UDP "New connection through VPN" packet-filter notification, action Allow.
# regex: $1 = sensor IP; $2/$3 = adjacent quoted IP pair; $4/$5 = adjacent quoted number
# pair; dstport is emitted from $5.
id=19553
name=This Stonegate firewall reported a new UDP connection through the VPN.
match=ack
match=ion
match="Packet filter","Notification"
match=,"New connection through VPN"
match=onnection
match=onnect
match=ect
match=lo
match="Allow"
match=UDP
regex="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*,"([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)","([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*"([0-9]+)","([0-9]+)"
log=event:Stonegate-VPN_New_Connection_UDP sensor:$1 proto:17 srcip:$2 dstip:$3 dstport:$5 type:connection

NEXT

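# id 19554 - IPsec notification "IKE-Phase-...-Initiator-Done".
# Name reworded into a sentence (the matched strings are unchanged).
# regex: $1 = sensor IP; $2/$3 = adjacent quoted IP pair; no port is captured.
# NOTE(review): proto:6 is hard-coded although no protocol token is matched; IKE
# normally runs over UDP - confirm against a sample record.
id=19554
name=This Stonegate firewall reported an IPsec notification: IKE phase 1 or 2 initiator done.
match=ion
match=","IPsec","Notification"
match="IKE-Phase-
match=IKE
match=-Initiator-Done"
match=Do
regex="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*,"([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)","([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
log=event:Stonegate-IKE_Phase_1_Or_2_Initiator_Done sensor:$1 proto:6 srcip:$2 dstip:$3 type:firewall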

NEXT

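# id 19555 - IPsec notification "IKE-Phase-...-Responder-Done".
# Name reworded into a sentence (the matched strings are unchanged).
# regex: $1 = sensor IP; $2/$3 = adjacent quoted IP pair; no port is captured.
# NOTE(review): proto:6 is hard-coded although no protocol token is matched; IKE
# normally runs over UDP - confirm against a sample record.
id=19555
name=This Stonegate firewall reported an IPsec notification: IKE phase 1 or 2 responder done.
match=ion
match=","IPsec","Notification"
match="IKE-Phase-
match=IKE
match=-Responder-Done"
match=Do
regex="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*,"([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)","([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
log=event:Stonegate-IKE_Phase_1_Or_2_Responder_Done sensor:$1 proto:6 srcip:$2 dstip:$3 type:firewall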

NEXT

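# id 19556 - IPsec error "IKE-Rejected-Message" with reason "Unknown IKE cookie".
# Name reworded into a sentence (the matched strings are unchanged). Repeated hits from
# one peer are worth a look: rejected IKE messages with unknown cookies can indicate a
# misconfigured or stale peer as well as unsolicited traffic.
# regex: $1 = sensor IP; $2/$3 = adjacent quoted IP pair; no port is captured.
# NOTE(review): proto:6 is hard-coded although no protocol token is matched; IKE
# normally runs over UDP - confirm against a sample record.
id=19556
name=This Stonegate firewall reported an IPsec error: an IKE message was rejected because of an unknown IKE cookie.
match=rr
match=","IPsec","Error"
match=IKE
match=now
match="Unknown IKE cookie"
match=ed
match=ss
match=,"IKE-Rejected-Message"
match=ect
regex="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*,"([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)","([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
log=event:Stonegate-IKE_Rejected_Message sensor:$1 proto:6 srcip:$2 dstip:$3 type:error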

NEXT

# id 19557 - ICMP "Related packet" notification carrying "(Host Unreachable)", action Allow.
# Unlike 9524 this rule does not match the "Packet filter" facility string.
# regex: $1 = sensor IP; $2/$3 = adjacent quoted IP pair; no port is captured.
id=19557
name=This Stonegate firewall reported that a host is unreachable.
match=ack
match=lo
match=ate
match=ion
match=ed
match="Notification","Related packet","Allow"
match=packet
match=le
match=(Host Unreachable)","ICMP"
match=ICMP
match=MP
regex="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*,"([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)","([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
log=event:Stonegate-Host_Unreachable sensor:$1 proto:1 srcip:$2 dstip:$3 type:firewall

NEXT

# id 19558 - ICMP "Connection discarded" notification carrying "(Port Unreachable)",
# action Refuse.
# regex: $1 = sensor IP; $2/$3 = adjacent quoted IP pair; no port is captured.
id=19558
name=This Stonegate firewall reported that a port is unreachable.
match=ion
match=ar
match=ed
match="Notification","Connection discarded","Refuse"
match=ect
match=onnect
match=onnection
match=le
match=(Port Unreachable)","ICMP"
match=ICMP
match=MP
regex="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*,"([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)","([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
log=event:Stonegate-Port_Unreachable sensor:$1 proto:1 srcip:$2 dstip:$3 type:firewall

NEXT

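# id 19559 - IPsec error "IKE-No-Proposal-Chosen".
# Name reworded into a sentence (the matched strings are unchanged).
# regex: $1 = sensor IP; $2/$3 = adjacent quoted IP pair; no port is captured.
# NOTE(review): proto:6 is hard-coded although no protocol token is matched; IKE
# normally runs over UDP - confirm against a sample record.
id=19559
name=This Stonegate firewall reported an IPsec error: IKE no proposal chosen.
match=rr
match=","IPsec","Error"
match=,"IKE-No-Proposal-Chosen"
match=IKE
regex="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*,"([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)","([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
log=event:Stonegate-IKE_No_Proposal_Chosen sensor:$1 proto:6 srcip:$2 dstip:$3 type:error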

NEXT

# id 19560 - TCP "New connection through VPN" packet-filter notification, action Allow.
# regex: $1 = sensor IP; $2/$3 = adjacent quoted IP pair; $4/$5 = adjacent quoted number
# pair; dstport is emitted from $5.
id=19560
name=This Stonegate firewall reported a new TCP connection through the VPN.
match=ack
match=ion
match="Packet filter","Notification"
match=,"New connection through VPN"
match=onnection
match=onnect
match=ect
match=lo
match="Allow"
match=TCP
regex="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*,"([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)","([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*"([0-9]+)","([0-9]+)"
log=event:Stonegate-VPN_New_Connection_TCP sensor:$1 proto:6 srcip:$2 dstip:$3 dstport:$5 type:connection

NEXT

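# id 19561 - IPsec notification "IKE-Starting-Initiator-Negotiation".
# Name reworded into a sentence and its trailing space removed (the matched strings are
# unchanged).
# regex: $1 = sensor IP; $2/$3 = adjacent quoted IP pair; no port is captured.
# NOTE(review): proto:6 is hard-coded although no protocol token is matched; IKE
# normally runs over UDP - confirm against a sample record.
id=19561
name=This Stonegate firewall reported an IPsec notification: starting IKE main mode initiator negotiation.
match=ion
match=","IPsec","Notification"
match=St
match=ing
match=ar
match=,"IKE-Starting-Initiator-Negotiation"
match=IKE
regex="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*,"([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)","([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
log=event:Stonegate-IKE_Starting_Initiator_Negotiation sensor:$1 proto:6 srcip:$2 dstip:$3 type:firewall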

NEXT

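# id 19562 - IPsec notification "IKE-Starting-Responder-Negotiation".
# Name reworded into a sentence (the matched strings are unchanged).
# regex: $1 = sensor IP; $2/$3 = adjacent quoted IP pair; no port is captured.
# NOTE(review): proto:6 is hard-coded although no protocol token is matched; IKE
# normally runs over UDP - confirm against a sample record.
id=19562
name=This Stonegate firewall reported an IPsec notification: starting IKE main mode responder negotiation.
match=ion
match=","IPsec","Notification"
match=St
match=ing
match=ar
match=,"IKE-Starting-Responder-Negotiation"
match=IKE
regex="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*,"([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)","([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
log=event:Stonegate-IKE_Starting_Responder_Negotiation sensor:$1 proto:6 srcip:$2 dstip:$3 type:firewall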

NEXT

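# id 19564 - IPsec notification "IPSEC_ESP-SA-Lookup-Failure" (no id 19563 in this file).
# Name reworded into a sentence naming the matched situation (the matched strings are
# unchanged). ESP packets with no matching SA from a peer are worth correlating with
# 19552 (SA deleted) before treating them as hostile.
# regex: $1 = sensor IP; $2/$3 = adjacent quoted IP pair; no port is captured.
# NOTE(review): proto:6 is hard-coded although no protocol token is matched; ESP is its
# own IP protocol rather than TCP - confirm the proto value against a sample record.
id=19564
name=This Stonegate firewall reported an IPsec ESP SA lookup failure.
match=IP
match=ion
match=","IPsec","Notification"
match=ail
match=Lo
match=,"IPSEC_ESP-SA-Lookup-Failure"
match=SE
regex="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*,"([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)","([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
log=event:Stonegate-ESP_SA_Lookup_Failure sensor:$1 proto:6 srcip:$2 dstip:$3 type:error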

NEXT

# id 19565 - generic packet-filter "Connection closed" notification with no protocol token.
# regex: $1 = sensor IP; $2/$3 = adjacent quoted IP pair; no port is captured.
# NOTE(review): proto:6 is hard-coded although nothing here constrains the protocol, and
# 9526/9527/9529 already match ICMP/TCP/UDP "Connection closed" records; which rule
# fires for a given record depends on the engine's evaluation order, which this file
# does not show - confirm this rule does not shadow or duplicate them.
id=19565
name=This Stonegate firewall reported that a connection has closed.
match=,"Packet filter"
match=ck
match=ion
match=ter
match="Notification"
match=nn
match=sed
match="Connection closed"
regex="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*,"([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)","([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
log=event:Stonegate-Connection_Closed sensor:$1 proto:6 srcip:$2 dstip:$3 type:connection