# Copyright 2004 Tenable Network Security
# This library may only be used with the Thunder server and may not
# be used with other products or open source projects
#
# NAME:
# FreeBSD log parser
#
# DESCRIPTION:
# This library is used to process logs from FreeBSD systems.
#
# LAST UPDATE: $Date$

id=1200
name=This system enabled promiscuous mode. This means a sniffer is active.
match=kernel
match=rom
match=le
match=ed
match=romiscuous mode enabled
regex=/kernel:.*romiscuous mode enabled
log=event:Promiscuous_Mode_Enabled type:system

NEXT

id=1201
name=This system disabled promiscuous mode. This means a sniffer is no longer active.
match=kernel
match=rom
match=le
match=ed
match=romiscuous mode disabled
regex=/kernel:.*romiscuous mode disabled
log=event:Promiscuous_Mode_Disabled type:system

NEXT

id=1202
name=This system has encountered another local system using the same IP address.
match=ing
match=ss
match= is using my IP address
match=kernel
regex=/kernel: .* is using my IP address
log=event:FreeBSD-IP_Address_In_Use type:error

NEXT

id=1203
name=This system has reached its ICMP bandwidth limit. The system may be under an ICMP denial of service attack.
match=kernel
match=icmp
match=kernel: icmp-response bandwidth limit
match=an
log=event:FreeBSD-ICMP_Bandwidth_Limit type:system proto:1

NEXT

id=1204
name=This system is limiting ICMP ping responses because it has reached its ICMP bandwidth limit. The system may be under an ICMP denial of service attack.
match=kernel
match=ing
match=kernel: Limiting icmp ping response
log=event:FreeBSD-ICMP_Limiting_Ping_Response type:scanning proto:1

NEXT

id=1205
name=This system has reached its limit for RST responses to closed TCP ports. The system may be under a TCP denial of service attack.
match=kernel
match=rom
match=lo
match=ing
match=ed
match=kernel: Limiting closed port RST response from 
match=ST
log=event:FreeBSD-Limiting_RST_Response type:scanning proto:6

NEXT

id=1206
name=This system refused a root login (NOROOT).
match=lo
match=log
match=login
match=OT
match=OOT
match=ROOT
match=login: LOGIN root REFUSED (NOROOT)
match=IN
log=event:FreeBSD-Refused_ROOT_Login type:login-failure

NEXT

id=1207
name=This system logged repeated login failures.
match=lo
match=log
match=login
match= LOGIN FAILURES FROM
match=IN
regex=FROM (\S+)
log=event:FreeBSD-Mulitple_Login_Failures type:login-failure srcip:$1
# NOTE(review): the event name keeps the historical spelling "Mulitple"; it is the
# string downstream consumers key on, so correct it only together with every consumer.
# NOTE(review): $1 is whatever non-space token follows "FROM" -- if the login log
# carries a hostname there rather than an address, srcip receives the name; confirm
# against sample logs before relying on srcip for correlation.

NEXT

id=1208
name=This system has logged a TCP connection attempt to a running service.
match=kernel
match=tem
match=ion
match=pt
match=kernel: Connection attempt to TCP
match=ect
regex=/kernel: Connection attempt to TCP ([0-9]+(\.[0-9]+){3}):([0-9]+) from ([0-9]+(\.[0-9]+){3}):([0-9]+)
log=event:FreeBSD-TCP_Connection_Attempt srcip:$4 srcport:$6 dstip:$1 dstport:$3 proto:6 type:connection
# Capture groups in the regex above: 1 = destination IP, 2 = inner octet repeat,
# 3 = destination port, 4 = source IP, 5 = inner octet repeat, 6 = source port.
# The log line deliberately skips groups 2 and 5; renumber srcip/srcport/dstip/dstport
# if the address pattern is ever changed.

NEXT

id=1209
name=This system's syslog daemon has discarded packets.
match=lo
match=log
match=yslog
match=ar
match=ed
match=syslogd: discarded
match=ack
match=packet
match=ecu
match= unwanted packets in secure mode
match=an
log=event:FreeBSD-syslogd_Discarded_Packets type:system dstport:514 proto:17

NEXT

id=1211
name=This system has logged an rpc.cmsd connection which is likely an exploit attempt.
match=rpc.cmsd
match=ail
match=le
match=ed
match=ailed
match=rr
match=cp
match=daemon.error] svc_reg(tcp) failed
match=mon
log=event:FreeBSD-rpc.cmsd_Exploit_Attempt type:intrusion

NEXT

id=1212
name=This system has logged an rpc.statd connection which is likely an exploit attempt.
match=sta
match=rpc.statd
match=ho
match=ame
match=In
match=hostname
match=on
match=host
match=al
match=na
match=me
match=mo
match=li
match=mon
match=to
match=st
match=name
log=event:RPC-STATD_Exploit_Attempt type:intrusion
# NOTE(review): this rule has no regex, and most of its match fragments are substrings
# of "rpc.statd" and "hostname"; the effective requirements appear to be "rpc.statd",
# "hostname", "In", "mon", "al", "li" and "to" all being present on the line. Expect
# it to fire on routine statd messages that mention a hostname; validate it against
# benign samples before treating a hit as an intrusion.

NEXT

id=1213
name=This system had a process exit on signal. If many of these occur it could mean the system is experiencing hardware or resource issues. It can also mean the system is under attack.
match=kernel
match= pid 
match=, uid 0: 
match=ed
match=: exited on signal 
match=signal
match=core d
log=event:FreeBSD-Root_Process_Exited type:process

NEXT

id=1214
name=This system detected a failed calife usage (BAD CALIFE).
match= calife+[
match=cal
match=]: BAD CALIFE
match=AL
log=event:FreeBSD-Failed_calife_Usage type:system

NEXT

id=1215
name=This system detected the start of calife usage (BEGIN).
match= calife+[
match=cal
match= - BEGIN
match=IN
log=event:FreeBSD-Begin_calife_Usage type:system

NEXT

id=1216
name=This system detected the end of calife usage (END).
match= calife+[
match=cal
match=EN
match= - END
log=event:FreeBSD-End_calife_Usage type:system

NEXT

id=1217
name=This system's syslog daemon had to exit.
match=lo
match=log
match=yslog
match=ing
match= syslogd: exiting on signal 
match=signal
log=event:FreeBSD-syslogd_Crash type:error

NEXT

id=1218
name=This system has a full disk partition.
match=kernel
match=tem
match=le
match=file system full
log=event:FreeBSD-File_System_Full type:error

NEXT

id=1219
name=This system had a non-root process exit on signal.
match=kernel
match=!, uid 0:
match=: pid 
match=ed
match=: exited on signal 
match=signal
match=core d
regex=pid .*, uid [^0][0-9]*: exited on signal [0-9]*
log=event:FreeBSD-NonRoot_Process_Exited type:process
# Non-root counterpart of 1213: "!, uid 0:" above and "uid [^0][0-9]*" in the regex
# both exclude uid 0, so a root process exit is reported only by 1213.

NEXT

id=1220
name=This system is out of memory.
match=kernel
match=ail
match=ce
match=ace
match=le
match=ed
match=: swap_pager_getswapspace: failed
match=ailed
match=space
log=event:FreeBSD-Out_of_memory type:error

NEXT

id=1221
name=This system is out of swap space.
match=kernel
match=kernel: pid 
match=le
match=ed
match=was killed
match=ce
match=ace
match=out of swap space
match=space
log=event:FreeBSD-Out_of_swap_space type:error

NEXT

id=1223
name=This system had a command timeout due to a disk read error.
match=ommand
match=an
match=: READ com
match=ing
match= - resetting
log=event:FreeBSD-Disk_Error type:error

NEXT

id=1224
name=This system is resetting its disk drives.
match=ing
match=resetting
match=AT
match=: ATA i
log=event:FreeBSD-Disk_Error type:error

NEXT

id=1225
name=This system has adjusted its time.
match=time
match=tp
match=ntp
match=ate
match=ntpdate[
match=date
match=ser
match=]: adjust time server 
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)	
log=event:FreeBSD-Time_Adjusted type:system srcip:$1
# NOTE(review): the regex line above ends in trailing whitespace (it looks like a tab).
# If the parser keeps it, the pattern demands that character right after the address
# and srcip is never extracted; strip it once the parser's trimming behaviour is confirmed.

NEXT

id=1226
name=This system had an invalid login attempt.
match=rr
match=error
match=lo
match=log
match=ser
match=ing
match=login: pam_ldap: error trying to bind as user
match=ent
match=ed
match=(Invalid credentials)
log=event:FreeBSD-Login_Error type:login-failure

NEXT

id=1227
name=This system has run out of disk space on a partition.
match=lo
match=log
match=pf
match=pflogd[
match=ce
match=ace
match=le
match=No space left
match=space
log=event:BSD-Disk_Full type:error
# NOTE(review): "match=pflogd[" limits this rule to pflogd's "No space left" message;
# the same condition reported by other daemons is not caught here. The kernel's
# "file system full" message is covered separately by 1218 and 1228.

NEXT

id=1228
name=This system has a full file system partition.
match=tem
match=le
match=: file system full
match=ystem
log=event:BSD-File_System_Full type:error

NEXT

id=1229
name=A new user was added to this system.
match=ser
match=:useradd] 
match=user
match=) home /
match= made
log=event:BSD-User_Added type:system

##############################################
#
# Accounting rules
#
##############################################

NEXT

id=1230
name=This FreeBSD server had a command issued by root. This log was generated through analysis of process accounting logs.
match=ser
match=User 'root'
match=User
match=an
match=ommand
match=ecu
match=ed
match= executed command
match=ce
match=ss
match= The process executed for
match=ing
match= during which an average of
match= of memory was used.
match=!minor page faults,
match=!major page faults,
log=event:FreeBSD-Root_Command_Issued type:process

NEXT

id=1231
name=This FreeBSD server had a command issued by a non-root system user.
match=!User 'root'
match=an
match=ommand
match=ecu
match=ed
match= executed command
match=ce
match=ss
match= The process executed for
match=ing
match= during which an average of
match= of memory was used.
match=!minor page faults,
match=!major page faults,
log=event:FreeBSD-User_Issued_Command type:process
# NOTE(review): 1230 and 1231 share every positive match; they differ only in 1230
# requiring "User 'root'" and 1231 carrying "!User 'root'", so "!" presumably negates
# a match -- confirm against the parser documentation, otherwise both rules fire on
# root commands and the root/non-root split is lost.