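# Copyright 2004 Tenable Network Security
# This library may only be used with the Thunder server and may not
# be used with other products or open source projects
#
# NAME:
# FreeBSD log parser
#
# DESCRIPTION:
# This library is used to process logs from FreeBSD systems.
#
# LAST UPDATE: $Date$
#
# Rule layout as used throughout this file:
#   id=N        unique rule number
#   name=...    analyst-facing description of what the matched log line means
#   match=...   literal fragment that must appear in the log line; a leading
#               '!' (e.g. "match=!User 'root'") inverts the test so the
#               fragment must be ABSENT. A space directly after '=' appears
#               to be part of the fragment (compare "match= pid" with
#               "match=: pid") and is kept as found.
#   regex=...   optional pattern; its capture groups are referenced as
#               $1..$N in the log= line
#   log=...     event name plus attributes (type, proto, srcip, ...) to emit
#   NEXT        terminates the rule
# NOTE(review): the very short fragments ("match=rom", "match=le", ...)
# presumably act as a cheap pre-filter before the longer fragment or regex is
# applied; they are reproduced exactly. Whether fragment matching is
# case-sensitive is not visible from this file -- confirm against the server.

# A NIC entering promiscuous mode is the classic sniffer indicator, which is
# what name= asserts. Bridging and IDS sensors do the same thing legitimately,
# so correlate with the accounting events (1230/1231) to see who ran what.
id=1200
name=This system enabled promiscuous mode. This means a sniffer is active.
match=kernel
match=rom
match=le
match=ed
match=romiscuous mode enabled
regex=/kernel:.*romiscuous mode enabled
log=event:Promiscuous_Mode_Enabled type:system
NEXT

id=1201
name=This system disabled promiscuous mode. This means a sniffer is no longer active.
match=kernel
match=rom
match=le
match=ed
match=romiscuous mode disabled
regex=/kernel:.*romiscuous mode disabled
log=event:Promiscuous_Mode_Disabled type:system
NEXT

# Duplicate-address reports are not only misconfiguration; they are also a
# symptom of ARP spoofing / MITM on the segment. Worth correlating across hosts.
id=1202
name=This system has encountered another local system using the same IP address.
match=ing
match=ss
match= is using my IP address
match=kernel
regex=/kernel: .* is using my IP address
log=event:FreeBSD-IP_Address_In_Use type:error
NEXT

# 1203-1205: kernel rate limiters. 1203 is the generic ICMP bandwidth message,
# 1204 the ping-response limiter, 1205 the closed-port RST limiter (which is
# what fires under a port scan, hence type:scanning). Presumably governed by
# the net.inet.icmp.icmplim sysctl -- confirm for the target release.
id=1203
name=This system has reached its ICMP bandwidth limit. The system may be under an ICMP denial of service attack.
match=kernel
match=icmp
match=kernel: icmp-response bandwidth limit
match=an
log=event:FreeBSD-ICMP_Bandwidth_Limit type:system proto:1
NEXT

id=1204
name=This system is limiting its ICMP ping responses. The system may be under an ICMP denial of service attack or being scanned.
match=kernel
match=ing
match=kernel: Limiting icmp ping response
log=event:FreeBSD-ICMP_Limiting_Ping_Response type:scanning proto:1
NEXT

id=1205
name=This system has reached its TCP bandwidth limit. The system may be under a TCP denial of service attack.
match=kernel
match=rom
match=lo
match=ing
match=ed
match=kernel: Limiting closed port RST response from
match=ST
log=event:FreeBSD-Limiting_RST_Response type:scanning proto:6
NEXT

# login(1) refused a root login with reason NOROOT (presumably the terminal is
# not marked secure in /etc/ttys -- confirm). No tty or host is extracted.
id=1206
name=This system refused a root login (NOROOT).
match=lo
match=log
match=login
match=OT
match=OOT
match=ROOT
match=login: LOGIN root REFUSED (NOROOT)
match=IN
log=event:FreeBSD-Refused_ROOT_Login type:login-failure
NEXT

# srcip is whatever token follows "FROM". login(1) logs the remote host as it
# knows it, so $1 may be a hostname rather than a dotted quad -- confirm how
# the server treats a non-numeric srcip. The event name misspells "Multiple";
# it is left unchanged because downstream filters and reports presumably key
# on the exact string, so rename it only as a coordinated change.
id=1207
name=This Unix system had a login failure.
match=lo
match=log
match=login
match= LOGIN FAILURES FROM
match=IN
regex=FROM (\S+)
log=event:FreeBSD-Mulitple_Login_Failures type:login-failure srcip:$1
NEXT

# Regex groups: $1 dst ip, $3 dst port, $4 src ip, $6 src port ($2 and $5 are
# the inner dotted-quad tails and are unused). NOTE(review): FreeBSD prints
# "Connection attempt to TCP ..." from its log_in_vain path, i.e. for ports
# with NO listener; the name= wording ("running service") looks inverted --
# confirm before relying on it. Either way this is the rule that yields the
# scanner's source address.
id=1208
name=This system has logged a TCP connection attempt to a running service.
match=kernel
match=tem
match=ion
match=pt
match=kernel: Connection attempt to TCP
match=ect
regex=/kernel: Connection attempt to TCP ([0-9]+(\.[0-9]+){3}):([0-9]+) from ([0-9]+(\.[0-9]+){3}):([0-9]+)
log=event:FreeBSD-TCP_Connection_Attempt srcip:$4 srcport:$6 dstip:$1 dstport:$3 proto:6 type:connection
NEXT

# syslogd running in secure mode dropped inbound network syslog. The message
# carries no peer address, so dstport 514/udp is asserted statically.
id=1209
name=This system syslog daemon has discarded packets.
match=lo
match=log
match=yslog
match=ar
match=ed
match=syslogd: discarded
match=ack
match=packet
match=ecu
match= unwanted packets in secure mode
match=an
log=event:FreeBSD-syslogd_Discarded_Packets type:system dstport:514 proto:17
NEXT

# A failed svc_reg(tcp) from rpc.cmsd is treated as an exploit indicator. Any
# other cause of a failed registration (e.g. portmapper unavailable) fires
# too, so expect some false positives.
id=1211
name=This system has logged an rpc.cmsd connection which is likely an exploit attempt.
match=rpc.cmsd
match=ail
match=le
match=ed
match=ailed
match=rr
match=cp
match=daemon.error] svc_reg(tcp) failed
match=mon
log=event:FreeBSD-rpc.cmsd_Exploit_Attempt type:intrusion
NEXT

# Only short fragments plus "rpc.statd" and "hostname" are required; the set
# looks aimed at statd's "Invalid hostname to monitor"-style messages.
# NOTE(review): no long fragment or regex anchors this rule, so any rpc.statd
# line containing "hostname" and these tokens is classed as an intrusion;
# adding the full message text as a match= would tighten it.
id=1212
name=This system has logged an rpc.statd connection which is likely an exploit attempt.
match=sta
match=rpc.statd
match=ho
match=ame
match=In
match=hostname
match=on
match=host
match=al
match=na
match=me
match=mo
match=li
match=mon
match=to
match=st
match=name
log=event:RPC-STATD_Exploit_Attempt type:intrusion
NEXT

# Root (uid 0) process exited on a signal AND dumped core: "core d" is a
# required fragment, so signal exits without a core dump are matched by
# neither 1213 nor 1219.
id=1213
name=This system had a root (uid 0) process exit on signal. If many of these occur it could mean the system is experiencing hardware or resource issues. It can also mean the system is under attack.
match=kernel
match= pid
match=, uid 0:
match=ed
match=: exited on signal
match=signal
match=core d
log=event:FreeBSD-Root_Process_Exited type:process
NEXT

# 1214-1216: calife is presumably a su/sudo-style privilege-elevation tool
# (the matched form is " calife+[pid]: ..."). BAD CALIFE is a failed attempt;
# BEGIN/END bracket an elevated session. No user name is extracted.
id=1214
name=This system detected calife usage.
match= calife+[
match=cal
match=]: BAD CALIFE
match=AL
log=event:FreeBSD-Failed_calife_Usage type:system
NEXT

id=1215
name=This system detected calife usage.
match= calife+[
match=cal
match= - BEGIN
match=IN
log=event:FreeBSD-Begin_calife_Usage type:system
NEXT

id=1216
name=This system detected calife usage.
match= calife+[
match=cal
match=EN
match= - END
log=event:FreeBSD-End_calife_Usage type:system
NEXT

# syslogd going away means every later host log is lost; treat as a possible
# log-evasion indicator, not only a crash.
id=1217
name=This system syslog daemon had to exit.
match=lo
match=log
match=yslog
match=ing
match= syslogd: exiting on signal
match=signal
log=event:FreeBSD-syslogd_Crash type:error
NEXT

# Kernel "file system full". 1228 below matches the same text without the
# "kernel" fragment and emits a different event name.
id=1218
name=This system has a full disk partition.
match=kernel
match=tem
match=le
match=file system full
log=event:FreeBSD-File_System_Full type:error
NEXT

# Non-root counterpart of 1213. uid 0 is excluded twice: by the negated
# fragment and by the regex's "uid [^0][0-9]*". "core d" is still required.
id=1219
name=This system had a non-root process exit on signal.
match=kernel
match=!, uid 0:
match=: pid
match=ed
match=: exited on signal
match=signal
match=core d
regex=pid .*, uid [^0][0-9]*: exited on signal [0-9]*
log=event:FreeBSD-NonRoot_Process_Exited type:process
NEXT

# 1220/1221: swap exhaustion. Besides hardware/capacity problems this is what
# a memory-exhaustion DoS looks like from the host; 1221 also names the killed
# pid in the message but nothing is extracted from it.
id=1220
name=This system is out of memory.
match=kernel
match=ail
match=ce
match=ace
match=le
match=ed
match=: swap_pager_getswapspace: failed
match=ailed
match=space
log=event:FreeBSD-Out_of_memory type:error
NEXT

id=1221
name=This system is out of swap space.
match=kernel
match=kernel: pid
match=le
match=ed
match=was killed
match=ce
match=ace
match=out of swap space
match=space
log=event:FreeBSD-Out_of_swap_space type:error
NEXT

# 1223/1224 both emit FreeBSD-Disk_Error: a READ command timeout and an ATA
# bus/channel reset respectively.
id=1223
name=This system had a command timeout due to a disk read error.
match=ommand
match=an
match=: READ com
match=ing
match= - resetting
log=event:FreeBSD-Disk_Error type:error
NEXT

id=1224
name=This system is resetting its disk drives.
match=ing
match=resetting
match=AT
match=: ATA i
log=event:FreeBSD-Disk_Error type:error
NEXT

# The captured dotted quad is the time SOURCE ntpdate adjusted against and is
# reported as srcip; it is not a client. An unexpected server here deserves a
# look, since timestamps feed every other rule. The regex is unanchored and
# assumes the first dotted quad on the line is that server -- confirm.
id=1225
name=This system has adjusted its time.
match=time
match=tp
match=ntp
match=ate
match=ntpdate[
match=date
match=ser
match=]: adjust time server
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:FreeBSD-Time_Adjusted type:system srcip:$1
NEXT

# pam_ldap bind failure with "Invalid credentials" during login. The user name
# in the message is not extracted, so brute-force counting must be done on
# the event stream, not per account.
id=1226
name=This system had an invalid login attempt.
match=rr
match=error
match=lo
match=log
match=ser
match=ing
match=login: pam_ldap: error trying to bind as user
match=ent
match=ed
match=(Invalid credentials)
log=event:FreeBSD-Login_Error type:login-failure
NEXT

# pflogd hit ENOSPC: firewall packet logging is effectively stopped while this
# persists, so later pf events may be missing rather than absent.
id=1227
name=This system has run out of disk space on a partition.
match=lo
match=log
match=pf
match=pflogd[
match=ce
match=ace
match=le
match=No space left
match=space
log=event:BSD-Disk_Full type:error
NEXT

id=1228
name=The system has a full file partition.
match=tem
match=le
match=: file system full
match=ystem
log=event:BSD-File_System_Full type:error
NEXT

# Account creation. Neither the new user name nor the actor is extracted.
id=1229
name=A new user was added to this system.
match=ser
match=:useradd]
match=user
match=) home /
match= made
log=event:BSD-User_Added type:system
NEXT

##############################################
#
# Accounting rules
#
##############################################
# 1230/1231 match a textual rendering of process-accounting records (the
# "User '...' executed command ... The process executed for ... during which
# an average of ... of memory was used." phrasing), presumably produced by a
# converter rather than raw acct(5) data -- confirm the producer. The negated
# page-fault fragments skip the per-process statistics lines. 1230 requires
# "User 'root'" and 1231 requires its absence, so the two never both fire.
id=1230
name=This FreeBSD server had a command issued by root. This log was generated through analysis of process accounting logs.
match=ser
match=User 'root'
match=User
match=an
match=ommand
match=ecu
match=ed
match= executed command
match=ce
match=ss
match= The process executed for
match=ing
match= during which an average of
match= of memory was used.
match=!minor page faults,
match=!major page faults,
log=event:FreeBSD-Root_Command_Issued type:process
NEXT

id=1231
name=This FreeBSD server had a command issued by a non-root system user.
match=!User 'root'
match=an
match=ommand
match=ecu
match=ed
match= executed command
match=ce
match=ss
match= The process executed for
match=ing
match= during which an average of
match= of memory was used.
match=!minor page faults,
match=!major page faults,
log=event:FreeBSD-User_Issued_Command type:process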