# THUNDER PRM LIBRARY
# Copyright 2004 Tenable Network Security
# This library may only be used with the Thunder server and may not
# be used with other products or open source projects
#
# NAME:
# Cisco Router Firewall
#
# DESCRIPTION:
# This library is used to process logs from the Cisco Router
# which are sent via SYSLOG. The SYSLOG messages must be sent either
# directly to the Thunder server, or to a UNIX server running a Thunder
# client which is 'tailing' a SYSLOG file on that system. 
#
# LAST UPDATE: $Date$

##############
# DENY RULES #
##############

# Rule 1100: ACL log entry for a denied TCP packet (%SEC-6-IPACCESSLOGP).
# The short match= fragments (%SEC, SE, cp, ed, ...) are presumably substring
# prefilters that must all be present before regex= is evaluated; order is kept as-is.
# regex groups: $1 source IP, $3 source port, $4 destination IP, $6 destination
# port ($2 and $5 are the inner octet-repeat groups and are not reported).
id=1100
name=The Cisco router denied TCP traffic.
match=%SEC
match=SE
match=%SEC-6-IPACCESSLOGP: 
match=cp
match=ed
match= denied tcp 
regex=denied tcp ([0-9]+(\.[0-9]+){3})\(([0-9]+)\)\s*-> ([0-9]+(\.[0-9]+){3})\(([0-9]+)\)
log=event:Cisco-Blocked_TCP srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:firewall

NEXT

# Rule 1101: ACL log entry for a denied UDP packet (%SEC-6-IPACCESSLOGP).
# Same group layout as the TCP rule: $1 source IP, $3 source port,
# $4 destination IP, $6 destination port; proto:17 is reported as UDP.
id=1101
name=The Cisco router denied UDP traffic.
match=%SEC
match=SE
match=%SEC-6-IPACCESSLOGP: 
match=ed
match= denied udp 
regex=denied udp ([0-9]+(\.[0-9]+){3})\(([0-9]+)\)\s*-> ([0-9]+(\.[0-9]+){3})\(([0-9]+)\)
log=event:Cisco-Blocked_UDP srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:17 type:firewall

NEXT

# Rule 1102: ACL log entry for a denied ICMP packet (%SEC-6-IPACCESSLOGDP).
# ICMP has no ports, so the regex captures only the two addresses:
# $1 source IP, $3 destination IP ($2 and $4 are octet-repeat groups).
id=1102
name=The Cisco router denied ICMP traffic.
match=%SEC
match=SE
match=%SEC-6-IPACCESSLOGDP: 
match=ed
match= denied icmp 
regex=denied icmp ([0-9]+(\.[0-9]+){3})\s*-> ([0-9]+(\.[0-9]+){3})
log=event:Cisco-Blocked_ICMP srcip:$1 dstip:$3 proto:1 type:firewall

NEXT

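# Rule 1103: standard-ACL log entry for a denied address (%SEC-6-IPACCESSLOGS).
# The regex captures a single address: $1 is the denied IP and $2 is only the
# octet-repeat group. There is no third group, so the former "dstip:$3" could
# never resolve and has been removed; the event now reports srcip only.
# "match= denied " was added so the substring prefilter rejects the permitted
# variant of this message (handled by rule 1168) before the regex runs.
id=1103
name=The Cisco router denied IP address
match=%SEC
match=SE
match=%SEC-6-IPACCESSLOGS: list 
match=ack
match= packet
match= denied 
regex=denied ([0-9]+(\.[0-9]+){3})
log=event:Cisco-Blocked_IP srcip:$1 type:firewall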


################
# ACCEPT RULES #
################

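# Rule separator. The trailing space that followed NEXT on this line was removed so
# that a separator parser which compares the token exactly still closes rule 1103
# before rule 1150 begins (every other separator in this file is a bare NEXT).
NEXT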

# Rule 1150: ACL log entry for a permitted TCP packet (%SEC-6-IPACCESSLOGP).
# Mirror of rule 1100 with "permitted" instead of "denied"; reported as
# type:connection rather than type:firewall.
# regex groups: $1 source IP, $3 source port, $4 destination IP, $6 destination port.
id=1150
name=The Cisco router permitted TCP traffic.
match=%SEC
match=SE
match=%SEC-6-IPACCESSLOGP:
match=cp
match=ed
match= permitted tcp
regex=permitted tcp ([0-9]+(\.[0-9]+){3})\(([0-9]+)\)\s*-> ([0-9]+(\.[0-9]+){3})\(([0-9]+)\)
log=event:Cisco-Allowed_TCP srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:connection

NEXT

# Rule 1151: ACL log entry for a permitted UDP packet (%SEC-6-IPACCESSLOGP).
# regex groups: $1 source IP, $3 source port, $4 destination IP, $6 destination port.
id=1151
name=The Cisco router permitted UDP traffic.
match=%SEC
match=SE
match=%SEC-6-IPACCESSLOGP:
match=ed
match= permitted udp 
regex=permitted udp ([0-9]+(\.[0-9]+){3})\(([0-9]+)\)\s*-> ([0-9]+(\.[0-9]+){3})\(([0-9]+)\)
log=event:Cisco-Allowed_UDP srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:17 type:connection

NEXT

# Rule 1152: ACL log entry for a permitted ICMP packet (%SEC-6-IPACCESSLOGDP).
# No ports in this message; $1 is the source IP and $3 the destination IP.
id=1152
name=The Cisco router permitted ICMP traffic.
match=%SEC
match=SE
match=%SEC-6-IPACCESSLOGDP: 
match=ed
match= permitted icmp 
regex=permitted icmp ([0-9]+(\.[0-9]+){3})\s*-> ([0-9]+(\.[0-9]+){3})
log=event:Cisco-Allowed_ICMP srcip:$1 dstip:$3 proto:1 type:connection

NEXT

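# Rule 1153: ACL log entry for a permitted GRE packet (%SEC-6-IPACCESSLOGRP).
# $1 is the source IP and $3 the destination IP (no ports for GRE).
# proto:47 (the IP protocol number of GRE) was added so this event carries a
# protocol field like the TCP/UDP/ICMP rules; the stray double space before
# "type:" was normalised to a single space.
id=1153
name=The Cisco router permitted GRE traffic.
match=%SEC
match=%SEC-6-IPACCESSLOGRP: 
match=SE
match=ed
match= permitted gre 
regex=permitted gre ([0-9]+(\.[0-9]+){3})\s*-> ([0-9]+(\.[0-9]+){3})
log=event:Cisco-Allowed_GRE srcip:$1 dstip:$3 proto:47 type:connection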

NEXT

# Rule 1154: the router rate-limited its ACL logging and missed entries
# (%SEC-6-IPACCESSLOGRL). This is a health indicator, not a per-packet event:
# while it is being raised, the deny/permit rules above are not seeing every hit.
# The message carries no address fields, so there is no regex= and no srcip/dstip.
id=1154
name=The Cisco router has missed packets.
match=%SEC
match=SE
match=lo
match=log
match=ate
match=ing
match=ce
match=ed
match=ss
match=%SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed
log=event:Cisco-Limited_Or_Missed_Packets type:error


#######################################
# Successful and Failed Login attempts #
#######################################

NEXT

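# Rule 1160: successful login to the router (%SEC_LOGIN-5-LOGIN_SUCCESS).
# $1 is the address reported after "Source:". The regex now allows optional
# whitespace between "Source:" and the address, so it matches both the
# "[Source:1.2.3.4]" form the original regex expected and a "[Source: 1.2.3.4]"
# form; previously matching lines still match unchanged.
id=1160
name=The Cisco router had a successful login.
match=%SEC
match=SE
match=%SEC_LOGIN-5-LOGIN_SUCCESS:
match=IN
regex=Source:\s*([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Cisco-Successful_Login srcip:$1 type:login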

NEXT

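# Rule 1161: failed login to the router (%SEC_LOGIN-4-LOGIN_FAILED).
# regex groups: $1 user name (not reported), $2 address after "Source:",
# $3 number after "localport:".
# Changes from the previous version:
#  - optional whitespace is tolerated after each "label:" and between the
#    bracketed fields, and the user name accepts any character except "]", so
#    user names containing characters outside [a-zA-Z0-9._-] no longer cause the
#    whole failed-login event to be lost; lines that matched before still match.
#  - the trailing literal space after the localport digits is no longer required.
#  - localport is the port on the router that the login arrived at, i.e. the
#    responder side of the connection, so it is reported as dstport (as the
#    FW session rules do for the responder port) instead of srcport.
id=1161
name=The Cisco router had a failed login.
match=%SEC
match=SE
match=%SEC_LOGIN-4-LOGIN_FAILED:
match=IN
regex=\[user:\s*([^\]]+)\]\s*\[Source:\s*([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\]\s*\[localport:\s*([0-9]+)
log=event:Cisco-Failed_Login srcip:$2 dstport:$3 type:login-failure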

NEXT

# Rule 1162: a connection attempt to the router's rsh service was refused
# (%RCMD-4-RSHPORTATTEMPT). $1 is the address following "RSHELL from".
# Reported as type:login-failure, the same class as a failed console/vty login.
id=1162
name=RSHELL connect attempt
match=onnect
match=ect
match=RT
match=tem
match=AT
match=rom
match=ed
match=pt
match= %RCMD-4-RSHPORTATTEMPT: Attempted to connect to RSHELL from
regex=RSHELL from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Cisco-RSHELL_Connect_Attempt srcip:$1 type:login-failure

##############
# MISC LOGS  #
##############

NEXT

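# Rule 1163: line protocol on an interface changed state to down
# (%LINEPROTO-5-UPDOWN ... changed state to down).
# This rule has no regex=, so there is no capture group to reference; the
# previous "srcip:$1" pointed at a group that does not exist and has been
# removed. What follows "Line protocol on " is presumably an interface name,
# not an address, so no srcip/dstip is extracted here.
id=1163
name=The Cisco router has a line in the down state.
match=ed
match=changed
match=OT
match=ol
match=: %LINEPROTO-5-UPDOWN: Line protocol on 
match=IN
match=sta
match=ate
match=, changed state to down
log=event:Cisco-Line_Down type:system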

NEXT

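# Rule 1164: line protocol on an interface changed state to up
# (%LINEPROTO-5-UPDOWN ... changed state to up).
# This rule has no regex=, so there is no capture group to reference; the
# previous "srcip:$1" pointed at a group that does not exist and has been
# removed. What follows "Line protocol on " is presumably an interface name,
# not an address, so no srcip/dstip is extracted here.
id=1164
name=The Cisco router has a line in the up state.
match=OT
match=ol
match=: %LINEPROTO-5-UPDOWN: Line protocol on 
match=IN
match=ed
match=changed
match=sta
match=ate
match=, changed state to up
log=event:Cisco-Line_Up type:system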

NEXT

# Rule 1165: running configuration changed from the console (%SYS-5-CONFIG_I).
# $1 is the parenthesised address that follows "Configured from console ...",
# i.e. the host the administrator session came from. Configuration changes are
# worth correlating with change tickets; the SNMP variant is rule 1170.
id=1165
name=The Cisco router has had a configuration change. 
match=SYS
match=ol
match=le
match=onsole
match=: %SYS-5-CONFIG_I: 
match=rom
match=ed
match=: %SYS-5-CONFIG_I: Configured from console by
regex=Configured from console .*\(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\)
log=event:Cisco-Configured_From_Console srcip:$1 type:system

NEXT

# Rule 1166: SNMP request rejected for a bad community/credentials
# (%SNMP-3-AUTHFAIL). $1 is the address after "req from host".
# Reported as type:access-denied; repeated hits from one source are a
# useful signal of community-string guessing.
id=1166
name=The Cisco router has had a failed SNMP probe. 
match=MP
match=SNMP
match=ent
match=ail
match=ion
match=: %SNMP-3-AUTHFAIL: Authentication failure for SNMP
regex=%SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Cisco-SNMP_Authentication_Failure srcip:$1 type:access-denied

NEXT

# Rule 1167: HSRP/standby state change on a VLAN interface from Standby to
# Active (%STANDBY-6-STATECHANGE). The message carries no address fields, so
# there is no regex=; only the event and type are reported.
id=1167
name=The Cisco router has had a standby vlan become active.
match= ->
match=AT
match=: %STANDBY-6-STATECHANGE: Vlan
match=ST
match=St
match=Standby -> Active
log=event:Cisco-Statechange_From_Standby_To_Active type:system

NEXT

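# Rule 1168: standard-ACL log entry for a permitted address
# (%SEC-6-IPACCESSLOGS). $1 is the address after "permitted"; the message
# has no destination or port fields. Counterpart of rule 1103 (denied).
# "match= permitted " was added so the substring prefilter rejects the denied
# variant of this message before the regex is evaluated.
id=1168
name=This Cisco router passed traffic from an IP address.
match=%SEC
match=SE
match=: %SEC-6-IPACCESSLOGS: 
match= permitted 
regex= permitted ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Cisco-List_Permitted srcip:$1 type:connection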

NEXT

# Rule 1169: the router received an IPsec packet it has no matching SA/policy
# for (%ACE-6-UNEXP_OUTBOUND_IPSEC). $1 is "src IP", $2 is "dst IP".
# Reported as type:error; a burst of these can indicate a peer with a stale
# or mismatched tunnel configuration.
id=1169
name=This Cisco router received unexpected VPN traffic.
match=%ACE
match=: %ACE-6-UNEXP_OUTBOUND_IPSEC: 
match=SE
match=ack
match=ce
match=ed
match=: received unexpected IPsec packet: src IP: 
match=ect
regex=src IP: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+); dst IP: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+);
log=event:Cisco-Unexpected_Outbound_IPSEC srcip:$1 dstip:$2 type:error

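# Rule separator. The trailing space that followed NEXT on this line was removed so
# that a separator parser which compares the token exactly still closes rule 1169
# before rule 1170 begins (every other separator in this file is a bare NEXT).
NEXT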

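# Rule 1170: running configuration changed via SNMP (%SYS-5-CONFIG_I ... by snmp).
# $1 is the address between "Configured from" and "by snmp", i.e. the SNMP
# manager that pushed the change. Console-driven changes are rule 1165.
# The rule name was corrected ("re-configure from snmp" -> "re-configured from SNMP").
id=1170
name=This Cisco router was re-configured from SNMP.
match=SYS
match=%SYS
match=: %SYS-5-CONFIG_I: 
match=rom
match=ed
match=: %SYS-5-CONFIG_I: Configured from 
match= by snmp
regex=Configured from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) by snmp
log=event:Cisco-Configured_By_SNMP srcip:$1 type:system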

NEXT

# Rule 1171: an SNMP WriteNet request caused the router to send its running
# configuration to a remote host (%SYS-4-SNMP_WRITENET).
# $1 is the address after "Writing current configuration to", i.e. the host
# that RECEIVES the configuration.
# NOTE(review): that address is the destination of the transfer, yet it is
# reported as srcip rather than dstip; confirm whether this is intended before
# building correlation on it. A configuration export to an unexpected host is a
# high-value event regardless of which field carries the address.
id=1171
name=The Cisco router wrote its configuration to an SNMP device. 
match=MP
match=SNMP
match=SYS
match=est
match=EN
match=: %SYS-4-SNMP_WRITENET: SNMP WriteNet request.
match=%SYS
regex=Writing current configuration to ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Cisco-Config_Obtained_By_SNMP srcip:$1 type:system

NEXT

# Rule 1172: IOS Firewall audit trail, end of a TCP session
# (%FW-6-SESS_AUDIT_TRAIL ... Stop tcp session).
# regex groups: $1/$2 initiator address and port (reported as src),
# $3/$4 responder address and port (reported as dst). The ".*" between the
# two sides skips whatever the router prints there (byte counts etc.).
id=1172
name=The Cisco router had stopped a TCP session.
match=FW
match=RA
match=%FW-6-SESS_AUDIT_TRAIL:
match=TR
match=SE
match=cp
match=tcp
match=ion
match=ss
match=session
match=St
match=Stop tcp session: initiator
regex=Stop tcp session: initiator \(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+)\) .* responder \(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+)\) sent
log=event:Cisco-Stop_TCP_Session srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:connection

NEXT

# Rule 1173: IOS Firewall audit trail, end of a UDP session
# (%FW-6-SESS_AUDIT_TRAIL ... Stop udp session).
# regex groups: $1/$2 initiator address and port (src), $3/$4 responder
# address and port (dst); proto:17 marks the event as UDP.
id=1173
name=The Cisco router had stopped a UDP session.
match=FW
match=RA
match=%FW-6-SESS_AUDIT_TRAIL:
match=TR
match=SE
match=St
match=ion
match=ss
match=Stop udp session: initiator
match=udp
match=session
regex=Stop udp session: initiator \(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+)\) .* responder \(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+)\) sent
log=event:Cisco-Stop_UDP_Session srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:17 type:connection

NEXT

# Rule 1174: IOS Firewall audit trail, start of a TCP session
# (%FW-6-SESS_AUDIT_TRAIL_START ... Start tcp session).
# regex groups: $1/$2 initiator address and port (src), $3/$4 responder
# address and port (dst). Unlike the Stop rules the regex does not anchor on a
# trailing "sent" because the start message carries no byte counts.
id=1174
name=The Cisco router had started a TCP session.
match=FW
match=RT
match=RA
match=%FW-6-SESS_AUDIT_TRAIL_START:
match=ST
match=TR
match=SE
match=cp
match=tcp
match=ion
match=ss
match=session
match=St
match=ar
match=Start tcp session: initiator
regex=Start tcp session: initiator \(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+)\) .* responder \(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+)\)
log=event:Cisco-Start_TCP_Session srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:connection

NEXT

# Rule 1175: IOS Firewall audit trail, start of a UDP session
# (%FW-6-SESS_AUDIT_TRAIL_START ... Start udp session).
# regex groups: $1/$2 initiator address and port (src), $3/$4 responder
# address and port (dst); proto:17 marks the event as UDP.
id=1175
name=The Cisco router had started a UDP session.
match=FW
match=RA
match=%FW-6-SESS_AUDIT_TRAIL_START:
match=RT
match=ST
match=TR
match=SE
match=udp
match=ion
match=ss
match=session
match=St
match=ar
match=Start udp session: initiator
regex=Start udp session: initiator \(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+)\) .* responder \(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+)\)
log=event:Cisco-Start_UDP_Session srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:17 type:connection

NEXT

# Rule 1176: IOS Firewall periodic log summary (%FW-6-LOG_SUMMARY).
# The regex picks up the "a.b.c.d:port => e.f.g.h:port" pair from the summary:
# $1/$2 source address and port, $3/$4 destination address and port.
# No protocol field is available from this regex, so none is reported.
id=1176
name=The Cisco router has issued a log summary
match=FW
match=%FW-6-LOG_SUMMARY
match=ack
match=packet
match=rom
match=ed
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+) => ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+)
log=event:Cisco-Log_Summary srcip:$1 srcport:$2 dstip:$3 dstport:$4 type:system

NEXT

# Rule 1177: IOS Firewall passed a packet (%FW-6-PASS_PKT ... Passing).
# Same "a.b.c.d:port => e.f.g.h:port" layout as the log summary:
# $1/$2 source address and port, $3/$4 destination address and port.
id=1177
name=The Cisco router has passed a packet.
match=FW
match=%FW-6-PASS_PKT
match=ss
match=ass
match=ing
match= Passing
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+) => ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+)
log=event:Cisco-Passing_Packet srcip:$1 srcport:$2 dstip:$3 dstport:$4 type:connection

NEXT

# Rule 1178: IOS Firewall dropped a session (%FW-6-DROP_PKT ... Dropping ... session).
# Here the two endpoints are separated by a single space rather than "=>":
# $1/$2 source address and port, $3/$4 destination address and port.
# Reported as type:firewall like the ACL deny rules.
id=1178
name=The Cisco router has dropped a session.
match=FW
match= %FW-6-DROP_PKT
match=ion
match=ing
match=ss
match=Dropping
match=session
match=pp
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+) ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+)
log=event:Cisco-Dropped_Session srcip:$1 srcport:$2 dstip:$3 dstport:$4 type:firewall

NEXT

# Rule 1179: a BGP neighbor adjacency came up ("neighbor a.b.c.d Up").
# The match= set keys on "neighbor", "CHANGE" and "Up" rather than on a
# specific %BGP message ID. $1 is the neighbor address; since the neighbor is
# the remote peer it is reported as dstip.
id=1179
name=The Cisco router has a BGP neighbor up.
match=neighbor
match=CHANGE
match=Up
match=CH
match=bo
match=AN
match=ei
match=gh
regex=neighbor ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) Up
log=event:Cisco-BGP_Neighbor_Up dstip:$1 type:system

NEXT

# Rule 1180: a BGP neighbor adjacency went down ("neighbor a.b.c.d Down").
# Counterpart of rule 1179; $1 is the neighbor (remote peer) address, reported
# as dstip. Unexpected neighbor flaps are worth alerting on, since a peer reset
# can be the visible symptom of a route-injection or session-reset attempt.
id=1180
name=The Cisco router has a BGP neighbor down.
match=neighbor
match=CHANGE
match=Down
match=CH
match=bo
match=AN
match=ei
match=gh
regex=neighbor ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) Down
log=event:Cisco-BGP_Neighbor_Down dstip:$1 type:system

NEXT

# Rule 1181: a BGP topology base was removed from a session
# (message contains "neighbor", "SESSION", "CHANGE", "from", "IP" and "gy"
# as in "topology"). $1 is the neighbor address that follows "neighbor",
# reported as dstip for consistency with rules 1179 and 1180.
id=1181
name=The Cisco router had a topology base removed from a BGP session.
match=neighbor
match=CHANGE
match=SESSION
match=move
match=session
match=from
match=IP
match=gy
regex=neighbor ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Cisco-BGP_Session_Changed dstip:$1 type:system