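# THUNDER PRM LIBRARY
# Copyright 2004 Tenable Network Security
# This library may only be used with the Thunder server and may not
# be used with other products or open source projects
#
# NAME:
# Cisco Router Firewall
#
# DESCRIPTION:
# This library is used to process logs from the Cisco Router
# which are sent via SYSLOG. The SYSLOG messages must be sent either
# directly to the Thunder server, or to a UNIX server running a Thunder
# client which is 'tailing' a SYSLOG file on that system.
#
# LAST UPDATE: $Date$
#
# RULE FORMAT (as used in this file; confirm against the Thunder PRM docs):
#   id=     numeric rule id, unique within this library
#   name=   human-readable description attached to the generated event
#   match=  literal substring of the syslog line; a rule carries several and
#           they appear to act as a cheap pre-filter before regex= is tried.
#           A leading space after '=' is part of the value (e.g. "match= denied tcp").
#   regex=  pattern whose parenthesised groups become $1, $2, ... in log=
#   log=    event name plus the fields (srcip, srcport, dstip, dstport, proto,
#           type) filled from the regex groups
#   NEXT    separates one rule from the following one
# Every $N used in a log= line must refer to a group that the rule's own
# regex= defines. The nested (\.[0-9]+) octet groups are counted too, which
# is why the TCP/UDP rules use $1/$3/$4/$6 and the ICMP/GRE rules $1/$3.
#
# REVIEW NOTES (2 fixes applied in this revision):
#   - 1103 referenced dstip:$3 but its regex defines only two groups; dropped.
#   - 1163/1164 referenced srcip:$1 but have no regex= line at all; dropped,
#     matching 1154 and 1167 which also log no address.
##############
# DENY RULES #
##############
# ACL deny of a TCP packet (IPACCESSLOGP carries ports in parentheses).
# groups: $1 src IP, $3 src port, $4 dst IP, $6 dst port; $2/$5 are octet groups
id=1100
name=The Cisco router denied TCP traffic.
match=%SEC
match=SE
match=%SEC-6-IPACCESSLOGP:
match=cp
match=ed
match= denied tcp
regex=denied tcp ([0-9]+(\.[0-9]+){3})\(([0-9]+)\)\s*-> ([0-9]+(\.[0-9]+){3})\(([0-9]+)\)
log=event:Cisco-Blocked_TCP srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:firewall
NEXT
# ACL deny of a UDP packet; same group layout as 1100.
id=1101
name=The Cisco router denied UDP traffic.
match=%SEC
match=SE
match=%SEC-6-IPACCESSLOGP:
match=ed
match= denied udp
regex=denied udp ([0-9]+(\.[0-9]+){3})\(([0-9]+)\)\s*-> ([0-9]+(\.[0-9]+){3})\(([0-9]+)\)
log=event:Cisco-Blocked_UDP srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:17 type:firewall
NEXT
# ACL deny of an ICMP packet (IPACCESSLOGDP has no ports).
# groups: $1 src IP, $3 dst IP; $2/$4 are octet groups
id=1102
name=The Cisco router denied ICMP traffic.
match=%SEC
match=SE
match=%SEC-6-IPACCESSLOGDP:
match=ed
match= denied icmp
regex=denied icmp ([0-9]+(\.[0-9]+){3})\s*-> ([0-9]+(\.[0-9]+){3})
log=event:Cisco-Blocked_ICMP srcip:$1 dstip:$3 proto:1 type:firewall
NEXT
# ACL deny logged by a standard list (IPACCESSLOGS): only a source IP is present.
# groups: $1 src IP; $2 is the octet group. No destination is captured, so the
# former dstip:$3 field (a group this regex never defines) has been removed.
id=1103
name=The Cisco router denied IP address
match=%SEC
match=SE
match=%SEC-6-IPACCESSLOGS: list
match=ack
match= packet
regex=denied ([0-9]+(\.[0-9]+){3})
log=event:Cisco-Blocked_IP srcip:$1 type:firewall
################
# ACCEPT RULES #
################
NEXT
# ACL permit of a TCP packet; same group layout as 1100, logged as a connection.
id=1150
name=The Cisco router permitted TCP traffic.
match=%SEC
match=SE
match=%SEC-6-IPACCESSLOGP:
match=cp
match=ed
match= permitted tcp
regex=permitted tcp ([0-9]+(\.[0-9]+){3})\(([0-9]+)\)\s*-> ([0-9]+(\.[0-9]+){3})\(([0-9]+)\)
log=event:Cisco-Allowed_TCP srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:connection
NEXT
# ACL permit of a UDP packet; same group layout as 1100.
id=1151
name=The Cisco router permitted UDP traffic.
match=%SEC
match=SE
match=%SEC-6-IPACCESSLOGP:
match=ed
match= permitted udp
regex=permitted udp ([0-9]+(\.[0-9]+){3})\(([0-9]+)\)\s*-> ([0-9]+(\.[0-9]+){3})\(([0-9]+)\)
log=event:Cisco-Allowed_UDP srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:17 type:connection
NEXT
# ACL permit of an ICMP packet; same group layout as 1102.
id=1152
name=The Cisco router permitted ICMP traffic.
match=%SEC
match=SE
match=%SEC-6-IPACCESSLOGDP:
match=ed
match= permitted icmp
regex=permitted icmp ([0-9]+(\.[0-9]+){3})\s*-> ([0-9]+(\.[0-9]+){3})
log=event:Cisco-Allowed_ICMP srcip:$1 dstip:$3 proto:1 type:connection
NEXT
# ACL permit of a GRE packet (IPACCESSLOGRP); groups as in 1102.
# No proto: field is set here, unlike the ICMP/TCP/UDP rules above.
id=1153
name=The Cisco router permitted GRE traffic.
match=%SEC
match=%SEC-6-IPACCESSLOGRP:
match=SE
match=ed
match= permitted gre
regex=permitted gre ([0-9]+(\.[0-9]+){3})\s*-> ([0-9]+(\.[0-9]+){3})
log=event:Cisco-Allowed_GRE srcip:$1 dstip:$3 type:connection
NEXT
# ACL logging was rate-limited, i.e. some deny/permit events above were never
# emitted by the router. Worth alerting on: a gap in firewall visibility.
# No regex= and no address fields.
id=1154
name=The Cisco router has missed packets.
match=%SEC
match=SE
match=lo
match=log
match=ate
match=ing
match=ce
match=ed
match=ss
match=%SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed
log=event:Cisco-Limited_Or_Missed_Packets type:error
#######################################
# Successful and Failed Login attempts #
#######################################
NEXT
# Interactive login succeeded. groups: $1 source IP.
# NOTE(review): the regex requires "Source:" to be followed directly by the
# address; IOS releases that log "[Source: a.b.c.d]" with a space after the
# colon will not match. Confirm against the target IOS output.
id=1160
name=The Cisco router had a successful login.
match=%SEC
match=SE
match=%SEC_LOGIN-5-LOGIN_SUCCESS:
match=IN
regex=Source:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Cisco-Successful_Login srcip:$1 type:login
NEXT
# Interactive login failed. groups: $1 user name (captured but not logged),
# $2 source IP, $3 local port. Same "Source:" spacing caveat as 1160 applies
# to "user:" and "localport:" here.
id=1161
name=The Cisco router had a failed login.
match=%SEC
match=SE
match=%SEC_LOGIN-4-LOGIN_FAILED:
match=IN
regex=\[user:([a-zA-Z0-9._-]+)\] \[Source:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\] \[localport:([0-9]+)
log=event:Cisco-Failed_Login srcip:$2 srcport:$3 type:login-failure
NEXT
# Connection attempt to the rsh port; treated as a login failure. groups: $1 source IP.
id=1162
name=RSHELL connect attempt
match=onnect
match=ect
match=RT
match=tem
match=AT
match=rom
match=ed
match=pt
match= %RCMD-4-RSHPORTATTEMPT: Attempted to connect to RSHELL from
regex=RSHELL from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Cisco-RSHELL_Connect_Attempt srcip:$1 type:login-failure
##############
# MISC LOGS #
##############
NEXT
# Interface line protocol went down. The message names an interface, not an
# address, and the rule has no regex=, so no $N group exists; the former
# srcip:$1 field has been removed (cf. 1154 and 1167).
id=1163
name=The Cisco router has a line in the down state.
match=ed
match=changed
match=OT
match=ol
match=: %LINEPROTO-5-UPDOWN: Line protocol on
match=IN
match=sta
match=ate
match=, changed state to down
log=event:Cisco-Line_Down type:system
NEXT
# Interface line protocol came up; same note as 1163.
id=1164
name=The Cisco router has a line in the up state.
match=OT
match=ol
match=: %LINEPROTO-5-UPDOWN: Line protocol on
match=IN
match=ed
match=changed
match=sta
match=ate
match=, changed state to up
log=event:Cisco-Line_Up type:system
NEXT
# Running configuration changed from the console/vty. groups: $1 is the
# address in parentheses at the end of the message (the operator's source).
# Configuration changes are a primary audit event; pair with 1170 for SNMP.
id=1165
name=The Cisco router has had a configuration change.
match=SYS
match=ol
match=le
match=onsole
match=: %SYS-5-CONFIG_I:
match=rom
match=ed
match=: %SYS-5-CONFIG_I: Configured from console by
regex=Configured from console .*\(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\)
log=event:Cisco-Configured_From_Console srcip:$1 type:system
NEXT
# SNMP request with a bad community / failed authentication. groups: $1 requester IP.
id=1166
name=The Cisco router has had a failed SNMP probe.
match=MP
match=SNMP
match=ent
match=ail
match=ion
match=: %SNMP-3-AUTHFAIL: Authentication failure for SNMP
regex=%SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Cisco-SNMP_Authentication_Failure srcip:$1 type:access-denied
NEXT
# HSRP/standby group on a VLAN took over as active. No regex=, no address fields.
id=1167
name=The Cisco router has had a standby vlan become active.
match= ->
match=AT
match=: %STANDBY-6-STATECHANGE: Vlan
match=ST
match=St
match=Standby -> Active
log=event:Cisco-Statechange_From_Standby_To_Active type:system
NEXT
# ACL permit logged by a standard list; the permit counterpart of 1103.
# groups: $1 source IP. Note the regex value starts with a space.
id=1168
name=This Cisco router passed traffic from an IP address.
match=%SEC
match=SE
match=: %SEC-6-IPACCESSLOGS:
regex= permitted ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Cisco-List_Permitted srcip:$1 type:connection
NEXT
# IPsec packet arrived that no SA expects. groups: $1 src IP, $2 dst IP.
id=1169
name=This Cisco router received unexpected VPN traffic.
match=%ACE
match=: %ACE-6-UNEXP_OUTBOUND_IPSEC:
match=SE
match=ack
match=ce
match=ed
match=: received unexpected IPsec packet: src IP:
match=ect
regex=src IP: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+); dst IP: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+);
log=event:Cisco-Unexpected_Outbound_IPSEC srcip:$1 dstip:$2 type:error
NEXT
# Configuration changed via an SNMP write. groups: $1 SNMP manager IP.
id=1170
name=This Cisco router was re-configure from snmp.
match=SYS
match=%SYS
match=: %SYS-5-CONFIG_I:
match=rom
match=ed
match=: %SYS-5-CONFIG_I: Configured from
match= by snmp
regex=Configured from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) by snmp
log=event:Cisco-Configured_By_SNMP srcip:$1 type:system
NEXT
# Router copied its running config to a remote host (SNMP WriteNet).
# groups: $1 is the host the configuration is written TO, yet it is logged as
# srcip. Kept as-is to preserve the existing event schema; consumers should
# read srcip here as the receiving host. Config exfiltration indicator.
id=1171
name=The Cisco router wrote its configuration to an SNMP device.
match=MP
match=SNMP
match=SYS
match=est
match=EN
match=: %SYS-4-SNMP_WRITENET: SNMP WriteNet request.
match=%SYS
regex=Writing current configuration to ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Cisco-Config_Obtained_By_SNMP srcip:$1 type:system
NEXT
# CBAC audit trail: TCP session closed. groups: $1/$2 initiator IP:port,
# $3/$4 responder IP:port. The trailing "sent" anchors the byte-count suffix.
id=1172
name=The Cisco router had stopped a TCP session.
match=FW
match=RA
match=%FW-6-SESS_AUDIT_TRAIL:
match=TR
match=SE
match=cp
match=tcp
match=ion
match=ss
match=session
match=St
match=Stop tcp session: initiator
regex=Stop tcp session: initiator \(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+)\) .* responder \(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+)\) sent
log=event:Cisco-Stop_TCP_Session srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:connection
NEXT
# CBAC audit trail: UDP session closed; groups as in 1172.
id=1173
name=The Cisco router had stopped a UDP session.
match=FW
match=RA
match=%FW-6-SESS_AUDIT_TRAIL:
match=TR
match=SE
match=St
match=ion
match=ss
match=Stop udp session: initiator
match=udp
match=session
regex=Stop udp session: initiator \(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+)\) .* responder \(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+)\) sent
log=event:Cisco-Stop_UDP_Session srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:17 type:connection
NEXT
# CBAC audit trail: TCP session opened; groups as in 1172 (no "sent" suffix).
id=1174
name=The Cisco router had started a TCP session.
match=FW
match=RT
match=RA
match=%FW-6-SESS_AUDIT_TRAIL_START:
match=ST
match=TR
match=SE
match=cp
match=tcp
match=ion
match=ss
match=session
match=St
match=ar
match=Start tcp session: initiator
regex=Start tcp session: initiator \(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+)\) .* responder \(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+)\)
log=event:Cisco-Start_TCP_Session srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:connection
NEXT
# CBAC audit trail: UDP session opened; groups as in 1172.
id=1175
name=The Cisco router had started a UDP session.
match=FW
match=RA
match=%FW-6-SESS_AUDIT_TRAIL_START:
match=RT
match=ST
match=TR
match=SE
match=udp
match=ion
match=ss
match=session
match=St
match=ar
match=Start udp session: initiator
regex=Start udp session: initiator \(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+)\) .* responder \(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+)\)
log=event:Cisco-Start_UDP_Session srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:17 type:connection
NEXT
# CBAC packet-count summary for a flow. groups: $1/$2 src IP:port, $3/$4 dst IP:port
# around a literal "=>".
id=1176
name=The Cisco router has issued a log summary
match=FW
match=%FW-6-LOG_SUMMARY
match=ack
match=packet
match=rom
match=ed
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+) => ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+)
log=event:Cisco-Log_Summary srcip:$1 srcport:$2 dstip:$3 dstport:$4 type:system
NEXT
# CBAC passed a packet; same group layout as 1176. Note "match= Passing" keeps
# its leading space.
id=1177
name=The Cisco router has passed a packet.
match=FW
match=%FW-6-PASS_PKT
match=ss
match=ass
match=ing
match= Passing
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+) => ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+)
log=event:Cisco-Passing_Packet srcip:$1 srcport:$2 dstip:$3 dstport:$4 type:connection
NEXT
# CBAC dropped a packet/session. Unlike 1176/1177 the two endpoints are
# separated only by a space (no "=>"). groups: $1/$2 src, $3/$4 dst.
id=1178
name=The Cisco router has dropped a session.
match=FW
match= %FW-6-DROP_PKT
match=ion
match=ing
match=ss
match=Dropping
match=session
match=pp
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+) ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+)
log=event:Cisco-Dropped_Session srcip:$1 srcport:$2 dstip:$3 dstport:$4 type:firewall
NEXT
# BGP neighbor came up. groups: $1 neighbor IP, logged as dstip (the peer).
id=1179
name=The Cisco router has a BGP neighbor up.
match=neighbor
match=CHANGE
match=Up
match=CH
match=bo
match=AN
match=ei
match=gh
regex=neighbor ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) Up
log=event:Cisco-BGP_Neighbor_Up dstip:$1 type:system
NEXT
# BGP neighbor went down; groups as in 1179. Repeated flaps are worth review.
id=1180
name=The Cisco router has a BGP neighbor down.
match=neighbor
match=CHANGE
match=Down
match=CH
match=bo
match=AN
match=ei
match=gh
regex=neighbor ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) Down
log=event:Cisco-BGP_Neighbor_Down dstip:$1 type:system
NEXT
# BGP session/topology change not covered by 1179/1180. groups: $1 neighbor IP.
# Note this regex lacks an "Up"/"Down" suffix, so it also matches the lines
# that 1179 and 1180 match; the match= pre-filters are what keep them apart.
id=1181
name=The Cisco router had a topology base removed from a BGP session.
match=neighbor
match=CHANGE
match=SESSION
match=move
match=session
match=from
match=IP
match=gy
regex=neighbor ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Cisco-BGP_Session_Changed dstip:$1 type:system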