# THUNDER PRM LIBRARY
# Copyright 2005 Tenable Network Security
# This library may only be used with the Thunder server and may not
# be used with other products or open source projects
#
# NAME:
# Cisco VPN Concentrator 
#
# DESCRIPTION:
# This library is used to process logs from a Cisco VPN Concentrator,
# which are sent via SYSLOG. The SYSLOG messages must be sent either
# directly to the LCE server, or to a UNIX server running an LCE
# client which is 'tailing' a SYSLOG file on that system.
#
# LAST UPDATE: $Date$


id=2101
name=This Cisco VPN Concentrator has received IKE Peer fragmentation capability flags.
match=IKEDBG
match=RPT
match=ent
match=ion
match=ed
match=ty
match=IKE Peer included IKE fragmentation capability flags:
regex=RPT=([0-9]+).* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Cisco-VPN_Concentrator_IKE_Peer dstip:$2 type:system

NEXT 

id=2102
name=This Cisco VPN Concentrator has received an unencrypted packet.
match=IKE
match=RPT
match=Group [
match=ack
match=ing
match=ce
match=ed
match=pt
match=] received an unencrypted packet when crypto active!! Dropping packet.
match=pp
match=an
regex=RPT=([0-9]+).* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Cisco-VPN_Concentrator_Dropping_Packet dstip:$2 type:firewall

NEXT 

id=2103
name=This Cisco VPN Concentrator has authenticated a user.
match=IKE
match=RPT
match=Group
match=ent
match=ate
match=ed
match=) authenticated.
match=ser
match=] User [
match=] User (
match=User
match=!ADMIN
regex=RPT=([0-9]+).* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*User.*\[([A-Za-z0-9._-]+)\]
log=event:Cisco-VPN_Concentrator_User_Authenticated type:login dstip:$2 user:$3

NEXT

id=2104
name=This Cisco VPN Concentrator has received a client connection.
match=IKE
match=RPT
match=Group [
match=ent
match=Client Type: 
regex=RPT=([0-9]+).* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*User.*\[([A-Za-z0-9._-]+)\]
log=event:Cisco-VPN_Concentrator_User_Client_Type dstip:$2 user:$3 type:connection 

NEXT

id=2105
name=This Cisco VPN Concentrator has made a connection. 
match=AUTH
match=RPT
match=Group [
match=ion
match=ed
match=ss
match=] connected, Session Type: 
match=onnect
match=ect
match=ser
match=User
regex=RPT=([0-9]+).*User.*\[([A-Za-z0-9._-]+)\]
log=event:Cisco-VPN_Concentrator_User_Connected user:$2 type:connection

NEXT

id=2106
name=This Cisco VPN Concentrator has completed Phase 1.
match=IKE
match=RPT
match=MP
match=Group [
match=] PHASE 1 COMPLETED
match=SE
regex=RPT=([0-9]+).* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*User.*\[([A-Za-z0-9._-]+)\]
log=event:Cisco-VPN_Concentrator_Phase_1_Completed dstip:$2 user:$3 type:system

NEXT

id=2107
name=This Cisco VPN Concentrator has received remote proxy host information.
match=IKE
match=RPT
match=Group [
match=lo
match=ce
match=ed
match=ss
match=] Received remote Proxy Host data in ID Payload: Address 
match=rem
regex=RPT=([0-9]+).* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*User.*\[([A-Za-z0-9._-]+)\]
log=event:Cisco-VPN_Concentrator_Received_Remote_Proxy dstip:$2 user:$3 type:system

NEXT

id=2108
name=This Cisco VPN Concentrator has received a local IP proxy subnet data message.
match=IKE
match=RPT
match=Group [
match=lo
match=ce
match=ed
match=ss
match=] Received local IP Proxy Subnet data in ID Payload:  Address 
match=cal
regex=RPT=([0-9]+).* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*User.*\[([A-Za-z0-9._-]+)\]
log=event:Cisco-VPN_Concentrator_Received_Local_IP_Proxy dstip:$2 user:$3 type:system


NEXT

id=2109
name=This Cisco VPN Concentrator has configured a remote IKE peer. 
match=IKE
match=RPT
match=Group [
match=ed
match=] IKE Remote Peer configured for 
regex=RPT=([0-9]+).* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*User.*\[([A-Za-z0-9._-]+)\]
log=event:Cisco-VPN_Concentrator_IKE_Remote_Peer dstip:$2 user:$3 type:system

NEXT

id=2110
name=This Cisco VPN Concentrator has rekeyed a long network VPN session.
match=IKE
match=RPT
match=Group [
match=rr
match=rom
match=ion
match=ing
match=] Overriding Initiator's IPSec rekeying duration from 
regex=RPT=([0-9]+).* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*User.*\[([A-Za-z0-9._-]+)\]
log=event:Cisco-VPN_Concentrator_Overriding_Initiator_Duration dstip:$2 user:$3 type:system


NEXT

id=2111
name=This Cisco VPN Concentrator has completed a user login.
match=IKE
match=RPT
match=Group
match=ser
match=ecu
match=ion
match=le
match=ty
match=Security negotiation complete for User (
match=Secur
regex=RPT=([0-9]+).* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*User.*\[([A-Za-z0-9._-]+)\]
log=event:Cisco-VPN_Concentrator_Negotiation_Complete dstip:$2 user:$3 type:login

NEXT

id=2112
name=This Cisco VPN Concentrator has logged a user through Phase 2. 
match=IKE
match=RPT
match=Group [
match=MP
match=] PHASE 2 COMPLETED (msgid=
match=SE
regex=RPT=([0-9]+).* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*User.*\[([A-Za-z0-9._-]+)\]
log=event:Cisco-VPN_Concentrator_Phase_2_Complete dstip:$2 user:$3 type:system

NEXT

id=2113
name=This Cisco VPN Concentrator has failed to synchronize its time with an NTP server. 
match=RA
match=EN
match=GENERAL
match=ER
match=RPT
match=TP
match=NTP
match=AL
match=ail
match=ion
match=le
match=ed
match=  NTP time synchronization failed - 
log=event:Cisco-VPN_Concentrator_Time_Sync_Failure type:error

NEXT

id=2114
name=This Cisco VPN Concentrator has terminated a connection.
match=peer
match=IKE
match=RPT
match=Group [
match=ate
match=ion
match=ed
match=] Connection terminated for peer 
match=onnection
match=onnect
match=ect
match=ser
match=User
regex=RPT=([0-9]+).* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*User.*\[([A-Za-z0-9._-]+)\]
log=event:Cisco-VPN_Concentrator_Connection_Terminated dstip:$2 user:$3 type:system

NEXT

id=2115
name=This Cisco VPN Concentrator has sent an IKE Delete message.
match=IKE
match=RPT
match=ser
match=User
match=Group [
match=ing
match=le
match=ss
match=] Sending IKE Delete With Reason message:
regex=RPT=([0-9]+).* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*User.*\[([A-Za-z0-9._-]+)\]
log=event:Cisco-VPN_Concentrator_IKE_Delete dstip:$2 user:$3 type:system

NEXT

id=2116
name=This Cisco VPN Concentrator had a user terminate their session.
match=AUTH
match=RPT
match=Group [
match=ion
match=ed
match=ss
match=] disconnected:  Session Type: IPSec  Duration:
match=onnect
match=ect
regex=RPT=([0-9]+).* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*User.*\[([A-Za-z0-9._-]+)\]
log=event:Cisco-VPN_Concentrator_Disconnect_Session dstip:$2 user:$3 type:logout

NEXT

id=2117
name=This Cisco VPN Concentrator has lost network connectivity with a remote user. 
match=IKE
match=RPT
match=Group [
match=ont
match=lo
match=ion
match=ing
match=le
match=] IKE lost contact with remote peer, deleting connection
match=rem
match=peer
match=connection
match=onnect
match=ect
regex=RPT=([0-9]+).* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*User.*\[([A-Za-z0-9._-]+)\]
log=event:Cisco-VPN_Concentrator_IKE_Lost_Contact dstip:$2 user:$3 type:error

NEXT

id=2118
name=This Cisco VPN Concentrator has had a user try to log in with a bad password.
match=reject
match=ect
match=AUTH
match=RPT
match=ent
match=ion
match=ed
match= Authentication rejected: Reason = 
regex=RPT=([0-9]+).* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Cisco-VPN_Concentrator_Auth_Rejected srcip:$2 type:login-failure

NEXT

id=2119
name=This Cisco VPN Concentrator has had a failed admin login.
match=AUTH
match=RPT
match=ser
match=User [
match=User
match=ent
match=tem
match=lo
match=log
match=ail
match=St
match=ion
match=ed
match=pt
match=] attempted ADMIN logon.. Status: <REFUSED> authentication failure !
match=IN
log=event:Cisco-VPN_Concentrator_Failed_Admin_Login type:login-failure 

NEXT

id=2120
name=This Cisco VPN Concentrator has had an admin login.
match=AUTH
match=RPT
match=ser
match=User [
match=User
match=tem
match=lo
match=log
match=RA
match=St
match=ed
match=pt
match=] attempted ADMIN logon.. Status: <ACCESS GRANTED>
match=IN
regex=RPT=([0-9]+).* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Cisco-VPN_Concentrator_Admin_Login type:login srcip:$2

NEXT

id=2121
name=This Cisco VPN Concentrator has completed a user login.
match=IKE
match=RPT
match=Group
match=ecu
match=ion
match=le
match=ty
match=Security negotiation complete for
match=Secur
match=!User
regex=RPT=([0-9]+).* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).* Group
log=event:Cisco-VPN_Concentrator_Negotiation_Complete dstip:$2 type:system

NEXT

id=2122
name=This Cisco VPN Concentrator has logged a user through Phase 2.
match=IKE
match=RPT
match=Group [
match=MP
match=] PHASE 2 COMPLETED (msgid=
match=SE
match=!User
regex=RPT=([0-9]+).* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).* Group
log=event:Cisco-VPN_Concentrator_Phase_2_Complete dstip:$2 type:system

NEXT

id=2123
name=This Cisco VPN Concentrator could not find centry for IPSec; message deleted.
match=IKE
match=RPT
match=ent
match=ce
match=Could not find centry for IPSec
log=event:Cisco-VPN_Concentrator_No_Centry_IPSec type:error

NEXT

id=2124
name=This Cisco VPN Concentrator IKE Initiator is rekeying Phase 2.
match=IKE
match=RPT
match=ing
match=IKE Initiator: Rekeying Phase
regex=IKE Peer ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) 
log=event:Cisco-VPN_Concentrator_Rekeying dstip:$1 type:system

NEXT

id=2125
name=This Cisco VPN Concentrator has completed Phase 1.
match=IKE
match=RPT
match=Group [
match=] PHASE 1 COMPLETED
match=SE
match=!User
regex=RPT=([0-9]+).* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).* Group 
log=event:Cisco-VPN_Concentrator_Phase_1_Completed dstip:$2 type:system

NEXT

id=2126
name=This Cisco VPN Concentrator has received remote IP proxy subnet data.
match=IKE
match=RPT
match=Group [
match=lo
match=ce
match=ed
match=Received remote IP Proxy Subnet data in ID Payload
match=rem
match=!User
regex=RPT=([0-9]+).* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).* Group
log=event:Cisco-VPN_Concentrator_Received_Remote_Proxy dstip:$2 type:system

NEXT

id=2127
name=This Cisco VPN Concentrator has received a local proxy host data message.
match=IKE
match=RPT
match=Group [
match=lo
match=ce
match=ed
match=] Received local Proxy Host data in ID Payload:
match=cal
match=!User
regex=RPT=([0-9]+).* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).* Group 
log=event:Cisco-VPN_Concentrator_Received_Local_Proxy dstip:$2 type:system

NEXT

id=2128
name=This Cisco VPN Concentrator has configured a remote IKE peer.
match=IKE
match=RPT
match=Group [
match=ed
match=] IKE Remote Peer configured for
match=!User
regex=RPT=([0-9]+).* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).* Group
log=event:Cisco-VPN_Concentrator_IKE_Remote_Peer dstip:$2 type:system