X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=blobdiff_plain;f=debian%2Fossec-hids%2Fvar%2Fossec%2Frules%2Fpix_rules.xml;fp=debian%2Fossec-hids%2Fvar%2Fossec%2Frules%2Fpix_rules.xml;h=ab83089d36bafd46d2fd8a2a35c61143b660ec7b;hp=0000000000000000000000000000000000000000;hb=3f728675941dc69d4e544d3a880a56240a6e394a;hpb=927951d1c1ad45ba9e7325f07d996154a91c911b

diff --git a/debian/ossec-hids/var/ossec/rules/pix_rules.xml b/debian/ossec-hids/var/ossec/rules/pix_rules.xml
new file mode 100644
index 0000000..ab83089
--- /dev/null
+++ b/debian/ossec-hids/var/ossec/rules/pix_rules.xml
@@ -0,0 +1,237 @@
+<!-- @(#) $Id: ./etc/rules/pix_rules.xml, 2011/11/01 dcid Exp $
+
+  -  Official PIX rules for OSSEC.
+  -
+  -  Copyright (C) 2009 Trend Micro Inc.
+  -  All rights reserved.
+  -
+  -  This program is a free software; you can redistribute it
+  -  and/or modify it under the terms of the GNU General Public
+  -  License (version 2) as published by the FSF - Free Software
+  -  Foundation.
+  -
+  -  License details: http://www.ossec.net/en/licensing.html
+  -->
+
+
+<!-- For more info:
+  - http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/syslog/logsev.htm
+  - http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_61/config/sysmgmt.htm
+  -->
+
+
+<group name="syslog,pix,">
+  <rule id="4300" level="0">
+    <decoded_as>pix</decoded_as>
+    <description>Grouping of PIX rules</description>
+  </rule>
+
+  <rule id="4310" level="5">
+    <if_sid>4300</if_sid>
+    <id>^1-</id>
+    <description>PIX alert message.</description>
+  </rule>
+
+  <rule id="4311" level="5">
+    <if_sid>4300</if_sid>
+    <id>^2-</id>
+    <description>PIX critical message.</description>
+  </rule>
+
+  <rule id="4312" level="4">
+    <if_sid>4300</if_sid>
+    <id>^3-</id>
+    <description>PIX error message.</description>
+  </rule>
+  
+  <rule id="4313" level="4">
+    <if_sid>4300</if_sid>
+    <id>^4-</id>
+    <description>PIX warning message.</description>
+  </rule>
+
+  <rule id="4314" level="0">
+    <if_sid>4300</if_sid>
+    <id>^5-|^6-</id>
+    <description>PIX notification/informational message.</description>
+  </rule>
+  
+  <rule id="4315" level="0">
+    <if_sid>4300</if_sid>
+    <id>^7-</id>
+    <description>PIX debug message.</description>
+  </rule>
+  
+  <rule id="4321" level="9">
+    <if_sid>4314</if_sid>
+    <id>^6-605004</id>
+    <description>Failed login attempt at the PIX firewall.</description>
+    <group>authentication_failed,</group>
+  </rule>
+
+  <rule id="4322" level="3">
+    <if_sid>4314</if_sid>
+    <id>^5-502103</id>
+    <description>Privilege changed in the PIX firewall.</description>
+  </rule>
+
+  <rule id="4323" level="3">
+    <if_sid>4314</if_sid>
+    <id>^6-605005</id>
+    <description>Successful login to the PIX firewall.</description>
+    <group>authentication_success,</group>
+  </rule>
+
+  <rule id="4324" level="9">
+    <if_sid>4314</if_sid>
+    <id>^6-308001</id>
+    <description>Password mismatch while running 'enable' </description>
+    <description>on the PIX.</description>
+    <group>authentication_failed,</group>
+  </rule>
+
+  <rule id="4325" level="8">
+    <if_sid>4313</if_sid>
+    <id>^4-405001</id>
+    <description>ARP collision detected by the PIX.</description>
+  </rule> 
+
+  <rule id="4326" level="8">
+    <if_sid>4313</if_sid>
+    <id>^4-401004</id>
+    <description>Attempt to connect from a blocked (shunned) IP.</description>
+    <group>access_denied,</group>
+  </rule> 
+
+  <rule id="4327" level="8">
+    <if_sid>4313</if_sid>
+    <id>^4-710004</id>
+    <description>Connection limit exceeded.</description>
+  </rule> 
+  
+  <rule id="4330" level="8">
+    <if_sid>4310</if_sid>
+    <id>^1-106021|^1-106022</id>
+    <description>Attack in progress detected by the PIX.</description>
+  </rule>
+  
+  <rule id="4331" level="8">
+    <if_sid>4311</if_sid>
+    <id>^2-106012|^2-106017|^2-106020</id>
+    <description>Attack in progress detected by the PIX.</description>
+  </rule>
+   
+  <rule id="4332" level="8">
+    <if_sid>4313</if_sid>
+    <id>^4-4000</id>
+    <description>Attack in progress detected by the PIX.</description>
+  </rule>
+
+  <!-- Grouping of attack in progress messages. The three above
+    -  will never be alerted, but this one instead.
+    -->
+  <rule id="4333" level="8">
+    <if_sid>4330, 4331, 4332</if_sid>
+    <description>Attack in progress detected by the PIX.</description>
+    <group>ids,</group>
+  </rule>
+
+  <rule id="4334" level="5">
+    <if_sid>4314</if_sid>
+    <id>^6-113005</id>
+    <description>AAA (VPN) authentication failed.</description>
+    <group>authentication_failed,</group>
+  </rule>
+ 
+  <rule id="4335" level="3">
+    <if_sid>4314</if_sid>
+    <id>^6-113004</id>
+    <description>AAA (VPN) authentication successful.</description>
+    <group>authentication_success,</group>
+  </rule>
+  
+  <rule id="4336" level="8">
+    <if_sid>4314</if_sid>
+    <id>^6-113006</id>
+    <description>AAA (VPN) user locked out.</description>
+    <group>authentication_failed,</group>
+  </rule>
+  
+  <rule id="4337" level="8">
+    <if_sid>4312</if_sid>
+    <id>^3-201008</id>
+    <description>The PIX is disallowing new connections.</description>
+    <group>service_availability,</group>
+  </rule>
+
+  <rule id="4338" level="8">
+    <if_sid>4310</if_sid>
+    <id>^1-105005|^1-105009|^1-105043</id>
+    <match>Failed|Lost Failover</match>
+    <description>Firewall failover pair communication problem.</description>
+    <group>service_availability,</group>
+  </rule>
+
+  <rule id="4339" level="8">
+    <if_sid>4314</if_sid>
+    <id>^5-111003</id>
+    <description>Firewall configuration deleted.</description>
+    <group>config_changed,</group>
+  </rule>
+  
+  <rule id="4340" level="8">
+    <if_sid>4314</if_sid>
+    <id>^5-111005|^5-111004|^5-111002|^5-111007</id>
+    <description>Firewall configuration changed.</description>
+    <group>config_changed,</group>
+  </rule>
+
+  <rule id="4341" level="3">
+    <if_sid>4314</if_sid>
+    <id>^5-111008|^7-111009</id>
+    <description>Firewall command executed (for accounting only).</description>
+  </rule>
+  
+  <rule id="4342" level="8">
+    <if_sid>4314</if_sid>
+    <id>^5-502101|^5-502102</id>
+    <description>User created or modified on the Firewall.</description>
+    <group>adduser,account_changed,</group>
+  </rule>
+  
+  <rule id="4380" level="10" frequency="6" timeframe="360">
+    <if_matched_sid>4310</if_matched_sid>
+    <description>Multiple PIX alert messages.</description>
+  </rule>
+  
+  <rule id="4381" level="10" frequency="6" timeframe="360">
+    <if_matched_sid>4311</if_matched_sid>
+    <description>Multiple PIX critical messages.</description>
+  </rule>
+  
+  <rule id="4382" level="10" frequency="8" timeframe="120">
+    <if_matched_sid>4312</if_matched_sid>
+    <description>Multiple PIX error messages.</description>
+    <group>system_error,</group>
+  </rule>
+  
+  <rule id="4383" level="10" frequency="8" timeframe="120">
+    <if_matched_sid>4313</if_matched_sid>
+    <description>Multiple PIX warning messages.</description>
+  </rule>
+
+  <rule id="4385" level="10" frequency="8" timeframe="240" ignore="90">
+    <if_matched_sid>4333</if_matched_sid>
+    <same_source_ip />
+    <description>Multiple attack in progress messages.</description>
+  </rule>
+
+  <rule id="4386" level="10" frequency="8" timeframe="240">
+    <if_matched_sid>4334</if_matched_sid>
+    <description>Multiple AAA (VPN) authentication failures.</description>
+    <group>authentication_failures,</group>
+  </rule>
+</group> <!-- SYSLOG,PIX -->
+
+
+<!-- EOF -->