2 - Official PIX rules for OSSEC.
4 - Copyright (C) 2009 Trend Micro Inc.
7 - This program is free software; you can redistribute it
8 - and/or modify it under the terms of the GNU General Public
9 - License (version 2) as published by the FSF - Free Software
12 - License details: http://www.ossec.net/en/licensing.html
17 - http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/syslog/logsev.htm
18 - http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_61/config/sysmgmt.htm
<!-- Every PIX rule hangs off 4300, which only requires that the "pix"
  - decoder matched the line. Level 0 records the match but raises no
  - alert; the rule exists purely as an if_sid parent for the severity
  - tiers below, so changing its level would alert on every PIX message.
  -->
22 <group name="syslog,pix,">
23 <rule id="4300" level="0">
24 <decoded_as>pix</decoded_as>
25 <description>Grouping of PIX rules</description>
<!-- Severity tiers. Each rule maps one Cisco severity prefix of the syslog
  - message id (the leading digit, 1 = alert through 7 = debug; see the
  - Cisco logsev reference in the header) to an OSSEC level. The <id>
  - patterns that do the matching are not shown in this excerpt; the child
  - rules below reach the tiers through if_sid, so the tier ids are part of
  - this file's interface and must not be renumbered.
  - Notification/informational (4314) and debug (4315) are level 0 on
  - purpose: the PIX emits these in very high volume, so only the specific
  - message ids picked out by child rules (4334..4342) ever alert.
  -->
28 <rule id="4310" level="5">
31 <description>PIX alert message.</description>
34 <rule id="4311" level="5">
37 <description>PIX critical message.</description>
40 <rule id="4312" level="4">
43 <description>PIX error message.</description>
46 <rule id="4313" level="4">
49 <description>PIX warning message.</description>
52 <rule id="4314" level="0">
55 <description>PIX notification/informational message.</description>
58 <rule id="4315" level="0">
61 <description>PIX debug message.</description>
<!-- Management-plane authentication on the firewall itself. 4321 (failed
  - login) and 4324 (wrong enable password) carry the authentication_failed
  - group, so OSSEC's generic cross-source brute-force correlation can
  - count them; 4323 is the matching success event, which is what lets a
  - "success after a burst of failures" be spotted. 4322 (privilege change,
  - presumably entering enable mode) is only level 3: if administrative
  - privilege changes are rare in your environment, consider raising it or
  - correlating it with a preceding 4321/4324 from the same source.
  - NOTE(review): 4324 uses two consecutive <description> elements; the
  - rule loader presumably concatenates them. Verify before relying on the
  - exact description text in an active-response or mail filter.
  -->
64 <rule id="4321" level="9">
67 <description>Failed login attempt at the PIX firewall.</description>
68 <group>authentication_failed,</group>
71 <rule id="4322" level="3">
74 <description>Privilege changed in the PIX firewall.</description>
77 <rule id="4323" level="3">
80 <description>Successful login to the PIX firewall.</description>
81 <group>authentication_success,</group>
84 <rule id="4324" level="9">
87 <description>Password mismatch while running 'enable' </description>
88 <description>on the PIX.</description>
89 <group>authentication_failed,</group>
<!-- Network-level anomalies, each alerting at level 8 on a single event.
  - 4325 (ARP collision) can mean a duplicate address or ARP spoofing on a
  - directly attached segment. 4326 is traffic from an address the firewall
  - has already shunned, i.e. a known-bad host that is still probing; it is
  - tagged access_denied. 4327, a child of the warning tier 4313, is a
  - connection-limit hit, which is either a DoS symptom or an undersized
  - limit; the <id> it matches on is not shown in this excerpt.
  -->
92 <rule id="4325" level="8">
95 <description>ARP collision detected by the PIX.</description>
98 <rule id="4326" level="8">
101 <description>Attempt to connect from a blocked (shunned) IP.</description>
102 <group>access_denied,</group>
105 <rule id="4327" level="8">
106 <if_sid>4313</if_sid>
108 <description>Connection limit exceeded.</description>
<!-- "Attack in progress" parents, one per severity tier. The Cisco ids
  - listed (1-106021/106022 and 2-106012/106017/106020; the list for 4332
  - is not shown in this excerpt) are the firewall's own denial messages
  - for spoofed or malformed packets; check the Cisco syslog reference in
  - the header for the exact meaning of each id before extending the list.
  - Do not tune the level here: 4333 below consumes all three and is the
  - rule that actually alerts.
  -->
111 <rule id="4330" level="8">
112 <if_sid>4310</if_sid>
113 <id>^1-106021|^1-106022</id>
114 <description>Attack in progress detected by the PIX.</description>
117 <rule id="4331" level="8">
118 <if_sid>4311</if_sid>
119 <id>^2-106012|^2-106017|^2-106020</id>
120 <description>Attack in progress detected by the PIX.</description>
123 <rule id="4332" level="8">
124 <if_sid>4313</if_sid>
126 <description>Attack in progress detected by the PIX.</description>
<!-- Collector for the three "attack in progress" rules above. The most
  - specific matching rule wins, so 4330/4331/4332 never alert on their
  - own; this rule does. Reference this id (not the parents) from
  - if_matched_sid, as 4385 does, and change the level here if needed.
  -->
132 <rule id="4333" level="8">
133 <if_sid>4330, 4331, 4332</if_sid>
134 <description>Attack in progress detected by the PIX.</description>
<!-- AAA (remote-access VPN) user authentication, chained off the
  - notification tier 4314; the matching <id>s are not shown in this
  - excerpt. A single failure (4334) is only level 5 because one mistyped
  - VPN password is routine; the volume signal comes from 4386. A lockout
  - (4336) is level 8 on its own because the AAA side has already seen its
  - failure threshold reached. Both failure rules carry
  - authentication_failed so they are counted by the generic brute-force
  - correlation, and 4335 is the success counterpart needed to notice a
  - success that follows a run of failures.
  -->
138 <rule id="4334" level="5">
139 <if_sid>4314</if_sid>
141 <description>AAA (VPN) authentication failed.</description>
142 <group>authentication_failed,</group>
145 <rule id="4335" level="3">
146 <if_sid>4314</if_sid>
148 <description>AAA (VPN) authentication successful.</description>
149 <group>authentication_success,</group>
152 <rule id="4336" level="8">
153 <if_sid>4314</if_sid>
155 <description>AAA (VPN) user locked out.</description>
156 <group>authentication_failed,</group>
<!-- Service-availability events. 4337 (child of the error tier 4312)
  - means the firewall has stopped accepting new connections. 4338 watches
  - the failover pair: the alert-severity ids 1-105005/105009/105043 are
  - narrowed with <match>, where "|" is alternation in OSSEC's match syntax,
  - so only messages containing "Failed" or "Lost Failover" alert. Losing
  - the standby unit removes the safety net behind the configuration
  - alerts below, so treat it as a security event as well as an ops one.
  -->
159 <rule id="4337" level="8">
160 <if_sid>4312</if_sid>
162 <description>The PIX is disallowing new connections.</description>
163 <group>service_availability,</group>
166 <rule id="4338" level="8">
167 <if_sid>4310</if_sid>
168 <id>^1-105005|^1-105009|^1-105043</id>
169 <match>Failed|Lost Failover</match>
170 <description>Firewall failover pair communication problem.</description>
171 <group>service_availability,</group>
<!-- Configuration and local-account changes: the audit trail for the
  - firewall's policy. 4339 (configuration deleted; its <id> is not shown
  - in this excerpt) and 4340 (configuration events 5-111002/111004/
  - 111005/111007) alert at level 8 with the config_changed group, as does
  - 4342 for local user creation or modification (5-502101/502102).
  - 4341 (5-111008 / 7-111009, per-command accounting) is deliberately
  - level 3: every executed command is stored without paging anyone, and
  - it is where to look after a 4340 to see exactly what was entered.
  - NOTE(review): 4341 is chained to 4314 but lists a 7- (debug severity)
  - id, while 4315 is the debug tier. Unless 4314's <id> pattern (not shown
  - here) also covers 7-, that alternative can never match. A 7- message
  - also only arrives if the firewall's logging level includes debugging.
  -->
174 <rule id="4339" level="8">
175 <if_sid>4314</if_sid>
177 <description>Firewall configuration deleted.</description>
178 <group>config_changed,</group>
181 <rule id="4340" level="8">
182 <if_sid>4314</if_sid>
183 <id>^5-111005|^5-111004|^5-111002|^5-111007</id>
184 <description>Firewall configuration changed.</description>
185 <group>config_changed,</group>
188 <rule id="4341" level="3">
189 <if_sid>4314</if_sid>
190 <id>^5-111008|^7-111009</id>
191 <description>Firewall command executed (for accounting only).</description>
194 <rule id="4342" level="8">
195 <if_sid>4314</if_sid>
196 <id>^5-502101|^5-502102</id>
197 <description>User created or modified on the Firewall.</description>
198 <group>adduser,account_changed,</group>
<!-- Volume correlation on the severity tiers. Each fires at level 10 when
  - its parent tier has matched "frequency" times within "timeframe"
  - seconds (OSSEC's exact counting of frequency has varied between
  - releases; verify the threshold on the deployed version). Alert and
  - critical bursts use 6 in 6 minutes, error and warning bursts 8 in
  - 2 minutes. These are noisy on a busy firewall: tune frequency and
  - timeframe rather than the level so the tiers keep the same meaning.
  -->
201 <rule id="4380" level="10" frequency="6" timeframe="360">
202 <if_matched_sid>4310</if_matched_sid>
203 <description>Multiple PIX alert messages.</description>
206 <rule id="4381" level="10" frequency="6" timeframe="360">
207 <if_matched_sid>4311</if_matched_sid>
208 <description>Multiple PIX critical messages.</description>
211 <rule id="4382" level="10" frequency="8" timeframe="120">
212 <if_matched_sid>4312</if_matched_sid>
213 <description>Multiple PIX error messages.</description>
214 <group>system_error,</group>
217 <rule id="4383" level="10" frequency="8" timeframe="120">
218 <if_matched_sid>4313</if_matched_sid>
219 <description>Multiple PIX warning messages.</description>
<!-- Sustained attack: 8 "attack in progress" alerts (4333) within
  - 4 minutes. ignore="90" suppresses repeat firings of this rule for
  - 90 seconds after it alerts, so a packet flood does not turn into an
  - alert flood; the underlying 4333 events are still logged.
  -->
222 <rule id="4385" level="10" frequency="8" timeframe="240" ignore="90">
223 <if_matched_sid>4333</if_matched_sid>
225 <description>Multiple attack in progress messages.</description>
<!-- AAA/VPN brute force: 8 failed VPN authentications (4334) within
  - 4 minutes, level 10. Note the group on this rule is
  - authentication_failures (plural), the convention for composite
  - brute-force rules, as opposed to authentication_failed on the single
  - events; rules that select by if_group must use the right one.
  -->
228 <rule id="4386" level="10" frequency="8" timeframe="240">
229 <if_matched_sid>4334</if_matched_sid>
230 <description>Multiple AAA (VPN) authentication failures.</description>
231 <group>authentication_failures,</group>
233 </group> <!-- SYSLOG,PIX -->