/rules/50_vpn_concentrator_rules.xml

https://bitbucket.org/oscarschneider/ossec-rules · XML · 59 lines · 31 code · 10 blank · 18 comment · 0 complexity · 588f4686286a9e2c6ab7fc8acb50ad80 MD5 · raw file

  1. <!-- @(#) $Id: vpn_concentrator_rules.xml,v 1.5 2010/03/04 20:12:33 dcid Exp $
  2. -
  3. - Official Cisco VPN Concentrator rules for OSSEC.
  4. -
  5. - Copyright (C) 2009 Trend Micro Inc.
  6. - All rights reserved.
  7. -
  8. - This program is a free software; you can redistribute it
  9. - and/or modify it under the terms of the GNU General Public
  10. - License (version 2) as published by the FSF - Free Software
  11. - Foundation.
  12. -
  13. - License details: http://www.ossec.net/en/licensing.html
  14. -->
  15. <!-- For more info:
  16. - http://www.ossec.net/wiki/index.php/Cisco_VPN_Concentrator
  17. -->
  18. <group name="syslog,cisco_vpn,">
  19. <rule id="14200" level="0">
  20. <decoded_as>cisco-vpn-concentrator</decoded_as>
  21. <description>Grouping of Cisco VPN concentrator rules</description>
  22. </rule>
  23. <rule id="14201" level="3">
  24. <if_sid>14200</if_sid>
  25. <id>^IKE/52$</id>
  26. <description>VPN authentication successful.</description>
  27. <group>authentication_success,</group>
  28. </rule>
  29. <rule id="14202" level="5">
  30. <if_sid>14200</if_sid>
  31. <id>^AUTH/5$|^AUTH/9$|^IKE/167$|^PPP/9$|^SSH/33$|^PSH/23$</id>
  32. <description>VPN authentication failed.</description>
  33. <group>authentication_failed,</group>
  34. </rule>
  35. <rule id="14203" level="4">
  36. <if_sid>14200</if_sid>
  37. <id>^HTTP/47$|^SSH/16$</id>
  38. <options>alert_by_email</options>
  39. <description>VPN Admin authentication successful.</description>
  40. <group>authentication_success,</group>
  41. </rule>
  42. <rule id="14251" level="10" frequency="8" timeframe="240">
  43. <if_matched_sid>14202</if_matched_sid>
  44. <same_source_ip />
  45. <description>Multiple VPN authentication failures.</description>
  46. <group>authentication_failures,</group>
  47. </rule>
  48. </group> <!-- SYSLOG,vpn_concentrator -->
  49. <!-- EOF -->