/rules/50_vpn_concentrator_rules.xml
https://bitbucket.org/oscarschneider/ossec-rules · XML · 59 lines · 31 code · 10 blank · 18 comment · 0 complexity · 588f4686286a9e2c6ab7fc8acb50ad80 MD5 · raw file
- <!-- @(#) $Id: vpn_concentrator_rules.xml,v 1.5 2010/03/04 20:12:33 dcid Exp $
- -
- - Official Cisco VPN Concentrator rules for OSSEC.
- -
- - Copyright (C) 2009 Trend Micro Inc.
- - All rights reserved.
- -
- - This program is a free software; you can redistribute it
- - and/or modify it under the terms of the GNU General Public
- - License (version 2) as published by the FSF - Free Software
- - Foundation.
- -
- - License details: http://www.ossec.net/en/licensing.html
- -->
-
- <!-- For more info:
- - http://www.ossec.net/wiki/index.php/Cisco_VPN_Concentrator
- -->
- <group name="syslog,cisco_vpn,">
- <rule id="14200" level="0">
- <decoded_as>cisco-vpn-concentrator</decoded_as>
- <description>Grouping of Cisco VPN concentrator rules</description>
- </rule>
- <rule id="14201" level="3">
- <if_sid>14200</if_sid>
- <id>^IKE/52$</id>
- <description>VPN authentication successful.</description>
- <group>authentication_success,</group>
- </rule>
- <rule id="14202" level="5">
- <if_sid>14200</if_sid>
- <id>^AUTH/5$|^AUTH/9$|^IKE/167$|^PPP/9$|^SSH/33$|^PSH/23$</id>
- <description>VPN authentication failed.</description>
- <group>authentication_failed,</group>
- </rule>
-
- <rule id="14203" level="4">
- <if_sid>14200</if_sid>
- <id>^HTTP/47$|^SSH/16$</id>
- <options>alert_by_email</options>
- <description>VPN Admin authentication successful.</description>
- <group>authentication_success,</group>
- </rule>
-
- <rule id="14251" level="10" frequency="8" timeframe="240">
- <if_matched_sid>14202</if_matched_sid>
- <same_source_ip />
- <description>Multiple VPN authentication failures.</description>
- <group>authentication_failures,</group>
- </rule>
- </group> <!-- SYSLOG,vpn_concentrator -->
- <!-- EOF -->