/rules/50_vpn_concentrator_rules.xml

 1<!-- @(#) $Id: vpn_concentrator_rules.xml,v 1.5 2010/03/04 20:12:33 dcid Exp $
 2  -
 3  -  Official Cisco VPN Concentrator rules for OSSEC.
 4  -
 5  -  Copyright (C) 2009 Trend Micro Inc.
 6  -  All rights reserved.
 7  -
 8  -  This program is a free software; you can redistribute it
 9  -  and/or modify it under the terms of the GNU General Public
10  -  License (version 2) as published by the FSF - Free Software
11  -  Foundation.
12  -
13  -  License details: http://www.ossec.net/en/licensing.html
14  -->
15  
16
17<!-- For more info:
18  - http://www.ossec.net/wiki/index.php/Cisco_VPN_Concentrator
19  -->
20
21
22<group name="syslog,cisco_vpn,">
23  <rule id="14200" level="0">
24    <decoded_as>cisco-vpn-concentrator</decoded_as>
25    <description>Grouping of Cisco VPN concentrator rules</description>
26  </rule>
27
28  <rule id="14201" level="3">
29    <if_sid>14200</if_sid>
30    <id>^IKE/52$</id>
31    <description>VPN authentication successful.</description>
32    <group>authentication_success,</group>
33  </rule>
34
35  <rule id="14202" level="5">
36    <if_sid>14200</if_sid>
37    <id>^AUTH/5$|^AUTH/9$|^IKE/167$|^PPP/9$|^SSH/33$|^PSH/23$</id>
38    <description>VPN authentication failed.</description>
39    <group>authentication_failed,</group>
40  </rule>
41  
42  <rule id="14203" level="4">
43    <if_sid>14200</if_sid>
44    <id>^HTTP/47$|^SSH/16$</id>
45    <options>alert_by_email</options>
46    <description>VPN Admin authentication successful.</description>
47    <group>authentication_success,</group>
48  </rule>
49  
50  <rule id="14251" level="10" frequency="8" timeframe="240">
51    <if_matched_sid>14202</if_matched_sid>
52    <same_source_ip />
53    <description>Multiple VPN authentication failures.</description>
54    <group>authentication_failures,</group>
55  </rule>
56</group> <!-- SYSLOG,vpn_concentrator -->
57
58
59<!-- EOF -->