/rules/50_vpn_concentrator_rules.xml
<!-- @(#) $Id: vpn_concentrator_rules.xml,v 1.5 2010/03/04 20:12:33 dcid Exp $
  -
  - Official Cisco VPN Concentrator rules for OSSEC.
  -
  - Copyright (C) 2009 Trend Micro Inc.
  - All rights reserved.
  -
  - This program is a free software; you can redistribute it
  - and/or modify it under the terms of the GNU General Public
  - License (version 2) as published by the FSF - Free Software
  - Foundation.
  -
  - License details: http://www.ossec.net/en/licensing.html
-->


<!-- For more info:
  - http://www.ossec.net/wiki/index.php/Cisco_VPN_Concentrator
-->


<!-- Every rule in this file hangs off 14200 (via if_sid / if_matched_sid),
  - so the decoder name there must stay in sync with the
  - cisco-vpn-concentrator decoder. The <id> patterns are anchored
  - (^...$) and must match a concentrator event id such as "IKE/52" in full.
-->
<group name="syslog,cisco_vpn,">
  <!-- Parent rule. Level 0 so it never raises an alert by itself; its
    - only job is to tag the event as a concentrator message so the
    - child rules below can see it.
    -->
  <rule id="14200" level="0">
    <decoded_as>cisco-vpn-concentrator</decoded_as>
    <description>Grouping of Cisco VPN concentrator rules</description>
  </rule>

  <!-- Successful user authentication (IKE/52). Kept at a low level so
    - it is recorded for audit and correlation rather than paged on.
    -->
  <rule id="14201" level="3">
    <if_sid>14200</if_sid>
    <id>^IKE/52$</id>
    <description>VPN authentication successful.</description>
    <group>authentication_success,</group>
  </rule>

  <!-- Failed authentication reported by the AUTH, IKE, PPP, SSH and PSH
    - event classes. Rule 14251 counts hits of this rule, so a new
    - failure event id belongs in this alternation, not in a new rule,
    - or the brute-force detector will miss it.
    -->
  <rule id="14202" level="5">
    <if_sid>14200</if_sid>
    <id>^AUTH/5$|^AUTH/9$|^IKE/167$|^PPP/9$|^SSH/33$|^PSH/23$</id>
    <description>VPN authentication failed.</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Successful administrator login to the concentrator itself (the
    - event ids are in the HTTP and SSH classes). alert_by_email forces
    - an email notification regardless of the configured email alert
    - level, because an admin login is always worth a human look.
    - NOTE(review): this file has no dedicated rule for *failed* admin
    - logins; whether any of the 14202 event ids cover that is not
    - visible here - confirm against the concentrator event-id reference.
    -->
  <rule id="14203" level="4">
    <if_sid>14200</if_sid>
    <id>^HTTP/47$|^SSH/16$</id>
    <options>alert_by_email</options>
    <description>VPN Admin authentication successful.</description>
    <group>authentication_success,</group>
  </rule>

  <!-- Brute-force detector: on the order of 8 hits of 14202 from the
    - same source IP within 240 seconds (OSSEC's exact count can be off
    - by a small constant depending on version - check the one in use).
    - Caveats a deployment should know about: a slower guessing rate, or
    - guesses spread across many source IPs (password spraying), stay
    - below this rule; and clients behind a shared NAT address can trip
    - it together. Tune frequency/timeframe to the site rather than
    - the level.
    -->
  <rule id="14251" timeframe="240" frequency="8" level="10">
    <if_matched_sid>14202</if_matched_sid>
    <same_source_ip />
    <description>Multiple VPN authentication failures.</description>
    <group>authentication_failures,</group>
  </rule>
</group> <!-- syslog,cisco_vpn -->


<!-- EOF -->