/rules/50_vpn_concentrator_rules.xml

https://bitbucket.org/oscarschneider/ossec-rules · XML · 59 lines · 31 code · 10 blank · 18 comment · 0 complexity · 588f4686286a9e2c6ab7fc8acb50ad80 MD5 · raw file 

    

  1. <!-- @(#) $Id: vpn_concentrator_rules.xml,v 1.5 2010/03/04 20:12:33 dcid Exp $
    2. 

  2.   -
    3. 

  3.   -  Official Cisco VPN Concentrator rules for OSSEC.
    4. 

  4.   -
    5. 

  5.   -  Copyright (C) 2009 Trend Micro Inc.
    6. 

  6.   -  All rights reserved.
    7. 

  7.   -
    8. 

  8.   -  This program is a free software; you can redistribute it
    9. 

  9.   -  and/or modify it under the terms of the GNU General Public
    10. 

  10.   -  License (version 2) as published by the FSF - Free Software
    11. 

  11.   -  Foundation.
    12. 

  12.   -
    13. 

  13.   -  License details: http://www.ossec.net/en/licensing.html
    14. 

  14.   -->
    15. 

  15.   
    16. 

  16. 

  17. <!-- For more info:
    18. 

  18.   - http://www.ossec.net/wiki/index.php/Cisco_VPN_Concentrator
    19. 

  19.   -->
    20. 

  20. 

  21. 

  22. <group name="syslog,cisco_vpn,">
    23. 

  23.   <rule id="14200" level="0">
    24. 

  24.     <decoded_as>cisco-vpn-concentrator</decoded_as>
    25. 

  25.     <description>Grouping of Cisco VPN concentrator rules</description>
    26. 

  26.   </rule>
    27. 

  27. 

  28.   <rule id="14201" level="3">
    29. 

  29.     <if_sid>14200</if_sid>
    30. 

  30.     <id>^IKE/52$</id>
    31. 

  31.     <description>VPN authentication successful.</description>
    32. 

  32.     <group>authentication_success,</group>
    33. 

  33.   </rule>
    34. 

  34. 

  35.   <rule id="14202" level="5">
    36. 

  36.     <if_sid>14200</if_sid>
    37. 

  37.     <id>^AUTH/5$|^AUTH/9$|^IKE/167$|^PPP/9$|^SSH/33$|^PSH/23$</id>
    38. 

  38.     <description>VPN authentication failed.</description>
    39. 

  39.     <group>authentication_failed,</group>
    40. 

  40.   </rule>
    41. 

  41.   
    42. 

  42.   <rule id="14203" level="4">
    43. 

  43.     <if_sid>14200</if_sid>
    44. 

  44.     <id>^HTTP/47$|^SSH/16$</id>
    45. 

  45.     <options>alert_by_email</options>
    46. 

  46.     <description>VPN Admin authentication successful.</description>
    47. 

  47.     <group>authentication_success,</group>
    48. 

  48.   </rule>
    49. 

  49.   
    50. 

  50.   <rule id="14251" level="10" frequency="8" timeframe="240">
    51. 

  51.     <if_matched_sid>14202</if_matched_sid>
    52. 

  52.     <same_source_ip />
    53. 

  53.     <description>Multiple VPN authentication failures.</description>
    54. 

  54.     <group>authentication_failures,</group>
    55. 

  55.   </rule>
    56. 

  56. </group> <!-- SYSLOG,vpn_concentrator -->
    57. 

  57. 

  58. 

  59. <!-- EOF -->
    60.