Sophie

Sophie

distrib > Mandriva > 2010.2 > i586 > media > contrib-release-src > by-pkgid > f419db9e0a33558a981504f72042bf17 > files > 10

sec-2.5.3-1mdv2010.1.src.rpm

# General log events, unix systems. From various sources
#
#   Bad su 
# ----------- 
#
type=Single
ptype=RegExp 
desc=$0 
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+su: BAD SU (\S+) to (\S+) on (\S+)
action=pipe '$2 failed SU to $3 on $1 at %t' /usr/bin/mail -s "USER: $2 Failed SU on $1" alerts@email.com

type=Single
ptype=RegExp
desc=$0
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+su: BAD SU (\S+) to (\S+) on (\S+)
action=pipe '$2 failed SU to $3 on $1 at %t' /usr/bin/mail -s "USER: $2 Failed SU on $1" alerts@email.com 


# MONITOR.conf - SEC rules to pick up disruptive monitoring
# events.
#
#Logs involving syslogd disabled or unusual promiscuous mode (MONITOR)
#----------------------------------------------------------------------
#Nov 15 20:02:48 foohost syslogd: exiting on signal 15
#Nov 22 02:00:02 foohost syslogd: restart
#Nov 11 15:58:55 foohost /kernel: de0: promiscuous mode enabled
#Nov 11 15:58:57 foohost /kernel: de0: promiscuous mode disabled
#

#
# Syslog Exit
# -----------
#
type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+syslogd: exiting on signal (\d+)
desc=$0
action=write - MONITOR: $1 syslog exit on signal $2 at %t

#
# Syslog Restart
# ---------------
#
type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+syslogd: restart
desc=$0
action=write - MONITOR: $1 syslog restart at %t

#
# Syslog Exit
# -----------
#
type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+/kernel: (\S+) promiscuous mode (\S+)
desc=$0
action=write - MONITOR: $1 $2 promiscuous mode $3 at %t


#
# sshd Problems
# --------------
#
type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+sshd\[\d+\]: (fatal|Bad)(.*)
desc=$0
action=write - USERACT: $1 sshd $2 problem, text: $3 at %t

#
# sshd Accepted
# --------------
#
type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+sshd\[\d+\]: Accepted (.*)
desc=$0
action=write - USERACT: $1 sshd accepted login, text: $2 at %t

#
# login FAILURES
# ---------------
#
#type=Single
#ptype=RegExp
#pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+login: (.*?FAILURE.)(.*?ON) (.*)
#desc=$0
#action=write - USERACT: $1 login $2 on $4 at %t


#SSH Auth failure on bsd 5
#type=Single
#ptype=RegExp
#pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+sshd\[\d+\]: error: PAM: authentication error for (/S+) from (/S+)
#desc=$0
#action=pipe 'SSHD: 1 $1 2 $2 3 $3 to 4 $4 on 5 $5 at %t' /usr/bin/mail -s "SSHD: $1 $2 $3 to $4 on $5 at %t'

#
# su  bad
# -----------------
#
type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+su: (BAD SU) (\S+) to (\S+) on (\S+)
desc=$0
action=pipe 'USER: $1 SU: $2 $3 to $4 on $5 at %t' /usr/bin/mail -s "USERACT: $1 su: $2 $3 to $4 on $5 at %t'

#Nov 10 19:40:03 foohost su: jpb to root on /dev/ttyp0
#Nov 18 09:37:38 foohost su: BAD SU jpb to root on /dev/ttyp3
#Nov 22 12:26:44 foohost su: BAD SU badboy to root on /dev/ttyp0
#
#
# su  good to root
# -----------------
#
type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+su: (\S+) to root on (\S+)
desc=$0
action=pipe 'USER: $1 GOOD SU: $2 $3 to $4 on $5 at %t' /usr/bin/mail -s "USERACT: $1 su: $2 $3 to $4 on $5 at %t'   
#action=write - USERACT: $1 su: $2 to ROOT on $4  at %t

#
# Cabling Problem
# ----------------
#
type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+/kernel: (\S+)\s+(.*?:) cable problem
desc=$0
action=event 0 $1 PHYSMOD:ORANGE  cable problem on $2, text: $3 at %t



# USERACT - Events concerning user activities.
#
# Sample BSD logs involving logins, change of UID and privilege escalations.
#---------------------------------------------------------------------------
#Nov 14 12:14:58 foohost sshd[3388]: fatal: Timeout before authentication for 192.168.1.1
#Nov 14 19:58:34 foohost sshd[6597]: Bad protocol version identification '^B^S^D^Q^L' from 192.168.1.100
#Oct 18 06:16:53 foohost sshd[131]: Accepted keyboard-interactive/pam for foouser from 192.168.1.1 port 1077 ssh2
#Nov 15 04:02:24 foohost login: 1 LOGIN FAILURE ON ttyp2
#Nov 15 04:02:24 foohost login: 1 LOGIN FAILURE ON ttyp2, mysql
#Oct 18 03:20:46 foohost login: 2 LOGIN FAILURES ON ttyv0
#Oct 18 02:52:04 foohost login: ROOT LOGIN (root) ON ttyv1
#Oct 18 06:11:11 foohost login: login on ttyv0 as root
#Nov 10 19:40:03 foohost su: foouser to root on /dev/ttyp0
#Nov 18 09:37:38 foohost su: BAD SU foouser to root on /dev/ttyp3
#Nov 22 12:26:44 foohost su: BAD SU goodboy to root on /dev/ttyp0
#

#
# sshd Problems
# --------------
#
type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+sshd\[\d+\]: (fatal|Bad)(.*)
desc=$0
action=pipe 'USER: $1 su: $2 $3 to $4 on $5 at %t' /usr/bin/mail -s "USERACT: $1 su: $2 $3 to $4 on $5 at %t'   
#action=event 0 $1 USERACT:YELLOW  sshd $2 problem, text: $3 at %t

#
# login FAILURES
# ---------------
# ORANGE
type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+(sshd|login): (.*?FAILURE.)(.*?ON) (.*)
desc=$0
action=pipe 'USER: $1: Login Failure $2 on $4 at %t' /usr/bin/mail -s "USER: $1 su: $2 $3 to $4 on $5 at %t'   
#action=event 0 $1 USERACT:YELLOW  login $2 on $4 at %t


# NETWACT - SEC rules to pick up suspicious network events.
#
# Sample BSD logs involving odd or suspicious network activity.
#--------------------------------------------------------------
#Jun  3 17:46:24 foohost named[38298]: client 10.12.127.176#3714: request has invalid signature: tsig verify failure
#Apr 14 16:23:08 foohost /kernel: arp: 10.10.152.12 moved from 00:90:27:37:35:cf to 00:d0:59:aa:61:11 on de0
#Apr  1 11:23:39 sixshooter /kernel: Limiting closed port RST response from 368 to 200 packets per second


#
# named Dynamic DNS Update rejection
# ----------------------------------
#
type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+named\[\d+\]: client (\S+): request has invalid signature:(.*)
desc=$0
action=pipe 'NET: $1 dyndns attempt from $2' /usr/bin/mail -s "NET: $1 dyndns attempt from $2, text: $3 at %t"

#
# MAC address moved
# -----------------
# ORANGE
type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+/kernel: arp: (\S+) moved from (\S+) to (\S+) on (\S+)
desc=$0
action=pipe 'NET: $1 arp moved on $2' /usr/bin/mail -s "NET: $1 arp moved on $2 from: $3 to $4 on $5 at %t"

#
# DoS RST rate limit
# ------------------
#
type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+/kernel: Limiting closed port RST response from (\d+) to (\d+)
desc=$0
action=pipe 'NET: $1 RST limit enforced: $2 to $3 at %t' /usr/bin/mail =s "NET: $1 RST limit enforced: $2 to $3"



# COMPROM - SEC rules to pick up potential system compromise events.
#
# Sample BSD logs involving potential system compromise.
#-------------------------------------------------------
#May 25 18:09:55 foohost ntpd[1325]: ntpd exiting on signal 11
#Jul 21 18:33:16 foohost /kernel: pid 55454 (ftpd), uid 1001: exited on signal 8
#Apr  9 12:57:06 foohost /kernel: pid 28039 (telnet), uid 0: exited on signal 3 (core dumped)

#
# ntpd crash
# ------------------
#
type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+ntpd\[\d+\]: ntpd exiting on signal (\d+)
desc=$0
action=pipe 'CRASH: $1 ntpd crashed on signal $2 at %t' /usr/bin/mail -s "CRASH: $1 ntpd crashed"

#
# Process crash
# ------------------
#
type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+/kernel: pid \d+ \(\S+\), uid (\d+): exited on signal (\d+)
desc=$0
action=pipe 'CRASH: $1 $2 crashed on signal $4, uid $3 at %t' /usr/bin/mail -s "CRASH: $1 $2 crashed"



# PROCESS - SEC rules to pick up suspicious process events.
#
# Sample BSD logs involving unusual processes.
#---------------------------------------------
#Mar 23 08:05:52 foohost thttpd[126]: thttpd/2.25b 29dec2003 starting on port 8090

#
# Suspicious processes
# --------------------
#
type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+(thttpd)\[(\d+)\]:(.*) 
desc=$0
action=pipe 'SUSPROC: $1 suspicious process  $2 pid $3, text: $4 at %t' /usr/bin/mail -s "SUSPROC: $1 suspicious process  $2"



# SHUTRST - SEC rules to pick up system shutdown, restart events.
#
# Sample BSD logs involving system shutdown and reset.
#-----------------------------------------------------
#Mar  6 16:28:13 foohost reboot: rebooted by foouser 
#Jul 15 17:35:49 foohost halt: halted by root
#Mar  6 16:29:17 foohost /kernel: Copyright (c) 1992-2003 The FreeBSD Project.

#
# Reboot message
# --------------
#
type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+reboot: rebooted by (\S+)
desc=$0
action=pipe 'REBOOT: $1 rebooted by $2' /usr/bin/mail -s "REBOOT: $1 rebooted by $2"

#
# Halt message
# --------------
#
type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+halt: halted by (\S+)
desc=$0
action=pipe 'HALT: $1 halted by $2' /usr/bin/mail -s "HALT: $1 halted by $2"

#
# Restart message
# --------------
#
type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+/kernel: Copyright \(c\) (\S+) The FreeBSD Project
desc=$0
action=pipe 'RESTART: $1 restart message at %t' /usr/bin/mail -s "RESTART: $1 restart message"

Perl :: Catalyst :: PostgreSQL :: RPM Valid HTML 4.01 Transitional