rpms/sec/devel 001_init.sec, NONE, 1.1 amavisd.sec, NONE, 1.1 bsd-MONITOR.sec, NONE, 1.1 bsd-PHYSMOD.sec, NONE, 1.1 bsd-USERACT.sec, NONE, 1.1 clamav.sec, NONE, 1.1 conf.README, NONE, 1.1 cvs.sec, NONE, 1.1 dameware.sec, NONE, 1.1 dbi-example.sec, NONE, 1.1 general.sec, NONE, 1.1 hp-openview.sec, NONE, 1.1 labrea.sec, NONE, 1.1 mpd.sec, NONE, 1.1 pix-security.sec, NONE, 1.1 pix-url.sec, NONE, 1.1 portscan.sec, NONE, 1.1 sec.init, NONE, 1.1 sec.logrotate, NONE, 1.1 sec.spec, NONE, 1.1 sec.sysconfig, NONE, 1.1 snort.sec, NONE, 1.1 snortsam.sec, NONE, 1.1 ssh-brute.sec, NONE, 1.1 ssh.sec, NONE, 1.1 syslog-ng.txt, NONE, 1.1 vtund.sec, NONE, 1.1 windows.sec, NONE, 1.1 .cvsignore, 1.1, 1.2 sources, 1.1, 1.2

Chris Petersen (xris) fedora-extras-commits at redhat.com
Fri Sep 1 20:54:01 UTC 2006


Author: xris

Update of /cvs/extras/rpms/sec/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv4323/devel

Modified Files:
	.cvsignore sources 
Added Files:
	001_init.sec amavisd.sec bsd-MONITOR.sec bsd-PHYSMOD.sec 
	bsd-USERACT.sec clamav.sec conf.README cvs.sec dameware.sec 
	dbi-example.sec general.sec hp-openview.sec labrea.sec mpd.sec 
	pix-security.sec pix-url.sec portscan.sec sec.init 
	sec.logrotate sec.spec sec.sysconfig snort.sec snortsam.sec 
	ssh-brute.sec ssh.sec syslog-ng.txt vtund.sec windows.sec 
Log Message:
auto-import sec-2.3.3-4 on branch devel from sec-2.3.3-4.src.rpm


--- NEW FILE 001_init.sec ---
### Logfile & global variable initialization

type    = Single
ptype   = RegExp
pattern = (SEC_STARTUP|SEC_RESTART|SEC_SHUTDOWN)
desc    = SEC internal message
action  = assign %mailto    root at localhost;                      \
          assign %logfile   /var/log/sec;                        \
          shellcmd /bin/echo -e -- "\n%t %s : $0\n" >> %logfile; \
          add SECPROD %t "starting : %s / $0"

### Daily SEC report

type    = Calendar
time    = 44 4 * * *
desc    = Daily report
action  = add SECPROD %t "Mailing report : '%s' to %mailto";     \
          report SECPROD /bin/mail -s "SEC REPORT: %s" %mailto
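Review bot: The first rule's `pattern = (SEC_STARTUP|SEC_RESTART|SEC_SHUTDOWN)` is unanchored, so any input line that merely contains one of those tokens fires it, and that whole line is then spliced into the `shellcmd /bin/echo ... "\n%t %s : $0\n"` command via `$0`. The rule is meant to react only to SEC's own internal events, so anchor it: `pattern = ^(SEC_STARTUP|SEC_RESTART|SEC_SHUTDOWN)$`. A short comment would make the intent clear to the next editor, e.g. `# SEC internal events only; $0 is passed to the shell, so the pattern stays anchored`.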



--- NEW FILE amavisd.sec ---
#Amavisd events


#Sep  4 15:43:02 xxxxx clamd[581]: /var/amavisd/amavis-20050904T153955-46858/parts/part-00001: HTML.Phishing.Bank-1 FOUND
type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+clamd\[\d+\]: .*amavis-200\d+.*: (.*) FOUND
desc=$0
action=add GENERAL_REPORT CLAMD: $2 on $1

#Sep  4 00:02:46 xxxxx amavis[57825]: (57825-12) TROUBLE in check_mail: creating_partsdir FAILED: DBD::mysql::st execute failed: L
ost connection to MySQL server during query at (eval 53) line 238, <GEN7> line 1789.
type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+amavis\[\d+\]: .* TROUBLE .*
desc=$0
action=add GENERAL_REPORT AMAVISD: $1: %s
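Review bot: The clamd rule here is the same as the single rule in clamav.sec (identical pattern and `add GENERAL_REPORT CLAMD: $2 on $1`), so a site that installs both example files enters every detection into the report twice. Keep one copy and leave a pointer in the other, e.g. `# clamd FOUND events are handled in clamav.sec`. Both patterns also pin the amavis work-directory name to `amavis-200\d+`, which stops matching once the year prefix changes; `amavis-\d+T\d+` still matches the sample `amavis-20050904T153955-46858` without that assumption.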



--- NEW FILE bsd-MONITOR.sec ---
#
# from http://sixshooter.v6.thrupoint.net/SEC-examples/article.html
#
# SEC rules to pick up disruptive monitoring
# events.
#
#Logs involving syslogd disabled or unusual promiscuous mode (MONITOR)
#----------------------------------------------------------------------
#Nov 15 20:02:48 foohost syslogd: exiting on signal 15
#Nov 22 02:00:02 foohost syslogd: restart
#Nov 11 15:58:55 foohost /kernel: de0: promiscuous mode enabled
#Nov 11 15:58:57 foohost /kernel: de0: promiscuous mode disabled
#

#
# Syslog Exit
# -----------
#
type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+syslogd: exiting on signal (\d+)
desc=$0
action=write - MONITOR: $1 syslog exit on signal $2 at %t

#
# Syslog Restart
# ---------------
#
type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+syslogd: restart
desc=$0
action=write - MONITOR: $1 syslog restart at %t

#
# Syslog Exit
# -----------
#
type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+/kernel: (\S+) promiscuous mode (\S+)
desc=$0
action=write - MONITOR: $1 $2 promiscuous mode $3 at %t

#
# Swapspace failure
#

type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+kernel: swap_pager_getswapspace\(\S\): .*
desc=$0
action=pipe '$1 GET SWAP FAILURE: %s' /usr/bin/mail -s "SWAP SPACE FAIL on $1" alerts at yourdomain.com
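Review bot: The swap-space pattern `swap_pager_getswapspace\(\S\)` allows exactly one character between the parentheses, so a multi-digit value there never matches; `\(\d+\)` covers both cases. The heading above the promiscuous-mode rule still reads `# Syslog Exit`, copied from the first rule — rename it `# Promiscuous mode change`. In the swap rule the log-derived hostname `$1` is also spliced into the `mail -s "SWAP SPACE FAIL on $1"` part of a `pipe` action, and `pipe` hands that string to a shell, so a crafted hostname field in a received syslog message can alter the command; keep untrusted captures in the event text (which goes to stdin) and use a fixed subject such as `-s "SWAP SPACE FAIL"`.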



--- NEW FILE bsd-PHYSMOD.sec ---
#
# from http://sixshooter.v6.thrupoint.net/SEC-examples/article.html
#
# PHYSMOD.conf - Events concerning physical modifications
#                to the system.
#
#
#Logs involving physical modifications (PHYSMOD)
#------------------------------------------------
#Nov 14 21:11:19 foohost /kernel: pccard: card inserted, slot 0
#Nov 14 22:28:09 foohost /kernel: pccard: card removed, slot 0
#Nov 12 19:46:31 foohost /kernel: de0: link down: cable problem?
#Nov 12 19:46:42 foohost /kernel: de0: autosense failed: cable problem?
#Oct 18 06:26:37 foohost pccardd[49]: ep0: 3Com Corporation (/3C589/) inserted.
#Oct 18 06:26:42 foohost pccardd[49]: pccardd started
#

#
# PCMCIA Card Insertion, Removal
# --------------------------------
#
type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+/kernel: pccard: card (\S+), slot (\d+)
desc=$0
action=write - PHYSMOD: $1 pccard: card $2 in slot $3 at %t

#
# PCMCIA Card Daemon
# --------------------------------
#
type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+pccardd\[\d+\]: (.*)
desc=$0
action=write - PHYSMOD: $1 pccardd: $2 at %t

#
# Cabling Problem
# ----------------
#
type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+/kernel: (\S+)\s+(.*?:) cable problem
desc=$0
action=write - PHYSMOD: $1 cable problem on $2, text: $3 at %t


--- NEW FILE bsd-USERACT.sec ---
#
# From http://sixshooter.v6.thrupoint.net/SEC-examples/article.html
#
# Events concerning user activities.
#
#Logs involving logins, change of UID and privilege escalations (USERACT)
#-------------------------------------------------------------------------
#Nov 14 12:14:58 foohost sshd[3388]: fatal: Timeout before authentication for 192.168.1.1
#Nov 14 19:58:34 foohost sshd[6597]: Bad protocol version identification '^B^S^D^Q^L' from 192.168.1.100
#Oct 18 06:16:53 foohost sshd[131]: Accepted keyboard-interactive/pam for jpb from 192.168.1.1 port 1077 ssh2
#Nov 14 12:55:29 foohost sshd[3425]: Accepted keyboard-interactive/pam for jpb from fe80::2c0:4fff:fe18:13fd%ep0 port 27492 ssh2
#Nov 15 04:02:24 foohost login: 1 LOGIN FAILURE ON ttyp2
#Nov 15 04:02:24 foohost login: 1 LOGIN FAILURE ON ttyp2, mysql
#Oct 18 03:20:46 foohost login: 2 LOGIN FAILURES ON ttyv0
#Oct 18 02:52:04 foohost login: ROOT LOGIN (root) ON ttyv1
#Oct 18 06:11:11 foohost login: login on ttyv0 as root
#Nov 10 19:40:03 foohost su: jpb to root on /dev/ttyp0
#Nov 18 09:37:38 foohost su: BAD SU jpb to root on /dev/ttyp3
#Nov 22 12:26:44 foohost su: BAD SU badboy to root on /dev/ttyp0
#

#
# sshd Problems
# --------------
#
type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+sshd\[\d+\]: (fatal|Bad)(.*)
desc=$0
action=write - USERACT: $1 sshd $2 problem, text: $3 at %t

#
# sshd Accepted
# --------------
#
type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+sshd\[\d+\]: Accepted (.*)
desc=$0
action=write - USERACT: $1 sshd accepted login, text: $2 at %t

#
# login FAILURES
# ---------------
#
type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+login: (.*?FAILURE.)(.*?ON) (.*)
desc=$0
action=write - USERACT: $1 login $2 on $4 at %t

#
# su  bad
# -----------------
#
type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+su: (BAD SU) (\S+) to (\S+) on (\S+)
desc=$0
action=write - USERACT: $1 su: $2 $3 to $4 on $5 at %t

#Nov 10 19:40:03 foohost su: jpb to root on /dev/ttyp0
#Nov 18 09:37:38 foohost su: BAD SU jpb to root on /dev/ttyp3
#Nov 22 12:26:44 foohost su: BAD SU badboy to root on /dev/ttyp0
#
#
# su  good to root
# -----------------
#
type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+su: (\S+) to root on (\S+)
desc=$0
action=write - USERACT: $1 su: $2 to ROOT on $4  at %t
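Review bot: The last rule prints `on $4`, but its pattern `su: (\S+) to root on (\S+)` has only three capture groups, so the tty is never reported and the output ends in `on  at`; change it to `on $3`. The three sample `su:` lines and the stray `#` block just above this rule repeat samples already present in the file header; fold them into the header comment.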




--- NEW FILE clamav.sec ---
#Detects Clamav syslogs and reports them in a general report

type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+clamd\[\d+\]: .*amavis-200\d+.*: (.*) FOUND
desc=$0
action=add GENERAL_REPORT CLAMD: $2 on $1



--- NEW FILE conf.README ---
This is the SEC configuration directory.  Because SEC usage varies so widely
from user to user, this Fedora Extras package is configured by default to not
run.

The commented-out default settings in /etc/sysconfig/sec will load any file in
this directory with a .sec suffix.  Please look through the example files
included in /etc/sec/examples/ and install the ones you want here (taking into
account that the examples are generic and some of them may need to be tweaked
to work with your setup).  You should also read the SEC man page so you have
at least a basic understanding of the SEC configuration commands.


--- NEW FILE cvs.sec ---

#Jul 31 19:54:21 xxxx xinetd[2088]: START: cvspserver pid=16385 from=xx.xx.xx.xx

type=single
desc = cvsp server connection start
ptype=regexp
pattern=([A-z._0-9-]*) xinetd\[\d+\]: START: cvspserver pid=\d+ from=(\d+\.\d+\.\d+\.\d+)
action=add GENERAL_REPORT CVS Connection from $2 on $1


#Aug  5 10:38:29 xxxx cvs: password mismatch for username in /usr/local/cvsroot: PMOv/9hZsf6v. vs. PMMlzZLYrbthY

type=single
ptype=regexp
pattern=([A-z._0-9-]*) cvs: password mismatch for (.*) in (.*)
desc = cvs login failure
action=pipe '$1 $2 CVS Login Failure: User $2 from $3' /usr/bin/mail -s '$1 $2 CVS Login Failure: $2 from $3' alerts at yourdomain.com


#Aug  5 10:38:49 xxxx cvs: attempt to root from account: username

type=single
ptype=regexp
pattern=([A-z._0-9-]*) cvs: attempt to root from account: (.*)
desc = cvs login to root attempt
action=pipe ' $1 $2 CVS Login to Root Attempt: User $2 ' /usr/bin/mail -s '$1 CVS Login to Root Failure: $2' alerts at yourdomain.com


#Aug  5 10:42:37 xxxx cvs: login failure (for /usr/local/cvsroot)

type=single
ptype=regexp
pattern=([A-z._0-9-]*) cvs: login failure \(for /usr/local/cvsroot\)
desc = cvs login failure
action=pipe '$1 $2 CVS Login Failure ' /usr/bin/mail -s '$1 CVS Login Failure' alerts at yourdomain.com
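Review bot: The character class `[A-z._0-9-]` used in every pattern of this file (and in dameware.sec and mpd.sec) spans ASCII 0x41–0x7A, so it silently admits `[`, `\`, `]`, `^` and the backquote in the hostname capture; the intended class is `[A-Za-z._0-9-]`. More important, the `password mismatch` and `attempt to root` rules place `$2` — an account name chosen by whoever attempted the CVS login — inside the single-quoted `mail -s '...'` argument of a `pipe` action, and `pipe` runs that string through a shell, so a quote in the name ends the argument early and the remainder is parsed as shell syntax. Keep the variable parts in the event text, which `pipe` feeds on stdin, and make the subject fixed, e.g. `/usr/bin/mail -s 'CVS Login Failure' alerts at yourdomain.com`. The `alerts at yourdomain.com` form appears to be the list archive's rendering of the address; the installed file presumably needs a literal `@`.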



--- NEW FILE dameware.sec ---
#Dameware Connect
type=single
ptype=regexp
pattern=([A-z._0-9-]*) DMWRCS: (.*) Connect: (.*)
desc = Dameware Connect
action=add WINDOWS_REPORT DAMEWARE CONNECT: %s; \
pipe 'DAMEWARE Connect -- : %s' /usr/bin/mail -s 'DAMEWARE CONNECT' alerts at yourdomain.com


#Dameware Disconnect
type=single
ptype=regexp
pattern=([A-z._0-9-]*) DMWRCS: (.*) Disconnect: (.*)
desc = Dameware Disconnect
action=add WINDOWS_REPORT DAMEWARE DISCONNECT: %s


--- NEW FILE dbi-example.sec ---
# to use perl packages, like DBI, you need to start SEC with the *-intevents* flag.
# this rule gets run against the messages file to log events to a central DB.
# not so much for the rule itself, but an example using DBI:
# Submitted by Jason Chambers

type=Single
ptype=RegExp
pattern=^(\S+\s+\S+\s+\S+)\s+(\S+)\s+(\S+:)\s+(\S+\s+\S+\s+\S+\s+)?(\S+)\s+:\s+\S+\s+;\s+(\S+)\s+;\s+(\S+)\s+;\s+(.*)
desc=update db log
action=assign %H $2;\
      assign %Z $5;\
      assign %U $6;\
      assign %R $7;\
      assign %C $8;\
      assign %N %u;\
      assign %I 0;\
      eval   %I (require DBI);\
      eval   %D (exit(1) unless %I;\
                  $COMMAND = "%C";\
                            my $DBH = DBI->connect('DBI:mysql:/DBname/:/DBhost/', '/DBuser/', '/DBpass/');\
                            my $SQL    = " SQL statement";\
                            $DBH->do($SQL);\
                 );
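Review bot: The `eval %D (...)` body interpolates `%C`, which is the free-text tail `$8` of the matched log line, into Perl source (`$COMMAND = "%C";`) before it is compiled, so a log message containing a double quote or `$`/`@` sequences becomes code run inside the SEC process; assemble that string outside the eval, and when the captures are eventually used in SQL pass them only as bind values, e.g. `$DBH->do($SQL, undef, @values)`. `exit(1) unless %I` also runs inside the eval, and Perl's `exit` is not caught by `eval`, so a missing DBI module terminates the whole SEC daemon on the first matching line — `return 0 unless %I;` gives the intended effect. The `'/DBuser/', '/DBpass/'` placeholders mean real database credentials end up in this rule file, which should be readable only by the account SEC runs as.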




--- NEW FILE general.sec ---
# General log events, unix systems. From various sources
#
#   Bad su 
# ----------- 
#
type=Single
ptype=RegExp 
desc=$0 
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+su: BAD SU (\S+) to (\S+) on (\S+)
action=pipe '$2 failed SU to $3 on $1 at %t' /usr/bin/mail -s "USER: $2 Failed SU on $1" alerts at email.com

type=Single
ptype=RegExp
desc=$0
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+su: BAD SU (\S+) to (\S+) on (\S+)
action=pipe '$2 failed SU to $3 on $1 at %t' /usr/bin/mail -s "USER: $2 Failed SU on $1" alerts at email.com 


# MONITOR.conf - SEC rules to pick up disruptive monitoring
# events.
#
#Logs involving syslogd disabled or unusual promiscuous mode (MONITOR)
#----------------------------------------------------------------------
#Nov 15 20:02:48 foohost syslogd: exiting on signal 15
#Nov 22 02:00:02 foohost syslogd: restart
#Nov 11 15:58:55 foohost /kernel: de0: promiscuous mode enabled
#Nov 11 15:58:57 foohost /kernel: de0: promiscuous mode disabled
#

#
# Syslog Exit
# -----------
#
type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+syslogd: exiting on signal (\d+)
desc=$0
action=write - MONITOR: $1 syslog exit on signal $2 at %t

#
# Syslog Restart
# ---------------
#
type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+syslogd: restart
desc=$0
action=write - MONITOR: $1 syslog restart at %t

#
# Syslog Exit
# -----------
#
type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+/kernel: (\S+) promiscuous mode (\S+)
desc=$0
action=write - MONITOR: $1 $2 promiscuous mode $3 at %t


#
# sshd Problems
# --------------
#
type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+sshd\[\d+\]: (fatal|Bad)(.*)
desc=$0
action=write - USERACT: $1 sshd $2 problem, text: $3 at %t

#
# sshd Accepted
# --------------
#
type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+sshd\[\d+\]: Accepted (.*)
desc=$0
action=write - USERACT: $1 sshd accepted login, text: $2 at %t

#
# login FAILURES
# ---------------
#
#type=Single
#ptype=RegExp
#pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+login: (.*?FAILURE.)(.*?ON) (.*)
#desc=$0
#action=write - USERACT: $1 login $2 on $4 at %t


#SSH Auth failure on bsd 5
#type=Single
#ptype=RegExp
#pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+sshd\[\d+\]: error: PAM: authentication error for (/S+) from (/S+)
#desc=$0
#action=pipe 'SSHD: 1 $1 2 $2 3 $3 to 4 $4 on 5 $5 at %t' /usr/bin/mail -s "SSHD: $1 $2 $3 to $4 on $5 at %t'

#
# su  bad
# -----------------
#
type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+su: (BAD SU) (\S+) to (\S+) on (\S+)
desc=$0
action=pipe 'USER: $1 SU: $2 $3 to $4 on $5 at %t' /usr/bin/mail -s "USERACT: $1 su: $2 $3 to $4 on $5 at %t'

#Nov 10 19:40:03 foohost su: jpb to root on /dev/ttyp0
#Nov 18 09:37:38 foohost su: BAD SU jpb to root on /dev/ttyp3
#Nov 22 12:26:44 foohost su: BAD SU badboy to root on /dev/ttyp0
#
#
# su  good to root
# -----------------
#
type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+su: (\S+) to root on (\S+)
desc=$0
action=pipe 'USER: $1 GOOD SU: $2 $3 to $4 on $5 at %t' /usr/bin/mail -s "USERACT: $1 su: $2 $3 to $4 on $5 at %t'   
#action=write - USERACT: $1 su: $2 to ROOT on $4  at %t

#
# Cabling Problem
# ----------------
#
type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+/kernel: (\S+)\s+(.*?:) cable problem
desc=$0
action=event 0 $1 PHYSMOD:ORANGE  cable problem on $2, text: $3 at %t



# USERACT - Events concerning user activities.
#
# Sample BSD logs involving logins, change of UID and privilege escalations.
#---------------------------------------------------------------------------
#Nov 14 12:14:58 foohost sshd[3388]: fatal: Timeout before authentication for 192.168.1.1
#Nov 14 19:58:34 foohost sshd[6597]: Bad protocol version identification '^B^S^D^Q^L' from 192.168.1.100
#Oct 18 06:16:53 foohost sshd[131]: Accepted keyboard-interactive/pam for foouser from 192.168.1.1 port 1077 ssh2
#Nov 15 04:02:24 foohost login: 1 LOGIN FAILURE ON ttyp2
#Nov 15 04:02:24 foohost login: 1 LOGIN FAILURE ON ttyp2, mysql
#Oct 18 03:20:46 foohost login: 2 LOGIN FAILURES ON ttyv0
#Oct 18 02:52:04 foohost login: ROOT LOGIN (root) ON ttyv1
#Oct 18 06:11:11 foohost login: login on ttyv0 as root
#Nov 10 19:40:03 foohost su: foouser to root on /dev/ttyp0
#Nov 18 09:37:38 foohost su: BAD SU foouser to root on /dev/ttyp3
#Nov 22 12:26:44 foohost su: BAD SU goodboy to root on /dev/ttyp0
#

#
# sshd Problems
# --------------
#
type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+sshd\[\d+\]: (fatal|Bad)(.*)
desc=$0
action=pipe 'USER: $1 su: $2 $3 to $4 on $5 at %t' /usr/bin/mail -s "USERACT: $1 su: $2 $3 to $4 on $5 at %t'   
#action=event 0 $1 USERACT:YELLOW  sshd $2 problem, text: $3 at %t

#
# login FAILURES
# ---------------
# ORANGE
type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+(sshd|login): (.*?FAILURE.)(.*?ON) (.*)
desc=$0
action=pipe 'USER: $1: Login Failure $2 on $4 at %t' /usr/bin/mail -s "USER: $1 su: $2 $3 to $4 on $5 at %t'   
#action=event 0 $1 USERACT:YELLOW  login $2 on $4 at %t


# NETWACT - SEC rules to pick up suspicious network events.
#
# Sample BSD logs involving odd or suspicious network activity.
#--------------------------------------------------------------
#Jun  3 17:46:24 foohost named[38298]: client 10.12.127.176#3714: request has invalid signature: tsig verify failure
#Apr 14 16:23:08 foohost /kernel: arp: 10.10.152.12 moved from 00:90:27:37:35:cf to 00:d0:59:aa:61:11 on de0
#Apr  1 11:23:39 sixshooter /kernel: Limiting closed port RST response from 368 to 200 packets per second


#
# named Dynamic DNS Update rejection
# ----------------------------------
#
type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+named\[\d+\]: client (\S+): request has invalid signature:(.*)
desc=$0
action=pipe 'NET: $1 dyndns attempt from $2' /usr/bin/mail -s "NET: $1 dyndns attempt from $2, text: $3 at %t"

#
# MAC address moved
# -----------------
# ORANGE
type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+/kernel: arp: (\S+) moved from (\S+) to (\S+) on (\S+)
desc=$0
action=pipe 'NET: $1 arp moved on $2' /usr/bin/mail -s "NET: $1 arp moved on $2 from: $3 to $4 on $5 at %t"

#
# DoS RST rate limit
# ------------------
#
type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+/kernel: Limiting closed port RST response from (\d+) to (\d+)
desc=$0
action=pipe 'NET: $1 RST limit enforced: $2 to $3 at %t' /usr/bin/mail =s "NET: $1 RST limit enforced: $2 to $3"



# COMPROM - SEC rules to pick up potential system compromise events.
#
# Sample BSD logs involving potential system compromise.
#-------------------------------------------------------
#May 25 18:09:55 foohost ntpd[1325]: ntpd exiting on signal 11
#Jul 21 18:33:16 foohost /kernel: pid 55454 (ftpd), uid 1001: exited on signal 8
#Apr  9 12:57:06 foohost /kernel: pid 28039 (telnet), uid 0: exited on signal 3 (core dumped)

#
# ntpd crash
# ------------------
#
type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+ntpd\[\d+\]: ntpd exiting on signal (\d+)
desc=$0
action=pipe 'CRASH: $1 ntpd crashed on signal $2 at %t' /usr/bin/mail -s "CRASH: $1 ntpd crashed"

#
# Process crash
# ------------------
#
type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+/kernel: pid \d+ \(\S+\), uid (\d+): exited on signal (\d+)
desc=$0
action=pipe 'CRASH: $1 $2 crashed on signal $4, uid $3 at %t' /usr/bin/mail -s "CRASH: $1 $2 crashed"



# PROCESS - SEC rules to pick up suspicious process events.
#
# Sample BSD logs involving unusual processes.
#---------------------------------------------
#Mar 23 08:05:52 foohost thttpd[126]: thttpd/2.25b 29dec2003 starting on port 8090

#
# Suspicious processes
# --------------------
#
type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+(thttpd)\[(\d+)\]:(.*) 
desc=$0
action=pipe 'SUSPROC: $1 suspicious process  $2 pid $3, text: $4 at %t' /usr/bin/mail -s "SUSPROC: $1 suspicious process  $2"



# SHUTRST - SEC rules to pick up system shutdown, restart events.
#
# Sample BSD logs involving system shutdown and reset.
#-----------------------------------------------------
#Mar  6 16:28:13 foohost reboot: rebooted by foouser 
#Jul 15 17:35:49 foohost halt: halted by root
#Mar  6 16:29:17 foohost /kernel: Copyright (c) 1992-2003 The FreeBSD Project.

#
# Reboot message
# --------------
#
type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+reboot: rebooted by (\S+)
desc=$0
action=pipe 'REBOOT: $1 rebooted by $2' /usr/bin/mail -s "REBOOT: $1 rebooted by $2"

#
# Halt message
# --------------
#
type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+halt: halted by (\S+)
desc=$0
action=pipe 'HALT: $1 halted by $2' /usr/bin/mail -s "HALT: $1 halted by $2"

#
# Restart message
# --------------
#
type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+/kernel: Copyright \(c\) (\S+) The FreeBSD Project
desc=$0
action=pipe 'RESTART: $1 restart message at %t' /usr/bin/mail -s "RESTART: $1 restart message"
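Review bot: Four `pipe` actions in this file close the `mail -s "..."` subject with a single quote instead of a double quote — the `su bad`, `su good to root`, second `sshd Problems` and `login FAILURES` rules — so the shell sees an unterminated string and the mail is never sent; likewise `mail =s "NET: ..."` in the RST rate-limit rule should be `-s`. Several subjects reference captures the pattern does not have: `su good to root` has three groups but prints `$4`/`$5`, the second `sshd Problems` rule reuses the su subject wholesale, and the `Process crash` action prints `$2 crashed on signal $4, uid $3` although its pattern captures only host, uid and signal (the `\(\S+\)` process name is not a group). The first two rules are identical `BAD SU` rules, so each failed su currently mails twice. Given how many of these actions put log-derived fields on a shell command line, a fixed `-s` subject with the details carried only in the event text that `pipe` feeds on stdin would be safer and simpler to keep correct.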



--- NEW FILE hp-openview.sec ---
################################################################
#          Sample SEC ruleset for HP OpenView ITO
################################################################

# process Cisco linkDown/linkUp trap events received from 
# HP OpenView ITO trap template through itostream plugin
# Submitted by Risto Vaarandi

type=PairWithWindow
ptype=RegExp
pattern=node=(\S+).*msg_text=cisco linkdown trap on interface (\S+)
desc=CISCO $1 INTERFACE $2 DOWN
action=event %s; 
continue2=TakeNext
ptype2=RegExp
pattern2=node=$1.*msg_text=cisco linkup trap on interface $2
desc2=CISCO %1 INTERFACE %2 BOUNCE
action2=event %s; 
window=20

type=SingleWithSuppress
continue=TakeNext
ptype=RegExp
pattern=CISCO (\S+) INTERFACE (\S+) DOWN
desc=cisco $1 interface $2 down
action=reset +1 %s
window=60

type=Pair
ptype=RegExp
pattern=CISCO (\S+) INTERFACE (\S+) DOWN
desc=cisco $1 interface $2 down
action=shellcmd /home/opc_op/cisco_msg.sh $1 $2 major down
ptype2=RegExp
pattern2=node=$1.*msg_text=cisco linkup trap on interface $2
desc2=cisco %1 interface %2 up
action2=shellcmd /home/opc_op/cisco_msg.sh %1 %2 normal up
window=86400

type=SingleWith2Thresholds
ptype=RegExp
pattern=CISCO (\S+) INTERFACE (\S+) BOUNCE
desc=cisco $1 interface $2 is unstable
action=shellcmd /home/opc_op/cisco_msg.sh $1 $2 major unstable
window=3600
thresh=10
desc2=cisco $1 interface $2 is stable again
action2=shellcmd /home/opc_op/cisco_msg.sh $1 $2 normal stable
window2=10800
thresh2=0

#
# the cisco_msg.sh script:
#
##!/bin/sh
#
#NODE=$1
#IF=$2
#SEV=$3
#TEXT=$4
#
## use snmpget utility from Net-SNMP package
#IFNAME=`/usr/bin/snmpget -c public -OQv $NODE .1.3.6.1.2.1.2.2.1.2.$IF`
#DESCR=`/usr/bin/snmpget -c public -OQv $NODE .1.3.6.1.4.1.9.2.2.1.1.28.$IF`
#
#MSG=`echo "Interface $IFNAME ($DESCR) $TEXT" | sed s/\"/\'/g`
#
#/opt/OV/bin/OpC/opcmsg node=$NODE app=cisco obj=if \
#                       sev=$SEV msg_grp=Network msg_text="$MSG"
#


# process APC ups "not online" trap events received from 
# HP OpenView ITO trap template through itostream plugin

type=SingleWithScript
ptype=RegExp
pattern=node=(\S+).*msg_text=APC ups not online
script=/home/opc_op/check_apc.sh $1
desc=APC ups is not online!
action=shellcmd /opt/OV/bin/OpC/opcmsg node=$1 app=APC obj=state \
  msg_grp=UPS sev=critical msg_text='%s'

#
# the check_apc.sh script
#
##!/bin/sh
# 
## sleep for a few seconds and check if the UPS error is still present;
## if it is, exit with 0, otherwise exit with 1
#
#UPS=$1
#sleep 5
#
## use snmpget utility from Net-SNMP package
#STATUS=`/usr/bin/snmpget -c public -OQve $UPS .1.3.6.1.4.1.318.1.1.1.4.1.1.0`
#
## According to the APC Powernet MIB the variable .1.3.6.1.4.1.318.1.1.1.4.1.1 
## takes the the following values: unknown(1), onLine(2), onBattery(3),
## onSmartBoost(4), timedSleeping(5), softwareBypass(6), off(7), rebooting(8),
## switchedBypass(9), hardwareFailureBypass(10), sleepingUntilPowerReturn(11),
## and onSmartTrim(12), where onLine(2) is the normal state for the UPS
#
#if [ $STATUS -eq 2 ]
#then
#  exit 1
#else
#  exit 0
#fi 
#
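Review bot: `shellcmd /home/opc_op/cisco_msg.sh $1 $2 major down` passes the node name and interface index taken from the trap text to the shell unquoted, and the commented `cisco_msg.sh` listing expands `$NODE` and `$IF` unquoted into `snmpget` in the same way; double-quote them in the script and narrow the rule captures (e.g. `(\d+)` for the interface index instead of `(\S+)`), since trap contents are not trusted input. `$1` and `$2` are also substituted unescaped into `pattern2=node=$1.*msg_text=cisco linkup trap on interface $2`, so a node name containing regex metacharacters prevents the pair from ever closing — another reason for narrower first-stage captures. Both embedded scripts hard-code the `public` community string; the example should say so, e.g. `## replace 'public' with the site read community before use`.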


--- NEW FILE labrea.sec ---
#Labrea tarpit events

type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+LaBrea: Initial Connect \(tarpitting\): (\d+\.\d+\.\d+\.\d+\s\d+) \-> \d+\.\d+\.\d+\.\d+\s(.*)
desc=$0
action=add TARPIT_REPORT %t: $1 New Tarpitted Connect from $2 on port $3

#type=Single
#ptype=RegExp
#pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+LaBrea: Additional Activity: (\d+\.\d+\.\d+\.\d+) \d+ \-> \d+\.\d+\.\d+\.\d+ (\d+)*
#desc=$0
#action=add TARPIT_REPORT %t: %s;
#

type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+LaBrea: Responded to a PING: (d+\.\d+\.\d+\.\d+) \d+ \-> \d+\.\d+\.\d+\.\d+
desc=$0
action=add TARPIT_REPORT %t: PING Sweep from $@ on $3

#Send hourly tarpit report

type=Calendar
time=0 8,12,20 * * *
desc=Sending tarpit report...
action=report TARPIT_REPORT \
       /usr/bin/mail -s 'Tarpits: Tarpit Victim report' alerts at yourdomain.com; \
       delete TARPIT_REPORT
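Review bot: The `Responded to a PING` rule cannot fire: its pattern has `(d+\.\d+\.\d+\.\d+)` with the backslash missing from the first octet, so it looks for literal `d` characters, and its action refers to `$@` and `$3`, neither of which exists (the pattern has two groups). Presumably intended: `(\d+\.\d+\.\d+\.\d+)` and `action=add TARPIT_REPORT %t: PING Sweep from $2 on $1`. The Calendar rule's `report` uses a fixed mail subject and sends the context as the body, which is the shape the other example files should follow.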


--- NEW FILE mpd.sec ---

type=single
desc = mpd connection start
ptype=regexp
pattern=([A-z._0-9-]*) mpd: PPTP connection from (\d+\.\d+\.\d+\.\d+):\d+
action=add GENERAL_REPORT MPD Start from $2 on $1

type=single
ptype=regexp
pattern=([A-z._0-9-]*) mpd:  Name: (.*)
desc = mpd user auth
action=add GENERAL_REPORT MPD User $2 Auth on $1

type=Single
ptype=RegExp
pattern=([A-z._0-9-]*) mpd: pptp\d: killing connection with (\d+\.\d+\.\d+\.\d+):\d+
desc=mpd connection end
action=add GENERAL_REPORT MPD Connection end from $2 on $1


--- NEW FILE pix-security.sec ---
####################################################################
#                SEC ruleset for Cisco PIX 6.x, 7.x
####################################################################

# Process various events from PIX syslog output
# 
# Submitted by Chris Sawall
# email: sawall -[at]- gmail -[dot]- com
# Last Updated: 5/20/05

# ------------------------------------------------------------------
# Watch for weird failures - possible trojan/worm
# ------------------------------------------------------------------

# Watch for 10 denies within 10 seconds.  Especially useful to monitor
# for certain trojans and mass mailers
#
type=SingleWithThreshold
ptype=RegExp
pattern=\s*.*Deny\s+(\w+)\s+src.*:(.*)/.*:(.*)/(\b2\d\b).*$
desc=Unusual Failures:$1 $4/$2 -> $3
action=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01 at domain.com; delete ffo_$1
window=10
thresh=10

# Monitor for occurrances of certain variant of PHEL trojan destined
# for two different class C networks
#
type=Single
continue=dontcont
ptype=RegExp
pattern=(212\.147\.14[12]\.)
desc=Possible PHEL Trojan (1)
action=create phel_$1; add phel_$1 Local Time = %t; add phel_$1 $0; report phel_$1 /bin/mail -s "%s" email01 at domain.com; delete phel_$1

# ------------------------------------------------------------------
# Watch for firewall failovers
# ------------------------------------------------------------------

# Firewall failures/failovers
# Works for PIX 7.x

# Failure of secondary (standby) firewall while primary is active
# Works for PIX 7.x
# 
# $1 is the IP address of the primary firewall
#
type=Single
continue=takenext
ptype=RegExp
pattern=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*PIX-1-102001.*\(Primary\).*$
desc=Secondary firewall for $1 - failure/reload
action=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01 at domain.com; delete ffo_$1

# Failure of secondary (standby) firewall while primary is active
# Works for PIX 7.x
#
# $1 is the IP address of the primary firewall
#
type=Single
continue=takenext
ptype=RegExp
pattern=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*PIX-1-102001.*\(Secondary\).*$
desc=Primary firewall for $1 - failure/reload
action=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01 at domain.com; delete ffo_$1

# Failure of secondary (active), primary assumes active
# Works for PIX 7.x
#
# The first "desc" and "action" don't really do anything here.  But SEC requires them to be present.
# $1 is the IP address of the primary firewall
#
type=Pair
continue=dontcont
ptype=RegExp
pattern=PIX-1-102001:\s+\(Primary\).*$
desc=$0
action=logonly
ptype2=RegExp
pattern2=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*Primary\).*Peer state Standby Ready
desc2=Secondary (was active) firewall ($1) has failed.  Primary is now active.
action2=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01 at domain.com; delete ffo_$1
window=5

# Failure of primary (active), secondary assumes active
# Works for PIX 7.x
#
# The first "desc" and "action" don't really do anything here.  But SEC requires them to be present.
# $1 is the IP address of the primary firewall
#
type=Pair
continue=dontcont
ptype=RegExp
pattern=PIX-1-102001:\s+\(Secondary\).*$
desc=$0
action=logonly
ptype2=RegExp
pattern2=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*Secondary\).*Peer state Standby Ready
desc2=Primary firewall ($1) has failed.  Secondary is now active.
action2=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01 at domain.com; delete ffo_$1
window=5

# ------------------------------------------------------------------
# Watch for firewall reloads
# ------------------------------------------------------------------

# Manual reload of PIX
# Works for PIX 6.x
#
# $1 is the IP address of the primary firewall
#
type=Single
continue=dontcont
ptype=RegExp
pattern=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*PIX reload.*$
desc=$1 has been manually rebooted
action=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01 at domain.com ; delete ffo_$1

# Manual reload of PIX
# Works for PIX 7.x
#
# $1 is the IP address of the primary firewall
#
type=Single
continue=dontcont
ptype=RegExp
pattern=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*Orderly reload.*Reload reason:\s(\S+)
desc=$1 has been manually rebooted, reason: $2
action=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01 at domain.com; delete ffo_$1

# ------------------------------------------------------------------
# Watch for SSH logins/failures on firewalls
# ------------------------------------------------------------------

# Suppress emails concerning pixbkup account
# In this case, the pixbkup acct is used to backup the PIX firewalls
# Keeping email alerts to a minimum, this skips past these alerts
#
type=Suppress
continue=dontcont
ptype=RegExp
pattern=pixbkup

# Successful Admin SSH session
# Works for PIX 6.x
# 
# Monitor for successful SSH connections to the PIX firewall
# $1 & $2 make up the IP of the firewall, $3 is the user account and $4 the source IP addr
#
type=Single
continue=dontcont
ptype=RegExp
pattern=\s*.*(10|172|192)\.(\d+\.\d+\.\d+).*Authentication succeeded.*\'(\S+)\'.*to\s(\d+\.\d+\.\d+\.\d+)\/0.*SSH
desc=Admin Auth to $1.$2 -> $3 from $4
action=create ssh_$1; add ssh_$1 Local Time = %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01 at domain.com; delete ssh_$1

# Successful Admin SSH session
# Works for PIX 7.x
# 
# Monitor for successful SSH connections to the PIX firewall
# $1 & $2 make up the IP of the firewall, $3 is the user account and $4 the source IP addr
#
type=Single
continue=dontcont
ptype=RegExp
pattern=\s*.*(10|172|192)\.(\d+\.\d+\.\d+).*Authentication succeeded.*\'(\S+)\'\sfrom\s(\d+\.\d+\.\d+\.\d+)\/0.*/22.*$
desc=Admin Auth to $1.$2 -> $3 from $4
action=create ssh_$1; add ssh_$1 Local Time = %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01 at domain.com; delete ssh_$1

# Failed Admin SSH session
# Works for PIX 6.x
#
# Monitor for failed SSH attempts to the PIX firewalls
# $1 is the user acct
#
type=Single
continue=takenext
ptype=RegExp
pattern=Authentication failed.*\'(\S+)\'.*SSH
desc=Admin Auth FAILED -> $1
action=create ssh_$1; add ssh_$1 %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01 at domain.com; delete ssh_$1

# Failed Admin SSH session
# Works for PIX 7.x
#
# Monitor for failed SSH attempts to the PIX firewalls
# $1 is the user acct
#
type=Single
continue=takenext
ptype=RegExp
pattern=Authentication failed.*\'(\S+)\'.*/22.*$
desc=Admin Auth FAILED -> $1
action=create ssh_$1; add ssh_$1 %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01 at domain.com; delete ssh_$1

# Normal SSH termination
# Works for both PIX 6.x and 7.x
#
# $1 is the IP of the firewall and $2 is the user acct
#
type=Single
ptype=RegExp
pattern=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*\"(\S+)\".*terminated normally
desc=ADMIN END $1 -> $2
action=create ssh_$1; add ssh_$1 %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01 at domain.com; delete ssh_$1

# SSH session timeout or abnormal termination
# Works for PIX 6.x
# May work for PIX 7.x - not tested but PIX-6-315011 is the same for 6 and 7.
#
# $1 is the IP of the firewall
#
type=Single
ptype=RegExp
pattern=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*disconnected by SSH server
desc=Firewall session END - timeout $1
action=create ssh_$1; add ssh_$1 %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01 at domain.com; delete ssh_$1

# ------------------------------------------------------------------
# Watch for firewall commands
# ------------------------------------------------------------------

# Admin executed "write mem"
# Works for both PIX 6.x and 7.x
#
# $1 is the IP of the firewall
type=Single
ptype=RegExp
pattern=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*write\sm.*
desc=User wrote config to memory -> $1
action=create fwcmd_$1; add fwcmd_$1 %t; add fwcmd_$1 $0; report fwcmd_$1 /bin/mail -s "%s" email01 at domain.com; delete fwcmd_$1

# Watch for HIGH CPU Utilization
# Works for PIX 6.x
#
# NOTE(review): the pattern below has no capture group, so the $1 used in
# the action is empty and the context is created as "fwcmd_"; capture the
# firewall IP as the rules above do, or use a fixed context name instead.
#
type=Single
ptype=RegExp
pattern=PIX-.-211003
desc=HIGH CPU Utilization
action=create fwcmd_$1; add fwcmd_$1 %t; add fwcmd_$1 $0; report fwcmd_$1 /bin/mail -s "%s" email01 at domain.com; delete fwcmd_$1



--- NEW FILE pix-url.sec ---
####################################################################
#                SEC ruleset for Monitoring Keywords
####################################################################

# This particular ruleset was designed to monitor PIX syslog traffic
# and watch for keywords in URL traffic.  SEC must be started with
# the -intevents option for the startup rule below to fire.
#
# Currently tested for PIX 6.x 
# 
# Submitted by Chris Sawall
# email: sawall -[at]- gmail -[dot]- com
# Last Updated: 5/20/05

# Wait for SEC to start up or be restarted and then read in two lists
# of words.  The first being a list of words to watch for and alert on,
# the second list being a list of exclusions for a suppression rule.
#
type=Single
ptype=PerlFunc
pattern=sub { if(($_[0] eq "SEC_STARTUP") || ($_[0] eq "SEC_RESTART")) { @words=`cat /root/watch4badwords`; chomp(@words); $list=join('|', @words); @ewords=`cat /root/watch4excludes`; chomp(@ewords); $excludes=join('|', @ewords);} }
desc=$0
context=SEC_INTERNAL_EVENT
action=write - Set word list variable;

# ------------------------------------------------------------------
# Scan for certain URLs
# ------------------------------------------------------------------

# Monitor and match on keywords from the exclusions file and 
# suppress reporting on them.
#
type=Suppress
continue=dontcont
ptype=PerlFunc
pattern=sub {($_[0] =~ /($excludes)/) }

# Monitor for keywords and send an email alert
#
type=Single
ptype=PerlFunc
pattern=sub {($_[0] =~ /($list)/) }
desc=Inappropriate word in URL
action=create ssh_$1; add ssh_$1 %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01 at domain.com; delete ssh_$1

#
# Examples of "watch4badwords" and "watch4excludes"
# 
# Each file is a newline-delimited list.  The startup rule
# above reads the file in literally and builds an OR
# expression by putting a pipe (|) between all of the
# keywords, so every line is treated as a Perl regex.
# 
# Be careful on what words are being monitored.
# The word virgin also finds virginia and alerts
# on it.
# 
# The following are examples of things that work:
# 
# ----> watch4badwords
#
# \bvirgin\b
# \byoung girl\b
# \b[Pp]layboy\b
# pr0n
# hardcore
#  
# ----> watch4excludes
# 
# \b10\.10\.2\.4\b
# \bcherry tree\b
# cnn.com
# 




--- NEW FILE portscan.sec ---
################################################################
# Sample SEC ruleset for "PORTSCAN FROM ip1 TO ip2:port" events
################################################################

# process "PORTSCAN FROM ip1 TO ip2:port" events, and if a certain
# source host has scanned the same destination port on more than 
# 10 distinct destination hosts during 60 seconds, raise an alarm

type=Single
ptype=RegExp
pattern=PORTSCAN FROM (\S+) TO \S+:(\d+)
context=!HORIZONTAL_PORTSWEEP_FROM_SOURCE_IP_$1_TO_TARGET_PORT_$2
continue=TakeNext
desc=Horizontal port sweep started from source $1 to target port $2
action=eval %o ( $portscans{"$1:$2"} = {} ); \
       create HORIZONTAL_PORTSWEEP_FROM_SOURCE_IP_$1_TO_TARGET_PORT_$2 60 \
       eval %o ( delete $portscans{"$1:$2"} )

type=Single
ptype=RegExp
pattern=PORTSCAN FROM (\S+) TO (\S+):(\d+)
context=HORIZONTAL_PORTSWEEP_FROM_SOURCE_IP_$1_TO_TARGET_PORT_$3
continue=TakeNext
desc=Scanned destination IP: $2
action=eval %o ( $portscans{"$1:$3"}->{$2} = 1 ); \
       add HORIZONTAL_PORTSWEEP_FROM_SOURCE_IP_$1_TO_TARGET_PORT_$3 %t: %s;\
       set HORIZONTAL_PORTSWEEP_FROM_SOURCE_IP_$1_TO_TARGET_PORT_$3 60 \
       eval %o ( delete $portscans{"$1:$3"} )

type=Single
ptype=RegExp
pattern=PORTSCAN FROM (\S+) TO (\S+):(\d+)
context=HORIZONTAL_PORTSWEEP_FROM_SOURCE_IP_$1_TO_TARGET_PORT_$3 \
        && =( scalar(keys(%{$portscans{"$1:$3"}})) > 10 )
continue=DontCont
desc=$1 has scanned more than 10 destinations
action=report HORIZONTAL_PORTSWEEP_FROM_SOURCE_IP_$1_TO_TARGET_PORT_$3 \
       mail -s 'Horizontal port sweep from $1 target port $3' root at localhost; \
       delete HORIZONTAL_PORTSWEEP_FROM_SOURCE_IP_$1_TO_TARGET_PORT_$3; \
       eval %o ( delete $portscans{"$1:$3"} )


--- NEW FILE sec.init ---
#!/bin/bash
#
# sec           This starts and stops SEC
#
# chkconfig:    - 26 74
# description:  Simple Event Correlator script to filter log file entries
# processname:  /usr/bin/sec
# config:       /etc/sysconfig/sec
# pidfile:      /var/run/sec.pid
#

# Source function library.
    . /etc/rc.d/init.d/functions

# Default to a clean return value
    RETVAL=0

# Program we'll be executing, and the short name used for the lock file,
# the sysconfig file and killproc/status lookups below
    EXEC='/usr/bin/sec'
    prog='sec'

# Nothing to do if the binary is not installed
    if ! [ -f $EXEC ]; then
        exit 0
    fi

# Source the config; SEC_ARGS is expected to be defined there
    if [ -e /etc/sysconfig/$prog ]; then
        . /etc/sysconfig/$prog
    fi

# No options defined means that sec can't run.  SEC_ARGS may be a plain
# string or a bash array; "$SEC_ARGS" expands to its first element either way
    if [ -z "$SEC_ARGS" ]; then
        exit 0
    fi

# And away we go...

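start() {
    # Launch one sec daemon per entry in SEC_ARGS.  SEC_ARGS is either a
    # plain string (one instance) or a bash array (one instance per element);
    # ${#SEC_ARGS[@]} is 1 for the plain-string case, so both forms work.
    # Stops at the first instance that fails to start and returns its status;
    # the subsys lock is only touched when every instance started.
    local n
    for ((n = 0; n < ${#SEC_ARGS[@]}; n++)); do
        echo -n $"Starting $prog instance "$((n + 1))": "
        # Intentionally unquoted: each element is a whole command line of
        # options that must be word-split before being handed to sec
        daemon $EXEC ${SEC_ARGS[$n]}
        RETVAL=$?
        # daemon prints its [ OK ]/[FAILED] marker without a trailing newline,
        # so without this the next instance's message lands on the same line
        echo
        [ $RETVAL -ne 0 ] && return $RETVAL
    done
    touch /var/lock/subsys/$prog
    return $RETVAL
}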

stop() {
    # Stop every running sec process by name, then drop the subsys lock
    # only if killproc reported success
    echo -n $"Stopping $prog: "
    killproc $prog
    RETVAL=$?
    echo
    if [ $RETVAL -eq 0 ]; then
        rm -f /var/lock/subsys/$prog
    fi
    return $RETVAL
}

reload() {
    # Send SIGHUP to every sec process so it re-reads its configuration;
    # the packaged logrotate script calls this after rotating /var/log/sec
    echo -n $"Reloading configuration: "
    killproc $prog -HUP; RETVAL=$?
    echo
    return $RETVAL
}

restart() {
    # Full cycle: take every instance down, then bring them all back up;
    # the function's exit status is that of start
    local step
    for step in stop start; do
        $step
    done
}

dump() {
    # SIGUSR1 asks sec to write out its internal state.  The message names
    # /tmp/sec.dump, but the path is chosen by sec itself, not by this script.
    # NOTE(review): a fixed file name under /tmp is reachable by any local
    # user -- confirm how the installed sec version selects and protects it.
    echo -n $"Dumping state in /tmp/sec.dump: "
    killproc $prog -USR1; RETVAL=$?
    echo
    return $RETVAL
}

sec_status() {
    # Wrapper around the status helper from /etc/rc.d/init.d/functions;
    # presumably named sec_status so it does not shadow that helper
    status "$prog"
}

# Dispatch on the sub-command.  Only the names listed here are ever run,
# so an arbitrary first argument never becomes a command.
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    reload)
        reload
        ;;
    restart)
        restart
        ;;
    dump)
        dump
        ;;
    status)
        sec_status
        ;;
    *)
        echo $"Usage: $0 {start|stop|reload|restart|dump|status}"
        exit 2
        ;;
esac



--- NEW FILE sec.logrotate ---
/var/log/sec {
    missingok
    notifempty
    sharedscripts
    postrotate
        /sbin/service sec reload 2> /dev/null > /dev/null || true
    endscript
}


--- NEW FILE sec.spec ---
# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169345
#
# Specfile for SEC, the simple event correlator
#

Name:           sec
Version:        2.3.3
Release:        4%{?dist}
Summary:        SEC (simple event correlator)

Group:          System Environment/Daemons
License:        GPL
URL:            http://www.estpak.ee/~risto/sec/

################################################################################

Source0:        http://dl.sourceforge.net/simple-evcorr/%{name}-%{version}.tar.gz
Source1:        sec.sysconfig
Source2:        sec.init
Source3:        sec.logrotate

# Example files and configuration info
Source100:      conf.README
Source101:      http://www.estpak.ee/~risto/sec/examples/syslog-ng.txt
Source102:      001_init.sec
Source103:      http://www.bleedingsnort.com/sec/amavisd.sec
Source104:      http://www.bleedingsnort.com/sec/bsd-MONITOR.sec
Source105:      http://www.bleedingsnort.com/sec/bsd-PHYSMOD.sec
Source106:      http://www.bleedingsnort.com/sec/bsd-USERACT.sec
Source107:      http://www.bleedingsnort.com/sec/clamav.sec
Source108:      http://www.bleedingsnort.com/sec/cvs.sec
Source109:      http://www.bleedingsnort.com/sec/dameware.sec
Source110:      http://www.bleedingsnort.com/sec/dbi-example.sec
Source111:      http://www.bleedingsnort.com/sec/general.sec
Source112:      http://www.bleedingsnort.com/sec/hp-openview.sec
Source113:      http://www.bleedingsnort.com/sec/labrea.sec
Source114:      http://www.bleedingsnort.com/sec/mpd.sec
Source115:      http://www.bleedingsnort.com/sec/pix-security.sec
Source116:      http://www.bleedingsnort.com/sec/pix-url.sec
Source117:      http://www.bleedingsnort.com/sec/portscan.sec
Source118:      http://www.bleedingsnort.com/sec/snort.sec
Source119:      http://www.bleedingsnort.com/sec/snortsam.sec
Source120:      http://www.bleedingsnort.com/sec/ssh-brute.sec
Source121:      http://www.bleedingsnort.com/sec/ssh.sec
Source122:      http://www.bleedingsnort.com/sec/vtund.sec
Source123:      http://www.bleedingsnort.com/sec/windows.sec

BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)

BuildArch:		noarch

################################################################################

Requires(post):	    chkconfig
Requires(postun):   initscripts
Requires(preun):    initscripts, chkconfig

# The init script uses arrays, so we need bash
Requires:           bash

# Not required specifically by SEC, but our examples use it so we might as well
# create a requirement for logrotate.
Requires:           logrotate

# Some alternate names for the package that users might search for
Provides:           simple-evcorr
Provides:           sec.pl

################################################################################

%description
SEC is an open source and platform independent event correlation tool that
was designed to fill the gap between commercial event correlation systems and
homegrown solutions that usually comprise a few simple shell scripts.
SEC accepts input from regular files, named pipes, and standard input, and can
thus be employed as an event correlator for any application that is able to
write its output events to a file stream.

################################################################################

%prep
%setup -q

# Install some handy tools
    mkdir tools/
    mv itostream.c \
       convert.pl  \
       tools/

# Replace some tags in the config files
    sed -i -e 's/@@NAME@@/%{name}/'    \
        %{SOURCE1}                     \
        %{SOURCE2}                     \
        %{SOURCE3}

# Fix the bindir in case a user wants it put in a different location
    sed -i -e 's#/usr/bin/sec#%{_bindir}/sec#' \
        %{SOURCE2}

################################################################################

%install

rm -rf $RPM_BUILD_ROOT

# Create the directories we'll need
    install -d -m 755 $RPM_BUILD_ROOT%{_initrddir}
    install -d -m 755 $RPM_BUILD_ROOT%{_localstatedir}/log
    install -d -m 755 $RPM_BUILD_ROOT%{_localstatedir}/run
    install -d -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d
    install -d -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig
    install -d -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/examples

# Install SEC and its associated files
    install -D -p -m 755 sec.pl     $RPM_BUILD_ROOT%{_bindir}/sec
    install -D -p -m 644 sec.pl.man $RPM_BUILD_ROOT%{_mandir}/man1/sec.1
    install -p -m 644 %{SOURCE1} $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/sec
    install -p -m 644 %{SOURCE3} $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/sec
    install -p -m 755 %{SOURCE2} $RPM_BUILD_ROOT%{_initrddir}/sec

# Install the example config files and readme
    install -p -m 644 %{SOURCE100} \
            $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/README
    install -p -m 644 %{SOURCE101} \
            $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/examples/syslog-ng.sec
    install -p -m 644 %{SOURCE102}  \
                      %{SOURCE103}  \
                      %{SOURCE104}  \
                      %{SOURCE105}  \
                      %{SOURCE106}  \
                      %{SOURCE107}  \
                      %{SOURCE108}  \
                      %{SOURCE109}  \
                      %{SOURCE110}  \
                      %{SOURCE111}  \
                      %{SOURCE112}  \
                      %{SOURCE113}  \
                      %{SOURCE114}  \
                      %{SOURCE115}  \
                      %{SOURCE116}  \
                      %{SOURCE117}  \
                      %{SOURCE118}  \
                      %{SOURCE119}  \
                      %{SOURCE120}  \
                      %{SOURCE121}  \
                      %{SOURCE122}  \
                      %{SOURCE123}  \
            $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/examples/

# Replace all "email.com" in the sample rulesets with the reserved documentation
# domain example.com (the pix and snortsam examples use domain.com / yourdomain.com
# and are left untouched by this substitution)
    grep -rl 'email.com' $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/ \
         | xargs sed -i -e 's/email.com/example.com/g'

# Create ghost files so rpm doesn't complain about them being gone
    touch $RPM_BUILD_ROOT%{_localstatedir}/log/sec
    touch $RPM_BUILD_ROOT%{_localstatedir}/run/sec.pid

################################################################################

%post

if [ $1 = 1 ]; then
	/sbin/chkconfig --add sec
fi

%preun

if [ $1 = 0 ]; then
	/sbin/service sec stop > /dev/null 2>&1 || :
	/sbin/chkconfig --del sec
fi

%postun

if [ $1 = 1 ]; then
    /sbin/service sec condrestart
fi

%clean

rm -rf $RPM_BUILD_ROOT

################################################################################

%files

%defattr(-,root,root,-)
%doc ChangeLog COPYING README tools/
%config(noreplace) %{_sysconfdir}/sysconfig/sec
%config(noreplace) %verify (not md5 size mtime) %{_sysconfdir}/logrotate.d/sec
%{_sysconfdir}/%{name}
%{_bindir}/sec
%{_initrddir}/sec
%{_mandir}/man1/*
%ghost %verify (not md5 size mtime) %{_localstatedir}/log/sec
%ghost %verify (not md5 size mtime) %{_localstatedir}/run/sec.pid

################################################################################

%changelog

* Mon Jun 12 2006 Chris Petersen <rpm at forevermore.net>                  2.3.3-4
- Change group to keep rpmlint happy
- Fix permissions on the logrotate script

* Thu Jun 08 2006 Chris Petersen <rpm at forevermore.net>                  2.3.3-3
- Clean up spec
- Add ghost file entries for the default logfile and pid
- Add logrotate script
- Add more bleedingsnort examples
- Add pid to sec.sysconfig and completely rewrite to handle multiple instances
- Fix download URL
- Fix echo log command in 001_init.sec
- Rewrite sysV init script to handle multiple instances (based loosely on vsftpd)

* Mon May 01 2006 Didier Moens <Didier.Moens at dmbr.UGent.be>             2.3.3-2
- Change init script to not start by default in any runlevel

* Fri Apr 28 2006 Didier Moens <Didier.Moens at dmbr.UGent.be>             2.3.3-1
- Upgrade to upstream 2.3.3
- Add status to init script

* Thu Sep 22 2005 Didier Moens <Didier.Moens at dmbr.UGent.be>             2.3.2-4
- Update Source locations

* Thu Sep 22 2005 Didier Moens <Didier.Moens at dmbr.UGent.be>             2.3.2-3
- Change permissions on /usr/bin/sec

* Thu Sep 22 2005 Didier Moens <Didier.Moens at dmbr.UGent.be>             2.3.2-2
- Create initial startup rulesets
- Add examples
- Refine init script

* Wed Sep 21 2005 Didier Moens <Didier.Moens at dmbr.UGent.be>             2.3.2-1
- First build


--- NEW FILE sec.sysconfig ---
#
# Because SEC usage varies so widely from user to user, it is configured by
# default to not run.  Please read `sec --help` for valid options to use in
# this configuration directive, or use the sample defaults included below.
#
# If you would like to run multiple instances of sec in order to track more
# than one log file, you can also define SEC_ARGS as a bash array (see below).
#
# Also, please don't forget to read the sec man page or look at the
# configuration options for /etc/sec/.
#

#
# Default:
#
# SEC_ARGS="-detach -conf=/etc/sec/*.sec -input=/var/log/messages -log=/var/log/sec -intevents -pid=/var/run/sec.pid"
#

#
# For Multiple instances of SEC, use something like:
#
# SEC_ARGS[0]="-detach -conf=/etc/sec/sys/*.sec -input=/var/log/messages -log=/var/log/sec -intevents -pid=/var/run/sec.sys.pid"
#
# SEC_ARGS[1]="-detach -conf=/etc/sec/mail/*.sec -input=/var/log/messages -log=/var/log/sec -intevents -pid=/var/run/sec.mail.pid"
#


--- NEW FILE snort.sec ---
####################################################################
#                Sample SEC ruleset for Snort IDS
####################################################################

# ------------------------------------------------------------------
# Handle portscans
# ------------------------------------------------------------------

# For every completed portscan, add an entry to the PORTSCAN_REPORT;
# also generate a meta-event ACTIVITY_FROM for the IP 

type=Single
ptype=RegExp
pattern=End of portscan from (([\d\.]+).*)
desc=Portscan from $1
action=add PORTSCAN_REPORT %t: %s; event ACTIVITY_FROM_$2: %s


# ------------------------------------------------------------------
# Recognize snort alert message and generate corresponding SEC event
# ------------------------------------------------------------------

# recognize snort alert message; also generate 
# a meta-event ACTIVITY_FROM for the IP

type=Single
ptype=RegExp
pattern=snort(?:\[\d+\])?: \[[0-9:]+\] (.+|!Malware|!MALWARE) \[(.+)\] \[.*Priority: (\d+)\]: \S+ ([\d\.]+):?\d* -> ([\d\.]+):?\d*
desc=PRIORITY $3 INCIDENT FROM $4 TO $5: $1 [$2]
action=event %s; event ACTIVITY_FROM_$4: $1


## Detect if it's an unwanted event in snort
#type=Single
#ptype=RegExp
#pattern=(MALWARE|Malware)
#desc=$0
#action=create UNWANTED_EVENT


# ------------------------------------------------------------------
# Handle priority 1 incidents
# ------------------------------------------------------------------

# Detect the beginning of priority 1 attack from a certain source IP,
# and send a warning e-mail message that a new attack has begun;
# also create a context for storing a detailed information about the attack

type=Single
ptype=RegExp
pattern=PRIORITY 1 INCIDENT FROM (\S+) TO \S+: .+
context=ATTACK_FROM_$1
continue=TakeNext
desc=Priority 1 attack started from $1
action=create ATTACK_FROM_$1; add ALERT_REPORT %t: %s; pipe '%t: %s' 


# For every priority 1 incident, add an entry to the context by its IP;
# if the IP has been quiet for 5 minutes, report the whole attack.
# NOTE(review): the first action line below ends in "\ " (backslash then
# a space); the backslash must be the last character on the line for the
# continuation to work, so the trailing space should be stripped.

type=Single
ptype=RegExp
pattern=PRIORITY 1 INCIDENT FROM (\S+) TO (\S+): (.+)
context=ATTACK_FROM_$1
continue=TakeNext
desc=Priority 1 incident from $1 to $2: $3
action=add ATTACK_FROM_$1 %t: %s; \ 
       set ATTACK_FROM_$1 300 ( report ATTACK_FROM_$1 \
       /usr/bin/mail -s 'NOC: SNORT: priority 1 attack from $1 (report)' alerts at email.com )


# ------------------------------------------------------------------
# Handle incidents by thresholding
# ------------------------------------------------------------------

# Count how many _certain type_ of incidents are coming from one source
# if the threshold has been crossed, reset the counting operation started
# by the next rule, in order to avoid duplicate alerts for the same IP

type=SingleWithThreshold
ptype=RegExp
pattern=PRIORITY (\d+) INCIDENT FROM (\S+) TO \S+: (.+)
continue=TakeNext
desc=Snort has seen >= 30 priority $1 incidents from $2: $3
action=add ALERT_REPORT %t: %s; \
       reset +1 Snort has seen >= 150 incidents from $2; \
       create TURNOFF_$2 3600
thresh=30
window=3600


# Count how many incidents come from one source

type=SingleWithThreshold
ptype=RegExp
pattern=PRIORITY \d+ INCIDENT FROM (\S+) TO \S+: .+
context=!TURNOFF_$1
desc=Snort has seen >= 150 incidents from $1
action=add ALERT_REPORT %t: %s
thresh=150
window=7200


# ------------------------------------------------------------------
# Report IPs that have been active for some time
# ------------------------------------------------------------------

# Set up activity contexts for the IP; if the IP has been active for 2 hours, 
# and there have been no gaps longer than 30 minutes, report its activities

type=Single
ptype=RegExp
pattern=ACTIVITY_FROM_(\S+):
context=!ACTIVITY_LIST_FOR_$1
continue=TakeNext
desc=Create activity contexts for $1
action=create ACTIVITY_LIST_FOR_$1_LIFETIME; \
       create ACTIVITY_LIST_FOR_$1 7200 ( report ACTIVITY_LIST_FOR_$1 \
       /usr/bin/mail -s 'SNORT: $1 has been active for 2 hours' alerts at email.com; \
       delete ACTIVITY_LIST_FOR_$1_LIFETIME )


# Add the activity event to the context of a given IP, and extend
# the lifetime of activity contexts for 30 minutes for the IP 

type=Single
ptype=RegExp
pattern=ACTIVITY_FROM_(\S+): (.*)
context=ACTIVITY_LIST_FOR_$1
desc=Activity from $1: $2
action=add ACTIVITY_LIST_FOR_$1 %t: %s; \
       set ACTIVITY_LIST_FOR_$1_LIFETIME 1800 ( delete ACTIVITY_LIST_FOR_$1 )


# ------------------------------------------------------------------
# Send daily reports (alerts at 12:00, portscans at 9:00 am)
# ------------------------------------------------------------------

# send daily report about regular alerts (the mail subject below still says "Hourly")

type=Calendar
time=0 12 * * *
desc=Sending alert report...
action=report ALERT_REPORT \
       /usr/bin/mail -s 'SNORT: Hourly alert report' alerts at email.com; \
       delete ALERT_REPORT


# send daily report about portscans

type=Calendar
time=0 9 * * *
desc=Sending portscan report...
action=report PORTSCAN_REPORT \
       /usr/bin/mail -s 'SNORT: daily portscan report' alerts at email.com; \
       delete PORTSCAN_REPORT



--- NEW FILE snortsam.sec ---


type=single
ptype=regexp
pattern=([A-Za-z0-9._-]+) root: (.*) snortsam, Error: Could not bind socket.
desc = $0
action=pipe '$1 Snortsam Bind Failed -- NEEDS ATTENTION!: %s' /usr/bin/mail -s "Snortsam Bind Failure: NEEDS ATTENTION on $1" alerts at yourdomain.com


type=single
ptype=regexp
pattern=([A-Za-z0-9._-]+) root: (.*), email, Error: \[email\] Did not receive a response waiting for banner on mail server at (.*)
desc = $0
action=add SNORTSAM_REPORT $1 Couldn't email through $3 : %s

type=single
ptype=regexp
pattern=([A-Za-z0-9._-]+) snortsam, Extending block for host ([A-z._0-9-]*) completely for (.*)
desc = $0
action=add SNORTSAM_REPORT $1 Extending Block for $3 for $4


#type=single
#ptype=regexp
#pattern=([A-Za-z0-9._-]+)snortsam\[([0-9]+)\]: [*], [:0-9]+, -, ipf, (.*) Failed
#desc = Snortsam ipf error
#action=pipe '$1 Snortsam IPF Command Failed' /usr/bin/mail -s "%s" alerts at yourdomain.com
##action=add SNORTSAM_REPORT ERROR $1 IPF Command Failure: $2


type=single
ptype=regexp
pattern=([A-Za-z0-9._-]+) root: (.*) snortsam, Starting to listen for Snort alerts.
desc = $0
action=add SNORTSAM_REPORT $1 Snortsam Startup: %s


#type=single
#ptype=regexp
#pattern=([A-Za-z0-9._-]+) root: (.*) snortsam, Removing (.*) complete block for host (.*).
#desc = $0
#action=add SNORTSAM_REPORT $1 Snortsam Removing Block: %s

#type=single
#ptype=regexp
#pattern=([A-Za-z0-9._-]+) root: (.*) snortsam, Blocking host (.*) completely for (.*) \((Sig_ID: \d+\))\.
#desc = $0
#action=add SNORTSAM_REPORT $1 Snortsam Block: %s


type=single
ptype=regexp
pattern=([A-Za-z0-9._-]+) root: (.*) ipf, Error: Command (.*) Failed
desc = $0
action=pipe '$1 Snortsam IPF Command Failed: $1 $2 $3' /usr/bin/mail -s "Snortsam IPF Command Failed on $1" alerts at yourdomain.com

type=single
ptype=regexp
pattern=([A-Za-z0-9._-]+) root: (.*) snortsam, Snortsam Station .* using wrong password, trying to resync.
desc = $0
action=pipe '$1 Snortsam Password Failure: $1' /usr/bin/mail -s "Snortsam Password Failure on $1" alerts at yourdomain.com

#Send hourly snortsam report

type=Calendar
time=0 * * * *
desc=Sending snortsam report...
action=report SNORTSAM_REPORT \
       /usr/bin/mail -s 'SNORTSAM report' alerts at yourdomain.com; \
       delete SNORTSAM_REPORT


--- NEW FILE ssh-brute.sec ---
################## ssh brute force attack blocker
# This sec ruleset monitors syslog messages for indications that an ssh brute-force
# login attack is underway. The trigger is an ssh login failure.
#
# If 4 additional syslog messages about ssh login failures from the same
# source address are received within next 1 minute, an iptables firewall
# rule is added to block access from the source IP.
#
# After that, the correlation operation waits until no ssh login failure
# syslog messages from the source IP have been received from the router
# during the last 2 hours, and then the iptables rule is removed. By
# definition, once the IP is blocked, there will be no more connection
# attempt failures logged by ssh (i.e., packets will be dropped by the kernel
# before they reach the syslog daemon), so the rule will be flushed after
# 2 hours.
#
# Vulnerabilities of this ruleset are:
#	DoS attack: if the attacker is aware of this ruleset, they could
#		spoof a series of victim IP addresses (for example, the 
#		AOL proxy address), thus causing the server running sec
#		to deny service to the victim.
#
#	persistent firewall rules:
#		if the sec daemon crashes or is restarted, any existing rules
#		will not be removed after 2 hours.
#
#	untrusted input in shellcmd:
#		$1 is copied from the log line into the iptables command
#		line unquoted; rhost may be a hostname rather than an IP
#		(see the example entries below), so restrict the capture
#		to a character class such as ([A-Za-z0-9._-]+) instead of (\S+).
#  
#               window=60               # sliding window (1 minute) for initial event match
#               thresh=4                # number of events (ssh login failures from a given IP) that must
#                                               # occur within the window period in order to trigger the action
#
#               window2=7200    # sliding window (2 hours) for the second event match
#               thresh2=0
###############
#  RCSversion="$Header: /home/bergman/RCS/ssh_block.sec,v 1.3 2006/05/02 04:18:44 bergman Exp bergman $"
#
# Representative log file entries:
#       Aug 28 04:43:03 10.1.1.18 sshd(pam_unix)[22344]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=www.ace.ne.jp
#       Aug 28 04:43:03 host sshd[22568]: Failed password for illegal user library from 210.230.187.218 port 55019 ssh2
#       Aug 28 04:42:28 www.somehost.net sshd[9395]: Failed password for illegal user mysql from 210.230.187.218 port 52857 ssh2
#       Aug 28 04:42:28 host sshd[22509]: Failed password for root from 210.230.187.218 port 52960 ssh2
#       Aug 28 04:42:32 www.somehost.net sshd[9397]: Failed password for illegal user oracle from 210.230.187.218 port 53212 ssh2
#       Aug 28 04:42:32 host sshd[22510]: Failed password for illegal user admin from 2 10.230.187.218 port 53243 ssh2

#
type=SingleWith2Thresholds
ptype=RegExp
pattern=sshd.*: authentication failure[ ;].* rhost=(\S+)
desc=Multiple failed ssh authentication attempts from $1
action=logonly ; shellcmd ( /usr/local/sbin/ipt-add -I FORWARD -s $1 -p tcp --dport 22 -j DROP ;  /usr/local/sbin/ipt-add -I INPUT -s $1 -p tcp --dport 22 -j DROP )
window=60
thresh=4
desc2=Pruning iptables firewall rule blocking ssh from $1
action2=logonly ; shellcmd  ( /sbin/iptables -D FORWARD -s $1 -p tcp --dport 22 -j DROP ;  /sbin/iptables -D INPUT -s $1 -p tcp --dport 22 -j DROP )
window2=7200
thresh2=0

type=SingleWith2Thresholds
ptype=RegExp
pattern=sshd.*: Failed password for.* user .* from (\S+)
desc=Multiple ssh password failures from $1
action=logonly ; shellcmd ( /usr/local/sbin/ipt-add -I FORWARD -s $1 -p tcp --dport 22 -j DROP ;  /usr/local/sbin/ipt-add -I INPUT -s $1 -p tcp --dport 22 -j DROP )
window=60
thresh=4
desc2=Pruning iptables firewall rule blocking ssh from $1
action2=logonly ; shellcmd   ( /sbin/iptables -D FORWARD -s $1 -p tcp --dport 22 -j DROP ; sleep 2;  /sbin/iptables -D INPUT -s $1 -p tcp --dport 22 -j DROP  ; sleep 2)
window2=7200
thresh2=0


--- NEW FILE ssh.sec ---
# a ruleset to accumulate errors from a parent and child sshd process
# into a single context. This allows reporting of the authenticated
# user information along with the errors generated by the child sshd process.

# note: handling of deferred reporting until after tie events are received
# is still in flux. My old rules handled it by resubmitting all the
# events, but that did not handle the parent's deferred reporting
# events. This way is cleaner, but not tested very well.

type=single
continue=dontcont
ptype=Nregexp
pattern=sshd|SSHD
desc=filter out non-sshd events
action=none

type=single
continue=dontcont
ptype=TValue
pattern=TRUE
desc=guard for already handled
action=logonly
context = [EVENT_PROCESSED]

type=single
continue=takenext
ptype=TValue
pattern=TRUE
desc=We will handle.
action=create EVENT_PROCESSED

## Recognize the start of an ssh session
# link parent and child event contexts.
#
#type=PairWithWindow
#continue=takenext
#desc=Recognize ssh session start for $1[$2]
#ptype=regexp
#pattern=([A-Za-z0-9._-]+) sshd\[([0-9]+)\]: \[[^]]+\] Connection from ([0-9.]+) port [0-9]+
#action=pipe session_log_$1_$2 \
#    /usr/bin/mail -s "ssh failed to generate tie event for $1" alerts at email.com
#desc2=Link parent and child contexts
#ptype2=regexp
#pattern2=$1 [A-z0-9]+\[[0-9]+\]: \[[^]]+\] SSHD child process +([0-9]+) spawned by $2
#action2=copy session_log_%1_$1 %b; \
#        delete session_log_%1_$1; \
#        alias session_log_%1_%2 session_log_%1_$1; \
#        add session_log_%1_$1 $0; \
#        event 0 "sshd: Report %1_$1 if needed"; \
#        alias session_log_owner_%1_%2 session_log_owner_%1_$1 ;\
#        create tie_event_received_%1_%2 ;\
#        alias tie_event_received_%1_%2 tie_event_received_%1_$1 ;\
#	delete ssh_tie_event_needed_%1
#window=60

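## recognize login event and save username for later use
#
# $1 host, $2 sshd pid, $3 auth method, $4 user.  The method is no longer
# limited to publickey|password so that keyboard-interactive, hostbased
# and gssapi logins are recorded too.  The user class is restricted to
# [A-Za-z0-9._-]: the original A-z range also admitted [ \ ] ^ ` and the
# value becomes part of a context name.  Both rules stop processing, so
# they clear the EVENT_PROCESSED flag set at the top of the file.
type=single
desc=Start login timer
ptype=regexp
pattern=([A-Za-z0-9._-]+) sshd\[([0-9]+)\]: \[[^]]+\] Accepted (\S+) for ([A-Za-z0-9._-]+) from [0-9.]+ port [0-9]+ (.*)
action=add session_log_$1_$2 $0; add session_log_owner_$1_$2 $4; \
       delete EVENT_PROCESSED

# handle logout: drop everything remembered for this host/pid pair.
type=single
desc=Recognize ssh session end
ptype=regexp
pattern=([A-Za-z0-9._-]+) sshd\[([0-9]+)\]: \[[^]]+\] Closing connection to ([0-9.]+)
action= delete session_log_$1_$2; delete session_log_owner_$1_$2; \
        delete tie_event_received_$1_$2; delete EVENT_PROCESSED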

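## ignore ssh IPV6 errors.
#
# Example input:
# Nov  3 06:34:25 corphost sshd[5961]: [ID 800047 auth.error] error: \
#     connect_to ::1 port 5910: Network is unreachable
#
# A plain "suppress" rule stops processing without running any action,
# which left the EVENT_PROCESSED flag set for the next line; a Single
# rule with dontcont behaves the same way but can clear the flag.
type=single
continue=dontcont
desc = ignore IPV6 errors from ssh
ptype=regexp
pattern=sshd\[[0-9]+\]: \[ID 800047 auth.error\] error: connect_to ::1 port [0-9]+: Network is unreachable
action=delete EVENT_PROCESSED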

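# because the tie command can come after critical errors are reported,
# we provide a way to generate a report on demand.
#
# The synthetic event is "sshd: Report <host>_<pid> if needed".  $1 is
# placed on the mailx command line, so it is restricted to the
# characters a host_pid token can actually contain instead of (.*).
# The mail address below is the list-archive munged form of
# alerts@email.com restored.
type=single
desc=Report immediate on request.
ptype=regexp
pattern=^sshd: Report ([A-Za-z0-9._-]+) if needed$
context = session_log_report_$1
action= report session_log_$1 /usr/bin/mailx -s "sshd error on $1" alerts@email.com ;\
        delete session_log_report_$1; delete EVENT_PROCESSED

# Discard the request event when no report was pending (context above
# did not exist).  Replaces the original suppress rule so that the
# EVENT_PROCESSED flag is cleared on this path too.
type=single
continue=dontcont
desc=Discard report immediate event on request.
ptype=regexp
pattern=^sshd: Report ([A-Za-z0-9._-]+) if needed$
action=delete EVENT_PROCESSED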

# INSERT IMMEDIATE REPORT RULES HERE
# rules that should report problems immediately should go here.
# e.g. channel_setup_fwd_listener: cannot listen to port: 1521
# where port is < 1024, or is some other well known port indicating
# possible hacking.
#
# We have five possible cases:
#   Event is from parent process and no info from child process is needed.
#      Report normally.
#   Event is from parent process and info from child process is needed,
#      and tie event received (context tie_event_received_<host>_<pid>
#      exists). Report normally.
#   Event is from parent process and info from child process is needed,
#      but tie event not received (context tie_event_received_<host>_<pid>
#      does not exist).
#      Report using child event as trigger.
#   Event that has to be reported is from the child process and
#      we have received the tie event (context 
#      tie_event_received_<host>_<pid> exists). Just report normally.
#   Event that has to be reported is from the child process and
#      we haven't received the tie event (context
#      tie_event_received_<host>_<pid> does not exist). Defer reporting
#      until after tie event by setting context
#      session_log_report_<hostname>_<child pid>.
#
# We may need two rules for each event if the event can come before the tie
# event. One rule checks to see if the context ssh_tie_event_needed_$1
# where $1 is the reporting host. If so then it needs to set the context
# session_log_report_<host>_<pid> if generated by the child process. 

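# Note we get a less specific report this way. It should be retooled
# to generate a context that the report rule can simply obsolete.
# These events are generated by the child.
#
# Only privileged ports (< 1025) are of interest here.  The original
# wrote that as "$3 < 1025" inside the context expression; SEC 2.3
# context expressions are documented as context names combined with
# !, && and || only, so that comparison is most likely taken as the
# name of a non-existent context and the rules never fired.  The port
# range is therefore selected by the regex itself (0-999, 1000-1019,
# 1020-1024, anchored at end of line).  The host class is restricted
# to hostname characters because $1 ends up on the mailx command line.
type=single
continue=takenext
desc = record ssh channel_setup_fwd_listener error for $1 port $3 (< 1025)
ptype=regexp
pattern=([A-Za-z0-9._-]+) sshd\[([0-9]+)\]: \[ID 800047 auth.error\] error: channel_setup_fwd_listener: cannot listen to port: ([0-9]{1,3}|10[01][0-9]|102[0-4])\s*$
context = ! tie_event_received_$1_$2
action = add session_log_$1_$2 $0 ; \
         create session_log_report_$1_$2

# Same event, but the tie event has already been seen: report now.
# The report has to deliver the session log itself; the original
# reported session_log_report_$1_$2, which is only an empty flag
# context, so the mail carried no events.
type=single
continue=takenext
desc = report ssh channel_setup_fwd_listener error for $1 port $3 (< 1025)
ptype=regexp
pattern=([A-Za-z0-9._-]+) sshd\[([0-9]+)\]: \[ID 800047 auth.error\] error: channel_setup_fwd_listener: cannot listen to port: ([0-9]{1,3}|10[01][0-9]|102[0-4])\s*$
context = tie_event_received_$1_$2
action = add session_log_$1_$2 $0 ; \
         report session_log_$1_$2 \
             /usr/bin/mailx -s "sshd bind < 1025 on $1" alerts@email.com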

# end immediate rules here

##  report/record ssh bind errors.
#  Record ssh bind errors in the session log. Don't report unless
#  we see at least 5 of them (thresh=5) in a 10 minute window. Then go and
#  find out why they are occurring. Probably a frustrated user 
#  getting the -L options wrong.
#
#  We record all events until a 10 minute period has passed with no
#  events. If the threshold is exceeded, then we report all events
#  recorded during the 10 minute rolling window.
#
#  We also group channel_setup_fwd_listener with this.
#
# Example input:
# Nov  4 23:36:38 example sshd[1131]: [ID 800047 auth.error] error: bind: \
#   Address already in use
#
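# Record the bind error and (re)arm a 10 minute timer context that the
# threshold rule below requires.  "create" is used instead of the
# original "set": set only changes an existing context in SEC, so on
# the first error of a session the timer context would not have come
# into existence and the threshold rule could never match; create
# makes the context and resets its lifetime on every further error.
# Host class restricted to hostname characters because $1 is placed on
# the mailx command line (the original A-z range admitted a backtick).
type=single
continue=takenext
desc = record ssh bind error for $1
ptype=regexp
pattern=([A-Za-z0-9._-]+) sshd\[([0-9]+)\]: \[ID 800047 auth.error\] error: bind: Address already in use
action = add session_log_$1_$2 $0 ; \
         create ssh_port_forward_errors_$1_$2 600

# Counting is keyed by the desc (per host); the report is sent with the
# session log of the event that crossed the threshold.  A matching line
# ends processing here whether or not the threshold was reached.
type=singlewiththreshold
ptype=regexp
pattern=([A-Za-z0-9._-]+) sshd\[([0-9]+)\]: \[ID 800047 auth.error\] error: bind: Address already in use
context = ssh_port_forward_errors_$1_$2
desc = send report on ssh forward errors if pass threshold (bind)
action = report session_log_$1_$2 \
            /usr/bin/mailx -s "ssh port forward errors host $1" alerts@email.com; \
         delete ssh_port_forward_errors_$1_$2
thresh=5
window=600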

#  Similar idea to ssh bind errors except on
#  channel_setup_fwd_listener errors. If we see at least 5 (thresh=5)
#  of them in a 10 minute window, go and find out why they are occurring.
#  Probably a frustrated user getting the -L options wrong.
#
#  We record all events until a 10 minute period has passed with no
#  events. If the threshold is exceeded, then we report all events
#  recorded during the 10 minute rolling window.
#
# Example input:
# Nov  4 23:36:38 example sshd[1131]: [ID 800047 auth.error] error: \
#   channel_setup_fwd_listener: cannot listen to port: 1521
#

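# Record the forward-listener error and (re)arm a 10 minute timer
# context for the threshold rule below.  "create" replaces the original
# "set" for the same reason as in the bind-error rules: set does not
# create a missing context, so the threshold rule would never see it.
# Host class restricted to hostname characters because $1 is placed on
# the mailx command line.
type=single
continue=takenext
desc = record ssh channel_setup_fwd_listener error for $1
ptype=regexp
pattern=([A-Za-z0-9._-]+) sshd\[([0-9]+)\]: \[ID 800047 auth.error\] error: channel_setup_fwd_listener: cannot listen to port:
action = add session_log_$1_$2 $0 ; \
         create ssh_channel_setup_errors_$1_$2 600

# Same as the bind-error threshold rule: report the session log of the
# event that crossed the threshold and disarm the timer.
type=singlewiththreshold
ptype=regexp
pattern=([A-Za-z0-9._-]+) sshd\[([0-9]+)\]: \[ID 800047 auth.error\] error: channel_setup_fwd_listener: cannot listen to port:
context = ssh_channel_setup_errors_$1_$2
desc = send report on ssh channel setup errors
action = report session_log_$1_$2 \
            /usr/bin/mailx -s "ssh port forward errors host $1" alerts@email.com ; \
         delete ssh_channel_setup_errors_$1_$2
thresh=5
window=600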

# Gather random sshd errors and report after 5 minutes
#
# This could have been set up a number of different ways, but I have one
# rule to create the context only when it doesn't exist, and another rule
# that adds to the context. The create rule also sets the 5 minute timeout
# that will cause the event store to be delivered when it is deleted.
#
# Example input:
# Nov  3 09:48:56 example sshd[7871]: [ID 800047 auth.crit] fatal: \
#      Timeout before authentication for 37.117.12.201
#
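# Arm a one-shot 5 minute timer per host/pid; when it expires the
# session log is mailed.  "Closing connection" deletes the session log,
# so a session that ends normally inside the 5 minutes produces no mail.
type=single
continue = takenext
ptype=regexp
pattern=([A-Za-z0-9._-]+) sshd\[([0-9]+)\]:
desc = create context to report ssh errors for host $1 pid $2 in 5 minutes
context = ! session_log_5min_timer_$1_$2
action = create session_log_5min_timer_$1_$2 300 report session_log_$1_$2 \
              /usr/bin/mailx -s "ssh errors for host $1 pid $2" alerts@email.com

# Append the line to the per-session store.  This was continue=dontcont,
# which made the EVENT_PROCESSED cleanup rule at the end of the file
# unreachable for every line that got this far; the line is now passed
# on so the flag gets cleared.  The host capture uses + like the rule
# above (the original * also accepted an empty host).
type=single
continue = takenext
ptype=regexp
pattern=([A-Za-z0-9._-]+) sshd\[([0-9]+)\]:
desc = gather ssh errors for host $1
action = add session_log_$1_$2 $0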

# Remove the handled context if we reach this point.
# Only lines that fell through every rule above with continue=takenext
# get here; a rule that stops processing earlier (dontcont, suppress,
# or a threshold rule) leaves EVENT_PROCESSED set for the next line.
type=single
continue=dontcont
ptype=TValue
pattern=TRUE
desc=delete EVENT_PROCESSED
action=delete EVENT_PROCESSED



--- NEW FILE syslog-ng.txt ---
################################################################
#   SEC ruleset for syslog-ng (contributed by Peter Straka)
################################################################
#date        host proces[pid]: [ID number facility.level] txt

################################################################
#     internal
################################################################
# settings parameters for next use
#
# %A,%B,%C,%D     = parameters
# %F  = output file for write
# %E  = email list
# %M  = mail program
################################################################

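#rule beno#1
# Runs on SEC's own start/restart/shutdown events (SEC sets the
# SEC_INTERNAL_EVENT context for those) and initialises the variables
# used by the statistics rules:
#   %F  file the hourly/daily statistics are written to
#   %E  mail recipient(s)
#   %M  mail command
# The statistics file used to be /tmp/sec.out.  /tmp is world-writable,
# so any local user could pre-create /tmp/sec.out as a symlink and have
# SEC (normally running as root) append to a file of their choosing;
# the file is kept under /var/log instead, next to the log that
# 001_init.sec uses.  The address is the list-archive munged form of
# root@localhost restored, and the stray trailing ";\" after the last
# action has been dropped.
type=Single
ptype=RegExp
pattern=(SEC_STARTUP|SEC_RESTART|SEC_SHUTDOWN)
context=SEC_INTERNAL_EVENT
desc=SEC internal
action=shellcmd /bin/echo -- %t %s $0;\
      assign %F /var/log/sec.stats;\
      assign %E root@localhost;\
      assign %M /bin/mail -s "SEC production event";\
      add OUT %t "starting"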

################################################################
#     statistics
################################################################

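#rule beno#2
# Count every syslog line per host ($1), process ($2), facility ($3)
# and level ($4).  The four captures are interpolated into Perl source
# by the eval action below ($host{"%A"} ...), so they must never
# contain characters Perl interprets inside a double-quoted string:
# " \ $ @.  The original \S+ captures would have let a forged syslog
# host or process name inject Perl code into the SEC process.  A line
# whose fields contain one of those characters is simply not counted.
type=Single
continue=TakeNext
ptype=RegExp
pattern=\s([^\s"\\\$@]+)\s([^\s"\\\$@]+)\[\d+\]\:\s\[ID \d+ ([^\s"\\\$@]+)\.([^\s"\\\$@]+)\]\s
desc=log level and facility counter + host and proces counter
action=     assign %A $1;\
      assign %B $2;\
      assign %C $3;\
      assign %D $4;\
      eval %Z ($host{"%A"}++; $proces{"%B"}++; $facility{"%C"}++; $level{"%D"}++;);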

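#rule beno#3
# Every hour: dump the per-level, per-facility, per-host and per-process
# counters gathered by rule beno#2 to %F, mail them, and zero them.
# Keys are sorted so the report is stable instead of Perl hash order.
# NOTE(review): "%%s" relies on SEC turning %% into a literal % before
# the text reaches Perl's sprintf; verify with the SEC version in use,
# otherwise sprintf prints a literal "%s" instead of the key.
type=Calendar
time=0 * * * *
desc=log level and facility counter + host and proces counter
action=eval %Z (\
      my @ret; \
      push(@ret,"*******************************\n***** LEVEL:\n");\
      foreach $x (sort keys %level) {push(@ret,sprintf "%%s=%d\n",$x,$level{$x}) if $level{$x}; $level{$x}=0}; \
      push(@ret,"\n***** FACILITY:\n");\
      foreach $x (sort keys %facility) {push(@ret,sprintf "%%s=%d\n",$x,$facility{$x}) if $facility{$x}; $facility{$x}=0}; \
      push(@ret,"\n***** HOSTS:\n");\
      foreach $x (sort keys %host) {push(@ret,sprintf "%%s=%d\n",$x,$host{$x}) if $host{$x}; $host{$x}=0}; \
      push(@ret,"\n***** PROCES:\n");\
      foreach $x (sort keys %proces) {push(@ret,sprintf "%%s=%d\n",$x,$proces{$x}) if $proces{$x}; $proces{$x}=0}; \
      push(@ret,"\n********************************************************\n");\
      return "@ret"); \
      write %F %t %Z; \
      add STAT %Z; \
      report STAT %M %E; \
      delete STAT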

################################################################
#     hourly statistics
################################################################

#rule beno#4
# Count lines per hour of day, keyed by the HH field of the syslog
# timestamp ("Mon DD HH:MM:SS ...").  The key is prefixed with "H" so
# that the value used as a bare hash key in the eval is never a plain
# number.  Dumped and reset by rule beno#5.
type=Single
continue=TakeNext
ptype=RegExp
pattern=\S+\s+\d+\s+(\d+)\:\d+\:\d+\s
desc=hourly counter
action=assign %A H$1;\
      eval %Z ($hour{%A}++;);

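#rule beno#5
# Once a day: dump the per-hour counters collected by rule beno#4 to
# %F, mail them and zero them.  The comment said "at midnight" while
# the schedule was 16:25; the schedule now matches the documented
# intent.  Keys are sorted so the report is in key order rather than
# Perl hash order.
type=Calendar
time=0 0 * * *
desc=hourly counter
action=eval %Z (\
      my @ret; \
      push(@ret,"*******************************\n");\
      foreach $x (sort keys %hour) {push(@ret,sprintf "%%s:00=%d\n",$x,$hour{$x});$hour{$x}=0}; \
      push(@ret,"\n********************************************************\n");\
      return "@ret"); \
      write %F %t %Z; \
      add HOUR_STAT %Z; \
      report HOUR_STAT %M %E; \
      delete HOUR_STAT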



--- NEW FILE vtund.sec ---
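#VTUN Events
#
# Every vtund syslog line has the prefix "Mon DD HH:MM:SS host vtund[pid]: ",
# so each pattern below starts with \S+\s+\d+\s+\S+\s+(\S+)\s+vtund\[\d+\]:
# and $1 is the reporting host.  Each rule appends a one-line summary to
# the GENERAL_REPORT context; nothing in this file mails that context,
# so a Calendar rule elsewhere is expected to report it.

# "Session NAME[ADDR] opened".  The text between the brackets is
# normally longer than one character, which the original \[\S\] could
# not match; accept anything up to the closing bracket.  The stray
# trailing ";" after the action has been dropped.
type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+vtund\[\d+\]: Session (\S+)\[[^\]]+\] opened
desc=$0
action=add GENERAL_REPORT %t: %s

type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+vtund\[\d+\]: BlowFish encryption initialized
desc=$0
action=add GENERAL_REPORT %t: VTUN Tunnel Opened on $1

# The log text itself says "client", so the summary says Client Started
# (the original labelled this line "Server Started").
type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+vtund\[\d+\]: VTun client ver\s+(.*)
desc=$0
action=add GENERAL_REPORT %t: VTUN Client Started on $1 version $2

# Timestamp prefix added for consistency with the other entries.
type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+vtund\[\d+\]: Connecting to (.*)
desc=$0
action=add GENERAL_REPORT %t: VTUN %s

type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+vtund\[\d+\]: Denied connection from (\d+\.\d+\.\d+\.\d+):\d+
desc=$0
action=add GENERAL_REPORT %t: VTUN Connection DENIED by $1 from $2

type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+vtund\[\d+\]: Connection denied by (.*)
desc=$0
action=add GENERAL_REPORT %t: VTUN Connection DENIED by $2 for $1

type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+vtund\[\d+\]: Exit
desc=$0
action=add GENERAL_REPORT %t: VTUN Exit on $1

type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+vtund\[\d+\]: Can't resolv server address: (.*)
desc=$0
action=add GENERAL_REPORT %t: VTUN Cannot Resolve Target $2 on $1

# The original capture was (/S+) - a literal slash followed by one or
# more S - so this rule could never match a real session name.
type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+vtund\[\d+\]: Session (\S+) closed
desc=$0
action=add GENERAL_REPORT %t: VTUN Session $2 Closed on $1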



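#Send 12 hours vtun report
#
# The delete used the misspelled context name VTUN_REPORT0, so the
# reported context was never cleared and its event store would have
# grown without bound.  Note that every rule in this file adds to
# GENERAL_REPORT, not VTUN_REPORT, so as shipped this rule has nothing
# to report: either point the add actions above at VTUN_REPORT or rely
# on whatever reports GENERAL_REPORT and drop this rule.  The address
# is the list-archive munged form of alerts@yourdomain.com restored.
type=Calendar
time=0 0,12 * * *
desc=Sending vtun report...
action=report VTUN_REPORT \
       /usr/bin/mail -s 'VTUN: VTUN Report' alerts@yourdomain.com; \
       delete VTUN_REPORT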



--- NEW FILE windows.sec ---
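#Windows events
#
# Lines arrive through syslog as "Mon DD HH:MM:SS host SOURCE: USER: text".
# Where $1 (the host) is used in a mail subject it ends up on the shell
# command line SEC spawns for /usr/bin/mail, so it is restricted to
# hostname characters instead of \S+: a forged syslog message carrying
# $( or backticks in the host field would otherwise be executed by that
# shell.  Mail bodies are fed through stdin by "pipe" and are safe for
# arbitrary content.  Addresses are the list-archive munged form of
# alerts@yourdomain.com restored.

type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+ESE: N/A: Information Store \(\d+\) Online defragmentation (.*)
desc=$0
action=add GENERAL_REPORT %t: EXCHANGE DEFRAG %s

type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+Userenv: NT AUTHORITY\\SYSTEM: Windows cannot determine the user or computer name\. Return value \(1326\)\.
desc=$0
action=add GENERAL_REPORT %t: %s

# Account lockout: mail immediately.
type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+([A-Za-z0-9._-]+)\s+Security: \\Everyone: User Account Locked Out: Target Account Name: (\S+) .*
desc=$0
action=pipe '$1 Windows Account Lockout: %s' /usr/bin/mail -s "Windows Account Locked on $1" alerts@yourdomain.com

# Account change.  The original capture was (/S+) - a literal slash
# followed by S - so this rule could never match; (\S+) was intended.
# The account name $2 is deliberately not placed in the subject:
# Windows account names may contain $ and other characters the shell
# expands, and the name is in the mail body anyway.
# NOTE(review): check the pattern against a real event 642 line; the
# text after "User Account Changed:" may be more than one word.
type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+([A-Za-z0-9._-]+)\s+Security: \\Everyone: User Account Changed: (\S+)\. .*
desc=$0
action=pipe '$1 Windows Account Change: %s' /usr/bin/mail -s "Windows Account Changed on $1" alerts@yourdomain.com

type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+([A-Za-z0-9._-]+)\s+NetBT: N\/A: A duplicate name has been detected on the TCP network\. .*
desc=$0
action=pipe '$1 Duplicate Netbios Name Detected: %s' /usr/bin/mail -s "Duplicate Netbios Name on $1" alerts@yourdomain.com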





Index: .cvsignore
===================================================================
RCS file: /cvs/extras/rpms/sec/devel/.cvsignore,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- .cvsignore	1 Sep 2006 20:49:05 -0000	1.1
+++ .cvsignore	1 Sep 2006 20:54:01 -0000	1.2
@@ -0,0 +1 @@
+sec-2.3.3.tar.gz


Index: sources
===================================================================
RCS file: /cvs/extras/rpms/sec/devel/sources,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sources	1 Sep 2006 20:49:05 -0000	1.1
+++ sources	1 Sep 2006 20:54:01 -0000	1.2
@@ -0,0 +1 @@
+1b714a7dbb71e165327886a329f6d1e0  sec-2.3.3.tar.gz



