
List:       os-sim-commits
Subject:    [Os-sim-commits] agent/etc/agent/plugins cisco-pix.cfg,1.3,1.4
From:       Dominique Karg <dkarg () users ! sourceforge ! net>
Date:       2009-01-23 10:09:57
Message-ID: E1LQIz7-000661-2d () 23jxhf1 ! ch3 ! sourceforge ! com

Update of /cvsroot/os-sim/agent/etc/agent/plugins
In directory 23jxhf1.ch3.sourceforge.com:/tmp/cvs-serv23428

Modified Files:
	cisco-pix.cfg 
Log Message:
Cisco pix plugin update, thanks a ton shihao


Index: cisco-pix.cfg
===================================================================
RCS file: /cvsroot/os-sim/agent/etc/agent/plugins/cisco-pix.cfg,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -d -r1.3 -r1.4
--- cisco-pix.cfg	12 Dec 2007 10:24:18 -0000	1.3
+++ cisco-pix.cfg	23 Jan 2009 10:09:55 -0000	1.4
@@ -1,78 +1,95 @@
-;; cisco-pix
-;; plugin_id: 1514
-;; 
-;; $Id$
-;;
-;; TODO: test plugin with the following sample logs:
-;;       http://www.ossec.net/wiki/index.php/Cisco_PIX
-;;
-
-[DEFAULT]
-plugin_id=1514
-
-[config]
-type=detector
-enable=yes
-
-source=log
-location=/var/log/syslog
-create_file=false
-
-process=
-start=no
-stop=no
-startup=
-shutdown=
-
-[cisco-pix-rule1]
-# May 20 2006 01:00:00 saravana: %PIX-6-302013: 
-# Built outbound TCP connection 31174132 
-# for outside:212.37.223.35/80 (212.37.223.35/80) 
-# to inside:192.168.1.1/52648 (64.211.150.166/54508)
-#
-# Mar 29 2004 09:56:03: %PIX-6-106015:
-# Deny TCP (no connection)
-# from 192.168.0.2/2796 to 192.168.80.1/1719
-# flags SYN ACK on interface inside
-#
-# Jun 26 14:49:15 ossim-devel: %PIX-6-302016: 
-# Teardown UDP connection 1042068 
-# for outside:192.168.20.45/53 to inside:192.168.20.208/37989 
-# duration 0:02:10 bytes 185
-event_type=event
-regexp=(?P<date>\SYSLOG_DATE)\s*(?P<sensor>[^:]*):.*?(PIX|ASA)-\d-(?P<sid>\d+):.*?(from|src|for \
inside|for outside|src inside|src \
outside).*?(?P<src>\IPv4)(\/(?P<sport>\d+))?.*?(dst|to inside|to outside|dst \
                inside|dst outside).*?(?P<dst>\IPv4)(\/(?P<dport>\d+))?
-date={$date}
-sensor={$sensor}
-plugin_sid={$sid}
-src_ip={$src}
-src_port={$sport}
-dst_ip={$dst}
-dst_port={$dport}
-
-
-[cisco-pix-rule2]
-# Nov 23 08:06:28 192.168.0.1 Nov 23 2007 08:08:37: %PIX-5-710005: UDP request
-# discarded from 192.195.10.21/6809 to laboratorio:192.195.10.255/6809 
-# 
-# Nov 23 07:07:49 192.168.0.1 Nov 23 2007 07:09:59: %PIX-5-106100: access-list
-# Windows_access_in denied tcp Windows-Dev2/192.116.200.40(3418) ->
-# dmz/192.4.125(168) hit-cnt 1 first hit [0x90a9a2f9, 0x0]
-#
-# Nov 23 08:27:25 192.168.0.1 Nov 23 2007 08:29:34: %PIX-4-313005: No
-# matching connection for ICMP error message: icmp src outside:192.12.11.254
-# dst serversdmz:192.1.4.8 (type 3, code 1) on outside interface.  Original IP
-# payload: tcp src 192.1.4.8/40934 dst 192.12.11.254/6000.
-#
-# Nov 23 11:09:33 192.168.0.1 Nov 23 2007 11:11:42: %PIX-4-106023: Deny tcp src
-# outside:192.192.20.20/80 dst inside:192.4.1.6/2319 by access-group
-# "outside_access_in" [0x0, 0x0] 
-
-event_type=event
-regexp="\SYSLOG_DATE\s+(?P<sensor>[^\s]*)\s+(?P<date>\SYSLOG_WY_DATE):.*?(PIX|ASA)-\d \
-(?P<sid>\d+):.*?(?P<src>\IPv4)(\/(?P<sport>\d+))?.*?(?P<dst>\IPv4)(\/(?P<dport>\d+))?"
                
-date={normalize_date($date)}
-sensor={resolv($sensor)}
-plugin_sid={$sid}
-src_ip={$src}
-src_port={$sport}
-dst_ip={$dst}
-dst_port={$dport}
+;; cisco-pix
+;; plugin_id: 1514
+;; 
+;; MODIFICATION BY: shihao 2009/01/04 
+;;
+;; $Id$
+;;
+;; TODO: test plugin with the following sample logs:
+;;       http://www.ossec.net/wiki/index.php/Cisco_PIX
+;;
+
+[DEFAULT]
+plugin_id=1514
+
+[config]
+type=detector
+enable=yes
+
+source=log
+location=/var/log/syslog
+create_file=false
+
+process=
+start=no
+stop=no
+startup=
+shutdown=
+
+# use {translate($n)} for translations
+[translation]
+# for some reason,you should change "saravana" to 
+# your ossim-server command line header,"192.168.
+# 0.226" to your ossim-server ip. 
+saravana=		192.168.0.226
+
+[cisco-pix-rule1]
+# May 20 2006 01:00:00 saravana: %PIX-6-302013: 
+# Built outbound TCP connection 31174132 
+# for outside:212.37.223.35/80 (212.37.223.35/80) 
+# to inside:192.168.1.1/52648 (64.211.150.166/54508)
+#
+# Mar 29 2004 09:56:03: %PIX-6-106015:
+# Deny TCP (no connection)
+# from 192.168.0.2/2796 to 192.168.80.1/1719
+# flags SYN ACK on interface inside
+#
+#########################################################
+# THE FOLLOWING LOG IS A FULL LOG WHEN I TEST THE REGEXP
+#########################################################
+# Jan  5 11:35:38 saravana python: %PIX-6-302016:
+# Teardown UDP  connection 1042068 for outside:
+# 192.168.20.45/53 to  inside:192.168.20.208/37989 
+# duration 0:02:10 bytes 185
+event_type=event
+#regexp=(?P<date>\SYSLOG_DATE)\s*(?P<sensor>[^:]*):.*?(PIX|ASA)-\d-(?P<sid>\d+):.*?(from|src|for \
inside|for outside|src inside|src \
outside).*?(?P<src>\IPv4)(\/(?P<sport>\d+))?.*?(dst|to inside|to outside|dst \
inside|dst outside).*?(?P<dst>\IPv4)(\/(?P<dport>\d+))? \
+regexp=(\w{3}\s+\d{1,2}(\s+\d+|)?\s+\d{2}:\d{2}:\d{2})(\s+(\S+)|)?(\s+\S+|\s+)?(:|)?\ \
s+%\w+-\d-(\d+)(:|)?\s+.*?(:|\s+)?(\d+\.\d+\.\d+\.\d+)(/(\d+|)|\s+).*?(:|\s+)+(\d+\.\d+\.\d+\.\d+)(/(\w+)|)
 +date={normalize_date($1)}
+sensor={translate($4)}
+plugin_sid={$7}
+src_ip={$10}
+src_port={$12}
+dst_ip={$14}
+dst_port={$16}
+
+
+[cisco-pix-rule2]
+# Nov 23 08:06:28 192.168.0.1 Nov 23 2007 08:08:37: %PIX-5-710005: UDP request
+# discarded from 192.195.10.21/6809 to laboratorio:192.195.10.255/6809 
+# 
+# Nov 23 07:07:49 192.168.0.1 Nov 23 2007 07:09:59: %PIX-5-106100: access-list
+# Windows_access_in denied tcp Windows-Dev2/192.116.200.40(3418) ->
+# dmz/192.4.125(168) hit-cnt 1 first hit [0x90a9a2f9, 0x0]
+#
+# Nov 23 08:27:25 192.168.0.1 Nov 23 2007 08:29:34: %PIX-4-313005: No
+# matching connection for ICMP error message: icmp src outside:192.12.11.254
+# dst serversdmz:192.1.4.8 (type 3, code 1) on outside interface.  Original IP
+# payload: tcp src 192.1.4.8/40934 dst 192.12.11.254/6000.
+#
+#########################################################
+# THE FOLLOWING LOG IS A FULL LOG WHEN I TEST THE REGEXP
+#########################################################
+#
+# Nov 23 11:09:33 192.168.0.1 Nov 23 2007 11:11:42: %PIX-4-106023: Deny tcp src
+## outside:192.192.20.20/80 dst inside:192.4.1.6/2319 by access-group
+# "outside_access_in" [0x0, 0x0] 
+event_type=event
+# regexp="\SYSLOG_DATE\s+(?P<sensor>[^\s]*)\s+(?P<date>\SYSLOG_WY_DATE):.*?(PIX|ASA)- \
\d-(?P<sid>\d+):.*?(?P<src>\IPv4)(\/(?P<sport>\d+))?.*?(?P<dst>\IPv4)(\/(?P<dport>\d+))?"
 +regexp=\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+([^\s]*)\s+(\w+\s+\d{1,2}\s\d{4}\s+\d\d:\d \
\d:\d\d):.*?(PIX|ASA)-\d-(\d+):.*?(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(\(|/)(\d+)(\)|).*?(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(\(|/)(\d+)(\)|)
 +date={normalize_date($2)}
+sensor={$1}
+plugin_sid={$4}
+src_ip={$5}
+src_port={$7}
+dst_ip={$9}
+dst_port={$11}
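Review bot: The new rule1 regexp (the `regexp=` line following `event_type=event` in `[cisco-pix-rule1]`, shown wrapped by the mail archive) contains the nested quantifier `(:|\s+)+` immediately before the destination-address group, which backtracks exponentially on a syslog line that carries a long run of whitespace with no dotted-quad after it; since this pattern is applied to every line the agent reads from `/var/log/syslog`, a malformed or hostile message can stall the detector. Replacing it with the character class `([:\s]+)` matches the same text and keeps the group count unchanged, so the `$10`/`$14`/`$16` references stay valid. The switch from named groups (`?P<src>`, `\IPv4`) to positional `$n` references also makes every later regexp edit a renumbering hazard, so each rule should carry a comment such as `# groups: 1=date 4=sensor 7=sid 10=src 12=sport 14=dst 16=dport` above its `regexp=` line. In `[translation]`, the "for some reason" comment should state what the table does (presumably it maps the hostname in the syslog header to the address reported as sensor — confirm), and the tab padding after `saravana=` only yields the intended value if the agent's parser strips it. Rule1's sensor group `(\s+(\S+)|)?` is optional, so `translate($4)` may receive an empty value for messages without a hostname such as the second sample above the rule; what the agent does with that is not visible in this hunk.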




