List: prelude-devel
Subject: [prelude-devel] last set of diffs
From: "Gene Gomez" <gegomez () tycoint ! com>
Date: 2003-12-10 20:04:35
Message-ID: 2105627524AD794F9BBD15A8E477FCF23E50F4 () mrfreeze ! itg ! sac ! tfs
Here is the last set of "normalized" diffs. You'll notice that
portsentry.diff is missing; there were no changes required on that
ruleset.
There is still additional work to be done on the rulesets; in particular
I could go through and have most of them grab and log pid information,
and also standardize the severity levels. We also need a *lot* of log
samples (I put off doing a lot of regex validations due to the lack of
samples).
For now, however, I think this is a good first standardized ruleset.
Please send comments.
Gene R Gomez
Security/Systems Engineer
Tyco Fire & Security Internet Technology Group
["zyxel.diff" (application/octet-stream)]
--- oldruleset/zyxel.rules 2003-12-09 08:29:36.000000000 -0800
+++ ruleset/zyxel.rules 2003-12-10 11:34:58.000000000 -0800
@@ -42,6 +42,7 @@
regex=ZyXEL Communications Corp.: IP\[Src=([0-9\.]+) Dst=([0-9\.]+) ([A-Z]+) \
spo=([0-9A-Fa-f]+) dpo=([0-9A-Fa-f]+).*S(\d{2})>R(\d{2})(.)(.); \ class.name=ZyXEL \
ip access; \ + class.origin=vendor-specific; \
impact.completion = failed; \
impact.type = other; \
impact.severity = medium; \
@@ -55,12 +56,14 @@
target.node.address.category=ipv4-addr; \
target.node.address.address = $2; \
target.service.port = 0x$5; \
- target.service.protocol = $3;
+ target.service.protocol = $3; \
+ last
# Jul 19 14:44:13 192.168.1.1 ZyXEL Communications Corp.: IP[Src=192.168.1.33 \
Dst=202.132.154.1 ICMP]}S03>R01mF
regex=ZyXEL Communications Corp.: IP\[Src=([0-9\.]+) Dst=([0-9\.]+) \
([A-Z]+)\].*S(\d{2})>R(\d{2})(.)(.); \ class.name=ZyXEL ip access; \
+ class.origin=vendor-specific; \
impact.completion = failed; \
impact.type = other;\
impact.severity = medium; \
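Review bot: the new terminator is written `+ last` with no trailing `;` here and in the two hunks below, while proftpd.rules, qpopper.rules and vpopmail.rules in the same set keep `last;` (visible as unchanged context there). Settle on one spelling for every ruleset so the parser sees the same statement everywhere; since these are the "normalized" diffs, this is the place to make it uniform.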
@@ -72,7 +75,8 @@
target.node.address; \
target.node.address.category=ipv4-addr; \
target.node.address.address = $2; \
- target.service.protocol = $3;
+ target.service.protocol = $3; \
+ last
# 4) PPP Log :
@@ -86,4 +90,5 @@
class.origin=vendor-specific; \
impact.type = other;\
impact.severity = low; \
- impact.description=$2 $1 connection;
+ impact.description=$2 $1 connection; \
+ last
["proftpd.diff" (application/octet-stream)]
--- oldruleset/proftpd.rules 2003-12-10 09:32:38.000000000 -0800
+++ ruleset/proftpd.rules 2003-12-10 10:36:49.000000000 -0800
@@ -23,51 +23,60 @@
# Jan 13 22:19:52 (none) proftpd[7804]: leroutier.net \
(193.249.231.232[193.249.231.232]) - PAM(leroutier): Authentication failure.
-regex=.*proftpd\[(\d+)\]: (\S+) \(([\d\.]+)\[(\d\.]+)\]\) - PAM\((\S+)\): \
Authentication failure.*; \
- class.name=proftpd - invalid password for user '$5'; \
+regex=proftpd\[\d+\]: [\w\-\.]+ \(([\d\.]+)\[[\d\.]+\]\) - PAM\(([\w\-\.]+)\): \
Authentication failure; \ + class.name=FTP logon failed; \
+ class.origin=vendor-specific; \
impact.completion=failed; \
impact.type=user; \
impact.severity=medium; \
- impact.description= Someone tried to login to your FTP server as user '$5' but \
failed; \ + impact.description= Someone tried to login to your FTP server as user \
'$2' but failed; \ source.node.address; \
source.node.address.category=ipv4-addr; \
- source.node.address.address=$4; \
+ source.node.address.address=$1; \
source.service.protocol=tcp; \
target.service.port=21; \
target.service.protocol=tcp; \
+ target.user.userid; \
+ target.user.userid.name=$2; \
last;
# Jan 13 22:19:58 (none) proftpd[7805]: leroutier.net \
(193.249.231.232[193.249.231.232]) - no such user 'uh'
-regex=.*proftpd\[(\d+)\]: (\S+) \(([\d\.]+)\[(\d\.]+)\]\) - no such user '(\S+)'.*; \
\
- class.name=proftpd - no such user '$5'; \
+regex=proftpd\[\d+\]: [\w\-\.]+ \(([\d\.]+)\[[\d\.]+\]\) - no such user '(\S+)'; \
+ class.name=FTP logon failed; \
+ class.origin=vendor-specific; \
impact.completion=failed; \
impact.type=user; \
impact.severity=medium; \
- impact.description= Someone tried to login to your FTP server as a non-existant \
user '$5' but failed; \ + impact.description= Someone tried to login to your FTP \
server as a non-existant user '$2' but failed; \ source.node.address; \
source.node.address.category=ipv4-addr; \
- source.node.address.address=$4; \
+ source.node.address.address=$1; \
source.service.protocol=tcp; \
target.service.port=21; \
target.service.protocol=tcp; \
+ target.user.userid; \
+ target.user.userid.name=$2; \
last;
# Jan 13 22:39:03 (none) proftpd[8023]: leroutier.net \
(193.249.231.232[193.249.231.232]) - USER rr: no such user found from 193.249.231.232 \
[193.249.231.232] to 81.91.66.90:21
-regex=.*proftpd\[(\d+)\]:.*[\(\[]([\d\.]+)[\)\]].* - USER (\S+): no such user found \
from .*([\d\.]+).* to ([\d\.]{7,}):(\d+).*; \
- class.name=proftpd - no such user; \
+regex=proftpd\[\d+\]: [\w\-\.]+ \(([\d\.]+)\[[\d\.]+\]\) - USER (\S+): no such user \
found from [\w\-\.]+ \[[\w\-\.]+\] to ([\w\-\.]+):(\d+); \ + class.name=FTP logon \
failed; \ + class.origin=vendor-specific; \
impact.completion=failed; \
impact.type=user; \
impact.severity=medium; \
- impact.description= Someone tried to login to your FTP server as a non-existant \
user '$3' but failed; \ + impact.description= Someone tried to login to your FTP \
server as a non-existant user '$2' but failed; \ source.node.address; \
source.node.address.category=ipv4-addr; \
- source.node.address.address=$2; \
+ source.node.address.address=$1; \
source.service.protocol=tcp; \
target.node.address; \
target.node.address.category=ipv4-addr; \
- target.node.address.address=$5; \
- target.service.port=$6; \
+ target.node.address.address=$3; \
+ target.service.port=$4; \
target.service.protocol=tcp; \
+ target.user.userid; \
+ target.user.userid.name=$2; \
last;
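Review bot: two small fixes before this goes in. Both new `impact.description` lines spell "non-existant"; it should be "non-existent". In the third rule, `to ([\w\-\.]+):(\d+)` feeds `target.node.address.address=$3` under `category=ipv4-addr`, but the character class also admits hostnames; the sample shows a dotted quad, so `([\d\.]+)` keeps the capture honest with the category. The regex rewrite itself is sound: the old `\[(\d\.]+)\]` (missing `[` inside the class) is gone and the group renumbering ($1 address, $2 user) is applied consistently across all three rules.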
["qpopper.diff" (application/octet-stream)]
--- oldruleset/qpopper.rules 2003-12-09 08:29:36.000000000 -0800
+++ ruleset/qpopper.rules 2003-12-10 10:36:17.000000000 -0800
@@ -24,18 +24,21 @@
# Jan 13 20:42:56 (none) popper[6754]: [AUTH] Failed attempted login to leroutier \
from host (www.leroutier.net) 81.91.66.90 # Jan 13 21:05:09 (none) popper[6950]: \
[AUTH] Failed attempted login to vegeta from host \
(Mix-Dijon-114-2-232.abo.wanadoo.fr) 193.249.231.232
-regex=.*popper\[(\d+)\]: \[AUTH\] Failed attempted login to (\S+) from host \
\((\S+)\) (\S+).*; \ +regex=popper\[\d+\]: \[AUTH\] Failed attempted login to (\S+) \
from host \([\w\-\.]+\) ([\d\.]+); \ class.name=qpopper - invalid password for this \
user; \ + class.origin=vendor-specific; \
impact.completion=failed; \
impact.type=user; \
impact.severity=medium; \
- impact.description= Someone tried to login to your POP3 server as user '$2' but \
failed; \ + impact.description= Someone tried to login to your POP3 server as user \
'$1' but failed; \ source.node.address; \
source.node.address.category=ipv4-addr; \
- source.node.address.address=$4; \
+ source.node.address.address=$3; \
source.service.protocol=tcp; \
target.service.port=110; \
target.service.protocol=tcp; \
+ target.user.userid; \
+ target.user.userid.name=$1; \
last;
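Review bot: `class.name=qpopper - invalid password for this user` is left product-specific, whereas the equivalent proftpd rules in this same set were renamed to the neutral `FTP logon failed` with `class.origin=vendor-specific` carrying the product. For cross-service correlation on the failed-logon class, `POP3 logon failed` here (and in vpopmail.rules) would match that convention.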
# Jan 13 20:42:31 (none) popper[6752]: tamere at www.leroutier.net (81.91.66.90): \
-ERR [AUTH] Password supplied for "tamere" is incorrect. @@ -43,16 +46,19 @@
# Jan 13 21:02:59 (none) popper[6936]: azerty at Mix-Dijon-114-2-232.abo.wanadoo.fr \
(193.249.231.232): -ERR [AUTH] Password supplied for "azerty" is incorrect. # Jan 13 \
21:05:09 (none) popper[6950]: vegeta at Mix-Dijon-114-2-232.abo.wanadoo.fr \
(193.249.231.232): -ERR [AUTH] Password supplied for "vegeta" is incorrect.
-regex=.*popper\[(\d+)\]: (\S+) at (\S+) \((\S+)\): -ERR \[AUTH\] Password supplied \
for "(\S+)" is incorrect.*; \ +regex=popper\[\d+\]: (\S+) at [\w\-\.]+ \(([\d\.]+)\): \
-ERR \[AUTH\] Password supplied for "\S+" is incorrect; \ class.name=qpopper - \
invalid password for user; \ + class.origin=vendor-specific; \
impact.completion=failed; \
impact.type=user; \
impact.severity=medium; \
- impact.description= Someone tried to login to your POP3 server as user '$2' but \
failed; \ + impact.description= Someone tried to login to your POP3 server as user \
'$1' but failed; \ source.node.address; \
source.node.address.category=ipv4-addr; \
- source.node.address.address=$4; \
+ source.node.address.address=$2; \
source.service.protocol=tcp; \
target.service.port=110; \
target.service.protocol=tcp; \
+ target.user.userid; \
+ target.user.userid.name=$1; \
last;
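Review bot: the two qpopper rules fire on the same event. The samples show popper[6950] at 21:05:09 logging both the `[AUTH] Failed attempted login to vegeta` line (first hunk) and the `-ERR [AUTH] Password supplied for "vegeta" is incorrect` line (this hunk), so every failed POP3 login will produce two alerts with different class names. Either keep only one of the rules or give both the same class.name and document that one attempt yields two alerts.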
["simple.diff" (application/octet-stream)]
--- oldruleset/simple.rules 2003-12-09 08:29:36.000000000 -0800
+++ ruleset/simple.rules 2003-12-10 10:42:46.000000000 -0800
@@ -120,50 +120,68 @@
include = nagios.rules;
include = wu-ftp.rules;
include = cisco.rules;
-#include = cisco-vpn.rules;
+include = cisco-vpn.rules;
include = cisco-pix.rules;
include = navce.rules;
-#include = exim.rules;
-#include = zyxel.rules;
-#include = ipfw.rules;
-#include = netfilter.rules;
-#include = grsecurity.rules;
+include = exim.rules;
+include = zyxel.rules;
+include = ipfw.rules;
+include = netfilter.rules;
+include = grsecurity.rules;
include = ssh.rules;
-#include = zywall.rules;
-#include = proftpd.rules;
-#include = qpopper.rules;
-#include = vpopmail.rules;
-#include = checkpoint.rules;
+include = zywall.rules;
+include = proftpd.rules;
+include = qpopper.rules;
+include = vpopmail.rules;
+include = checkpoint.rules;
include = ntsyslog.rules;
-#include = ipso.rules;
-#include = squid.rules;
-#include = portsentry.rules;
-#include = vigor.rules;
-#include = ipchains.rules;
+include = ipso.rules;
+include = squid.rules;
+include = portsentry.rules;
+include = vigor.rules;
+include = ipchains.rules;
+#Dec 9 18:47:10 devel5 sshd(pam_unix)[13189]: session opened for user root by (uid=0)
regex=session opened for user root; \
class.name=Root login; \
+ class.origin=vendor-specific; \
impact.completion = succeeded; \
impact.type = admin; \
- impact.severity = medium
+ impact.severity = medium; \
+ target.user.userid; \
+ target.user.userid.name=root; \
+ last
+# No log sample; please submit
regex=(PAM|pam)_unix\[([0-9]+)\][^(]+\(uid=([0-9]+)\) -> ([^ ]+); \
class.name=Authentication Failure; \
+ class.origin=vendor-specific; \
impact.completion = failed; \
impact.type = other; \
impact.severity = high; \
- impact.description=Process $1 attempted to change UID from $2 to $3
+ impact.description=Process $1 attempted to change UID from $2 to $3; \
+ source.user.userid; \
+ source.user.userid.number=$2; \
+ target.user.userid; \
+ target.user.userid.number=$3; \
+ last
+# No log sample; please submit
regex=entered promiscuous mode; \
class.name=Promiscuous mode detected; \
+ class.origin=vendor-specific; \
impact.completion = succeeded; \
impact.type = other; \
impact.severity = medium; \
- impact.description=A sniffer is probably running on this machine
+ impact.description=A sniffer is probably running on this machine; \
+ last
+# No log sample; please submit
regex=no such user; \
class.name=Invalid User; \
+ class.origin=vendor-specific; \
impact.completion = failed; \
impact.type = other; \
impact.severity = medium; \
- impact.description = Someone tried to log in using a non existing user
+ impact.description = Someone tried to log in using a non existing user; \
+ last
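Review bot: the pam_unix rule's capture numbering is off by one. `(PAM|pam)` is `$1`, so the pid is `$2`, the uid is `$3` and the `-> ([^ ]+)` target is `$4`; as written, `impact.description=Process $1 attempted to change UID from $2 to $3` prints "pam" as the process and the pid as the source uid, and `source.user.userid.number=$2` / `target.user.userid.number=$3` get the pid and the source uid instead of source and target. Use a non-capturing group, `(?:PAM|pam)_unix`, which this ruleset's PCRE syntax already supports (`(?!root)` in ssh.rules), or shift every reference by one and put the `->` value in a name field, since `[^ ]+` there looks like a user name rather than a number. Two further points: `regex=session opened for user root` is an unanchored substring and also matches a user named, say, `rooter`; the sample ends in `root by (uid=0)`, so `user root by` is a safe terminator. And this hunk enables every include at once while most of the rules below it are marked "No log sample"; because `last` makes the first match win, the generic `no such user` rule only sees lines the vendor rules above did not claim, which is the intended layering, but it means the untested generic regexes are now live.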
["squid.diff" (application/octet-stream)]
--- oldruleset/squid.rules 2003-12-09 08:29:36.000000000 -0800
+++ ruleset/squid.rules 2003-12-10 11:49:26.000000000 -0800
@@ -29,16 +29,21 @@
###
# starting squid
+# No log sample; please submit
regex=squid\[(\d+)\]: Starting Squid Cache version ([\w\.]+) for ([\w-]+)\.\.\.; \
class.name=Squid started; \
+ class.origin=vendor-specific; \
impact.severity=low; \
impact.completion=succeeded; \
impact.type=other; \
- impact.description=Squid version $2 was started with PID $1
+ impact.description=Squid version $2 was started with PID $1; \
+ last
# accepting connections - is the node address really relevant here (-> listen on \
0.0.0.0 for instance) ? +# No log sample; please submit
regex=([\w\.]+) squid\[([0-9]+)\]: Accepting HTTP connections at ([\d\.]+), port \
(\d+), FD (\d+)\.; \ class.name=Squid accepts HTTP; \
+ class.origin=vendor-specific; \
impact.severity=low; \
impact.completion=succeeded; \
impact.type=other; \
@@ -50,10 +55,13 @@
target.service.port=$4; \
target.process.pid=$2; \
target.process.name=squid; \
- target.service.protocol=HTTP
+ target.service.protocol=HTTP; \
+ last
+# No log sample; please submit
regex=([\w\.]+) squid\[([0-9]+)\]: Accepting ICP messages at ([\d\.]+), port (\d+), \
FD (\d+)\.; \ class.name=Squid accepts ICP; \
+ class.origin=vendor-specific; \
impact.severity=low; \
impact.completion=succeeded; \
impact.type=other; \
@@ -65,10 +73,13 @@
target.service.port=$4; \
target.process.pid=$2; \
target.process.name=squid; \
- target.service.protocol=ICP
+ target.service.protocol=ICP; \
+ last
+# No log sample; please submit
regex=([\w\.]+) squid\[([0-9]+)\]: Accepting HTCP messages on port (\d+), FD \
(\d+)\.; \ class.name=Squid accepts HTCP; \
+ class.origin=vendor-specific; \
impact.severity=low; \
impact.completion=succeeded; \
impact.type=other; \
@@ -77,10 +88,13 @@
target.service.port=$3; \
target.process.pid=$2; \
target.process.name=squid; \
- target.service.protocol=HTCP
+ target.service.protocol=HTCP; \
+ last
+# No log sample, please submit
regex=([\w\.]+) squid\[([0-9]+)\]: Accepting WCCP messages on port (\d+), FD \
(\d+)\.; \ class.name=Squid accepts WCCP; \
+ class.origin=vendor-specific; \
impact.severity=low; \
impact.completion=succeeded; \
impact.type=other; \
@@ -89,42 +103,59 @@
target.service.port=$3; \
target.process.pid=$2; \
target.process.name=squid; \
- target.service.protocol=WCCP
+ target.service.protocol=WCCP; \
+ last
# disabled services (do we really need this ?)
+# No log sample; please submit
regex=([\w\.]+) squid\[([0-9]+)\]: HTCP Disabled\.; \
+ class.name=Squid started without HTCP; \
+ class.origin=vendor-specific; \
impact.severity=low; \
impact.type=other; \
impact.description=Squid (PID $2) was invoked without the HTCP service; \
target.node.name=$1; \
target.process.pid=$2; \
- target.process.name=squid
+ target.process.name=squid; \
+ last
+# No log sample; please submit
regex=([\w\.]+) squid\[([0-9]+)\]: WCCP Disabled\.; \
+ class.name=Squid started without WCCP; \
+ class.origin=vendor-specific; \
impact.severity=low; \
impact.type=other; \
impact.description=Squid (PID $2) was invoked without the WCCP service; \
target.node.name=$1; \
target.process.pid=$2; \
- target.process.name=squid
+ target.process.name=squid; \
+ last
# another way (less verbose) to detect squid has started (found in /var/log/messages \
and /var/log/syslog, default Debian conf) +# No log sample; please submit
regex=([\w\.]+) squid\[([0-9]+)\]: Squid Parent: child process (\d+) started; \
+ class.name=Squid started; \
+ class.origin=vendor-specific; \
impact.severity=low; \
impact.type=other; \
impact.description=Squid was started on $1 with pids $2 (parent) and $3 (child); \
target.node.name=$1; \
target.process.name=squid; \
- target.process.pid=$2
+ target.process.pid=$2; \
+ last
# squid exiting (/var/log/syslog and /var/log/messages format)
+# No log sample; please submit
regex=([\w\.]+) squid\[([0-9]+)\]: Squid Parent: child process (\d+) exited; \
+ class.name=Squid stopped; \
+ class.origin=vendor-specific; \
impact.severity=low; \
impact.type=other; \
impact.description=Squid (pid $2) exited; \
target.node.name=$1; \
target.process.name=squid; \
- target.process.pid=$2
+ target.process.pid=$2; \
+ last
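Review bot: the two "Disabled" rules in this hunk (`HTCP Disabled\.`, `WCCP Disabled\.`) get a class.name and origin but, unlike every sibling rule, still have no `impact.completion`; add `impact.completion=succeeded` for consistency. Also, `class.name=Squid stopped` for `Squid Parent: child process (\d+) exited` overstates the event: the Squid parent normally respawns the child after an exit, so "Squid child exited" describes what the line actually proves, and the matching `child process (\d+) started` rule will fire again on the restart.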
@@ -134,16 +165,21 @@
###
# starting
+# No log sample; please submit
regex=Starting Squid Cache version ([\w\.]+) for ([\w-]+)\.\.\.; \
class.name=Squid started; \
+ class.origin=vendor-specific; \
impact.severity=low; \
impact.completion=succeeded; \
impact.type=other; \
- impact.description=Squid version $1 was started
+ impact.description=Squid version $1 was started; \
+ last
-# accepting connections or disabled services
+# accepting connections or disabled servicesa
+# No log sample; please submit
regex=Accepting HTTP connections at ([\d\.]+), port (\d+), FD (\d+)\.; \
class.name=Squid accepts HTTP; \
+ class.origin=vendor-specific; \
impact.severity=low; \
impact.completion=succeeded; \
impact.type=other; \
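Review bot: the comment edit introduces a typo, `+# accepting connections or disabled servicesa`; it should read `# accepting connections or disabled services`.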
@@ -152,10 +188,13 @@
target.node.address.category=ipv4-addr; \
target.node.address.address=$1; \
target.service.port=$2; \
- target.service.protocol=HTTP
+ target.service.protocol=HTTP; \
+ last
+# No log sample; please submit
regex=Accepting ICP messages at ([\d\.]+), port (\d+), FD (\d+)\.; \
class.name=Squid accepts ICP; \
+ class.origin=vendor-specific; \
impact.severity=low; \
impact.completion=succeeded; \
impact.type=other; \
@@ -164,54 +203,75 @@
target.node.address.category=ipv4-addr; \
target.node.address.address=$1; \
target.service.port=$2; \
- target.service.protocol=ICP
+ target.service.protocol=ICP; \
+ last
+# No log sample; please submit
regex=Accepting HTCP messages on port (\d+), FD (\d+)\.; \
class.name=Squid accepts HTCP; \
+ class.origin=vendor-specific; \
impact.severity=low; \
impact.completion=succeeded; \
impact.type=other; \
impact.description=Squid listens for incoming HTCP messages on port $1, file \
descriptor #$2; \ target.service.port=$1; \
- target.service.protocol=HTCP
+ target.service.protocol=HTCP; \
+ last
+# No log sample; please submit
regex=Accepting WCCP messages on port (\d+), FD (\d+)\.; \
class.name=Squid accepts WCCP; \
+ class.origin=vendor-specific; \
impact.severity=low; \
impact.completion=succeeded; \
impact.type=other; \
impact.description=Squid listens for incoming WCCP messages on port $1, file \
descriptor #$2; \ target.service.port=$1; \
- target.service.protocol=WCCP
+ target.service.protocol=WCCP; \
+ last
+# No log sample; please submit
regex=HTCP Disabled\.; \
+ class.name=Squid started without HTCP; \
+ class.origin=vendor-specific; \
impact.severity=low; \
impact.type=other; \
- impact.description=Squid was invoked without the HTCP service
+ impact.description=Squid was invoked without the HTCP service; \
+ last
+# No log sample; please submit
regex=WCCP Disabled\.; \
+ class.name=Squid started without WCCP; \
+ class.origin=vendor-specific; \
impact.severity=low; \
impact.type=other; \
- impact.description=Squid was invoked without the WCCP service
+ impact.description=Squid was invoked without the WCCP service; \
+ last
+# No log sample; please submit
regex=Squid Parent: child process (\d+) exited; \
+ class.name=Squid stopped; \
+ class.origin=vendor-specific; \
impact.severity=low; \
impact.type=other; \
impact.description=Squid (pid $2) exited; \
target.node.name=$1; \
target.process.name=squid; \
- target.process.pid=$2
+ target.process.pid=$2; \
+ last
# II. ACL log
# 1. From /var/log/squid/access.log
+# No log sample; please submit
regex=(\d+\.\d+\.\d+\.\d+) .*DENIED/(\d+) (.*); \
class.name=Squid acl violation attempt; \
+ class.origin=vendor-specific; \
impact.severity=medium; \
impact.completion=failed; \
impact.description=Host $1 tried to violate Squid ACL; \
source.node.address; \
source.node.address.category=ipv4-addr; \
- source.node.address.address=$2
-
+ source.node.address.address=$2; \
+ last
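Review bot: two capture references in this hunk point at the wrong groups. The section-II `Squid Parent: child process (\d+) exited` rule has a single group, so `$1` is the child pid and `$2` does not exist; `impact.description=Squid (pid $2) exited`, `target.node.name=$1` and `target.process.pid=$2` were copied from the section-I variant that captures the host first. Use `$1` for the pid and drop `target.node.name`. In the ACL rule, `regex=(\d+\.\d+\.\d+\.\d+) .*DENIED/(\d+) (.*)` makes `$2` the status code after `DENIED/`, yet `source.node.address.address=$2` is set; the client address is `$1`, which the description already uses. The ACL rule is also the only one in the file without `impact.type`.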
["ssh.diff" (application/octet-stream)]
--- oldruleset/ssh.rules 2003-12-09 08:29:36.000000000 -0800
+++ ruleset/ssh.rules 2003-12-10 11:14:29.000000000 -0800
@@ -34,8 +34,10 @@
# Logging succeed #
###################
-regex=sshd.+: Accepted (\S+) for root from (\S+) port (\d+)\s*(ssh2)?; \
+#Dec 8 14:45:17 itguxweb1 sshd[32112]: Accepted publickey for root from 12.34.56.78 port 56634 ssh2
+regex=sshd\[\d+\]: Accepted (\S+) for root from ([\d\.]+) port (\d+)\s*(ssh2)?; \
class.name=SSH Remote root logging; \
+ class.origin=vendor-specific; \
impact.severity=low; \
impact.completion=succeeded; \
impact.type=admin; \
@@ -48,10 +50,14 @@
# target.node.address.category=ipv46-addr; \
target.service.port=22; \
target.service.protocol=tcp; \
+ target.user.userid; \
+ target.user.userid.name=root; \
last;
-regex=sshd.+: Accepted (\S+) for (?!root)(\S+) from (\S+) port (\d+)\s*(ssh2)?; \
+#Dec 10 10:33:19 itguxweb2 sshd[29738]: Accepted password for ekwong from 12.34.56.78 port 39852 ssh2
+regex=sshd\[\d+\]: Accepted (\S+) for (?!root)(\S+) from ([\d\.]+) port (\d+)\s*(ssh2)?; \
class.name=SSH Remote user logging; \
+ class.origin=vendor-specific; \
impact.severity=low; \
impact.completion=succeeded; \
impact.type=user; \
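Review bot: `for (?!root)(\S+) from` excludes every user name that merely starts with "root" (`rooter`, `rootadm`), and the root rule above requires the literal `for root from`, so a successful login by such a user matches neither rule and is silently dropped. Use `(?!root )` (lookahead including the following space) or `(?!root\b)` so only the exact name `root` is diverted to the root rule.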
@@ -63,14 +69,19 @@
source.service.protocol=tcp; \
# target.node.address.category=ipv46-addr; \
target.service.port=22; \
- target.service.protocol=tcp;
+ target.service.protocol=tcp; \
+ target.user.userid; \
+ target.user.userid.name=$2; \
+ last
################
# Login failed #
################
-regex=sshd.+: Failed (\S+) for root from ([\d\.]+) port (\d+)\s*(ssh2)?; \
+#Dec 9 16:00:35 itguxweb2 sshd[24541]: Failed password for root from 12.34.56.78 port 1806
+regex=sshd\[\d+\]: Failed (\S+) for root from ([\d\.]+) port (\d+)\s*(ssh2)?; \
class.name=SSH Remote root logging failed; \
+ class.origin=vendor-specific; \
impact.severity=medium; \
impact.completion=failed; \
impact.type=admin; \
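Review bot: this file now mixes `last;` (unchanged context at the end of the root-login rule above) with the new `+ last` without a semicolon added here and in the later hunks. Pick one form for the whole file; the proftpd and qpopper diffs in this set use `last;`.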
@@ -82,10 +93,15 @@
source.service.protocol=tcp; \
# target.node.address.category=ipv4-addr; \
target.service.port=22; \
- target.service.protocol=tcp;
+ target.service.protocol=tcp; \
+ target.user.userid; \
+ target.user.userid.name=root; \
+ last
-regex=sshd.+: Failed (\S+) for (?!root)(\S+) from ([\d\.]+) port (\d+)\s*(ssh2)?; \
+#Dec 9 21:29:56 devel5 sshd[17554]: Failed password for akarade from 12.34.56.78 port 4214
+regex=sshd\[\d+\]: Failed (\S+) for (?!root)(\S+) from ([\d\.]+) port (\d+)\s*(ssh2)?; \
class.name=SSH Remote user logging failed; \
+ class.origin=vendor-specific; \
impact.severity=medium; \
impact.completion=failed; \
impact.type=user; \
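Review bot: same lookahead problem as in the successful-login rule: `Failed (\S+) for (?!root)(\S+) from` skips any user whose name begins with "root", and the root variant only accepts `for root from`, so failed attempts against names like `rooter` are reported by neither rule. `(?!root )` fixes it for both.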
@@ -97,14 +113,19 @@
source.service.protocol=tcp; \
# target.node.address.category=ipv4-addr; \
target.service.port=22; \
- target.service.protocol=tcp;
+ target.service.protocol=tcp; \
+ target.user.userid; \
+ target.user.userid.name=$2; \
+ last
##############################################
# Invalid (not existing) user tried to login #
##############################################
-regex=sshd.+: Illegal user (\S+) from (\S+); \
+#Dec 9 18:48:29 itguxweb2 sshd[29536]: Failed password for illegal user ROOT from 12.34.56.78 port 2886
+regex=sshd\[\d+\]: Illegal user (\S+) from (\S+); \
class.name=SSH Remote logging failed with an invalid user; \
+ class.origin=vendor-specific; \
impact.severity = medium; \
impact.completion=failed; \
impact.type=user; \
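Review bot: the sample added in this hunk does not match the regex under it. `Failed password for illegal user ROOT from 12.34.56.78 port 2886` contains lowercase `illegal user`, while `regex=sshd\[\d+\]: Illegal user (\S+) from (\S+)` requires the capitalised `Illegal user` form that older sshd versions log on their own line. The sample is not caught by the non-root `Failed` rule either, because `(\S+)` stops at `illegal` and then expects ` from` but finds ` user`. Either replace the sample with an `Illegal user X from Y` line, or add a rule for the `Failed (\S+) for illegal user (\S+) from ([\d\.]+) port (\d+)` form; as it stands, the attempt shown in the sample produces no alert.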
@@ -113,28 +134,38 @@
source.node.address.category=ipv4-addr; \
source.node.address.address=$2; \
target.service.port=22; \
- target.service.protocol=tcp;
+ target.service.protocol=tcp; \
+ target.user.userid; \
+ target.user.userid.name=$1; \
+ last
##################################################################################
# User listed in DenyGroups or DenyUsers (sshd_config directives) tried to login #
##################################################################################
-regex=sshd.+: User (\S+) not allowed because .*listed in (\w+); \
+# No log sample; please submit
+regex=sshd\[\d+\]: User (\S+) not allowed because .*listed in (\w+); \
class.name=SSH Remote logging failed with a denied user; \
+ class.origin=vendor-specific; \
impact.severity = medium; \
impact.completion=failed; \
impact.type=user; \
impact.description=User $1 failed to login because he is listed in $2; \
target.service.port=22; \
- target.service.protocol=tcp;
+ target.service.protocol=tcp; \
+ target.user.userid; \
+ target.user.userid.name=$1; \
+ last
##################################################################
# Sshd did not receive the identification string from the client #
# (maybe a ssh server recognition) #
##################################################################
-regex=sshd.+: Did not receive identification string from (\S+); \
+# No log sample; please submit
+regex=sshd\[\d+\]: Did not receive identification string from ([\d\.]+); \
class.name=SSH Server recognition; \
+ class.origin=vendor-specific; \
impact.severity = medium; \
impact.completion=failed; \
impact.type=recon; \
@@ -144,7 +175,8 @@
source.node.address.address=$1; \
source.service.protocol=tcp; \
target.service.port=22; \
- target.service.protocol=tcp;
+ target.service.protocol=tcp; \
+ last
#########################################################################
# Forbidden root logging #
@@ -152,8 +184,10 @@
# of the sshd_config file) #
#########################################################################
-regex=sshd.+: ROOT LOGIN REFUSED FROM (\w+); \
+# No log sample; please submit
+regex=sshd\[\d+\]: ROOT LOGIN REFUSED FROM (\w+); \
class.name=SSH Remote root logging forbidden; \
+ class.origin=vendor-specific; \
impact.severity = medium; \
impact.completion=failed; \
impact.type=admin; \
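Review bot: `ROOT LOGIN REFUSED FROM (\w+)` cannot match a dotted-quad address because `\w` excludes `.`, yet the next hunk feeds `$1` into `source.node.address.address`. Use `([\d\.]+)` as the other rules in this file now do, or `([\w\-\.]+)` if sshd may log a resolved host name here.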
@@ -163,5 +197,8 @@
source.node.address.address=$1; \
source.service.protocol=tcp; \
target.service.port=22; \
- target.service.protocol=tcp;
+ target.service.protocol=tcp; \
+ target.user.userid; \
+ target.user.userid.name=root; \
+ last
["vigor.diff" (application/octet-stream)]
--- oldruleset/vigor.rules 2003-12-09 08:29:36.000000000 -0800
+++ ruleset/vigor.rules 2003-12-10 11:16:24.000000000 -0800
@@ -27,7 +27,8 @@
#Apr 27 02:55:31 81.2.127.129 r00t3r: 295:34:52.730 lan @Group:Rule=0:10 b \
200.187.15.1,18775 -> 81.2.127.129,www PR tcp len 20 48 -S 895123185 0 16384 IN
regex=.* ([\w\-\.]+): \d+:\d+:\d+\.\d+ lan @Group:Rule=\d+:\d+ b ([\d\.]+),(\w+) -> \
([\d\.]+),(\w+) PR tcp len \d+ \d+ -\S+ \d+ \d+ \d+ IN; \
- class.name=Packet dropped by Vigor; \
+ class.name=TCP Packet dropped; \
+ class.origin=vendor-specific; \
impact.completion=failed; \
impact.type=other; \
impact.severity=medium; \
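Review bot: the vigor regexes keep the leading `.* ` before `([\w\-\.]+):` that the other rulesets in this set dropped in favour of a fixed anchor such as `sshd\[\d+\]:`; the sample's `r00t3r:` token is the syslog tag, so anchoring on it directly avoids the backtracking the leading `.*` causes on every line. Also note that the port captures `,(\w+)` match service names, not only numbers (`www` in the sample), so whatever consumes `$3` and `$5` as a port must accept names.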
@@ -48,7 +49,8 @@
#Apr 27 02:55:53 81.2.127.129 r00t3r: 295:35:14.930 lan @Group:Rule=0:10 b \
66.57.40.6,1295 -> 81.2.127.138,1434 PR udp len 20 404 IN
regex=.* ([\w\-\.]+): \d+:\d+:\d+\.\d+ lan @Group:Rule=\d+:\d+ b ([\d\.]+),(\w+) -> \
([\d\.]+),(\w+) PR udp len \d+ \d+ IN; \
- class.name=Packet dropped by Vigor; \
+ class.name=UDP Packet dropped; \
+ class.origin=vendor-specific; \
impact.completion=failed; \
impact.type=other; \
impact.severity=medium; \
@@ -69,7 +71,8 @@
#Apr 27 00:38:25 81.2.127.129 r00t3r: 293:17:47.390 lan @Group:Rule=0:10 b \
66.112.44.26 -> 81.2.127.142 PR icmp len 20 28 icmp 8/0 IN
regex=.* ([\w\-\.]+): \d+:\d+:\d+\.\d+ lan @Group:Rule=\d+:\d+ b ([\d\.]+) -> \
([\d\.]+) PR icmp len \d+ \d+ icmp (\d+)/(\d+) IN; \
- class.name=Packet dropped by Vigor; \
+ class.name=ICMP Packet dropped; \
+ class.origin=vendor-specific; \
impact.completion=failed; \
impact.type=other; \
impact.severity=medium; \
["vpopmail.diff" (application/octet-stream)]
--- oldruleset/vpopmail.rules 2003-12-09 08:29:36.000000000 -0800
+++ ruleset/vpopmail.rules 2003-12-10 11:21:26.000000000 -0800
@@ -25,32 +25,38 @@
# Feb 24 13:19:49 c vpopmail[9505]: vchkpw: vpopmail user not found \
temp@alexus.org:66.181.160.250 # Jan 14 17:30:13 spotk vpopmail[28425]: vchkpw: \
vpopmail user not found toto@:192.168.100.50
-regex=.*vpopmail\[(\d+)\]: vchkpw: vpopmail user not found (\S+):(\S+).*; \
+regex=vpopmail\[\d+\]: vchkpw: vpopmail user not found (\S+):([\d\.]+); \
class.name=vpopmail - no such user; \
+ class.origin=vendor-specific; \
impact.completion=failed; \
impact.type=user; \
impact.severity=medium; \
- impact.description= Someone tried to log in to your POP3 server as a non-existant \
user '$2' but failed; \ + impact.description= Someone tried to log in to your POP3 \
server as a non-existant user '$1' but failed; \ source.node.address; \
source.node.address.category=ipv4-addr; \
- source.node.address.address=$3; \
+ source.node.address.address=$2; \
source.service.protocol=tcp; \
target.service.port=110; \
target.service.protocol=tcp; \
+ target.user.userid; \
+ target.user.userid.name=$1; \
last;
# Jan 14 17:24:54 spotk vpopmail[28359]: vchkpw: password fail \
xxx@spotk.net:127.0.0.1
-regex=.*vpopmail\[(\d+)\]: vchkpw: password fail (\S+):(\S+).*; \
+regex=vpopmail\[\d+\]: vchkpw: password fail (\S+):([\d\.]+); \
class.name=vpopmail - bad password for this user; \
+ class.origin=vendor-specific; \
impact.completion=failed; \
impact.type=user; \
impact.severity=medium; \
- impact.description= Someone tried to log in to your POP3 server as user '$2' but \
failed; \ + impact.description= Someone tried to log in to your POP3 server as user \
'$1' but failed; \ source.node.address; \
source.node.address.category=ipv4-addr; \
- source.node.address.address=$3; \
+ source.node.address.address=$2; \
source.service.protocol=tcp; \
target.service.port=110; \
target.service.protocol=tcp; \
+ target.user.userid; \
+ target.user.userid.name=$1; \
last;
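Review bot: the new `impact.description` in the first rule still spells "non-existant"; it should be "non-existent". As with qpopper.rules, `class.name=vpopmail - no such user` and `vpopmail - bad password for this user` remain product-specific while the proftpd rules in this set were normalised to `FTP logon failed`; `POP3 logon failed` with `class.origin=vendor-specific` would match that convention. The address rewrite (`$1` user, `$2` from `([\d\.]+)`) is consistent with both samples, including the empty-domain `toto@:192.168.100.50` case.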
["wu-ftp.diff" (application/octet-stream)]
--- oldruleset/wu-ftp.rules 2003-12-09 08:29:36.000000000 -0800
+++ ruleset/wu-ftp.rules 2003-12-10 11:30:21.000000000 -0800
@@ -31,7 +31,7 @@
#####
#Oct 28 20:38:47 www.tyco-training.stag ftpd[12781]: ANONYMOUS FTP LOGIN FROM \
p508ee95a.dip.t-dialin.net [80.142.233.90], Igpuser@home.com
-regex=([\w\-\.]+) ftpd.+ ANONYMOUS FTP LOGIN FROM .+ \[([\d\.)]+)\]; \
+regex=([\w\-\.]+) ftpd\[\d+\]: ANONYMOUS FTP LOGIN FROM [\w\-\.]+ \[([\d\.)]+)\], \
(\S+); \ class.name=Anonymous FTP logon; \
class.origin=vendor-specific; \
impact.completion=succeeded; \
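Review bot: the address class `\[([\d\.)]+)\]` contains a literal `)`, so the capture would also swallow a closing parenthesis; this was already in the old line but the line is being rewritten anyway, so make it `\[([\d\.]+)\]` here and in the `FTP LOGIN FAILED` rule below.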
@@ -44,10 +44,14 @@
source.service.protocol=tcp; \
target.service.port=21; \
target.service.protocol=tcp; \
+ target.user.userid; \
+ target.user.userid.name=anonymous; \
+ source.user.userid; \
+ source.user.userid.name=$3; \
last
#Oct 28 20:38:48 itguxweb2 ftpd[19188]: FTP LOGIN FAILED (cannot set guest \
privileges) for p508ee95a.dip.t-dialin.net [80.142.233.90], ftp
-regex=([\w\-\.]+) ftpd.+ FTP LOGIN FAILED \(([\w\s]+)\) for .+ \[([\d\.)]+)\]; \
+regex=([\w\-\.]+) ftpd\[\d+\]: FTP LOGIN FAILED \(([\w\s]+)\) for [\w\-\.]+ \
\[([\d\.)]+)\], (\S+); \ class.name=FTP logon failed; \
class.origin=vendor-specific; \
impact.completion=failed; \
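Review bot: the same stray `)` sits in the `FTP LOGIN FAILED` regex (`\[([\d\.)]+)\], (\S+)`) and should be `[\d\.]` as well. Note that the group numbering differs between the two rules: in the anonymous-login regex `$2` is the address and `$3` the e-mail string, whereas here `$2` is the failure reason, `$3` the address and `$4` the login name (`ftp` in the sample); the field assignments after this hunk need to use the numbers for this regex, not the previous one.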
@@ -60,4 +64,6 @@
source.service.protocol=tcp; \
target.service.port=21; \
target.service.protocol=tcp; \
+ source.user.userid; \
+ source.user.userid.name=$3; \
last
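Review bot: `source.user.userid.name=$3` in this hunk belongs to the `FTP LOGIN FAILED` regex, where `$3` is the `\[([\d\.)]+)\]` address group; the login name captured by the trailing `(\S+)` is `$4`. As written, the user field will be populated with the client IP address. Change it to `source.user.userid.name=$4`.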
["zywall.diff" (application/octet-stream)]
--- oldruleset/zywall.rules 2003-12-09 08:29:36.000000000 -0800
+++ ruleset/zywall.rules 2003-12-10 11:32:56.000000000 -0800
@@ -30,8 +30,10 @@
# Specify a syslog server IP and log facility level
# Put "Set firewall log" field to "YES"
+# No log sample; please submit
regex=FW (\d+\.\d+\.\d+\.\d+)\s*[:]?(\d+)?\s*\-\>(\d+\.\d+\.\d+\.\d+)\s*[:]?(\d+)?\s*\|(UDP|TCP|ICMP|IGMP|GRE|ESP)(.*)\|(.*)\|B; \
\
- class.name=ZyWall firewall log; \
+ class.name=$5 packet blocked; \
+ class.origin=vendor-specific; \
impact.completion=failed; \
impact.type=other; \
impact.severity=medium; \
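Review bot: the `# No log sample; please submit` marker is placed where the sample line would go, good. Two small points: the line after the regex that consists only of `\` is an empty continuation line and can be dropped, and since the regex's port groups `(\d+)?` are optional, `$2` and `$4` will be empty for the ICMP, IGMP, GRE and ESP alternatives of `(UDP|TCP|ICMP|IGMP|GRE|ESP)`; either document that the port fields are blank for those protocols or split them into a rule without port assignments.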
@@ -45,10 +47,13 @@
target.node.address.address = $3; \
target.service.port = $4; \
target.service.protocol = $5; \
- impact.description=$5$6 packet blocked from $1 port $2 to $3 port $4 [$7];
+ impact.description=$5$6 packet blocked from $1 port $2 to $3 port $4 [$7]; \
+ last
+# No log sample; please submit
regex=FW (\d+\.\d+\.\d+\.\d+)\s*[:]?(\d+)?\s*\-\>(\d+\.\d+\.\d+\.\d+)\s*[:]?(\d+)?\s*\|(UDP|TCP|ICMP|IGMP|GRE|ESP)(.*)\|(.*)\|F; \
\
- class.name=ZyWall firewall log; \
+ class.name=$5 packet forwarded; \
+ class.origin=vendor-specific; \
impact.completion=failed; \
impact.type=other; \
impact.severity=medium; \
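Review bot: adding `; \` and `last` after `impact.description=...` is the right fix; the old line had no continuation, so the rule had no `last` at all and later rules were still tried after a match. In the `forwarded` rule that starts in this hunk, however, `impact.completion=failed` is kept unchanged next to `class.name=$5 packet forwarded`; a forwarded packet is a completed action, so `impact.completion=succeeded` is the value that matches the new class name.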
@@ -62,10 +67,13 @@
target.node.address.address = $3; \
target.service.port = $4; \
target.service.protocol = $5; \
- impact.description=$5$6 packet forwarded from $1 port $2 to $3 port $4 [$7];
+ impact.description=$5$6 packet forwarded from $1 port $2 to $3 port $4 [$7]; \
+ last
+# No log sample; please submit
regex=FW (\d+\.\d+\.\d+\.\d+)\s*[:]?(\d+)?\s*\-\>(\d+\.\d+\.\d+\.\d+)\s*[:]?(\d+)?\s*\|(UDP|TCP|ICMP|IGMP|GRE|ESP)(.*)\|(.*)\|N; \
\
- class.name=ZyWall firewall log; \
+ class.name=$5 packet matched; \
+ class.origin=vendor-specific; \
impact.completion=failed; \
impact.type=other; \
impact.severity=medium; \
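Review bot: same inconsistency as the forwarded rule: `impact.completion=failed` together with `class.name=$5 packet matched` reads wrong. Use `succeeded`, or, if `|N` means a rule hit with no decision, say so in a comment above the regex so it is clear why it is classed differently from the `|B` blocked rule.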
@@ -79,7 +87,5 @@
target.node.address.address = $3; \
target.service.port = $4; \
target.service.protocol = $5; \
- impact.description=$5$6 packet matched from $1 port $2 to $3 port $4 [$7];
-
-
-
+ impact.description=$5$6 packet matched from $1 port $2 to $3 port $4 [$7]; \
+ last
["ntsyslog.diff" (application/octet-stream)]
--- oldruleset/ntsyslog.rules 2003-12-10 08:43:27.000000000 -0800
+++ ruleset/ntsyslog.rules 2003-12-10 08:43:04.000000000 -0800
@@ -36,6 +36,7 @@
# 1. Success events
# 1.a 515
+# No log sample; please submit
regex= security\[success\] 515 (.*) Logon Process Name:([\w\\]+); \
class.name=Windows Event ID [515]: Trusted logon process registration; \
class.origin=vendor-specific; \
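Review bot: the file header for this diff shows the `+++ ruleset/ntsyslog.rules` timestamp (08:43:04) earlier than the `--- oldruleset/ntsyslog.rules` one (08:43:27), which suggests the old copy was touched after the new one; worth confirming the diff was generated in the intended direction before it is applied. The `# No log sample; please submit` marker itself is fine here.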
@@ -47,6 +48,7 @@
last
# 1.b 528
+# No log sample; please submit
regex= security\[success\] 528 (.*) Successful Logon: User Name:([\w ]+) \
Domain:(.+) Logon ID:\((.*)\) Logon Type:(\d+) Logon Process:(\w+) .* Workstation \
Name:(\w+); \ class.name=Windows Event ID [528]: Successful logon; \
class.origin=vendor-specific; \
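Review bot: for the 528 regex, `Workstation Name:(\w+)` will not match workstation names containing a hyphen, which NetBIOS names commonly do, so successful logons from such hosts would fall through to the `1.l other` catch-all rule; `Workstation Name:(\S+)` or `([\w\-]+)` is safer. Since only the missing-sample marker is added here, a captured 528 line is the quickest way to confirm the rest of the pattern.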
@@ -59,6 +61,7 @@
last
# 1.c 538
+# No log sample; please submit
regex= security\[success\] 538 (.*) User Logoff: User Name:([\w ]+) Domain:(.+) \
Logon ID:\((.*)\) Logon Type:(\d+); \ class.name=Windows Event ID [538]: User \
logoff; \ class.origin=vendor-specific; \
@@ -71,6 +74,7 @@
last
# 1.d 560
+# No log sample; please submit
regex= security\[success\] 560 (.*) Object Open: Object Server:([\w\s]+) Object \
Type:([\w\_]+) Object Name:(\w+) New Handle ID:(\d+) Operation ID:(.*) Process \
ID:(\d+) Primary User Name:(.*) Primary Domain:(.+) Primary Logon ID:(.*) Client \
User Name:([\w ]+) Client Domain:(.+) Client Logon ID:\((.*)\) .*; \ \
class.name=Windows Event ID [560]: Object open; \ class.origin=vendor-specific; \
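Review bot: `Object Name:(\w+)` in the 560 regex only accepts a single word, but object names in Object Open events are typically file or registry paths containing backslashes, dots and spaces, so this rule will rarely match and the event will land in the generic `1.l other` rule instead; `Object Name:(.+?) New Handle ID:` (non-greedy up to the next field) is the usual fix. The added `# No log sample` marker is the right place to put a real line once one is captured, and that line should be run through the regex before the rule is trusted.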
@@ -84,6 +88,7 @@
last
# 1.e 562
+# No log sample; please submit
regex= security\[success\] 562 (.*) Handle Closed: Object Server:([\w\s]+) Handle \
ID:(\d+) Process ID:(\d+); \ class.name=Windows Event ID [562]: Handle closed; \
class.origin=vendor-specific; \
@@ -95,6 +100,7 @@
last
# 1.f 576
+# No log sample; please submit
regex= security\[success\] 576 (.*) Special privileges assigned to new logon: User \
Name:([\w ]+) Domain:(.+) Logon ID:\((.*)\) Assigned: ([\w\ ]+); \ \
class.name=Windows Event ID [576]: Privilege assigned to new logon; \ \
class.origin=vendor-specific; \ @@ -107,6 +113,7 @@
last
# 1.g 577
+# No log sample; please submit
regex= security\[success\] 577 (.*) Privileged Service Called: Server:(.+) \
Service:(.*) Primary User Name:([\w ]+) Primary Domain:(.+) Primary Logon \
ID:\((.*)\) Client User Name:(.+) Client Domain:(.+) Client Logon ID:(.+) \
Privileges:(.+); \ class.name=Windows Event ID [577]: Privileged service called; \
class.origin=vendor-specific; \
@@ -119,6 +126,7 @@
last
# 1.h
+# No log sample; please submit
regex= security\[success\] 643 (.*) Domain Policy Changed: Password Policy \
modified Domain:(.+) Domain ID: (.+) Caller User Name:(.+) Caller Domain:(.+) \
Caller Logon ID:\((.+)\) Privileges:(.+); \ class.name=Windows Event ID [643]: \
Password policy modified; \ class.origin=vendor-specific; \
@@ -131,6 +139,7 @@
last
# 1.i 680
+# No log sample; please submit
regex= security\[success\] 680 (.*) Account Used for Logon by: (.+) Account Name: \
(.+) Workstation: (.+); \ class.name=Windows Event ID [680]: Logon attempt; \
class.origin=vendor-specific; \
@@ -141,6 +150,7 @@
last
# 1.j 682
+# No log sample; please submit
regex= security\[success\] 682 (.*) Session reconnected to winstation: User \
Name:([\w ]+) Domain:(.+) Logon ID:\((.+)\) Session Name:(.+) Client Name:(.+) \
Client Address:(\d+\.\d+\.\d+\.\d+); \ class.name=Windows Event ID [682]: Session \
reconnected to winstation; \ class.origin=vendor-specific; \
@@ -156,6 +166,7 @@
last
# 1.k 683
+# No log sample; please submit
regex= security\[success\] 683 (.*) Session disconnected from winstation: User \
Name:([\w ]+) Domain:(.+) Logon ID:\((.+)\) Session Name:(.+) Client Name:(.+) \
Client Address:(\d+\.\d+\.\d+\.\d+); \ class.name=Windows Event ID [683]: Session \
disconnected from winstation; \ class.origin=vendor-specific; \
@@ -171,6 +182,7 @@
last
# 1.l other
+# No log sample; please submit
regex= security\[success\] (\d+); \
class.name=Windows Event ID [$1]; \
class.origin=vendor-specific; \
@@ -182,6 +194,7 @@
# 2. Failure events
# 2.a 529 or 534
+#Dec 10 00:23:37 webbrain.itg.sac.tfs security[failure] 529 NT AUTHORITY\SYSTEM \
Logon Failure: Reason:Unknown user name or bad password User Name:administrator \
Domain:ITG Logon Type:2 Logon Process:Advapi Authentication Package: \
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Workstation Name:WEBBRAIN regex= \
security\[failure\] (\d+) (.+) Logon Failure: Reason:(.+) User Name:([\w ]+) \
Domain:(.+) Logon Type:(\d+) Logon Process:(\w+) Authentication Package:(.+) \
Workstation Name:(.+); \ class.name=Windows Event ID [$1]: Logon failure; \
class.origin=vendor-specific; \
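Review bot: good to see a real sample line added. Two points on the regex that follows it: the sample shows a space after `Authentication Package:` before `MICROSOFT_AUTHENTICATION_PACKAGE_V1_0`, and `Authentication Package:(.+)` will keep that space in `$8` if it is really part of the event text, so `Authentication Package:\s*(.+)` is safer; and the heading says `529 or 534` while the regex captures any ID with `security\[failure\] (\d+)` followed by `Logon Failure:`, so the comment should say this is a generic logon-failure rule keyed on the captured ID.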
@@ -195,6 +208,7 @@
last
# 2.b 578
+#Dec 9 17:42:49 testdb.itg.sac.tfs security[failure] 578 ITG\mzirion Privileged \
object operation: Object Server:Security Object Handle:4294967295 Process ID:3540 \
Primary User Name:TESTDB$ Primary Domain:ITG Primary Logon ID:(0x0,0x3E7) Client \
User Name:mzirion Client Domain:ITG Client Logon ID:(0x2,0x5E829351) \
Privileges:SeIncreaseBasePriorityPrivilege regex= security\[failure\] 578 (.+) \
Privileged object operation: Object Server:Security Object Handle:(\d+) Process \
ID:(\d+) Primary User Name:(.+) Primary Domain:(.+) Primary Logon ID:\(.*\) \
Client User Name:([\w ]+) Client Domain:(.+) Client Logon ID:\((.*)\) \
Privileges:(.+); \ class.name=Windows Event ID [578]: Privileged object operation; \
class.origin=vendor-specific; \
@@ -206,6 +220,7 @@
last
# 2.c 627
+#Dec 7 20:07:49 testdb.itg.sac.tfs security[failure] 627 NT AUTHORITY\SYSTEM \
Change Password Attempt: Target Account Name:TsInternetUser Target Domain:TESTDB \
Target Account ID: %{S-1-5-21-854245398-413027322-725345543-1000} Caller User \
Name:TESTDB$ Caller Domain:ITG Caller Logon ID:(0x0,0x3E7) Privileges:- regex= \
security\[failure\] 627 (.+) Change Password Attempt: Target Account Name:(.+) \
Target Domain:(.+) Target Account ID: (.+) Caller User Name:(.+) Caller \
Domain:(.+) Caller Logon ID:(\(.+\)) Privileges:(.+); \ class.name=Windows Event \
ID [627]: Change password attempt; \ class.origin=vendor-specific; \
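Review bot: `Caller Logon ID:(\(.+\))` captures the surrounding parentheses into the group, whereas every other rule in this file uses `Logon ID:\((.*)\)` and captures only the contents; change it to `Caller Logon ID:\((.+)\)` so `$7` has the same shape as the other logon IDs. The sample line confirms `Target Account ID: (.+)` needs the space, so that part is fine as written.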
@@ -218,6 +233,7 @@
target.user.userid.name=$2
# 2.d 681
+#Dec 10 08:20:07 mrfreeze.itg.sac.tfs security[failure] 681 NT AUTHORITY\SYSTEM The \
logon to account: tfslegalask@itg.sac.tfs by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 \
from workstation: MRFREEZE failed. The error code was: 3221225572 regex= \
security\[failure\] 681 (.+) The logon to account: (\w+) by:(.+) from workstation: \
(\w+) failed. The error code was: (\d+); \ class.name=Windows Event ID [681]: Logon \
failure; \ class.origin=vendor-specific; \
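Review bot: the 681 regex `The logon to account: (\w+) by:` will not match the sample line added directly above it: the account there is `tfslegalask@itg.sac.tfs`, and `\w` matches neither `@` nor `.`. Use `(\S+)` instead. The unescaped `.` in `failed. The error code` is harmless but should be `failed\.`. Separately, the `target.user.userid.name=$2` context line at the top of this hunk is the last line of the 627 rule and, unlike the 681 rule that ends with `target.user.userid.name=$2; \` and `last`, it has no continuation and no `last`; end it the same way, otherwise a 627 line can also be picked up by the `2.e other` catch-all.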
@@ -229,13 +245,16 @@
target.user.userid; \
target.user.userid.name=$2; \
last
+
# 2.e other
+# No log sample; please submit
regex= security\[failure\] (\d+); \
class.name=Windows Event ID [$1]; \
class.origin=vendor-specific; \
impact.severity=medium; \
impact.type=other; \
- impact.description=Security Failure message with identifier #$1
+ impact.description=Security Failure message with identifier #$1; \
+ last
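Review bot: the `; \` plus `last` on `impact.description=Security Failure message with identifier #$1` is the right fix, matching the zywall changes. The extra `+` line adding a blank line before `# 2.e other` is harmless but inconsistent with the rest of the file, where rules follow each other without blank lines. Since this catch-all matches every `security[failure]` line, it only behaves as intended if each specific failure rule above it ends with `last`; the 627 rule currently does not.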