rpms/sec/F-12 bsd-general.sec, NONE, 1.1 bsd-mpd.sec, NONE, 1.1 cisco-syslog.sec, NONE, 1.1 import.log, NONE, 1.1 pix-general.sec, NONE, 1.1 .cvsignore, 1.4, 1.5 amavisd.sec, 1.1, 1.2 bsd-MONITOR.sec, 1.1, 1.2 bsd-PHYSMOD.sec, 1.1, 1.2 bsd-USERACT.sec, 1.1, 1.2 conf.README, 1.1, 1.2 cvs.sec, 1.1, 1.2 dameware.sec, 1.1, 1.2 hp-openview.sec, 1.1, 1.2 labrea.sec, 1.1, 1.2 pix-security.sec, 1.1, 1.2 pix-url.sec, 1.1, 1.2 portscan.sec, 1.1, 1.2 sec.init, 1.1, 1.2 sec.logrotate, 1.1, 1.2 sec.spec, 1.6, 1.7 snort.sec, 1.1, 1.2 snortsam.sec, 1.1, 1.2 sources, 1.4, 1.5 ssh-brute.sec, 1.1, 1.2 ssh.sec, 1.1, 1.2 vtund.sec, 1.1, 1.2 windows.sec, 1.1, 1.2 001_init.sec, 1.1, NONE clamav.sec, 1.1, NONE dbi-example.sec, 1.1, NONE general.sec, 1.1, NONE mpd.sec, 1.1, NONE syslog-ng.txt, 1.1, NONE

Stefan Schulze Frielinghaus stefansf at fedoraproject.org
Sat Oct 3 07:52:17 UTC 2009


Author: stefansf

Update of /cvs/pkgs/rpms/sec/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv29848/F-12

Modified Files:
	.cvsignore amavisd.sec bsd-MONITOR.sec bsd-PHYSMOD.sec 
	bsd-USERACT.sec conf.README cvs.sec dameware.sec 
	hp-openview.sec labrea.sec pix-security.sec pix-url.sec 
	portscan.sec sec.init sec.logrotate sec.spec snort.sec 
	snortsam.sec sources ssh-brute.sec ssh.sec vtund.sec 
	windows.sec 
Added Files:
	bsd-general.sec bsd-mpd.sec cisco-syslog.sec import.log 
	pix-general.sec 
Removed Files:
	001_init.sec clamav.sec dbi-example.sec general.sec mpd.sec 
	syslog-ng.txt 
Log Message:
- New upstream release
- SPEC file cleanup
- Init script cleanup
- Removed some examples because of licensing issues. Upstream has clarified
  and changed most of the license tags to GPLv2. Additionally, upstream
  will include the examples in the next release.
- Removed a provide statement since a period was in the name and no other
  package required that special name.



--- NEW FILE bsd-general.sec ---
# General log events, unix systems. From various sources
#
# Copyright (C) 2003-2009 Jim Brown
# This is free software. You may redistribute copies of it under the terms of 
# the GNU General Public License version 2.
# There is NO WARRANTY, to the extent permitted by law.
#
#   Bad su 
# ----------- 
#
type=Single
ptype=RegExp 
desc=$0 
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+su: BAD SU (\S+) to (\S+) on (\S+)
action=pipe '$2 failed SU to $3 on $1 at %t' /usr/bin/mail -s "USER: $2 Failed SU on $1" alerts at example.com

type=Single
ptype=RegExp
desc=$0
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+su: BAD SU (\S+) to (\S+) on (\S+)
action=pipe '$2 failed SU to $3 on $1 at %t' /usr/bin/mail -s "USER: $2 Failed SU on $1" alerts at example.com 


# MONITOR.conf - SEC rules to pick up disruptive monitoring
# events.
#
#Logs involving syslogd disabled or unusual promiscuous mode (MONITOR)
#----------------------------------------------------------------------
#Nov 15 20:02:48 foohost syslogd: exiting on signal 15
#Nov 22 02:00:02 foohost syslogd: restart
#Nov 11 15:58:55 foohost /kernel: de0: promiscuous mode enabled
#Nov 11 15:58:57 foohost /kernel: de0: promiscuous mode disabled
#

#
# Syslog Exit
# -----------
#
type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+syslogd: exiting on signal (\d+)
desc=$0
action=write - MONITOR: $1 syslog exit on signal $2 at %t

#
# Syslog Restart
# ---------------
#
type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+syslogd: restart
desc=$0
action=write - MONITOR: $1 syslog restart at %t

#
# Syslog Exit
# -----------
#
type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+/kernel: (\S+) promiscuous mode (\S+)
desc=$0
action=write - MONITOR: $1 $2 promiscuous mode $3 at %t


#
# sshd Problems
# --------------
#
type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+sshd\[\d+\]: (fatal|Bad)(.*)
desc=$0
action=write - USERACT: $1 sshd $2 problem, text: $3 at %t

#
# sshd Accepted
# --------------
#
type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+sshd\[\d+\]: Accepted (.*)
desc=$0
action=write - USERACT: $1 sshd accepted login, text: $2 at %t

#
# login FAILURES
# ---------------
#
#type=Single
#ptype=RegExp
#pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+login: (.*?FAILURE.)(.*?ON) (.*)
#desc=$0
#action=write - USERACT: $1 login $2 on $4 at %t


#SSH Auth failure on bsd 5
#type=Single
#ptype=RegExp
#pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+sshd\[\d+\]: error: PAM: authentication error for (/S+) from (/S+)
#desc=$0
#action=pipe 'SSHD: 1 $1 2 $2 3 $3 to 4 $4 on 5 $5 at %t' /usr/bin/mail -s "SSHD: $1 $2 $3 to $4 on $5 at %t' alerts at example.com

#
# su  bad
# -----------------
#
type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+su: (BAD SU) (\S+) to (\S+) on (\S+)
desc=$0
action=pipe 'USER: $1 SU: $2 $3 to $4 on $5 at %t' /usr/bin/mail -s "USERACT: $1 su: $2 $3 to $4 on $5 at %t' alerts at example.com

#Nov 10 19:40:03 foohost su: jpb to root on /dev/ttyp0
#Nov 18 09:37:38 foohost su: BAD SU jpb to root on /dev/ttyp3
#Nov 22 12:26:44 foohost su: BAD SU badboy to root on /dev/ttyp0
#
#
# su  good to root
# -----------------
#
type=Single
ptype=RegExp
pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+su: (\S+) to root on (\S+)
desc=$0
action=pipe 'USER: $1 GOOD SU: $2 $3 to $4 on $5 at %t' /usr/bin/mail -s "USERACT: $1 su: $2 $3 to $4 on $5 at %t' alerts at example.com  
#action=write - USERACT: $1 su: $2 to ROOT on $4  at %t

#
# Cabling Problem
# ----------------
#
type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+/kernel: (\S+)\s+(.*?:) cable problem
desc=$0
action=event 0 $1 PHYSMOD:ORANGE  cable problem on $2, text: $3 at %t



# USERACT - Events concerning user activities.
#
# Sample BSD logs involving logins, change of UID and privilege escalations.
#---------------------------------------------------------------------------
#Nov 14 12:14:58 foohost sshd[3388]: fatal: Timeout before authentication for 192.168.1.1
#Nov 14 19:58:34 foohost sshd[6597]: Bad protocol version identification '^B^S^D^Q^L' from 192.168.1.100
#Oct 18 06:16:53 foohost sshd[131]: Accepted keyboard-interactive/pam for foouser from 192.168.1.1 port 1077 ssh2
#Nov 15 04:02:24 foohost login: 1 LOGIN FAILURE ON ttyp2
#Nov 15 04:02:24 foohost login: 1 LOGIN FAILURE ON ttyp2, mysql
#Oct 18 03:20:46 foohost login: 2 LOGIN FAILURES ON ttyv0
#Oct 18 02:52:04 foohost login: ROOT LOGIN (root) ON ttyv1
#Oct 18 06:11:11 foohost login: login on ttyv0 as root
#Nov 10 19:40:03 foohost su: foouser to root on /dev/ttyp0
#Nov 18 09:37:38 foohost su: BAD SU foouser to root on /dev/ttyp3
#Nov 22 12:26:44 foohost su: BAD SU goodboy to root on /dev/ttyp0
#

#
# sshd Problems
# --------------
#
type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+sshd\[\d+\]: (fatal|Bad)(.*)
desc=$0
action=pipe 'USER: $1 su: $2 $3 to $4 on $5 at %t' /usr/bin/mail -s "USERACT: $1 su: $2 $3 to $4 on $5 at %t' alerts at example.com   
#action=event 0 $1 USERACT:YELLOW  sshd $2 problem, text: $3 at %t

#
# login FAILURES
# ---------------
# ORANGE
type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+(sshd|login): (.*?FAILURE.)(.*?ON) (.*)
desc=$0
action=pipe 'USER: $1: Login Failure $2 on $4 at %t' /usr/bin/mail -s "USER: $1 su: $2 $3 to $4 on $5 at %t' alerts at example.com   
#action=event 0 $1 USERACT:YELLOW  login $2 on $4 at %t


# NETWACT - SEC rules to pick up suspicious network events.
#
# Sample BSD logs involving odd or suspicious network activity.
#--------------------------------------------------------------
#Jun  3 17:46:24 foohost named[38298]: client 10.12.127.176#3714: request has invalid signature: tsig verify failure
#Apr 14 16:23:08 foohost /kernel: arp: 10.10.152.12 moved from 00:90:27:37:35:cf to 00:d0:59:aa:61:11 on de0
#Apr  1 11:23:39 sixshooter /kernel: Limiting closed port RST response from 368 to 200 packets per second


#
# named Dynamic DNS Update rejection
# ----------------------------------
#
type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+named\[\d+\]: client (\S+): request has invalid signature:(.*)
desc=$0
action=pipe 'NET: $1 dyndns attempt from $2' /usr/bin/mail -s "NET: $1 dyndns attempt from $2, text: $3 at %t" alerts at example.com

#
# MAC address moved
# -----------------
# ORANGE
type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+/kernel: arp: (\S+) moved from (\S+) to (\S+) on (\S+)
desc=$0
action=pipe 'NET: $1 arp moved on $2' /usr/bin/mail -s "NET: $1 arp moved on $2 from: $3 to $4 on $5 at %t" alerts at example.com

#
# DoS RST rate limit
# ------------------
#
type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+/kernel: Limiting closed port RST response from (\d+) to (\d+)
desc=$0
action=pipe 'NET: $1 RST limit enforced: $2 to $3 at %t' /usr/bin/mail =s "NET: $1 RST limit enforced: $2 to $3" alerts at example.com



# COMPROM - SEC rules to pick up potential system compromise events.
#
# Sample BSD logs involving potential system compromise.
#-------------------------------------------------------
#May 25 18:09:55 foohost ntpd[1325]: ntpd exiting on signal 11
#Jul 21 18:33:16 foohost /kernel: pid 55454 (ftpd), uid 1001: exited on signal 8
#Apr  9 12:57:06 foohost /kernel: pid 28039 (telnet), uid 0: exited on signal 3 (core dumped)

#
# ntpd crash
# ------------------
#
type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+ntpd\[\d+\]: ntpd exiting on signal (\d+)
desc=$0
action=pipe 'CRASH: $1 ntpd crashed on signal $2 at %t' /usr/bin/mail -s "CRASH: $1 ntpd crashed" alerts at example.com

#
# Process crash
# ------------------
#
type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+/kernel: pid \d+ \(\S+\), uid (\d+): exited on signal (\d+)
desc=$0
action=pipe 'CRASH: $1 $2 crashed on signal $4, uid $3 at %t' /usr/bin/mail -s "CRASH: $1 $2 crashed" alerts at example.com



# PROCESS - SEC rules to pick up suspicious process events.
#
# Sample BSD logs involving unusual processes.
#---------------------------------------------
#Mar 23 08:05:52 foohost thttpd[126]: thttpd/2.25b 29dec2003 starting on port 8090

#
# Suspicious processes
# --------------------
#
type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+(thttpd)\[(\d+)\]:(.*) 
desc=$0
action=pipe 'SUSPROC: $1 suspicious process  $2 pid $3, text: $4 at %t' /usr/bin/mail -s "SUSPROC: $1 suspicious process  $2" alerts at example.com



# SHUTRST - SEC rules to pick up system shutdown, restart events.
#
# Sample BSD logs involving system shutdown and reset.
#-----------------------------------------------------
#Mar  6 16:28:13 foohost reboot: rebooted by foouser 
#Jul 15 17:35:49 foohost halt: halted by root
#Mar  6 16:29:17 foohost /kernel: Copyright (c) 1992-2003 The FreeBSD Project.

#
# Reboot message
# --------------
#
type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+reboot: rebooted by (\S+)
desc=$0
action=pipe 'REBOOT: $1 rebooted by $2' /usr/bin/mail -s "REBOOT: $1 rebooted by $2" alerts at example.com

#
# Halt message
# --------------
#
type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+halt: halted by (\S+)
desc=$0
action=pipe 'HALT: $1 halted by $2' /usr/bin/mail -s "HALT: $1 halted by $2" alerts at example.com

#
# Restart message
# --------------
#
type=Single
ptype=RegExp
pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+/kernel: Copyright \(c\) (\S+) The FreeBSD Project
desc=$0
action=pipe 'RESTART: $1 restart message at %t' /usr/bin/mail -s "RESTART: $1 restart message" alerts at example.com
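Review bot: Several `pipe` actions in this file open the `mail -s` subject with a double quote and close it with a single quote — the commented bsd-5 SSH rule, `su bad`, `su good to root`, and the USERACT `sshd Problems` and `login FAILURES` rules all end in `... at %t' alerts at example.com` — so the shell sees an unterminated string and the command either fails or swallows the recipient, and the `DoS RST rate limit` rule has the related typo `/usr/bin/mail =s`, which should be `-s`. The su-style message pasted into `su good to root` and `sshd Problems` reads `$4` and `$5` that those three-group patterns never set, and the `Process crash` pattern captures uid and signal but not the process name while its action reports `$2` as the process and `$4` as the signal; `pattern=^\S+\s+\d+\s+\S+\s+(\S+)\s+/kernel: pid \d+ \((\S+)\), uid (\d+): exited on signal (\d+)` makes the numbering match. The `Bad su` rule is also present twice verbatim at the top of the file, so one failed su produces two mails. Separately, every subject of the form `-s "... $2 ..."` places a log-derived capture (a username or hostname matched by `\S+`) on a shell command line, where it is interpreted by the shell rather than by SEC; keeping captures only in the single-quoted first argument of `pipe` (which SEC writes to stdin) and giving the subject fixed text, or narrowing those captures to `[\w.-]+`, removes that exposure.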



--- NEW FILE bsd-mpd.sec ---
#############################################################################
# BSD mpd events
#
# Copyright (C) 2003-2009 Matt Jonkman
# This is free software. You may redistribute copies of it under the terms of 
# the GNU General Public License version 2.
# There is NO WARRANTY, to the extent permitted by law.
#############################################################################

type=single
desc = mpd connection start
ptype=regexp
pattern=([A-z._0-9-]*) mpd: PPTP connection from (\d+\.\d+\.\d+\.\d+):\d+
action=add GENERAL_REPORT MPD Start from $2 on $1

type=single
ptype=regexp
pattern=([A-z._0-9-]*) mpd:  Name: (.*)
desc = mpd user auth
action=add GENERAL_REPORT MPD User $2 Auth on $1

type=Single
ptype=RegExp
pattern=([A-z._0-9-]*) mpd: pptp\d: killing connection with (\d+\.\d+\.\d+\.\d+):\d+
desc=mpd connection end
action=add GENERAL_REPORT MPD Connection end from $2 on $1
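Review bot: The host capture `([A-z._0-9-]*)` used by all three patterns relies on the range `A-z`, which in ASCII also covers `[`, `\`, `]`, `^`, `` ` `` and `_`, and the `*` lets it match an empty host; `([A-Za-z._0-9-]+)` is what the rules appear to intend. Nothing in this file creates, reports or deletes the `GENERAL_REPORT` context that the three `add` actions feed; if no other ruleset in the package consumes it, its event store grows without bound, so a header comment naming the ruleset that is expected to report it would help the next reader.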


--- NEW FILE cisco-syslog.sec ---
#############################################################################
# SEC rules for processing Cisco syslog messages
#
# Copyright (C) 2008-2009 Omer Ben-Shalom, Risto Vaarandi
# This is free software. You may redistribute copies of it under the terms of 
# the GNU General Public License version 2.
# There is NO WARRANTY, to the extent permitted by law.
#############################################################################

# ----- Process system configuration events -----

# System configuration events
# suppressed because we don't care about it
#
type=suppress
ptype=substr
pattern=%SYS-5-CONFIG_I:
desc=device configuration

# System configuration sync to standby router
# suppressed because we don't care about it
#
type=suppress
ptype=substr
pattern=%PFINIT-SP-5-CONFIG_SYNC:
desc=config sync

# ----- Process reload and restart events -----

# Looks for a reload 
# 
type=single
continue=takeNext
ptype=regexp
pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%SYS-5-RELOAD: (.*)
desc=(WARNING) reload requested for $1
action=pipe '%s details:$2' mail -s 'cisco event' root at example.com

# Looks for a reload followed by a restart event
# 
type=pairWithWindow
ptype=regexp
pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%SYS-5-RELOAD:
desc=(CRITICAL) $1 RELOAD_PROBLEM
action=pipe '%s' mail -s 'cisco event' root at example.com
ptype2=regexp
pattern2=($1).*?%SYS-5-RESTART:
desc2=(NOTICE) $1 RELOAD_OK
action2=pipe '%s' mail -s 'cisco event' root at example.com
window=300

# Looks for a restart without reload command
# 
type=single
ptype=regexp
pattern=(\S+) \d+:.*?%SYS-5-RESTART:
desc=(CRITICAL) $1 restart without reload command
action=pipe '%s' mail -s 'cisco event' root at example.com

# ----- process SNMP authentication failure events -----

# this rule handles the SNMP authentication failures
# only one notification is sent for each source that is doing this per day
#
type=singleWithSuppress
ptype=regexp
pattern=(\S+) \d+:.*?%SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host (\S+)
desc=(WARNING) Auth fail coming from $2
action=pipe '%s' mail -s 'cisco event' root at example.com
window=86400

# ----- process OSPF neighbor change events -----

# This rule handles OSPF neighbor changes
#
type=single
ptype=regexp
pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%OSPF-5-ADJCHG:.*?Nbr (\S+) on (\S+) from (\S+) to (\S+), (.*)
desc=(MINOR) OSPF adjacency change: Router $1 reports that the neighbor on $3 ($2) changed from state $4 to state $5 detail:$6
action=event %s; pipe '%s' mail -s 'cisco event' root at example.com

# This rule escalates to CRITICAL if there are more than 5 neighbor changes 
# in 5 seconds
# 
type=SingleWithThreshold
ptype=substr
pattern=(MINOR) OSPF adjacency change
desc=(CRITICAL) More than 5 OSPF neighbor changes in 5 seconds
action=pipe '%s' mail -s 'cisco event' root at example.com
thresh=5
window=5

# ----- process HSRP events -----

# This rule assembles together all HSRP events
# 
type=single
ptype=regexp
pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%STANDBY-6-STATECHANGE: (\S+).*?state (\S+) -> (\S+)
desc=HSRP change for $1 interface $2 - changed from $3 to $4
action=add HSRP_$1 %t: %s; set HSRP_$1 5 (report HSRP_$1 mail -s 'cisco events' root at example.com)

# ----- process duplex mismatch events -----

# this rule handles the duplex mismatch event
# only one notification is sent for each port that has duplex mismatch 
# reported per day
#
type=singleWithSuppress
ptype=regexp
pattern=(\S+) \d+:.*?%CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on (not \S+) \((.*?)\), with (\S+) (\S+) \((.*?)\)
desc=(WARNING) Duplex mismatch between $1 port $2 ($3), other side is $4 port $5 ($6)
action=pipe '%s' mail -s 'cisco event' root at example.com
window=86400

# ----- process link down and link up events -----

# This rule deals with link down events
# 
type=PairWithWindow
ptype=RegExp
pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%LINK-3-UPDOWN: Interface (\S+), changed state to down
desc=(MINOR) $1 INTERFACE $2 DOWN and not up in one minute
action=pipe '%s' mail -s 'cisco event' root at example.com
ptype2=RegExp
pattern2=($1)\s+\d+:.*?%LINK-3-UPDOWN: Interface ($2), changed state to up
desc2=(WARNING) %1 INTERFACE %2 BOUNCE
action2=event %s
window=60

# when the first bounce event is seen, create a reporting trigger 
#
type=Single
continue=TakeNext
ptype=regexp
pattern=(\S+) INTERFACE \S+ BOUNCE
context=!INTERFACE_BOUNCE_WAIT_$1
desc=interface bounce summary event for router $1
action=create INTERFACE_BOUNCE_WAIT_$1 10 (report INTERFACE_BOUNCE_$1 mail -s 'cisco events' root at example.com; delete INTERFACE_BOUNCE_$1)

# accumulate all interface bounce events into a context
#
type=Single
ptype=regexp
pattern=(\S+) INTERFACE (\S+) BOUNCE
desc=interface bounce for router $1 interface $2 detected
action=add INTERFACE_BOUNCE_$1 %t: %s

# ----- process line protocol down and line protocol up events -----

# This rule deals with protocol up/down events
#
type=PairWithWindow
ptype=RegExp
pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%LINEPROTO-5-UPDOWN: Line protocol on Interface (\S+), changed state to down
desc=(MINOR) $1 INTERFACE $2 line protocol DOWN and not up in one minute
action=pipe '%s' mail -s 'cisco event' root at example.com
ptype2=RegExp
pattern2=($1)\s+\d+:.*?%LINEPROTO-5-UPDOWN: Line protocol on Interface ($2), changed state to up
desc2=(WARNING) %1 INTERFACE %2 line protocol BOUNCE
action2=event %s
window=60

# when the first bounce event is seen, create a reporting trigger 
#
type=Single
continue=TakeNext
ptype=regexp
pattern=(\S+) INTERFACE \S+ line protocol BOUNCE
context=!LINE_PROTOCOL_BOUNCE_WAIT_$1
desc=line protocol bounce for router $1
action=create LINE_PROTOCOL_BOUNCE_WAIT_$1 10 (report LINE_PROTOCOL_BOUNCE_$1 mail -s 'cisco events' root at example.com; delete LINE_PROTOCOL_BOUNCE_$1)

# accumulate all line protocol bounce events into a context
#
type=Single
ptype=regexp
pattern=(\S+) INTERFACE (\S+) line protocol BOUNCE
desc=line protocol bounce for router $1 interface $2 detected
action=add LINE_PROTOCOL_BOUNCE_$1 %t: %s

# ----- process late collision events -----

# Late collision alerts 
# 
type=SingleWithThreshold
ptype=RegExp
pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%PM_SCP-SP-4-LCP_FW_ABLC: Late collision message from module (\d+), port:(\d+)
desc=(MINOR) Multiple late collision events on $1 module $2 port $3
action=pipe '%s' mail -s 'cisco event' root at example.com
window=3600
thresh=5

# ----- process host flap events -----

# host flapping on single vlan 
# 
type=SingleWithThreshold
continue=TakeNext
ptype=RegExp
pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%C4K_EBM-4-HOSTFLAPPING: Host (\S+) in vlan (\S+) is flapping between port (\S+) and port (\S+)
desc=(MINOR) multiple hosts flapping between ports $4 and $5 in $1 vlan $3
action=pipe '%s' mail -s 'cisco event' root at example.com
window=300
thresh=5

# host flapping on multiple vlans 
# 
type=SingleWithThreshold
continue=TakeNext
ptype=RegExp
pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%C4K_EBM-4-HOSTFLAPPING: Host (\S+) in vlan (\S+) is flapping between port (\S+) and port (\S+)
desc=(MINOR) multiple hosts are flapping between ports $4 and $5 in $1 (potentially on multiple VLANs)
action=pipe '%s' mail -s 'cisco event' root at example.com
window=300
thresh=20

# ----- process misc hw events -----

# %FILESYS-SP-STDBY-5-DEV:# flash disk removal
#
type=single
ptype=regexp
pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%FILESYS-SP-STDBY-5-DEV:.*?PCMCIA flash card removed from (\S+)
desc=(WARNING) Flash card removed from $1 $2
action=pipe '%s' mail -s 'cisco event' root at example.com

# %OIR-SP-STDBY-6-CONSOLE
#
type=suppress
ptype=substr
pattern=%OIR-SP-STDBY-6-CONSOLE
desc=console access to route processor changed

# %OIR-SP-6-INSCARD:  - card inserted 
#
type=single
ptype=regexp
pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%OIR-SP-6-INSCARD: Card inserted in slot (\d+), (.*)
desc=(HARMLESS) card inserted in $1 slot $2 status:$3
action=pipe '%s' mail -s 'cisco event' root at example.com 

# ----- process module events -----

# %DIAG-SP-3-TEST_FAIL - diagnostics failed on a module
#
type=single
ptype=regexp
pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%DIAG-SP-3-TEST_FAIL: Module (\d+): (.*)
desc=(WARNING) diagnostics failed for $1 module $2 detail:$3
action=pipe '%s' mail -s 'cisco event' root at example.com

# %SNMP-5-MODULETRAP
# Looks for a module down followed by module up event
# 
type=pairWithWindow
ptype=regexp
pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%SNMP-5-MODULETRAP: Module (\d+) [Down] Trap
desc=(MINOR) $1 Module DOWN (not back up in a minute)
action=pipe '%s' mail -s 'cisco event' root at example.com
ptype2=regexp
pattern2=($1) .*? %SNMP-5-MODULETRAP: Module ($2) [Up] Trap
desc2=(WARNING) $1 Module $2 BOUNCE (down and back up within a minute)
action2=pipe '%s' mail -s 'cisco event' root at example.com
window=60

# ----- process irrelevant events (by suppressing) -----

# %SYS-SP-STDBY-5-RESTART - system restarted part of the boot - interesting?
# 
type=suppress
ptype=substr
pattern=SYS-SP-STDBY-5-RESTART
desc=system restarted

# %DIAG-SP-6-TEST_RUNNING - Running system test
# 
type=suppress
ptype=substr
pattern=%DIAG-SP-6-TEST_RUNNING
desc=running diagnostics on a module

# %FABRIC-SP-5-FABRIC_MODULE_BACKUP - module changed to backup state
# 
type=suppress
ptype=substr
pattern=%FABRIC-SP-5-FABRIC_MODULE_BACKUP
desc=module became backup

# %DIAG-SP-6-RUN_MINIMUM - diagnostics are run
# 
type=suppress
ptype=substr
pattern=%DIAG-SP-6-RUN_MINIMUM
desc=diagnostics running on switch

# %DIAG-SP-6-DIAG_OK - diagnostics results are OK
# 
type=suppress
ptype=substr
pattern=%DIAG-SP-6-DIAG_OK
desc=diagnostics results are OK

# %PFREDUN-SP-STDBY-6-STANDBY - SSO events
# 
type=suppress
ptype=substr
pattern=%PFREDUN-SP-STDBY-6-STANDBY
desc=SSO event (startup)

# %PFREDUN-SP-STDBY-6-STANDBY - SSO events
# 
type=suppress
ptype=substr
pattern=%PFREDUN-SP-6-ACTIVE
desc=SSO event (startup)

# %FABRIC-SP-5-FABRIC_MODULE_BACKUP: - secondary sup is up and is secondary
# 
type=suppress
ptype=substr
pattern=%FABRIC-SP-5-FABRIC_MODULE_BACKUP:
desc=secondary sup is up and is secondary

# %PFINIT-SP-5-CONFIG_SYNC - startup config on standby router sync
# 
type=suppress
ptype=substr
pattern=%PFINIT-SP-5-CONFIG_SYNC
desc=startup config on standby router sync

# %C4K_REDUNDANCY - Cayt 4K configuration/vlan database succesful sync
# the success match is to allow fails in sync to not be suppress
# 
type=suppress
ptype=regexp
pattern=%C4K_REDUNDANCY.*?success
desc=config sync with standby supervisor

# %SCP-SP-5-ASYNC_WATERMARK: SCP long queue wait
# the success match is to allow fails in sync to not be suppress
# 
type=suppress
ptype=substr
pattern=%SCP-SP-5-ASYNC_WATERMARK:
desc=SCP control protocol pending queue is longer than notification threshold

# %MLS_RATE-4-DISABLING: - Layer2 Rate Limiters have been disabled. Is this interesting?
#
type=suppress
ptype=substr
pattern=%MLS_RATE-4-DISABLING:
desc=Layer2 Rate Limiters have been disabled

# ----- process native VLAN mismatch events -----

# %CDP-4-NATIVE_VLAN_MISMATCH: - native VLAN mismatch between switches, will repeat every minute until fixed
#
type=singleWithSuppress
ptype=regexp
pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on (\S+) \((\d+)\), with (\S+) (\S+) \((\d+)\)
desc=(MINOR) A native VLAN mistmatch reported between $1 interface $2 (native VLAN $3) and host $4 interface $5 (native VLAN $6)
action=pipe '%s' mail -s 'cisco event' root at example.com
window=60

# ----- process snmp trapblock messages -----

# %SNMP-3-TRAPBLOCK - A process tried to create a trap it is not entitled to create
# See Cisco http://www.cisco.com/cgi-bin/Support/Errordecoder/index.cgi?action=search&counter=0&paging=5&query=SNMP-3-TRAPBLOCK
# 
type=suppress
ptype=substr
pattern=%SNMP-3-TRAPBLOCK
desc=a process tried to create a trap it is not entitled to create

# ----- process chassis alarm events -----

# %SNMP-5-CHASSISALARM - this rule handles the tmpAlarm
#
type=pairWithWindow
continue=takeNext
ptype=regexp
pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%SNMP-5-CHASSISALARM: Chassis Alarm Trap: tmpAlarm\(ON\)
desc=(MINOR) $1 temprature alarm signaled and not cleared in five minutes
action=pipe '%s' mail -s 'cisco event' root at example.com
continue2=takeNext
ptype2=regexp
pattern2=\d+:\d+:\d+.*?($1)\s+\d+:.*%SNMP-5-CHASSISALARM: Chassis Alarm Trap: tmpAlarm\(OFF\)
desc2=(WARNING) $1 temprature alarm went on and was cleared in under five minutes
action2=pipe '%s' mail -s 'cisco event' root at example.com
window=300

# %SNMP-5-CHASSISALARM - this rule handles the minorAlarm
#
type=pairWithWindow
continue=takeNext
ptype=regexp
pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%SNMP-5-CHASSISALARM: Chassis Alarm Trap: .*? minorAlarm\(ON\)
desc=(MINOR) $1 minor alarm reported and not cleared in three minutes
action=pipe '%s' mail -s 'cisco event' root at example.com
continue2=takeNext
desc2=(WARNING) $1 minor alarm went on and was cleared in under three minutes
ptype2=regexp
pattern2=\d+:\d+:\d+.*?($1)\s+\d+:.*?%SNMP-5-CHASSISALARM: Chassis Alarm Trap: .*? minorAlarm\(OFF\)
action2=pipe '%s' mail -s 'cisco event' root at example.com
window=180	

# %SNMP-5-CHASSISALARM - this rule handles the majorAlarm
#
type=pairWithWindow
ptype=regexp
pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%SNMP-5-CHASSISALARM: Chassis Alarm Trap: .*? majorAlarm\(ON\)
desc=(MINOR) $1 major alarm signaled and not cleared in two minutes
action=pipe '%s' mail -s 'cisco event' root at example.com
ptype2=regexp
pattern2=\d+:\d+:\d+.*?($1)\s+\d+:.*?%SNMP-5-CHASSISALARM: Chassis Alarm Trap: .*? majorAlarm\(OFF\)
desc2=(WARNING) $1 major alarm went on and was cleared in under two minutes
action2=pipe '%s' mail -s 'cisco event' root at example.com
window=120

# ----- process power supply related events -----

# %C4K_IOSMODPORTMAN events - this one is about power supplies only 
#
type=pairWithWindow
ptype=regexp
pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%C4K_IOSMODPORTMAN-4-POWERSUPPLYBAD: Power Supply (\d+) has failed or been turned off
desc=(MINOR) $1 power supply $2 reported bad and event not cleared in two minutes
action=pipe '%s' mail -s 'cisco event' root at example.com
ptype2=regexp
pattern2=($1) .*? %C4K_IOSMODPORTMAN-6-POWERSUPPLYGOOD: Power Supply ($2) is Okay
desc2=(WARNING) $1 power supply $2 alarm went on and was cleared in under two minutes
action2=pipe '%s' mail -s 'cisco event' root at example.com
window=120

# ----- process neighbor down and neighbor up events -----

# %DVMRP-5-NBRDOWN
#
type=pairWithWindow
ptype=regexp
pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%DVMRP-5-NBRDOWN: Neighbor (\S+) went down on (\S+)
desc=(MINOR) $1 lost DVMRP neighbor $2 on interface $3 and it did not come up in two minutes
action=pipe '%s' mail -s 'cisco event' root at example.com
ptype2=regexp
pattern2=($1) .*? %DVMRP-5-NBRUP: Neighbor ($2) is up on ($3)
desc2=(WARNING) $1 lost DVMRP neighbor $2 on interface $3 but id come up within two minutes
action2=pipe '%s' mail -s 'cisco event' root at example.com
window=120

# ----- process fan power supply failure/ok events -----

# %C6KENV-SP-4-PSFANF events - this one is about fan failures
#
type=pairWithWindow
ptype=regexp
pattern=\d+:\d+:\d+.*?(\S+)\s+\d+:.*?%C6KENV-SP-4-PSFANFAILED: the fan in power supply (\d+) has failed
desc=(MINOR) $1 fan in power supply $2 was reported bad and event not cleared in two minutes
action=pipe '%s' mail -s 'cisco event' root at example.com
ptype2=regexp
pattern2=($1) .*? %C6KENV-SP-4-PSFANOK: the fan in power supply (\d+) is OK
desc2=(WARNING) $1 fan in power supply $2 alarm went on and was cleared in under two minutes
action2=pipe '%s' mail -s 'cisco event' root at example.com
window=120

# ----- process events that have not been matched by any of above rules -----

# Default match
# this rule will match anything not previously matched but allows only 
# one notification per day for each new event class seen
#
type=singleWithSuppress
ptype=regexp
pattern=(%.*?:)
desc=$1
action=pipe '$0' mail -s 'cisco event' root at example.com
window=86400
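Review bot: In the `%SNMP-5-MODULETRAP` pair rule, `[Down]` in `pattern=` and `[Up]` in `pattern2=` are regex character classes matching a single letter, not the literal bracketed words, so if the trap text really reads `Module 3 [Down] Trap` neither side can match; escape them as `Module (\d+) \[Down\] Trap` and `Module ($2) \[Up\] Trap`. The duplex-mismatch pattern `discovered on (not \S+) \((.*?)\)` also looks like a slip, since the interface name follows `on` and the `not ... duplex` text belongs in the parenthesised group, so the first group should presumably be `(\S+)`; confirm against a real `%CDP-4-DUPLEX_MISMATCH` line before changing it. The `SYS-SP-STDBY-5-RESTART` suppress rule is the only one whose substr pattern omits the leading `%`, which is harmless but inconsistent with its neighbours, and the `window=180` line of the minorAlarm rule carries a trailing tab that is worth removing in case the value parser does not trim it.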


--- NEW FILE import.log ---
sec-2_5_2-1_fc11:F-12:sec-2.5.2-1.fc11.src.rpm:1254556293


--- NEW FILE pix-general.sec ---
####################################################################
#                SEC ruleset for Cisco PIX 6.x, 7.x, FWSM 2.x
#
# Copyright (C) 2003-2009 Colin Hudler
# This is free software. You may redistribute copies of it under the terms of 
# the GNU General Public License version 2.
# There is NO WARRANTY, to the extent permitted by law.
####################################################################

# Process various events from PIX syslog output
# 
# TODO -- A few FWSM log lines will not match.

# Setup our variables -- not the right way to do this?  Needs tweaking for your log lines
type=Single
ptype=RegExp
pattern=^(.* [0-9].:[0-9].:[0-9].) (.*)\.yourdomain\.edu.*?%(PIX|FWSM)-[0-9]-.*?:(.*)
desc=PIXLOG $2^ $1 $4
action=event %s

# 106001
type=SingleWithThreshold
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Inbound TCP connection denied from (\d+.\d+.\d+.\d+\/\d+) to (\d+.\d+.\d+.\d+\/\d+).*
desc=PIX $1 TCP connection denid HAMMER $2 to $3
action=create ham1_$1; add ham1_$1 %t; add ham1_$1 %s;add ham1_$1 %s; add ham1_$1 $0; report ham1_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete ham1_$1
window=10
thresh=6

# 106006
type=SingleWithThreshold
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Connection denied by outbound list.*src (\d+.\d+.\d+.\d+) dest (\d+.\d+.\d+.\d+)
desc=PIX $1 denied by list HAMMER $2 to $3
action=create ham2_$1; add ham2_$1 %t; add ham2_$1 %s; add ham2_$1 $0; report ham2_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete ham2_$1
window=10
thresh=6

# 106007
type=SingleWithThreshold
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Deny inbound UDP from (\d+.\d+.\d+.\d+) to (\d+.\d+.\d+.\d+) due to DNS.*
desc=PIX $1 Denied inbound UDP HAMMER $2 to $3
action=create ham3_$1; add ham3_$1 %t; add ham3_$1 %s; add ham3_$1 $0; report ham3_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete ham3_$1
window=10
thresh=6

# 106010
type=SingleWithThreshold
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Deny inbound.*src.*:(\d+.\d+.\d+.\d+\/\d+) dst.*:(\d+.\d+.\d+.\d+\/\d+).*
desc=PIX $1 Denied inbound HAMMER $2 to $3
action=create ham4_$1; add ham4_$1 %t; add ham4_$1 %s; add ham4_$1 $0; report ham4_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete ham4_$1
window=10
thresh=6

# 106012
type=SingleWithThreshold
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Deny IP from (\d+.\d+.\d+.\d+) to (\d+.\d+.\d+.\d+), IP options.*
desc=PIX $1 Denied IP Options HAMMER $2 to $3
action=create ham5_$1; add ham5_$1 %t; add ham5_$1 %s; add ham5_$1 $0; report ham5_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete ham5_$1
window=10
thresh=6

# 106013
type=SingleWithThreshold
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Dropping echo request from (\d+.\d+.\d+.\d+) to PAT address 
desc=PIX $1 Echo HAMMER $2 to PAT Address
action=create ham6_$1; add ham6_$1 %t; add ham6_$1 %s; add ham6_$1 $0; report ham7_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete ham8_$1
window=10
thresh=6

# 106014
type=SingleWithThreshold
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Deny inbound icmp src.*: (\d+.\d+.\d+.\d+) dst.*: (\d+.\d+.\d+.\d+)
desc=PIX $1 Deny inbound ICMP HAMMER $2 to $3
action=create ham9_$1; add ham9_$1 %t; add ham9_$1 %s; add ham9_$1 $0; report ham9_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete ham9_$1
window=10
thresh=6

# 106015
type=SingleWithThreshold
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Deny.*\(no connection\) from (\d+.\d+.\d+.\d+\/\d+) to (\d+.\d+.\d+.\d+\/\d+)
desc=PIX $1 Deny (no connection) HAMMER $2 to $3
action=create ham10_$1; add ham10_$1 %t; add ham10_$1 %s; add ham10_$1 $0; report ham10_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete ham10_$1
window=10
thresh=30

# 106016,106017,106020,106021,106022 is further down this list...

# 106018
type=SingleWithThreshold
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*ICMP packet type.*denied by outbound list.*src (\d+.\d+.\d+.\d+) dest (\d+.\d+.\d+.\d+)
desc=PIX $1 Deny ICMP type HAMMER $2 to $3
action=create ham11_$1; add ham11_$1 %t; add ham11_$1 %s; add ham11_$1 $0; report ham11_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete ham11_$1
window=10
thresh=6

# 106023
#Deny udp src outside:128.135.93.11/137 dst inside:128.135.211.65/137 by access-group "inward"
type=SingleWithThreshold
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Deny.*src.*:(\d+.\d+.\d+.\d+\/\d+) dst.*:(\d+.\d+.\d+.\d+\/\d+) by .*
desc=PIX $1 Deny by ACL HAMMER $2 to $3
action=create ham12_$1; add ham12_$1 %t; add ham12_$1 %s; add ham12_$1 $0; report ham12_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete ham12_$1
window=10
thresh=32

# This is broken... still fix? TODO
# 106001 -- Report
#type=SingleWithThreshold
#continue=takenext
#ptype=RegExp
#pattern=^PIXLOG (\S+)\^ .*(Inbound TCP connection denied from (\d+.\d+.\d+.\d+\/\d+) to (\d+.\d+.\d+.\d+\/\d+).*)|\
#(Connection denied by outbound list.*src (\d+.\d+.\d+.\d+) dest (\d+.\d+.\d+.\d+))|\
#(Deny inbound UDP from (\d+.\d+.\d+.\d+) to (\d+.\d+.\d+.\d+) due to DNS)|\
#(Deny inbound.*src.*:(\d+.\d+.\d+.\d+\/\d+) dst.*:(\d+.\d+.\d+.\d+\/\d+))|\
#(Deny IP from (\d+.\d+.\d+.\d+) to (\d+.\d+.\d+.\d+), IP options)|\
#(Dropping echo request from (\d+.\d+.\d+.\d+) to PAT address)|\
#(Deny inbound icmp src.*: (\d+.\d+.\d+.\d+) dst.*: (\d+.\d+.\d+.\d+))|\
#(Deny.*\(no connection\) from (\d+.\d+.\d+.\d+\/\d+) to (\d+.\d+.\d+.\d+\/\d+))|\
#(ICMP packet type.*denied by outbound list.*src (\d+.\d+.\d+.\d+) dest (\d+.\d+.\d+.\d+))|\
#(Deny.*src.*:(\d+.\d+.\d+.\d+\/\d+) dst.*:(\d+.\d+.\d+.\d+\/\d+) by )
#desc=PIX Conn Denied 10 times from $2
#action=create rpt_$1; add rpt_$1 %t; add rpt_$1 %s;add rpt_$1 %s; add rpt_$1 $0; report rpt_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete rpt_$1
#window=10
#thresh=30

# 101002
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Bad failover cable.
desc=PIX $1 Bad Failover Cable
action=create bfc_$1; add bfc_$1 %t; add bfc_$1 %s; add bfc_$1 $0; report bfc_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete bfc_$1

# 101003/4
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Failover cable not connected
desc=PIX $1 Failover cable gone
action=create nfc_$1; add nfc_$1 %t; add nfc_$1 %s; add nfc_$1 $0; report nfc_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete nfc_$1

# 101005
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Error reading failover cable status
desc=PIX $1 Failover cable ERROR
action=create fce_$1; add fce_$1 %t; add fce_$1 %s; add fce_$1 $0; report fce_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete fce_$1

# 102001
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Power failure/System reload
desc=PIX $1 Peer Lost Power
action=create fpp_$1; add fpp_$1 %t; add fpp_$1 %s; add fpp_$1 $0; report fpp_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete fpp_$1

# 103001
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*No response from other firewall
desc=PIX $1 Peer Gone Away
action=create fnp_$1; add fnp_$1 %t; add fnp_$1 %s; add fnp_$1 $0; report fnp_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete fnp_$1

# 103003
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Other firewall network interface (\S+) failed
desc=PIX $1 Peer interface $2 died
action=create fpi_$1; add fpi_$1 %t; add fpi_$1 %s; add fpi_$1 $0; report fpi_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete fpi_$1

# 103004
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Other firewall reports this firewall failed
desc=PIX $1 Peer says I failed
action=create fif_$1; add fif_$1 %t; add fif_$1 %s; add fif_$1 $0; report fif_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete fif_$1

# 103005
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Other firewall reporting failure
desc=PIX $1 Peer reports failure
action=create fpf_$1; add fpf_$1 %t; add fpf_$1 %s; add fpf_$1 $0; report fpf_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete fpf_$1

# 104001
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*(Primary|Secondary) Switching to ACTIVE \(cause: (.*)\)
desc=PIX $1 FAILOVER! Becoming ACTIVE because $2
action=create fba_$1; add fba_$1 %t; add fba_$1 %s; add fba_$1 $0; report fba_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete fba_$1

# 104002
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*(Primary|Secondary) Switching to STNDBY \(cause: (.*)\)
desc=PIX $1 FAILOVER! Becoming STNDBY because $2
action=create fbs_$1; add fbs_$1 %t; add fbs_$1 %s; add fsb_$1 $0; report fbs_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete fbs_$1

# 104003
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Switching to FAILED
desc=PIX $1 IN FAILED STATE!
action=create ffs_$1; add ffs_$1 %t; add ffs_$1 %s; add ffs_$1 $0; report ffs_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete ffs_$1

# 104004
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Switching to OK.
desc=PIX $1 Failed Unit is ok
action=create ffs_$1; add ffs_$1 %t; add ffs_$1 %s; add ffs_$1 $0; report ffs_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete ffs_$1

# 105005
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Lost Failover communications with mate on interface
desc=PIX $1 Peer Gone Away
action=create fnp_$1; add fnp_$1 %t; add fnp_$1 %s; add fnp_$1 $0; report fnp_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete fnp_$1

# 105007
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Link status \'Down\' on interface (\S+).*
desc=PIX $1 interface $2 is DOWN
action=create ind_$1; add ind_$1 %t; add ind_$1 %s; add ind_$1 $0; report ind_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete ind_$1

# 105011
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Failover cable communication failure
desc=PIX $1 Failver cable failed
action=create fcf_$1; add fcf_$1 %t; add fcf_$1 %s; add fcf_$1 $0; report fcf_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete fcf_$1

# 105021
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Standby unit failed to sync due to a locked (\S+) config. Lock held by (\S+)
desc=PIX $1 Failover Sync failed because $2 is locked by $3
action=create lck_$1; add fcf_$1 %t; add fcf_$1 %s; add lck_$1 $0; report lck_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete lck_$1

# 10532
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*LAN Failover interface is down
desc=PIX $1 Failover interface is down
action=create fin_$1; add fin_$1 %t; add fin_$1 %s; add fin_$1 $0; report fin_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete fin_$1

# 10535
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Receive a LAN failover interface down msg from peer.
desc=PIX $1 Failover Peer reports LAN interface down
action=create fin_$1; add fin_$1 %t; add fin_$1 %s; add fin_$1 $0; report fin_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete fin_$1

# 10536
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*dropped a LAN Failover command message.
desc=PIX $1 Failover Dropped a LAN packet
action=create fdr_$1; add fdr_$1 %t; add fdr_$1 %s; add fdr_$1 $0; report fdr_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete fdr_$1

# 10537
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*The primary and standby units are switching back 
desc=PIX $1 Failover: primary and standby units are switching back
action=create fsw_$1; add fsw_$1 %t; add fsw_$1 %s; add fsw_$1 $0; report fsw_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete fsw_$1

# 10543
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Failover interface failed
desc=PIX $1 Failover LAN Interface is down!
action=create fin_$1; add fin_$1 %t; add fin_$1 %s; add fin_$1 $0; report fin_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete fin_$1

# messages from 106001 moved to top

# 106011
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Deny inbound (No xlate).*
desc=PIX $1 Same-Side Traffic Attack
action=create sst_$1; add sst_$1 %t; add sst_$1 %s; add sst_$1 $0; report sst_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete sst_$1

# 106016
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Deny IP spoof from (\d+.\d+.\d+.\d+) to (\d+.\d+.\d+.\d+) on interface 
desc=PIX $1 IP Spoof from $2 to $3
action=create spf_$1; add spf_$1 %t; add spf_$1 %s; add spf_$1 $0; report spf_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete spf_$1

# 106017
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Deny IP due to Land Attack from (\d+.\d+.\d+.\d+) to (\d+.\d+.\d+.\d+)
desc=PIX $1 IP LAND Attack
action=create lnd_$1; add lnd_$1 %t; add lnd_$1 %s; add lnd_$1 $0; report lnd_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete lnd_$1

# 106020
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Deny IP teardrop fragment.*from (\d+.\d+.\d+.\d+) to (\d+.\d+.\d+.\d+)
desc=PIX $1 Teardrop Attack
action=create tdr_$1; add tdr_$1 %t; add tdr_$1 %s; add tdr_$1 $0; report tdr_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete tdr_$1

# 106021
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Deny.*reverse path check from (\d+.\d+.\d+.\d+) to (\d+.\d+.\d+.\d+).*
desc=PIX $1 Reverse Path Check Attack from $2 to $3
action=create rpc_$1; add rpc_$1 %t; add rpc_$1 %s; add rpc_$1 $0; report rpc_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete rpc_$1

# 106022
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Deny.*connection spoof from (\d+.\d+.\d+.\d+) to (\d+.\d+.\d+.\d+).*
desc=PIX $1 Connection Spoof Attack from $2 to $3
action=create spf_$1; add spf_$1 %t; add spf_$1 %s; add spf_$1 $0; report spf_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete spf_$1

# 106024
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Access rules memory exhausted
desc=PIX $1 Out of ACL Memory!
action=create ame_$1; add ame_$1 %t; add ame_$1 %s; add ame_$1 $0; report ame_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete ame_$1

# 106025/6
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Failed to determine the security context for the packet:(\S+):(\d+.\d+.\d+.\d+) (\d+.\d+.\d+.\d+) (\d+) (\d+).*
desc=PIX $1 failed getting context for vlan $2 $3:$4 to $5:$6
action=create ctx_$1; add ctx_$1 %t; add ctx_$1 %s; add ctx_$1 $0; report ctx_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete ctx_$1

# 107001
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*RIP auth failed from (\d+.\d+.\d+.\d+).*
desc=PIX $1 RIP Auth Attack from $2
action=create rip_$1; add rip_$1 %t; add rip_$1 %s; add rip_$1 $0; report rip_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete rip_$1

# 107002
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*RIP pkt failed from (\d+.\d+.\d+.\d+).*
desc=PIX $1 Invalid RIP Packet from $2
action=create rpk_$1; add rpk_$1 %t; add rpk_$1 %s; add rpk_$1 $0; report rpk_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete rpk_$1

# 109003
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Auth from (\d+.\d+.\d+.\d+) to (\d+.\d+.\d+.\d+\/\d+) failed \(all servers failed\).*
desc=PIX $1 All AAA Failed from $2 to $3
action=create aaa_$1; add aaa_$1 %t; add aaa_$1 %s; add aaa_$1 $0; report aaa_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete aaa_$1

# 109006/8
type=SingleWithThreshold
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*(Authentication|Authorization) (failed|denied) for user \'(\S+)\' from (\d+.\d+.\d+.\d+\/\d+) to (\d+.\d+.\d+.\d+\/\d+)
desc=PIX $1 Auth Guessing Attack by $2 from $3 to $4
action=create brt_$1; add brt_$1 %t; add brt_$1 %s; add brt_$1 $0; report brt_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete brt_$1
window=10
thresh=6

# 109010
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Auth from (\d+.\d+.\d+.\d+\/\d+) to (\d+.\d+.\d+.\d+\/\d+) failed \(too many pending auths\).*
desc=PIX $1 Max Auths Reached for $2 to $3
action=create mth_$1; add mth_$1 %t; add mth_$1 %s; add mth_$1 $0; report mth_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete mth_$1

# 109017
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*User at (\d+.\d+.\d+.\d+) exceeded auth proxy connection 
desc=PIX $1 $2 has opened to many proxy conns
action=create pcn_$1; add pcn_$1 %t; add pcn_$1 %s; add pcn_$1 $0; report pcn_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete pcn_$1

# 109024
type=SingleWithThreshold
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Authorization denied.*for user \'(\S+)\' from (\d+.\d+.\d+.\d+\/\d+) to (\d+.\d+.\d+.\d+\/\d+)
desc=PIX $1 Authorization Denied HAMMER $2 from $3 to $4
action=create uhm_$1; add uhm_$1 %t; add uhm_$1 %s; add uhm_$1 $0; report uhm_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete uhm_$1
window=10
thresh=6

# 109025
type=SingleWithThreshold
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Authorization denied \(acl=.*\) for user \'(\S+)\' from (\d+.\d+.\d+.\d+\/\d+) to (\d+.\d+.\d+.\d+\/\d+) on interface.*
desc=PIX $1 Authorization Denied  HAMMER $2 from $3 to $4
action=create uhm_$1; add uhm_$1 %t; add uhm_$1 %s; add uhm_$1 $0; report uhm_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete uhm_$1
window=10
thresh=6

# 111001
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Begin configuration: (\d+.\d+.\d+.\d+) writing to (\S+)
desc=PIX $1 Config saved to $3 by $2
action=create sav_$1; add sav_$1 %t; add sav_$1 %s; add sav_$1 $0; report sav_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete sav_$1

# 111002
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Begin configuration: (\d+.\d+.\d+.\d+) reading from (\S+)
desc=PIX $1 Config read from $3 by $2
action=create sav_$1; add sav_$1 %t; add sav_$1 %s; add sav_$1 $0; report sav_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete sav_$1

# 111003
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*(\d+.\d+.\d+.\d+) Erase configuration
desc=PIX $1 WRITE ERASE WAS ISSUED $2
action=create ers_$1; add ers_$1 %t; add ers_$1 %s; add ers_$1 $0; report ers_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete ers_$1

# 111004
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*(\d+.\d+.\d+.\d+) end configuration: \[FAILED\]
desc=PIX $1 FAILED CONFIGURING $2
action=create cff_$1; add cff_$1 %t; add cff_$1 %s; add cff_$1 $0; report cff_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete cff_$1

# 111008
type=Single
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*User \'(\S+)\' executed the command (.*)
desc=PIX $1 $2 executed: $3
action=add CMD_REPORT $2 : $3
#create cff_$1; add cff_$1 %t; add cff_$1 %s; add cff_$1 $0; report cff_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete cff_$1

# FIXME -- Add syslog number
# FSWM Style
type=Single
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*User \'(\S+)\' executed the \'(.*)\' command.*
desc=PIX $1 $2 executed: $3
action=add CMD_REPORT $2 : $3
#action=create cff_$1; add cff_$1 %t; add cff_$1 %s; add cff_$1 $0; report cff_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete cff_$1


# 111008
type=Single
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*User (\S+) executed cmd:(.*)
desc=PIX $1 $2 executed: $3
action=add CMD_REPORT $2 : $3
#action=create cff_$1; add cff_$1 %t; add cff_$1 %s; add cff_$1 $0; report cff_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete cff_$1
#action=create cff_$1; add cff_$1 %t; add cff_$1 %s; add cff_$1 $0; report cff_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete cff_$1

# 113001
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Unable to open AAA session. Session limit
desc=PIX $1 AAA Reached session limit
action=create cff_$1; add cff_$1 %t; add cff_$1 %s; add cff_$1 $0; report cff_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete cff_$1

# 113005
type=SingleWithThreshold
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*AAA user authentication Rejected: reason = (.*) server = .* User = (\S+).*
desc=PIX $1 IPSEC: User Auth Attack: $2 for $3
action=create cff_$1; add cff_$1 %t; add cff_$1 %s; add cff_$1 $0; report cff_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete cff_$1
window=10
thresh=6

# 113006
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*User (\S+) locked out on exceeding number successive failed authentication attempts
desc=PIX $1 User Locked out: $2
action=create cff_$1; add cff_$1 %t; add cff_$1 %s; add cff_$1 $0; report cff_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete cff_$1

# 113020
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Kerberos error : Clock skew with server (\d+.\d+.\d+.\d+).*
desc=PIX $1 User Locked out: $2
action=create cff_$1; add cff_$1 %t; add cff_$1 %s; add cff_$1 $0; report cff_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete cff_$1

# Might be only 6.x
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Console Login from user at (\d+.\d+.\d+.\d+)
desc=PIX $1 Console Login from $2
action=create con_$1; add con_$1 %t; add con_$1 %s; add con_$1 $0; report con_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete con_$1

# 112001 
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*clear (finished|complete)\.
desc=PIX $1 Clear Command Executed
action=create clr_$1; add clr_$1 %t; add clr_$1 %s; add clr_$1 $0; report clr_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete clr_$1

# 199002
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*[rR]eload command executed from.*(\d+.\d+.\d+.\d+)
desc=PIX $1 Reloaded by $2
action=create rld_$1; add rld_$1 %t; add rld_$1 %s; add rld_$1 $0; report rld_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete rld_$1

# 199002
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Orderly reload started at.*by (\S+). Reload.*
desc=PIX $1 Reloaded by $2
action=create rld_$1; add rld_$1 %t; add rld_$1 %s; add rld_$1 $0; report rld_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete rld_$1

# 201002
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+).*Too many.*connections on (static|xlate) (\d+.\d+.\d+.\d+)
desc=PIX $1 Max Embryonics to $3 (not attack)
action=create max_$1; add max_$1 %t; add max_$1 %s; add max_$1 $0; report max_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete max_$1

# 201003
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Embryonic limit exceeded.*for (\d+.\d+.\d+.\d+\/\d+) \((\d+.\d+.\d+.\d+)\) (\d+.\d+.\d+.\d+\/\d+)
desc=PIX $1 Max Embryonics from $2 to $3 ($4) Attack
action=create emb_$1; add emb_$1 %t; add emb_$1 %s; add emb_$1 $0; report emb_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete emb_$1

# 201008
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*The PIX is disallowing new connections.
desc=PIX $1 No longer allowing connections!
action=create stp_$1; add stp_$1 %t; add stp_$1 %s; add stp_$1 $0; report stp_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete stp_$1

# 202001
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Out of address translation slots!
desc=PIX $1 Out of NAT Slots
action=create nnt_$1; add nnt_$1 %t; add nnt_$1 %s; add nnt_$1 $0; report nnt_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete nnt_$1

# 209003
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Fragment database limit of.*exceeded: src = (\d+.\d+.\d+.\d+), dest = (\d+.\d+.\d+.\d+).*
desc=PIX $1 No room to assemble more frags from $2 to $3
action=create frg_$1; add frg_$1 %t; add frg_$1 %s; add frg_$1 $0; report frg_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete frg_$1

# 209004
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Invalid IP fragment, size =.*exceeds maximum size =.*src = (\d+.\d+.\d+.\d+), dest = (\d+.\d+.\d+.\d+).*
desc=PIX $1 Frag is invalid from $2 to $3
action=create lrg_$1; add lrg_$1 %t; add lrg_$1 %s; add lrg_$1 $0; report lrg_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete lrg_$1

# 209005
# FIXME -- Cisco log message doesnt match this
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Discard IP fragment set with more than.*elements:src = (\d+.\d+.\d+.\d+), dest = (\d+.\d+.\d+.\d+).*
desc=PIX $1 To many frags from $2 to $3
action=create _$1; add _$1 %t; add _$1 %s; add _$1 $0; report _$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete _$1

# 210002
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*LU allocate block .* failed.
desc=PIX $1 Failover Block Alocation Failed
action=create fba_$1; add fba_$1 %t; add fba_$1 %s; add fba_$1 $0; report fba_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete fba_$1

# 210005
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*LU allocate connection failed
desc=PIX $1 Failover Connection Failed
action=create fcf_$1; add fcf_$1 %t; add fcf_$1 %s; add fcf_$1 $0; report fcf_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete fcf_$1

# 210003
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Unknown LU Object.*
desc=PIX $1 Failover: Unknown LU Object
action=create ulu_$1; add ulu_$1 %t; add ulu_$1 %s; add ulu_$1 $0; report ulu_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete ulu_$1

# 210006
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*LU look NAT for (\d+.\d+.\d+.\d+) failed
desc=PIX $1 Failover NAT Sync failed for $2
action=create fns_$1; add fns_$1 %t; add fns_$1 %s; add fns_$1 $0; report fns_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete fns_$1

# 210007
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*LU allocate xlate failed
desc=PIX $1 Failover xlate Sync Failed
action=create fxs_$1; add fxs_$1 %t; add fxs_$1 %s; add fxs_$1 $0; report fxs_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete fxs_$1

# 210008
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*LU no xlate for (\d+.\d+.\d+.\d+\/\d+) (\d+.\d+.\d+.\d+\/\d+)
desc=PIX $1 Failover xlate Sync Failure for $2 to $3
action=create fxs_$1; add fxs_$1 %t; add fxs_$1 %s; add fxs_$1 $0; report fxs_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete fxs_$1

# 210010
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*LU make UDP connection for (\d+.\d+.\d+.\d+:\d+) (\d+.\d+.\d+.\d+:\d+) failed
desc=PIX $1 Failover UDP Conn sync failure for $2 to $3
action=create fus_$1; add fus_$1 %t; add fus_$1 %s; add fus_$1 $0; report fus_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete fus_$1

# 210020
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*LU PAT port (\d+) reserve failed
desc=PIX $1 Failover PAT Sync for $2 failed
action=create fps_$1; add fps_$1 %t; add fps_$1 %s; add fps_$1 $0; report fps_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete fps_$1

# 210021
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*LU create static xlate (\d+.\d+.\d+.\d+).*failed
desc=PIX $1 Failover Static xlate failed for $2
action=create fxf_$1; add fxf_$1 %t; add fxf_$1 %s; add fxf_$1 $0; report fxf_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete fxf_$1

# 210022
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*LU missed (\d+) updates
desc=PIX $1 Failover Sync failed for $2 updates
action=create fsf_$1; add fsf_$1 %t; add fsf_$1 %s; add fsf_$1 $0; report fsf_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete fsf_$1

# 211001
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Memory allocation Error
desc=PIX $1 Memory allocation Error!
action=create mae_$1; add mae_$1 %t; add mae_$1 %s; add mae_$1 $0; report mae_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete mae_$1

# 211003
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*CPU utilization for (\d+) seconds = (.*)
desc=PIX $1 CPU high ($2) for $3 secs
action=create cpu_$1; add cpu_$1 %t; add cpu_$1 %s; add cpu_$1 $0; report cpu_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete cpu_$1

# 211003
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Dropping SNMP request from (\d+.\d+.\d+.\d+\/\d+) to.*:(\d+.\d+.\d+.\d+\/\d+).*
desc=PIX $1 SNMP Attempt from $2 to $3
action=create snp_$1; add snp_$1 %t; add snp_$1 %s; add snp_$1 $0; report snp_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete snp_$1

# 213001
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*PPTP control daemon socket io.*errno = (\d+)
desc=PIX $1 PPTP Error $2
action=create ppt_$1; add ppt_$1 %t; add ppt_$1 %s; add ppt_$1 $0; report ppt_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete ppt_$1

# 213002
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*PPTP tunnel hashtable insert failed, peer = (\d+.\d+.\d+.\d+)
desc=PIX $1 PPTP hash table insert failed for $2
action=create pht_$1; add pht_$1 %t; add pht_$1 %s; add pht_$1 $0; report pht_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete pht_$1

# 213003
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*PPP virtual interface (\S+) isn't opened.
desc=PIX $1 PPP Virtual Int $2 failed to close
action=create ppp_$1; add ppp_$1 %t; add ppp_$1 %s; add ppp_$1 $0; report ppp_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete ppp_$1

# 213004
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*PPP virtual interface (\S+) client ip allocation failed.
desc=PIX $1 PPP Virutal interface $2 failure (pool depleted)
action=create ppl_$1; add ppl_$1 %t; add ppl_$1 %s; add ppl_$1 $0; report ppl_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete ppl_$1

#
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Denied Telnet login session from (\d+.\d+.\d+.\d+) on interface (int_name).
desc=PIX $1 Denid Telnet from $2 ($3) !!
action=create tel_$1; add tel_$1 %t; add tel_$1 %s; add tel_$1 $0; report tel_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete tel_$1

#
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Permitted Telnet login session from (\d+.\d+.\d+.\d+)
desc=PIX $1 Permitted Telnet from $2 !
action=create tel_$1; add tel_$1 %t; add tel_$1 %s; add tel_$1 $0; report tel_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete tel_$1

#
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*telnet login session failed from (\d+.\d+.\d+.\d+).*
desc=PIX $1 Telnet login guessing attack
action=create tel_$1; add tel_$1 %t; add tel_$1 %s; add tel_$1 $0; report tel_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete tel_$1

# 308001
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*PIX console enable password incorrect for (num) tries \(from (\d+.\d+.\d+.\d+)\).
desc=PIX $1 Many Enable Password failures for $3
action=create enb_$1; add enb_$1 %t; add enb_$1 %s; add enb_$1 $0; report enb_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete enb_$1

# 315011
type=SingleWithThreshold
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*SSH session from (\d+.\d+.\d+.\d+) on interface.*for user (\S+) disconnected by SSH server, reason:.*
desc=PIX $1 SSH Auth Attach from $2 ($3)
action=create ssh_$1; add ssh_$1 %t; add ssh_$1 %s; add ssh_$1 $0; report ssh_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete ssh_$1
window=10
thresh=6

#
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Denied manager connection from (\d+.\d+.\d+.\d+).
desc=PIX $1 Denied Manager from $2
action=create nmg_$1; add nmg_$1 %t; add nmg_$1 %s; add nmg_$1 $0; report nmg_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete nmg_$1

# FIXME -- Add log code FWSM
type=Single
continue=takenext
ptype=RegExp
pattern==^PIXLOG (\S+)\^ .*Denied SSH session from (\d+.\d+.\d+.\d+) on interface.*
desc=PIX $1 Denied SSH from $2
action=create ssh_$1; add ssh_$1 %t; add ssh_$1 %s; add ssh_$1 $0; report ssh_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete ssh_$1

#
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Permitted manager connection from (IP_addar).
desc=PIX $1 Allowed Manager from $2
action=create ymg_$1; add ymg_$1 %t; add ymg_$1 %s; add ymg_$1 $0; report ymg_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete ymg_$1

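# Every rule below follows the same shape: match one PIX syslog line (the
# "PIXLOG <host>^ ..." prefix is added upstream, $1 is the firewall name),
# build a throw-away context named <tag>_$1, add the local time (%t), the
# rule description (%s) and the raw event ($0), mail the context via
# "report" and delete it again. The mail command line itself is static;
# matched log fields only reach mailx through its standard input.
#
# NOTE: the IP captures are written as \d+.\d+.\d+.\d+ with an unescaped
# ".", which matches any character. \d+\.\d+\.\d+\.\d+ would be stricter.

# FIXME -- disabled: "user_id" is a literal placeholder, and the desc uses
# $3 although the pattern only has two capture groups.
# SET \d+.\d+.\d+.\d+ TO ! 128.135.0.x
#type=Single
#continue=takenext
#ptype=RegExp
#pattern=^PIXLOG (\S+)\^ .*Permitted SSH session from (\d+.\d+.\d+.\d+) on interface.*for user "user_id"
#desc=PIX $1 Permitted ssh $3 from $2
#action=create fsh_$1; add fsh_$1 %t; add fsh_$1 %s; add fsh_$1 $0; report fsh_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete fsh_$1

# Failed SSH login to the firewall; $3 is the attempt count. The previous
# pattern had the literal text "(num)" here, which looks like a placeholder
# and could not match a real log line, so the rule never fired.
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*SSH login session failed from (\d+.\d+.\d+.\d+) on \((\d+) attempts\) on interface.*by user "(\S+)"
desc=PIX $1 SSH $3 Failures from $2 by $4
action=create lsh_$1; add lsh_$1 %t; add lsh_$1 %s; add lsh_$1 $0; report lsh_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete lsh_$1

# 402101 -- inbound IPsec packet with an SPI the firewall does not know
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*decaps: rec\'d IPSEC packet has invalid spi for destaddr=(\d+.\d+.\d+.\d+).*
desc=PIX $1 IPSEC: Invalid SPI in packet from $2 (possible attack)
action=create spi_$1; add spi_$1 %t; add spi_$1 %s; add spi_$1 $0; report spi_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete spi_$1

# 402101 -- IPsec packet missing an expected header ($2) for $3
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*decapsulate: packet missing (.*), destadr=(\d+.\d+.\d+.\d+)
desc=PIX $1 IPSEC:  Packet to $3 did not have type $2 (possible attack)
action=create itp_$1; add itp_$1 %t; add itp_$1 %s; add itp_$1 $0; report itp_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete itp_$1

# 402103
# FIXME -- This is messy; disabled. "(ip)", "protocol", "(ident)" and
# "port" are literal placeholders, not regular expressions.
#type=Single
#continue=takenext
#ptype=RegExp
#pattern=^PIXLOG (\S+)\^ .*dentity doesn't match negotiated identity \((ip)\) dest_addr= (\d+.\d+.\d+.\d+), src_addr= (\d+.\d+.\d+.\d+), prot= protocol, \((ident)\) local=(\d+.\d+.\d+.\d+), remote=(\d+.\d+.\d+.\d+), local_proxy=(\d+.\d+.\d+.\d+/\d+.\d+.\d+.\d+/port/port), remote_proxy=(\d+.\d+.\d+.\d+/\d+.\d+.\d+.\d+/port/port)
#desc=PIX $1 IPSEC:  Peer $2 is attempting to send other packets through us $3 $4 $5 $6 $7
#action=create per_$1; add per_$1 %t; add per_$1 %s; add per_$1 $0; report per_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete per_$1

# 402115 -- decapsulated packet carries a different protocol than negotiated
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Received a packet from (\d+.\d+.\d+.\d+) to (\d+.\d+.\d+.\d+) containing.*data instead of.*data.
desc=PIX $1 IPSEC: packet from $2 to $3 doesn't match negotiated proto
action=create ipx_$1; add ipx_$1 %t; add ipx_$1 %s; add ipx_$1 $0; report ipx_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete ipx_$1

# 402115 -- inner packet does not match the SA policy
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Received an.*packet.*from (\d+.\d+.\d+.\d+).*to (\d+.\d+.\d+.\d+).*The decapsulated inner packet doesn't match the negotiated policy in the SA
desc=PIX $1 IPSEC: packet from $2 to $3 is encapsulated with unexpected data.
action=create enc_$1; add enc_$1 %t; add enc_$1 %s; add enc_$1 $0; report enc_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete enc_$1

# 402118 -- illegal IP fragment inside an IPsec packet
# (reuses the enc_ context tag of the rule above; harmless because each
# action creates and deletes its context in one go)
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Received an.*packet.*from (\d+.\d+.\d+.\d+).*to (\d+.\d+.\d+.\d+) containing an illegal IP fragment.*
desc=PIX $1 IPSEC: packet from $2 to $3 has invalid fragment
action=create enc_$1; add enc_$1 %t; add enc_$1 %s; add enc_$1 $0; report enc_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete enc_$1

# 403103 -- no free PPP virtual interfaces left
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*PPP virtual interface max connections reached.
desc=PIX $1  PPP interfaces exhausted
action=create pie_$1; add pie_$1 %t; add pie_$1 %s; add pie_$1 $0; report pie_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete pie_$1

# 403109 -- non-PPTP packet on the PPTP tunnel ($2 = dest, $3 = source)
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Rec\'d packet not an PPTP packet. \(.*\) dest_addr= (\d+.\d+.\d+.\d+), src_addr= (\d+.\d+.\d+.\d+).*
desc=PIX $1 Spoofed PPTP Packet from $3 to $2
action=create spp_$1; add spp_$1 %t; add spp_$1 %s; add spp_$1 $0; report spp_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete spp_$1

# 404101 -- VPN client address pool $2 exhausted
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*ISAKMP: Failed to allocate address for client from pool (\S+)
desc=PIX $1 IPSEC: Failed to allocate addr from $2
action=create faa_$1; add faa_$1 %t; add faa_$1 %s; add faa_$1 $0; report faa_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete faa_$1

# 405001 -- ARP collision; disabled. (The duplicated "add mac_$1 %s" that
# would have written the description twice has been removed.)
#type=Single
#continue=takenext
#ptype=RegExp
#pattern=PIXLOG (\S+)\^ .*Received ARP.*collision from (\d+.\d+.\d+.\d+\/....\.....\.....) on.*
#desc=PIX $1 ARP Collision: $2
#action=create mac_$1; add mac_$1 %t; add mac_$1 %s; add mac_$1 $0; report mac_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete mac_$1

# Failover: configuration replication of command $2 failed
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Configuration replication failed for command (\S+)
desc=PIX $1 Failover replication command $2 failed
action=create rcf_$1; add rcf_$1 %t; add rcf_$1 %s; add rcf_$1 $0; report rcf_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete rcf_$1

# 709001 -- failover command replication failed (7.x wording)
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*FO replication failed: cmd=(.*) returned=.*
desc=PIX $1 Failover: Command replication failed for Peer: $2
action=create rcf_$1; add rcf_$1 %t; add rcf_$1 %s; add rcf_$1 $0; report rcf_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete rcf_$1

# 316001 -- VPN peer limit reached, new tunnel from $2 refused
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Denied new tunnel to (\d+.\d+.\d+.\d+). VPN peer limit.*exceeded.*
desc=PIX $1 VPN Peer limit exceeded for $2
action=create plm_$1; add plm_$1 %t; add plm_$1 %s; add plm_$1 $0; report plm_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete plm_$1

# 317003 -- routing table could not be created
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*IP routing table creation failure - (.*)
desc=PIX $1 Route table Error: $2
action=create rte_$1; add rte_$1 %t; add rte_$1 %s; add rte_$1 $0; report rte_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete rte_$1

# 317004 -- routing table near its size limit
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*IP routing table limit warning
desc=PIX $1 Routing table limit reached
action=create rtl_$1; add rtl_$1 %t; add rtl_$1 %s; add rtl_$1 $0; report rtl_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete rtl_$1

# 317005 -- routing table limit exceeded ($2 = reason, $3 = address)
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*IP routing table limit exceeded - (.*), (\d+.\d+.\d+.\d+).*
desc=PIX $1 Route table limit breached by $3:  $2
action=create rtb_$1; add rtb_$1 %t; add rtb_$1 %s; add rtb_$1 $0; report rtb_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete rtb_$1

# 323005 -- module in slot $2 failed to power up
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Module in slot (\S+) can not be powered on completely
desc=PIX $1 Slot $2 will not power on
action=create slp_$1; add slp_$1 %t; add slp_$1 %s; add slp_$1 $0; report slp_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete slp_$1

# 411002 -- line protocol on interface $2 went down
# (all four "add" calls now target lpd_$1; two of them previously wrote to
# a misspelled ldp_$1 context, so the report lacked the time and desc
# lines and a stray ldp_$1 context was left behind on every match)
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Line protocol on interface (\S+) changed state to down
desc=PIX $1 Interface $2 is DOWN!
action=create lpd_$1; add lpd_$1 %t; add lpd_$1 %s; add lpd_$1 $0; report lpd_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete lpd_$1

# 412002 -- bridge (MAC address) table full
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Detected bridge table full while inserting MAC (....\.....\.....) on interface .*
desc=PIX $1 MAC Address table is FULL!
action=create brf_$1; add brf_$1 %t; add brf_$1 %s; add brf_$1 $0; report brf_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete brf_$1

# 505001 -- module in slot $2 shutting down
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Module in slot (\S+) is shutting down.  Please.*
desc=PIX $1 Slot $2 is shutting down!
action=create sht_$1; add sht_$1 %t; add sht_$1 %s; add sht_$1 $0; report sht_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete sht_$1

# 505002 -- module in slot $2 reloading
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Module in slot (\S+) is reloading. Please.*
desc=PIX $1 Slot $2 is reloading!
action=create rld_$1; add rld_$1 %t; add rld_$1 %s; add rld_$1 $0; report rld_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete rld_$1

# 605004 -- repeated login denials: the threshold counter is keyed by the
# desc, i.e. per firewall/source/destination/user, and fires at 6 events
# within 10 seconds.
type=SingleWithThreshold
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*Login denied from (.*) to (.*) for user "(\S+)"
desc=PIX $1 Auth Attack from $2 to $3 ($4)
action=create ath_$1; add ath_$1 %t; add ath_$1 %s; add ath_$1 $0; report ath_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete ath_$1
window=10
thresh=6

# 611102 -- repeated user authentication failures, keyed per firewall and
# user name; same 6-in-10-seconds threshold as 605004 (desc typo
# "Attach" corrected to "Attack" to match that rule).
type=SingleWithThreshold
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*User authentication failed: Uname: (\S+)
desc=PIX $1 Auth Attack from $2
action=create ath_$1; add ath_$1 %t; add ath_$1 %s; add ath_$1 $0; report ath_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete ath_$1
window=10
thresh=6

# 615002 -- FWSM could not get a VLAN for a firewall interface
type=Single
continue=takenext
ptype=RegExp
pattern=^PIXLOG (\S+)\^ .*vlan number not available for firewall interface
desc=PIX $1 VLAN Error for FWSM
action=create vln_$1; add vln_$1 %t; add vln_$1 %s; add vln_$1 $0; report vln_$1 /bin/mailx -s "Syslog Watcher [ALERT]" user at example.com; delete vln_$1

#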


Index: .cvsignore
===================================================================
RCS file: /cvs/pkgs/rpms/sec/F-12/.cvsignore,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -p -r1.4 -r1.5
--- .cvsignore	28 May 2007 20:06:22 -0000	1.4
+++ .cvsignore	3 Oct 2009 07:52:14 -0000	1.5
@@ -1 +1 @@
-sec-2.4.1.tar.gz
+sec-2.5.2.tar.gz


Index: amavisd.sec
===================================================================
RCS file: /cvs/pkgs/rpms/sec/F-12/amavisd.sec,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- amavisd.sec	1 Sep 2006 20:54:01 -0000	1.1
+++ amavisd.sec	3 Oct 2009 07:52:15 -0000	1.2
@@ -1,5 +1,11 @@
-#Amavisd events
-
+#############################################################################
+# Amavisd events
+#
+# Copyright (C) 2003-2009 Matt Jonkman
+# This is free software. You may redistribute copies of it under the terms of 
+# the GNU General Public License version 2.
+# There is NO WARRANTY, to the extent permitted by law.
+#############################################################################
 
 #Sep  4 15:43:02 xxxxx clamd[581]: /var/amavisd/amavis-20050904T153955-46858/parts/part-00001: HTML.Phishing.Bank-1 FOUND
 type=Single


Index: bsd-MONITOR.sec
===================================================================
RCS file: /cvs/pkgs/rpms/sec/F-12/bsd-MONITOR.sec,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- bsd-MONITOR.sec	1 Sep 2006 20:54:01 -0000	1.1
+++ bsd-MONITOR.sec	3 Oct 2009 07:52:15 -0000	1.2
@@ -1,9 +1,14 @@
 #
-# from http://sixshooter.v6.thrupoint.net/SEC-examples/article.html
-#
 # SEC rules to pick up disruptive monitoring
 # events.
 #
+# from http://sixshooter.v6.thrupoint.net/SEC-examples/article.html
+#
+# Copyright (C) 2003-2009 Jim Brown
+# This is free software. You may redistribute copies of it under the terms of 
+# the GNU General Public License version 2.
+# There is NO WARRANTY, to the extent permitted by law.
+#
 #Logs involving syslogd disabled or unusual promiscuous mode (MONITOR)
 #----------------------------------------------------------------------
 #Nov 15 20:02:48 foohost syslogd: exiting on signal 15
@@ -50,5 +55,5 @@ type=Single
 ptype=RegExp
 pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+kernel: swap_pager_getswapspace\(\S\): .*
 desc=$0
-action=pipe '$1 GET SWAP FAILURE: %s' /usr/bin/mail -s "SWAP SPACE FAIL on $1" alerts at yourdomain.com
+action=pipe '$1 GET SWAP FAILURE: %s' /usr/bin/mail -s "SWAP SPACE FAIL on $1" alerts at example.com
 
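Review bot: The captured hostname `$1` is expanded inside the double-quoted `-s "SWAP SPACE FAIL on $1"` argument of a shell command line, so whatever the log line supplies in that field reaches the shell with `$`, backticks and quotes intact, and syslog input is not authenticated. Restrict the capture to hostname characters, `pattern=\S+\s+\d+\s+\S+\s+([\w.-]+)\s+kernel: swap_pager_getswapspace\(\S\): .*`, or keep the subject static and let `$1` reach mail only through the piped body. The same construction is on the new action lines in cvs.sec (where the interpolated fields come from `(.*)`), dameware.sec, labrea.sec, pix-security.sec and pix-url.sec (through `%s`, which expands a desc built from captures) and portscan.sec; only the mailbox changes in those hunks. The rule's `type=` line is outside this hunk.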


Index: bsd-PHYSMOD.sec
===================================================================
RCS file: /cvs/pkgs/rpms/sec/F-12/bsd-PHYSMOD.sec,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- bsd-PHYSMOD.sec	1 Sep 2006 20:54:01 -0000	1.1
+++ bsd-PHYSMOD.sec	3 Oct 2009 07:52:15 -0000	1.2
@@ -1,9 +1,13 @@
 #
-# from http://sixshooter.v6.thrupoint.net/SEC-examples/article.html
-#
 # PHYSMOD.conf - Events concerning physical modifications
 #                to the system.
 #
+# from http://sixshooter.v6.thrupoint.net/SEC-examples/article.html
+#
+# Copyright (C) 2003-2009 Jim Brown
+# This is free software. You may redistribute copies of it under the terms of 
+# the GNU General Public License version 2.
+# There is NO WARRANTY, to the extent permitted by law.
 #
 #Logs involving physical modifications (PHYSMOD)
 #------------------------------------------------


Index: bsd-USERACT.sec
===================================================================
RCS file: /cvs/pkgs/rpms/sec/F-12/bsd-USERACT.sec,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- bsd-USERACT.sec	1 Sep 2006 20:54:01 -0000	1.1
+++ bsd-USERACT.sec	3 Oct 2009 07:52:15 -0000	1.2
@@ -1,7 +1,12 @@
 #
+# Events concerning user activities.
+#
 # From http://sixshooter.v6.thrupoint.net/SEC-examples/article.html
 #
-# Events concerning user activities.
+# Copyright (C) 2003-2009 Jim Brown
+# This is free software. You may redistribute copies of it under the terms of 
+# the GNU General Public License version 2.
+# There is NO WARRANTY, to the extent permitted by law.
 #
 #Logs involving logins, change of UID and privilege escalations (USERACT)
 #-------------------------------------------------------------------------


Index: conf.README
===================================================================
RCS file: /cvs/pkgs/rpms/sec/F-12/conf.README,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- conf.README	1 Sep 2006 20:54:01 -0000	1.1
+++ conf.README	3 Oct 2009 07:52:15 -0000	1.2
@@ -1,10 +1,10 @@
-This is the SEC configuration directory.  Because SEC usage varies so widely
-from user to user, this Fedora Extras package is configured by default to not
-run.
+This is the SEC configuration directory. Because SEC usage varies so widely
+from user to user, this package is configured by default to not run.
 
 The commented-out default settings in /etc/sysconfig/sec will load any file in
-this directory with a .sec suffix.  Please look through the example files
-included in /etc/sec/examples/ and install the ones you want here (taking into
-account that the examples are generic and some of them may need to be tweaked
-to work with your setup).  You should also read the SEC man page so you have
-at least a basic understanding of the SEC configuration commands.
+this directory with a .sec suffix. Please look through the example files
+included in /usr/share/doc/sec-<version>/examples/ and install the ones you
+want here (taking into account that the examples are generic and some of them
+may need to be tweaked to work with your setup). You should also read the SEC
+man page so you have at least a basic understanding of the SEC configuration
+commands.


Index: cvs.sec
===================================================================
RCS file: /cvs/pkgs/rpms/sec/F-12/cvs.sec,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- cvs.sec	1 Sep 2006 20:54:01 -0000	1.1
+++ cvs.sec	3 Oct 2009 07:52:15 -0000	1.2
@@ -1,3 +1,11 @@
+#############################################################################
+# CVS events
+#
+# Copyright (C) 2003-2009 Matt Jonkman
+# This is free software. You may redistribute copies of it under the terms of 
+# the GNU General Public License version 2.
+# There is NO WARRANTY, to the extent permitted by law.
+#############################################################################
 
 #Jul 31 19:54:21 xxxx xinetd[2088]: START: cvspserver pid=16385 from=xx.xx.xx.xx
 
@@ -14,7 +22,7 @@ type=single
 ptype=regexp
 pattern=([A-z._0-9-]*) cvs: password mismatch for (.*) in (.*)
 desc = cvs login failure
-action=pipe '$1 $2 CVS Login Failure: User $2 from $3' /usr/bin/mail -s '$1 $2 CVS Login Failure: $2 from $3' alerts at yourdomain.com
+action=pipe '$1 $2 CVS Login Failure: User $2 from $3' /usr/bin/mail -s '$1 $2 CVS Login Failure: $2 from $3' alerts at example.com
 
 
 #Aug  5 10:38:49 xxxx cvs: attempt to root from account: username
@@ -23,7 +31,7 @@ type=single
 ptype=regexp
 pattern=([A-z._0-9-]*) cvs: attempt to root from account: (.*)
 desc = cvs login to root attempt
-action=pipe ' $1 $2 CVS Login to Root Attempt: User $2 ' /usr/bin/mail -s '$1 CVS Login to Root Failure: $2' alerts at yourdomain.com
+action=pipe ' $1 $2 CVS Login to Root Attempt: User $2 ' /usr/bin/mail -s '$1 CVS Login to Root Failure: $2' alerts at example.com
 
 
 #Aug  5 10:42:37 xxxx cvs: login failure (for /usr/local/cvsroot)
@@ -32,5 +40,5 @@ type=single
 ptype=regexp
 pattern=([A-z._0-9-]*) cvs: login failure \(for /usr/local/cvsroot\)
 desc = cvs login failure
-action=pipe '$1 $2 CVS Login Failure ' /usr/bin/mail -s '$1 CVS Login Failure' alerts at yourdomain.com
+action=pipe '$1 $2 CVS Login Failure ' /usr/bin/mail -s '$1 CVS Login Failure' alerts at example.com
 


Index: dameware.sec
===================================================================
RCS file: /cvs/pkgs/rpms/sec/F-12/dameware.sec,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- dameware.sec	1 Sep 2006 20:54:01 -0000	1.1
+++ dameware.sec	3 Oct 2009 07:52:15 -0000	1.2
@@ -1,10 +1,19 @@
+#############################################################################
+# Dameware events
+#
+# Copyright (C) 2003-2009 Matt Jonkman
+# This is free software. You may redistribute copies of it under the terms of 
+# the GNU General Public License version 2.
+# There is NO WARRANTY, to the extent permitted by law.
+#############################################################################
+
 #Dameware Connect
 type=single
 ptype=regexp
 pattern=([A-z._0-9-]*) DMWRCS: (.*) Connect: (.*)
 desc = Dameware Connect
 action=add WINDOWS_REPORT DAMEWARE CONNECT: %s; \
-pipe 'DAMEWARE Connect -- : %s' /usr/bin/mail -s 'DAMEWARE CONNECT' alerts at yourdomain.com
+pipe 'DAMEWARE Connect -- : %s' /usr/bin/mail -s 'DAMEWARE CONNECT' alerts at example.com
 
 
 #Dameware Disconnect


Index: hp-openview.sec
===================================================================
RCS file: /cvs/pkgs/rpms/sec/F-12/hp-openview.sec,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- hp-openview.sec	1 Sep 2006 20:54:01 -0000	1.1
+++ hp-openview.sec	3 Oct 2009 07:52:15 -0000	1.2
@@ -1,10 +1,14 @@
 ################################################################
 #          Sample SEC ruleset for HP OpenView ITO
+#
+# Copyright (C) 2003-2009 Risto Vaarandi
+# This is free software. You may redistribute copies of it under the terms of 
+# the GNU General Public License version 2.
+# There is NO WARRANTY, to the extent permitted by law.
 ################################################################
 
 # process Cisco linkDown/linkUp trap events received from 
 # HP OpenView ITO trap template through itostream plugin
-# Submitted by Risto Vaarandi
 
 type=PairWithWindow
 ptype=RegExp


Index: labrea.sec
===================================================================
RCS file: /cvs/pkgs/rpms/sec/F-12/labrea.sec,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- labrea.sec	1 Sep 2006 20:54:01 -0000	1.1
+++ labrea.sec	3 Oct 2009 07:52:15 -0000	1.2
@@ -1,4 +1,11 @@
-#Labrea tarpit events
+#############################################################################
+# Labrea tarpit events
+#
+# Copyright (C) 2003-2009 Matt Jonkman
+# This is free software. You may redistribute copies of it under the terms of 
+# the GNU General Public License version 2.
+# There is NO WARRANTY, to the extent permitted by law.
+#############################################################################
 
 type=Single
 ptype=RegExp
@@ -25,5 +32,5 @@ type=Calendar
 time=0 8,12,20 * * *
 desc=Sending tarpit report...
 action=report TARPIT_REPORT \
-       /usr/bin/mail -s 'Tarpits: Tarpit Victim report' alerts at yourdomain.com; \
+       /usr/bin/mail -s 'Tarpits: Tarpit Victim report' alerts at example.com; \
        delete TARPIT_REPORT


Index: pix-security.sec
===================================================================
RCS file: /cvs/pkgs/rpms/sec/F-12/pix-security.sec,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- pix-security.sec	1 Sep 2006 20:54:01 -0000	1.1
+++ pix-security.sec	3 Oct 2009 07:52:15 -0000	1.2
@@ -1,5 +1,10 @@
 ####################################################################
 #                SEC ruleset for Cisco PIX 6.x, 7.x
+#
+# Copyright (C) 2003-2009 Chris Sawall
+# This is free software. You may redistribute copies of it under the terms of 
+# the GNU General Public License version 2.
+# There is NO WARRANTY, to the extent permitted by law.
 ####################################################################
 
 # Process various events from PIX syslog output
@@ -19,7 +24,7 @@ type=SingleWithThreshold
 ptype=RegExp
 pattern=\s*.*Deny\s+(\w+)\s+src.*:(.*)/.*:(.*)/(\b2\d\b).*$
 desc=Unusual Failures:$1 $4/$2 -> $3
-action=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01 at domain.com; delete ffo_$1
+action=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01 at example.com; delete ffo_$1
 window=10
 thresh=10
 
@@ -31,7 +36,7 @@ continue=dontcont
 ptype=RegExp
 pattern=(212\.147\.14[12]\.)
 desc=Possible PHEL Trojan (1)
-action=create phel_$1; add phel_$1 Local Time = %t; add phel_$1 $0; report phel_$1 /bin/mail -s "%s" email01 at domain.com; delete phel_$1
+action=create phel_$1; add phel_$1 Local Time = %t; add phel_$1 $0; report phel_$1 /bin/mail -s "%s" email01 at example.com; delete phel_$1
 
 # ------------------------------------------------------------------
 # Watch for firewall failovers
@@ -50,7 +55,7 @@ continue=takenext
 ptype=RegExp
 pattern=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*PIX-1-102001.*\(Primary\).*$
 desc=Secondary firewall for $1 - failure/reload
-action=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01 at domain.com; delete ffo_$1
+action=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01 at example.com; delete ffo_$1
 
 # Failure of secondary (standby) firewall while primary is active
 # Works for PIX 7.x
@@ -62,7 +67,7 @@ continue=takenext
 ptype=RegExp
 pattern=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*PIX-1-102001.*\(Secondary\).*$
 desc=Primary firewall for $1 - failure/reload
-action=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01 at domain.com; delete ffo_$1
+action=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01 at example.com; delete ffo_$1
 
 # Failure of secondary (active), primary assumes active
 # Works for PIX 7.x
@@ -79,7 +84,7 @@ action=logonly
 ptype2=RegExp
 pattern2=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*Primary\).*Peer state Standby Ready
 desc2=Secondary (was active) firewall ($1) has failed.  Primary is now active.
-action2=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01 at domain.com; delete ffo_$1
+action2=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01 at example.com; delete ffo_$1
 window=5
 
 # Failure of primary (active), secondary assumes active
@@ -97,7 +102,7 @@ action=logonly
 ptype2=RegExp
 pattern2=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*Secondary\).*Peer state Standby Ready
 desc2=Primary firewall ($1) has failed.  Secondary is now active.
-action2=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01 at domain.com; delete ffo_$1
+action2=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01 at example.com; delete ffo_$1
 window=5
 
 # ------------------------------------------------------------------
@@ -114,7 +119,7 @@ continue=dontcont
 ptype=RegExp
 pattern=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*PIX reload.*$
 desc=$1 has been manually rebooted
-action=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01 at domain.com ; delete ffo_$1
+action=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01 at example.com ; delete ffo_$1
 
 # Manual reload of PIX
 # Works for PIX 7.x
@@ -126,7 +131,7 @@ continue=dontcont
 ptype=RegExp
 pattern=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*Orderly reload.*Reload reason:\s(\S+)
 desc=$1 has been manually rebooted, reason: $2
-action=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01 at domain.com; delete ffo_$1
+action=create ffo_$1; add ffo_$1 %t; add ffo_$1 $0; report ffo_$1 /bin/mail -s "%s" email01 at example.com; delete ffo_$1
 
 # ------------------------------------------------------------------
 # Watch for SSH logins/failures on firewalls
@@ -152,7 +157,7 @@ continue=dontcont
 ptype=RegExp
 pattern=\s*.*(10|172|192)\.(\d+\.\d+\.\d+).*Authentication succeeded.*\'(\S+)\'.*to\s(\d+\.\d+\.\d+\.\d+)\/0.*SSH
 desc=Admin Auth to $1.$2 -> $3 from $4
-action=create ssh_$1; add ssh_$1 Local Time = %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01 at domain.com; delete ssh_$1
+action=create ssh_$1; add ssh_$1 Local Time = %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01 at example.com; delete ssh_$1
 
 # Successful Admin SSH session
 # Works for PIX 7.x
@@ -165,7 +170,7 @@ continue=dontcont
 ptype=RegExp
 pattern=\s*.*(10|172|192)\.(\d+\.\d+\.\d+).*Authentication succeeded.*\'(\S+)\'\sfrom\s(\d+\.\d+\.\d+\.\d+)\/0.*/22.*$
 desc=Admin Auth to $1.$2 -> $3 from $4
-action=create ssh_$1; add ssh_$1 Local Time = %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01 at domain.com; delete ssh_$1
+action=create ssh_$1; add ssh_$1 Local Time = %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01 at example.com; delete ssh_$1
 
 # Failed Admin SSH session
 # Works for PIX 6.x
@@ -178,7 +183,7 @@ continue=takenext
 ptype=RegExp
 pattern=Authentication failed.*\'(\S+)\'.*SSH
 desc=Admin Auth FAILED -> $1
-action=create ssh_$1; add ssh_$1 %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01 at domain.com; delete ssh_$1
+action=create ssh_$1; add ssh_$1 %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01 at example.com; delete ssh_$1
 
 # Failed Admin SSH session
 # Works for PIX 7.x
@@ -191,7 +196,7 @@ continue=takenext
 ptype=RegExp
 pattern=Authentication failed.*\'(\S+)\'.*/22.*$
 desc=Admin Auth FAILED -> $1
-action=create ssh_$1; add ssh_$1 %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01 at domain.com; delete ssh_$1
+action=create ssh_$1; add ssh_$1 %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01 at example.com; delete ssh_$1
 
 # Normal SSH termination
 # Works for both PIX 6.x and 7.x
@@ -202,7 +207,7 @@ type=Single
 ptype=RegExp
 pattern=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*\"(\S+)\".*terminated normally
 desc=ADMIN END $1 -> $2
-action=create ssh_$1; add ssh_$1 %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01 at domain.com; delete ssh_$1
+action=create ssh_$1; add ssh_$1 %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01 at example.com; delete ssh_$1
 
 # SSH session timeout or abnormal termination
 # Works for PIX 6.x
@@ -214,7 +219,7 @@ type=Single
 ptype=RegExp
 pattern=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*disconnected by SSH server
 desc=Firewall session END - timeout $1
-action=create ssh_$1; add ssh_$1 %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01 at domain.com; delete ssh_$1
+action=create ssh_$1; add ssh_$1 %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01 at example.com; delete ssh_$1
 
 # ------------------------------------------------------------------
 # Watch for firewall commands
@@ -228,7 +233,7 @@ type=Single
 ptype=RegExp
 pattern=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*write\sm.*
 desc=User wrote config to memory -> $1
-action=create fwcmd_$1; add fwcmd_$1 %t; add fwcmd_$1 $0; report fwcmd_$1 /bin/mail -s "%s" email01 at domain.com; delete fwcmd_$1
+action=create fwcmd_$1; add fwcmd_$1 %t; add fwcmd_$1 $0; report fwcmd_$1 /bin/mail -s "%s" email01 at example.com; delete fwcmd_$1
 
 # Watch for HIGH CPU Utilization
 # Works for PIX 6.x
@@ -237,5 +242,5 @@ type=Single
 ptype=RegExp
 pattern=PIX-.-211003
 desc=HIGH CPU Utilization
-action=create fwcmd_$1; add fwcmd_$1 %t; add fwcmd_$1 $0; report fwcmd_$1 /bin/mail -s "%s" email01 at domain.com; delete fwcmd_$1
+action=create fwcmd_$1; add fwcmd_$1 %t; add fwcmd_$1 $0; report fwcmd_$1 /bin/mail -s "%s" email01 at example.com; delete fwcmd_$1
 
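Review bot: `pattern=PIX-.-211003` has no capture group, so `$1` on the new action line presumably expands to nothing and the context is named `fwcmd_` for every firewall; HIGH CPU events from two devices at the same time would then share one context and one report. Capture the reporting host the way the other rules in this file do, `pattern=\s*\S+\s(\d+\.\d+\.\d+\.\d+).*PIX-.-211003`, so the context and the mail are per device. The rule's `type=` line is outside this hunk.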


Index: pix-url.sec
===================================================================
RCS file: /cvs/pkgs/rpms/sec/F-12/pix-url.sec,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- pix-url.sec	1 Sep 2006 20:54:01 -0000	1.1
+++ pix-url.sec	3 Oct 2009 07:52:15 -0000	1.2
@@ -1,5 +1,10 @@
 ####################################################################
 #                SEC ruleset for Monitoring Keywords
+#
+# Copyright (C) 2003-2009 Chris Sawall
+# This is free software. You may redistribute copies of it under the terms of 
+# the GNU General Public License version 2.
+# There is NO WARRANTY, to the extent permitted by law.
 ####################################################################
 
 # This particular ruleset was designed to monitor PIX syslog traffic
@@ -41,7 +46,7 @@ type=Single
 ptype=PerlFunc
 pattern=sub {($_[0] =~ /($list)/) }
 desc=Inappropriate word in URL
-action=create ssh_$1; add ssh_$1 %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01 at domain.com; delete ssh_$1
+action=create ssh_$1; add ssh_$1 %t; add ssh_$1 $0; report ssh_$1 /bin/mail -s "%s" email01 at example.com; delete ssh_$1
 
 #
 # Examples of "watch4badwords" and "watch4excludes"


Index: portscan.sec
===================================================================
RCS file: /cvs/pkgs/rpms/sec/F-12/portscan.sec,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- portscan.sec	1 Sep 2006 20:54:01 -0000	1.1
+++ portscan.sec	3 Oct 2009 07:52:15 -0000	1.2
@@ -1,5 +1,10 @@
 ################################################################
 # Sample SEC ruleset for "PORTSCAN FROM ip1 TO ip2:port" events
+#
+# Copyright (C) 2003-2009 Risto Vaarandi
+# This is free software. You may redistribute copies of it under the terms of 
+# the GNU General Public License version 2.
+# There is NO WARRANTY, to the extent permitted by law.
 ################################################################
 
 # process "PORTSCAN FROM ip1 TO ip2:port" events, and if a certain
@@ -35,6 +40,6 @@ context=HORIZONTAL_PORTSWEEP_FROM_SOURCE
 continue=DontCont
 desc=$1 has scanned more than 10 destinations
 action=report HORIZONTAL_PORTSWEEP_FROM_SOURCE_IP_$1_TO_TARGET_PORT_$3 \
-       mail -s 'Horizontal port sweep from $1 target port $3' root at localhost; \
+       mail -s 'Horizontal port sweep from $1 target port $3' root at example.com; \
        delete HORIZONTAL_PORTSWEEP_FROM_SOURCE_IP_$1_TO_TARGET_PORT_$3; \
        eval %o ( delete $portscans{"$1:$3"} )


Index: sec.init
===================================================================
RCS file: /cvs/pkgs/rpms/sec/F-12/sec.init,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- sec.init	1 Sep 2006 20:54:01 -0000	1.1
+++ sec.init	3 Oct 2009 07:52:15 -0000	1.2
@@ -1,88 +1,102 @@
 #!/bin/bash
 #
-# sec           This starts and stops SEC
+# sec           Start and stop SEC.
 #
-# chkconfig:    - 26 74
+# chkconfig:    - 20 80
 # description:  Simple Event Correlator script to filter log file entries
-# processname:  /usr/bin/sec
-# config:       /etc/sysconfig/sec
-# pidfile:      /var/run/sec.pid
-#
-
-# Source function library.
-    . /etc/rc.d/init.d/functions
-
-# Default to a clean return value
-    RETVAL=0
-
-# Program we'll be executing
-    EXEC='/usr/bin/sec'
-    prog='sec'
 
-    [ -f $EXEC ] || exit 0
+. /etc/rc.d/init.d/functions
 
-# Source the config
-    [ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog
+prog="sec"
+exec="/usr/bin/sec"
+lockfile="/var/lock/subsys/sec"
 
-# No options defined means that sec can't run
-    [ -z "$SEC_ARGS" ] && exit 0
-
-# And away we go...
+[ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog
 
 start() {
-    for n in `seq 0 $((${#SEC_ARGS[*]} - 1))`; do
-        echo -n $"Starting $prog instance "$(($n + 1))": "
-        daemon $EXEC ${SEC_ARGS[$n]}
-        RETVAL=$?
-        [ $RETVAL -ne 0 ] && return $RETVAL
-    done
-    touch /var/lock/subsys/$prog
-    return $RETVAL
+	[ -x $exec ] || exit 5
+	for n in `seq 0 $((${#SEC_ARGS[*]} - 1))`; do
+		echo -n $"Starting $prog instance "$(($n + 1))": "
+		daemon $exec ${SEC_ARGS[$n]}
+		RETVAL=$?
+		echo
+		[ $RETVAL -ne 0 ] && return $RETVAL
+	done
+	touch $lockfile
+	return $RETVAL
 }
 
 stop() {
-    echo -n $"Stopping $prog: "
-    killproc $prog
-    RETVAL=$?
-    echo
-    [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/$prog
-    return $RETVAL
+	echo -n $"Stopping $prog: "
+	killproc $prog
+	RETVAL=$?
+	echo
+	[ $RETVAL -eq 0 ] && rm -f $lockfile
+	return $RETVAL
+}
+
+restart() {
+	stop
+	start
 }
 
 reload() {
-    echo -n $"Reloading configuration: "
-    killproc $prog -HUP
-    RETVAL=$?
-    echo
-    return $RETVAL
+	echo -n $"Reloading $prog: "
+	killproc $prog -HUP
+	RETVAL=$?
+	echo
+	return $RETVAL
 }
 
-restart() {
-    stop
-    start
+force_reload() {
+	restart
 }
 
-dump() {
-    echo -n $"Dumping state in /tmp/sec.dump: "
-    killproc $prog -USR1
-    RETVAL=$?
-    echo
-    return $RETVAL
+rh_status() {
+	status $prog
 }
 
-sec_status() {
-    status $prog
+rh_status_q() {
+	rh_status >/dev/null 2>&1
+}
+
+dump() {
+	echo -n $"Dumping state of $prog in /tmp/sec.dump: "
+	killproc $prog -USR1
+	RETVAL=$?
+	echo
+	return $RETVAL
 }
 
 case "$1" in
-    start|stop|reload|restart|dump)
-        $1
-        ;;
-    status)
-        sec_status
-        ;;
-    *)
-        echo $"Usage: $0 {start|stop|reload|restart|dump|status}"
-        exit 2
+  start)
+	start
+	;;
+  stop)
+	stop
+	;;
+  restart)
+	restart
+	;;
+  condrestart|try-restart)
+	rh_status_q || exit 0
+	restart
+	;;
+  reload)
+	reload
+	;;
+  force-reload)
+	force_reload
+	;;
+  status)
+	rh_status
+	;;
+  dump)
+	dump
+	;;
+  *)
+	echo $"Usage: $0 {start|stop|restart|condrestart|try-restart|reload|force-reload|status|dump}"
+	exit 2
 esac
 
+exit $?
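Review bot: start() no longer refuses to run when SEC_ARGS is unset: the old `[ -z "$SEC_ARGS" ] && exit 0` guard was dropped, and with an empty array the `seq` loop runs zero times, `touch $lockfile` still happens and start returns 0, so `status` afterwards reports the daemon dead with the subsys locked. Add a guard as the first line of start(), `[ ${#SEC_ARGS[*]} -gt 0 ] || { echo $"$prog is not configured, see /etc/sysconfig/$prog"; return 6; }`, 6 being the LSB "program is not configured" status. Also worth a comment on stop() and reload(): `killproc $prog` signals every running sec process by name, which is intended here because several instances may be started from SEC_ARGS.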


Index: sec.logrotate
===================================================================
RCS file: /cvs/pkgs/rpms/sec/F-12/sec.logrotate,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- sec.logrotate	1 Sep 2006 20:54:01 -0000	1.1
+++ sec.logrotate	3 Oct 2009 07:52:15 -0000	1.2
@@ -3,6 +3,6 @@
     notifempty
     sharedscripts
     postrotate
-        /sbin/service sec reload 2> /dev/null > /dev/null || true
+        /sbin/service sec reload >/dev/null 2>&1 || true
     endscript
 }


Index: sec.spec
===================================================================
RCS file: /cvs/pkgs/rpms/sec/F-12/sec.spec,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -p -r1.6 -r1.7
--- sec.spec	27 Jul 2009 04:07:02 -0000	1.6
+++ sec.spec	3 Oct 2009 07:52:15 -0000	1.7
@@ -1,198 +1,121 @@
-#
-# Specfile for SEC, the simple event correlator
-#
-# https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=169345
-#
-
 Name:           sec
-Version:        2.4.1
-Release:        4%{?dist}
-Summary:        SEC (simple event correlator)
-
+Version:        2.5.2
+Release:        1%{?dist}
+Summary:        Simple Event Correlator script to filter log file entries
 Group:          System Environment/Daemons
 License:        GPLv2+
-URL:            http://www.estpak.ee/~risto/sec/
-
-################################################################################
-
+URL:            http://simple-evcorr.sourceforge.net/
 Source0:        http://dl.sourceforge.net/simple-evcorr/%{name}-%{version}.tar.gz
 Source1:        sec.sysconfig
 Source2:        sec.init
 Source3:        sec.logrotate
-
 # Example files and configuration info
-Source100:      conf.README
-Source101:      http://www.estpak.ee/~risto/sec/examples/syslog-ng.txt
-Source102:      001_init.sec
-Source103:      http://www.bleedingsnort.com/sec/amavisd.sec
-Source104:      http://www.bleedingsnort.com/sec/bsd-MONITOR.sec
-Source105:      http://www.bleedingsnort.com/sec/bsd-PHYSMOD.sec
-Source106:      http://www.bleedingsnort.com/sec/bsd-USERACT.sec
-Source107:      http://www.bleedingsnort.com/sec/clamav.sec
-Source108:      http://www.bleedingsnort.com/sec/cvs.sec
-Source109:      http://www.bleedingsnort.com/sec/dameware.sec
-Source110:      http://www.bleedingsnort.com/sec/dbi-example.sec
-Source111:      http://www.bleedingsnort.com/sec/general.sec
-Source112:      http://www.bleedingsnort.com/sec/hp-openview.sec
-Source113:      http://www.bleedingsnort.com/sec/labrea.sec
-Source114:      http://www.bleedingsnort.com/sec/mpd.sec
-Source115:      http://www.bleedingsnort.com/sec/pix-security.sec
-Source116:      http://www.bleedingsnort.com/sec/pix-url.sec
-Source117:      http://www.bleedingsnort.com/sec/portscan.sec
-Source118:      http://www.bleedingsnort.com/sec/snort.sec
-Source119:      http://www.bleedingsnort.com/sec/snortsam.sec
-Source120:      http://www.bleedingsnort.com/sec/ssh-brute.sec
-Source121:      http://www.bleedingsnort.com/sec/ssh.sec
-Source122:      http://www.bleedingsnort.com/sec/vtund.sec
-Source123:      http://www.bleedingsnort.com/sec/windows.sec
-
-BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-
-BuildArch:		noarch
+Source4:        conf.README
+Source5:        http://simple-evcorr.sourceforge.net/rulesets/amavisd.sec
+Source6:        http://simple-evcorr.sourceforge.net/rulesets/bsd-MONITOR.sec
+Source7:        http://simple-evcorr.sourceforge.net/rulesets/bsd-PHYSMOD.sec
+Source8:        http://simple-evcorr.sourceforge.net/rulesets/bsd-USERACT.sec
+Source9:        http://simple-evcorr.sourceforge.net/rulesets/bsd-general.sec
+Source10:       http://simple-evcorr.sourceforge.net/rulesets/bsd-mpd.sec
+Source11:       http://simple-evcorr.sourceforge.net/rulesets/cisco-syslog.sec
+Source12:       http://simple-evcorr.sourceforge.net/rulesets/cvs.sec
+Source13:       http://simple-evcorr.sourceforge.net/rulesets/dameware.sec
+Source14:       http://simple-evcorr.sourceforge.net/rulesets/hp-openview.sec
+Source15:       http://simple-evcorr.sourceforge.net/rulesets/labrea.sec
+Source16:       http://simple-evcorr.sourceforge.net/rulesets/pix-general.sec
+Source17:       http://simple-evcorr.sourceforge.net/rulesets/pix-security.sec
+Source18:       http://simple-evcorr.sourceforge.net/rulesets/pix-url.sec
+Source19:       http://simple-evcorr.sourceforge.net/rulesets/portscan.sec
+Source20:       http://simple-evcorr.sourceforge.net/rulesets/snort.sec
+Source21:       http://simple-evcorr.sourceforge.net/rulesets/snortsam.sec
+Source22:       http://simple-evcorr.sourceforge.net/rulesets/ssh-brute.sec
+Source23:       http://simple-evcorr.sourceforge.net/rulesets/ssh.sec
+Source24:       http://simple-evcorr.sourceforge.net/rulesets/vtund.sec
+Source25:       http://simple-evcorr.sourceforge.net/rulesets/windows.sec
+BuildArch:      noarch
 
-################################################################################
+# The init script uses arrays, so we need bash
+Requires:       bash
+Requires:       logrotate
 
-Requires(post):	    chkconfig
+Requires(post):     chkconfig
 Requires(postun):   initscripts
 Requires(preun):    initscripts, chkconfig
 
-# The init script uses arrays, so we need bash
-Requires:           bash
-
-# Not required specifically by SEC, but our examples use it so we might as well
-# create a requirement for logrotate.
-Requires:           logrotate
-
-# Some alternate names for the package that users might search for
-Provides:           simple-evcorr
-Provides:           sec.pl
-
-################################################################################
-
 %description
-SEC is an open source and platform independent event correlation tool that
-was designed to fill the gap between commercial event correlation systems and
-homegrown solutions that usually comprise a few simple shell scripts.
-SEC accepts input from regular files, named pipes, and standard input, and can
-thus be employed as an event correlator for any application that is able to
-write its output events to a file stream.
-
-################################################################################
+SEC is a simple event correlation tool that reads lines from files, named
+pipes, or standard input, and matches the lines with regular expressions,
+Perl subroutines, and other patterns for recognizing input events.
+Events are then correlated according to the rules in configuration files,
+producing output events by executing user-specified shell commands, by
+writing messages to pipes or files, etc.
 
 %prep
 %setup -q
 
-# Replace some tags in the config files
-    sed -i -e 's/@@NAME@@/%{name}/'    \
-        %{SOURCE1}                     \
-        %{SOURCE2}                     \
-        %{SOURCE3}
-
-# Fix the bindir in case a user wants it put in a different location
-    sed -i -e 's#/usr/bin/sec#%{_bindir}/sec#' \
-        %{SOURCE2}
-
-################################################################################
+%build
 
 %install
-
-rm -rf $RPM_BUILD_ROOT
-
-# Create the directories we'll need
-    install -d -m 755 $RPM_BUILD_ROOT%{_initrddir}
-    install -d -m 755 $RPM_BUILD_ROOT%{_localstatedir}/log
-    install -d -m 755 $RPM_BUILD_ROOT%{_localstatedir}/run
-    install -d -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d
-    install -d -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig
-    install -d -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/examples
-
 # Install SEC and its associated files
-    install -D -p -m 755 sec.pl     $RPM_BUILD_ROOT%{_bindir}/sec
-    install -D -p -m 644 sec.pl.man $RPM_BUILD_ROOT%{_mandir}/man1/sec.1
-    install -p -m 644 %{SOURCE1} $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/sec
-    install -p -m 644 %{SOURCE3} $RPM_BUILD_ROOT%{_sysconfdir}/logrotate.d/sec
-    install -p -m 755 %{SOURCE2} $RPM_BUILD_ROOT%{_initrddir}/sec
+install -D -m 0755 -p sec.pl     %{buildroot}%{_bindir}/sec
+install -D -m 0644 -p sec.pl.man %{buildroot}%{_mandir}/man1/sec.1
+install -D -m 0644 -p %{SOURCE1} %{buildroot}%{_sysconfdir}/sysconfig/sec
+install -D -m 0644 -p %{SOURCE3} %{buildroot}%{_sysconfdir}/logrotate.d/sec
+install -D -m 0755 -p %{SOURCE2} %{buildroot}%{_initrddir}/sec
 
 # Install the example config files and readme
-    install -p -m 644 %{SOURCE100} \
-            $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/README
-    install -p -m 644 %{SOURCE101} \
-            $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/examples/syslog-ng.sec
-    install -p -m 644 %{SOURCE102}  \
-                      %{SOURCE103}  \
-                      %{SOURCE104}  \
-                      %{SOURCE105}  \
-                      %{SOURCE106}  \
-                      %{SOURCE107}  \
-                      %{SOURCE108}  \
-                      %{SOURCE109}  \
-                      %{SOURCE110}  \
-                      %{SOURCE111}  \
-                      %{SOURCE112}  \
-                      %{SOURCE113}  \
-                      %{SOURCE114}  \
-                      %{SOURCE115}  \
-                      %{SOURCE116}  \
-                      %{SOURCE117}  \
-                      %{SOURCE118}  \
-                      %{SOURCE119}  \
-                      %{SOURCE120}  \
-                      %{SOURCE121}  \
-                      %{SOURCE122}  \
-                      %{SOURCE123}  \
-            $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/examples/
-
-# Replace all "email.com" in sample scripts with an actual fake domain: example.com
-    grep -rl 'email.com' $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/ \
-         | xargs sed -i -e 's/email.com/example.com/g'
-
-# Create ghost files so rpm doesn't complain about them being gone
-    touch $RPM_BUILD_ROOT%{_localstatedir}/log/sec
-    touch $RPM_BUILD_ROOT%{_localstatedir}/run/sec.pid
+install -D -m 0644 -p %{SOURCE4} %{buildroot}%{_sysconfdir}/%{name}/README
+install -d -m 0755  examples
+install -m 0644 -p %{SOURCE5} %{SOURCE6} %{SOURCE7} %{SOURCE8} \
+                   %{SOURCE9} %{SOURCE10} %{SOURCE11} %{SOURCE12} \
+                   %{SOURCE13} %{SOURCE14} %{SOURCE15} %{SOURCE16} \
+                   %{SOURCE17} %{SOURCE18} %{SOURCE19} %{SOURCE20} \
+                   %{SOURCE21} %{SOURCE22} %{SOURCE23} %{SOURCE24} \
+                   %{SOURCE25} examples/
 
-################################################################################
+# Remove executable bits because these files get packed as docs
+chmod 0644 contrib/convert.pl contrib/swatch2sec.pl
 
 %post
-
-if [ $1 = 1 ]; then
-	/sbin/chkconfig --add sec
+if [ $1 -eq 1 ]; then
+        /sbin/chkconfig --add sec
 fi
 
 %preun
-
-if [ $1 = 0 ]; then
-	/sbin/service sec stop > /dev/null 2>&1 || :
-	/sbin/chkconfig --del sec
+if [ $1 -eq 0 ]; then
+        /sbin/service sec stop >/dev/null 2>&1
+        /sbin/chkconfig --del sec
 fi
 
 %postun
-
-if [ $1 = 1 ]; then
-    /sbin/service sec condrestart
+if [ $1 -eq 1 ]; then
+        /sbin/service sec condrestart >/dev/null 2>&1
 fi
 
 %clean
-
-rm -rf $RPM_BUILD_ROOT
-
-################################################################################
+rm -rf %{buildroot}
 
 %files
-
 %defattr(-,root,root,-)
-%doc ChangeLog COPYING README
+%doc ChangeLog COPYING README contrib/convert.pl contrib/itostream.c contrib/swatch2sec.pl examples
+%config(noreplace) %{_sysconfdir}/%{name}
 %config(noreplace) %{_sysconfdir}/sysconfig/sec
-%config(noreplace) %verify (not md5 size mtime) %{_sysconfdir}/logrotate.d/sec
-%{_sysconfdir}/%{name}
-%{_bindir}/sec
+%config(noreplace) %{_sysconfdir}/logrotate.d/sec
 %{_initrddir}/sec
-%{_mandir}/man1/*
-%ghost %verify (not md5 size mtime) %{_localstatedir}/log/sec
-%ghost %verify (not md5 size mtime) %{_localstatedir}/run/sec.pid
-
-################################################################################
+%{_bindir}/sec
+%{_mandir}/man1/sec.1*
 
 %changelog
+* Tue Sep 29 2009 Stefan Schulze Frielinghaus <stefan at seekline.net> - 2.5.2-1
+- New upstream release
+- SPEC file cleanup
+- Init script cleanup
+- Removed some examples because of licensing issues. Upstream has clarified
+  and changed most of the license tags to GPLv2. Additionally, upstream
+  will include the examples in the next release.
+- Removed a provide statement since a period was in the name and no other
+  package required that special name.
+
 * Sun Jul 26 2009 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 2.4.1-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
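Review bot: The `%preun` scriptlet on L2838 drops the `|| :` the old line had, and the `%postun` condrestart on L2847 has none either, so a failing or not-running daemon can make the `service` call's status leak out of the scriptlet (in `%postun` it is the last command and becomes the scriptlet's exit status). Fedora's SysV scriptlet convention guards both calls: `/sbin/service sec stop >/dev/null 2>&1 || :` and `/sbin/service sec condrestart >/dev/null 2>&1 || :`, so an upgrade or removal does not report a scriptlet error because the daemon was down. The `%files` list also no longer ghosts `%{_localstatedir}/run/sec.pid` or `%{_localstatedir}/log/sec`; if the init script still writes those paths, it is worth noting in the spec that they are now left unowned on purpose.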
 


Index: snort.sec
===================================================================
RCS file: /cvs/pkgs/rpms/sec/F-12/snort.sec,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- snort.sec	1 Sep 2006 20:54:01 -0000	1.1
+++ snort.sec	3 Oct 2009 07:52:15 -0000	1.2
@@ -1,5 +1,10 @@
 ####################################################################
 #                Sample SEC ruleset for Snort IDS
+#
+# Copyright (C) 2003-2009 Risto Vaarandi
+# This is free software. You may redistribute copies of it under the terms of 
+# the GNU General Public License version 2.
+# There is NO WARRANTY, to the extent permitted by law.
 ####################################################################
 
 # ------------------------------------------------------------------
@@ -52,7 +57,8 @@ pattern=PRIORITY 1 INCIDENT FROM (\S+) T
 context=ATTACK_FROM_$1
 continue=TakeNext
 desc=Priority 1 attack started from $1
-action=create ATTACK_FROM_$1; add ALERT_REPORT %t: %s; pipe '%t: %s' 
+action=create ATTACK_FROM_$1; add ALERT_REPORT %t: %s; pipe '%t: %s' \
+       /usr/bin/mail -s 'NOC: SNORT: priority 1 attack from $1' alerts at example.com
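Review bot: The mail command added on L2918 interpolates `$1` into the single-quoted `-s` argument, and the capture that produces `$1` is `(\S+)` on the rule's `pattern=` line (visible only truncated in the hunk header), which admits quote and shell metacharacters from whatever text lands in that position of the log line. Since SEC runs a `pipe` command line through a shell, an unexpected log entry can break the quoting and the subject; narrowing the capture to the address shape the rule expects, e.g. `pattern=PRIORITY 1 INCIDENT FROM ([0-9.]+) T…`, keeps the command well-formed. The same construction appears in windows.sec (L3206–L3209, L3214–L3217), where a `(\S+)` capture feeds a double-quoted `-s` argument. Unrelated to this change but visible in the next hunk, L2924 ends its `action=` line with a backslash followed by a trailing space, which presumably defeats the line continuation and should be checked. The rule's `pattern=` line itself lies outside this hunk.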
 
 
 # For every priority 1 incident, add an entry to the context by its IP;
@@ -66,7 +72,7 @@ continue=TakeNext
 desc=Priority 1 incident from $1 to $2: $3
 action=add ATTACK_FROM_$1 %t: %s; \ 
        set ATTACK_FROM_$1 300 ( report ATTACK_FROM_$1 \
-       /usr/bin/mail -s 'NOC: SNORT: priority 1 attack from $1 (report)' alerts at email.com )
+       /usr/bin/mail -s 'NOC: SNORT: priority 1 attack from $1 (report)' alerts at example.com )
 
 
 # ------------------------------------------------------------------
@@ -116,7 +122,7 @@ continue=TakeNext
 desc=Create activity contexts for $1
 action=create ACTIVITY_LIST_FOR_$1_LIFETIME; \
        create ACTIVITY_LIST_FOR_$1 7200 ( report ACTIVITY_LIST_FOR_$1 \
-       /usr/bin/mail -s 'SNORT: $1 has been active for 2 hours' alerts at email.com; \
+       /usr/bin/mail -s 'SNORT: $1 has been active for 2 hours' alerts at example.com; \
        delete ACTIVITY_LIST_FOR_$1_LIFETIME )
 
 
@@ -142,7 +148,7 @@ type=Calendar
 time=0 12 * * *
 desc=Sending alert report...
 action=report ALERT_REPORT \
-       /usr/bin/mail -s 'SNORT: Hourly alert report' alerts at email.com; \
+       /usr/bin/mail -s 'SNORT: Hourly alert report' alerts at example.com; \
        delete ALERT_REPORT
 
 
@@ -152,6 +158,6 @@ type=Calendar
 time=0 9 * * *
 desc=Sending portscan report...
 action=report PORTSCAN_REPORT \
-       /usr/bin/mail -s 'SNORT: daily portscan report' alerts at email.com; \
+       /usr/bin/mail -s 'SNORT: daily portscan report' alerts at example.com; \
        delete PORTSCAN_REPORT
 


Index: snortsam.sec
===================================================================
RCS file: /cvs/pkgs/rpms/sec/F-12/snortsam.sec,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- snortsam.sec	1 Sep 2006 20:54:01 -0000	1.1
+++ snortsam.sec	3 Oct 2009 07:52:15 -0000	1.2
@@ -1,10 +1,17 @@
-
+#############################################################################
+# Snort SAM events
+#
+# Copyright (C) 2003-2009 Matt Jonkman
+# This is free software. You may redistribute copies of it under the terms of 
+# the GNU General Public License version 2.
+# There is NO WARRANTY, to the extent permitted by law.
+#############################################################################
 
 type=single
 ptype=regexp
 pattern=([A-Za-z0-9._-]+) root: (.*) snortsam, Error: Could not bind socket.
 desc = $0
-action=pipe '$1 Snortsam Bind Failed -- NEEDS ATTENTION!: %s' /usr/bin/mail -s "Snortsam Bind Failure: NEEDS ATTENTION on $1" alerts at yourdomain.com
+action=pipe '$1 Snortsam Bind Failed -- NEEDS ATTENTION!: %s' /usr/bin/mail -s "Snortsam Bind Failure: NEEDS ATTENTION on $1" alerts at example.com
 
 
 type=single
@@ -24,7 +31,7 @@ action=add SNORTSAM_REPORT $1 Extending 
 #ptype=regexp
 #pattern=([A-Za-z0-9._-]+)snortsam\[([0-9]+)\]: [*], [:0-9]+, -, ipf, (.*) Failed
 #desc = Snortsam ipf error
-#action=pipe '$1 Snortsam IPF Command Failed' /usr/bin/mail -s "%s" alerts at yourdomain.com
+#action=pipe '$1 Snortsam IPF Command Failed' /usr/bin/mail -s "%s" alerts at example.com
 ##action=add SNORTSAM_REPORT ERROR $1 IPF Command Failure: $2
 
 
@@ -52,13 +59,13 @@ type=single
 ptype=regexp
 pattern=([A-Za-z0-9._-]+) root: (.*) ipf, Error: Command (.*) Failed
 desc = $0
-action=pipe '$1 Snortsam IPF Command Failed: $1 $2 $3' /usr/bin/mail -s "Snortsam IPF Command Failed on $1" alerts at yourdomain.com
+action=pipe '$1 Snortsam IPF Command Failed: $1 $2 $3' /usr/bin/mail -s "Snortsam IPF Command Failed on $1" alerts at example.com
 
 type=single
 ptype=regexp
 pattern=([A-Za-z0-9._-]+) root: (.*) snortsam, Snortsam Station .* using wrong password, trying to resync.
 desc = $0
-action=pipe '$1 Snortsam Password Failure: $1' /usr/bin/mail -s "Snortsam Password Failure on $1" alerts at yourdomain.com
+action=pipe '$1 Snortsam Password Failure: $1' /usr/bin/mail -s "Snortsam Password Failure on $1" alerts at example.com
 
 #Send hourly snortsam report
 
@@ -66,5 +73,5 @@ type=Calendar
 time=0 * * * *
 desc=Sending snortsam report...
 action=report SNORTSAM_REPORT \
-       /usr/bin/mail -s 'SNORTSAM report' alerts at yourdomain.com; \
+       /usr/bin/mail -s 'SNORTSAM report' alerts at example.com; \
        delete SNORTSAM_REPORT


Index: sources
===================================================================
RCS file: /cvs/pkgs/rpms/sec/F-12/sources,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -p -r1.4 -r1.5
--- sources	28 May 2007 20:06:22 -0000	1.4
+++ sources	3 Oct 2009 07:52:15 -0000	1.5
@@ -1 +1 @@
-f233b3acf7cebdb573f4ff1f441866c3  sec-2.4.1.tar.gz
+0e5e3c2e4e3ef6c21fc32a809c6263bb  sec-2.5.2.tar.gz


Index: ssh-brute.sec
===================================================================
RCS file: /cvs/pkgs/rpms/sec/F-12/ssh-brute.sec,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- ssh-brute.sec	1 Sep 2006 20:54:01 -0000	1.1
+++ ssh-brute.sec	3 Oct 2009 07:52:15 -0000	1.2
@@ -1,4 +1,10 @@
 ################## ssh brute force attack blocker
+# Copyright (C) 2003-2009 Mark Bergman
+# This is free software. You may redistribute copies of it under the terms of 
+# the GNU General Public License version 2.
+# There is NO WARRANTY, to the extent permitted by law.
+##################
+#
 # This sec ruleset monitors syslog messages for indications that an ssh brute-force
 # login attack is underway. The trigger is an ssh login failure.
 #
@@ -15,10 +21,6 @@
 # 2 hours.
 #
 # Vulnerabilities of this ruleset are:
-#	DoS attack: if the attacker is aware of this ruleset, they could
-#		spoof a series of victim IP addresses (for example, the 
-#		AOL proxy address), thus causing the server running sec
-#		to deny service to the victim.
 #
 #	persistent firewall rules:
 #		if the sec daemon crashes or is restarted, any existing rules
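Review bot: The header at L3056 still announces "Vulnerabilities of this ruleset are:" but the first item, the spoofed-source caveat, has been removed, leaving an empty `#` line before a list of one; the limitation it described is inherent to any rule that installs firewall blocks keyed on an address read from a log line and does not disappear with the text. Keep a short form so operators deploying the example know the trade-off, e.g. `#	spoofed sources: blocks are keyed on the address the log reports, so forged failures can cause a legitimate host to be blocked.` The header comment continues past the end of this hunk.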


Index: ssh.sec
===================================================================
RCS file: /cvs/pkgs/rpms/sec/F-12/ssh.sec,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- ssh.sec	1 Sep 2006 20:54:01 -0000	1.1
+++ ssh.sec	3 Oct 2009 07:52:15 -0000	1.2
@@ -1,6 +1,13 @@
-# a ruleset to accumulate errors from a parent and child sshd process
+###########################################################################
+# SEC ruleset to accumulate errors from a parent and child sshd process
 # into a single context. This allows reporting of the authenticated
 # user information with the error's generated by the child sshd process.
+#
+# Copyright (C) 2003-2009 John P. Rouillard
+# This is free software. You may redistribute copies of it under the terms of 
+# the GNU General Public License version 2.
+# There is NO WARRANTY, to the extent permitted by law.
+###########################################################################
 
 # note handling of deferred reporting until after tie events received
 # is still in flux. My old rules hanlded it by resubmitting all the
@@ -38,7 +45,7 @@ action=create EVENT_PROCESSED
 #ptype=regexp
 #pattern=([A-Za-z0-9._-]+) sshd\[([0-9]+)\]: \[[^]]+\] Connection from ([0-9.]+) port [0-9]+
 #action=pipe session_log_$1_$2 \
-#    /usr/bin/mail -s "ssh failed to generate tie event for $1" alerts at email.com
+#    /usr/bin/mail -s "ssh failed to generate tie event for $1" alerts at example.com
 #desc2=Link parent and child contexts
 #ptype2=regexp
 #pattern2=$1 [A-z0-9]+\[[0-9]+\]: \[[^]]+\] SSHD child process +([0-9]+) spawned by $2
@@ -86,7 +93,7 @@ desc=Report immediate on request.
 ptype=regexp
 pattern=^sshd: Report (.*) if needed$
 context = session_log_report_$1
-action= report session_log_$1 /usr/bin/mailx -s "sshd error on $1" alerts at email.com ;\
+action= report session_log_$1 /usr/bin/mailx -s "sshd error on $1" alerts at example.com ;\
         delete session_log_report_$1
 
 type=suppress
@@ -144,7 +151,7 @@ pattern=([A-z._0-9-]*) sshd\[([0-9]+)\]:
 context = $3 < 1025 && tie_event_received_$1_$2
 action = add session_log_$1_$2 $0 ; \
          report session_log_report_$1_$2 \
-             /usr/bin/mailx -s "sshd bind < 1025 on $1" alerts at email.com
+             /usr/bin/mailx -s "sshd bind < 1025 on $1" alerts at example.com
 
 # end immediate rules here
 
@@ -178,7 +185,7 @@ pattern=([A-z._0-9-]*) sshd\[([0-9]+)\]:
 context = ssh_port_forward_errors_$1_$2
 desc = send report on ssh forward errors if pass threshold (bind)
 action = report session_log_$1_$2 \
-            /usr/bin/mailx -s "ssh port forward errors host $1" alerts at email.com; \
+            /usr/bin/mailx -s "ssh port forward errors host $1" alerts at example.com; \
          delete ssh_port_forward_errors_$1_$2
 thresh=5
 window=600
@@ -211,7 +218,7 @@ pattern=([A-z._0-9-]*) sshd\[([0-9]+)\]:
 context = ssh_channel_setup_errors_$1_$2
 desc = send report on ssh channel setup errors
 action = report session_log_$1_$2 \
-            /usr/bin/mailx -s "ssh port forward errors host $1" alerts at email.com ; \
+            /usr/bin/mailx -s "ssh port forward errors host $1" alerts at example.com ; \
          delete ssh_channel_setup_errors_$1_$2
 thresh=5
 window=600
@@ -234,7 +241,7 @@ pattern=([A-Za-z0-9._-]+) sshd\[([0-9]+)
 desc = create context to report ssh errors for host $1 pid $2 in 5 minutes
 context = ! session_log_5min_timer_$1_$2
 action = create session_log_5min_timer_$1_$2 300 report session_log_$1_$2 \
-              /usr/bin/mailx -s "ssh errors for host $1 pid $2" alerts at email.com
+              /usr/bin/mailx -s "ssh errors for host $1 pid $2" alerts at example.com
 
 type=single
 continue = dontcont


Index: vtund.sec
===================================================================
RCS file: /cvs/pkgs/rpms/sec/F-12/vtund.sec,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- vtund.sec	1 Sep 2006 20:54:01 -0000	1.1
+++ vtund.sec	3 Oct 2009 07:52:15 -0000	1.2
@@ -1,4 +1,11 @@
-#VTUN Events
+#############################################################################
+# VTUN events
+#
+# Copyright (C) 2003-2009 Matt Jonkman
+# This is free software. You may redistribute copies of it under the terms of 
+# the GNU General Public License version 2.
+# There is NO WARRANTY, to the extent permitted by law.
+#############################################################################
 
 type=Single
 ptype=RegExp
@@ -58,14 +65,3 @@ pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+vtund\
 desc=$0
 action=add GENERAL_REPORT %t: VTUN Session $2 Closed on $1
 
-
-
-#Send 12 hours vtun report
-
-type=Calendar
-time=0 0,12 * * *
-desc=Sending vtun report...
-action=report VTUN_REPORT \
-       /usr/bin/mail -s 'VTUN: VTUN Report' alerts at yourdomain.com; \
-       delete VTUN_REPORT0
-


Index: windows.sec
===================================================================
RCS file: /cvs/pkgs/rpms/sec/F-12/windows.sec,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- windows.sec	1 Sep 2006 20:54:01 -0000	1.1
+++ windows.sec	3 Oct 2009 07:52:15 -0000	1.2
@@ -1,4 +1,11 @@
-#Windows events
+#############################################################################
+# Windows events
+#
+# Copyright (C) 2003-2009 Matt Jonkman
+# This is free software. You may redistribute copies of it under the terms of 
+# the GNU General Public License version 2.
+# There is NO WARRANTY, to the extent permitted by law.
+#############################################################################
 
 type=Single
 ptype=RegExp
@@ -17,21 +24,21 @@ type=Single
 ptype=RegExp
 pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+Security: \\Everyone: User Account Locked Out: Target Account Name: (\S+) .*
 desc=$0
-action=pipe '$1 Windows Account Lockout: %s' /usr/bin/mail -s "Windows Account Locked on $1" alerts at yourdomain.com
+action=pipe '$1 Windows Account Lockout: %s' /usr/bin/mail -s "Windows Account Locked on $1" alerts at example.com
 
 
 type=Single
 ptype=RegExp
 pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+Security: \\Everyone: User Account Changed: (/S+)\. .*
 desc=$0
-action=pipe '$1 Windows Account Change: %s' /usr/bin/mail -s "Windows Account Changed on $1: $2" alerts at yourdomain.com
+action=pipe '$1 Windows Account Change: %s' /usr/bin/mail -s "Windows Account Changed on $1: $2" alerts at example.com
 
 
 type=Single
 ptype=RegExp
 pattern=\S+\s+\d+\s+\S+\s+(\S+)\s+NetBT: N\/A: A duplicate name has been detected on the TCP network\. .*
 desc=$0
-action=pipe '$1 Duplicate Netbios Name Detected: %s' /usr/bin/mail -s "Duplicate Netbios Name on $1" alerts at yourdomain.com
+action=pipe '$1 Duplicate Netbios Name Detected: %s' /usr/bin/mail -s "Duplicate Netbios Name on $1" alerts at example.com
 
 
 


--- 001_init.sec DELETED ---


--- clamav.sec DELETED ---


--- dbi-example.sec DELETED ---


--- general.sec DELETED ---


--- mpd.sec DELETED ---


--- syslog-ng.txt DELETED ---



