#####
#
# Copyright (C) 2006 PreludeIDS Technologies. All Rights Reserved.
# Author: Yoann Vandoorselaere
#
# This file is part of the SEC program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; see the file COPYING.  If not, write to
# the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
#
#####

# SEC (Simple Event Correlator) ruleset using ptype=IDMEF: each "pattern"
# matches fields of a Prelude IDMEF message, and the capture groups $1..$n
# are substituted into context names, the "desc" string and the actions.
# The three rules are evaluated in file order.
#
# Contexts in this ruleset should be prefixed with FIREWALL_

# Suppress info and low events
# Events whose assessment.impact.severity is "info" or "low" stop here and
# never reach the two correlation rules below.
# NOTE(review): if the firewall sensor rates its own packet-drop events as
# info/low, they are suppressed before rule (1 of 2) sees them, no DROP
# context is ever created, and rule (2 of 2) reports "No firewall drop
# reported" for every remaining event -- confirm the severity your firewall
# sensor assigns to denials.
type=Suppress
ptype=IDMEF
pattern=assessment.impact.severity: (info|low)

# Firewall correlation (1 of 2)
# This rule detects packet denials and resets any contexts that may have been
# created regarding events attached to this packet. It sets a timer for the
# next 10 seconds for other events that might match the criteria.
#
# Captures: $1 source address, $2 source port, $3 target address, $4 target
# port. The port captures use (.*), so a missing port still yields a context
# name (with an empty segment); rule (2 of 2) must capture the same four
# fields in the same order for the names to line up.
# The "create" names the context FIREWALL_SOURCE_TARGET_DROP_<tuple> with a
# 10 second lifetime and no action list. Presumably "create" on a context
# that rule (2 of 2) already opened replaces it, which is what discards the
# pending "prelude %s" expiry action -- confirm against the SEC version in
# use.
# NOTE(review): in the classification.text regex the "|" applies to the
# whole expression, so it matches "Packet Dropped" or any text containing
# "Denied" (e.g. "Connection Denied"), assuming unanchored matching. If only
# packet events are meant, "[Pp]acket ([Dd]ropped|[Dd]enied)" would be the
# narrower form.
# "desc=$0" keeps the whole matched event as the rule description;
# continue=TakeNext lets the event fall through to rule (2 of 2) as well.
type=Single
ptype=IDMEF
pattern=classification.text: [Pp]acket [Dd]ropped|[Dd]enied; \
        source(0).node.address(0).address: (.+); \
        source(0).service.port: (.*); \
        target(0).node.address(0).address: (.+); \
        target(0).service.port: (.*);
desc=$0
continue=TakeNext
action=create FIREWALL_SOURCE_TARGET_DROP_$1_$2_$3_$4 10

# Firewall correlation (2 of 2)
# This rule begins a timer for every event that contains a source and a target
# address which has not been matched by an observed packet denial. If a packet
# denial is not observed in the next 10 seconds, an event alert is generated.
#
# Captures: $1..$4 as in rule (1 of 2), $5 the event severity, $6 its
# messageid, $7 and $8 the analyzerid of the analyzer(-1) and analyzer(-2)
# entries (presumably the last two analyzers in the message's analyzer
# path -- verify against the IDMEF layout produced by your manager).
# context=!FIREWALL_SOURCE_TARGET_DROP_<tuple> means the rule fires only
# when no such context exists: neither a drop for this tuple within the last
# 10 seconds (rule 1 of 2) nor a timer this rule already started, so repeated
# events for one tuple produce at most one pending alert per 10 seconds.
# "desc" is the correlation alert that the expiry action emits: its severity
# is copied from the triggering event ($5), alertident(0) references that
# event's messageid ($6) under the analyzer id computed below (%analyzerid),
# and additional_data is tagged ignore_atomic_event.
# The first action evaluates Perl code: %analyzerid takes $7, or $8 when $7
# is empty. NOTE(review): $7/$8 are event-supplied values interpolated into
# the Perl source before eval; a value containing a double quote, backslash,
# "$" or "@" would change the evaluated expression. The analyzer ids come
# from the Prelude sensor/manager chain rather than from monitored hosts, so
# the exposure is limited, but constraining the two captures (for example to
# characters valid in an analyzerid) would remove it.
# The second action creates the context with a 10 second lifetime and the
# expiry action "prelude %s", which presumably sends the "desc" alert when
# the timer runs out without rule (1 of 2) having replaced the context.
type=Single
ptype=IDMEF
pattern=source(0).node.address(0).address: (.+); \
        source(0).service.port: (.*); \
        target(0).node.address(0).address: (.+); \
        target(0).service.port: (.*); \
        assessment.impact.severity: (.*); \
        messageid: (.+); \
        analyzer(-1).analyzerid: (.*); \
        analyzer(-2).analyzerid: (.*);
continue=TakeNext
context=!FIREWALL_SOURCE_TARGET_DROP_$1_$2_$3_$4
desc=correlation_alert.name=No firewall drop reported; \
     assessment.impact.severity=$5; \
     correlation_alert.alertident(0).alertident=$6; \
     correlation_alert.alertident(0).analyzerid=%analyzerid; \
     additional_data(>>).data = ignore_atomic_event;
action=eval %analyzerid ("$7" || "$8"); \
       create FIREWALL_SOURCE_TARGET_DROP_$1_$2_$3_$4 10 (prelude %s)