[prelude-devel] [Prelude Universal SIM system] #328: RULE CISCO-VPN.RULES ( Authentication rejected) UNRECOGNIZED FOR PRELUDE-LML

Prelude Universal SIM system noreply at prelude-ids.org
Mon Nov 3 09:47:03 CET 2008


#328: RULE CISCO-VPN.RULES ( Authentication rejected) UNRECOGNIZED FOR PRELUDE-LML
-----------------------------------+----------------------------------------
 Reporter:  alvareco1 at hotmail.com  |        Owner:                    
     Type:  defect                 |       Status:  new               
 Priority:  high                   |    Milestone:  Prelude-LML 0.9.15
Component:  prelude-lml            |      Version:  0.9               
 Severity:  critical               |   Resolution:                    
 Keywords:                         |  
-----------------------------------+----------------------------------------

New description:

 Currently I have prelude-lml installed and working properly for VPN
 authentication; however, refused authentications do not match the rule and
 do not appear in prewikka.

 I have installed the default configuration file that has the rules
 cisco-vpn.rules and pcre.rules

 {{{
 #LOG:Oct 29 19:18:20 vpn 1793 10/29/2003 19:18:20.190 SEV=3 AUTH/5 RPT=6 12.34.56.78  Authentication rejected: Reason = Invalid password handle = 66, server = Internal, user = gene.gomez, domain = <not specified>
 regex=([\d\.]+)  Authentication rejected: Reason = (.+) handle = \d+, server = (\w+), user = (\S+), domain = (.+); \
  classification.text=VPN user authentication; \
  classification.reference(0).origin=vendor-specific; \
  classification.reference(0).meaning=vpn_id; \
  classification.reference(0).name=AUTH/5; \
  classification.reference(1).origin=vendor-specific; \
  classification.reference(1).meaning=vpn_severity; \
  classification.reference(1).name=3; \
  id=301; \
  revision=3; \
  analyzer(0).name=VPN Concentrator; \
  analyzer(0).manufacturer=Cisco; \
  analyzer(0).class=VPN; \
  assessment.impact.severity=medium; \
  assessment.impact.type=user; \
  assessment.impact.completion=failed; \
  assessment.impact.description=VPN user $4 failed authentication because of $2; \
  source(0).node.address(0).category=ipv4-addr; \
  source(0).node.address(0).address=$1; \
  target(0).user.category=application; \
  target(0).user.user_id(0).type=target-user; \
  target(0).user.user_id(0).name=$4; \
  additional_data(0).type=string; \
  additional_data(0).meaning=Failure reason; \
  additional_data(0).data=$2; \
  additional_data(1).type=string; \
  additional_data(1).meaning=Authentication server; \
  additional_data(1).data=$3; \
  additional_data(2).type=string; \
  additional_data(2).meaning=Authentication domain; \
  additional_data(2).data=$5; \
  last
 }}}

 File pcre.rules
 {{{
 regex=SEV=;                             include = cisco-vpn.rules;
 }}}
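To check which log lines the rule quoted above actually accepts before sending samples to the developers, here is an added Python harness that is not part of the ticket or of prelude-lml. It copies the pcre.rules dispatch regex and the cisco-vpn.rules regex verbatim from the description, runs them over constructed log lines (the first reproduces the #LOG line above, the others are hypothetical variants that change one detail each) and expands the $N capture references into the IDMEF fields the way prelude-lml does. The function names, the status labels and the sample lines are assumptions made for this example; only the regexes and field templates come from the ticket.

```python
import re

# Top-level dispatch from the ticket's pcre.rules: only lines containing "SEV="
# are handed to the cisco-vpn.rules file.
DISPATCH_REGEX = re.compile(r"SEV=")

# The regex from the cisco-vpn.rules entry quoted in the ticket, copied verbatim
# (note the two literal spaces before "Authentication").
RULE_REGEX = re.compile(
    r"([\d\.]+)  Authentication rejected: Reason = (.+) handle = \d+, "
    r"server = (\w+), user = (\S+), domain = (.+)"
)

# The IDMEF fields of that rule that reference capture groups ($N).
FIELD_TEMPLATES = {
    "assessment.impact.description": "VPN user $4 failed authentication because of $2",
    "source(0).node.address(0).address": "$1",
    "target(0).user.user_id(0).name": "$4",
    "additional_data(0).data": "$2",  # Failure reason
    "additional_data(1).data": "$3",  # Authentication server
    "additional_data(2).data": "$5",  # Authentication domain
}


def expand(template, match):
    """Replace $N references with the corresponding capture group, as prelude-lml does."""
    return re.sub(r"\$(\d+)", lambda ref: match.group(int(ref.group(1))), template)


def apply_rule(line):
    """Run one log line through the dispatch regex and then the VPN rule.

    Returns ("no-dispatch", None) when pcre.rules never includes cisco-vpn.rules
    for this line, ("no-match", None) when the rule regex fails, and
    ("match", fields) with the expanded IDMEF fields on success.
    (Status labels are this example's own, not prelude-lml output.)
    """
    if not DISPATCH_REGEX.search(line):
        return "no-dispatch", None
    m = RULE_REGEX.search(line)
    if m is None:
        return "no-match", None
    return "match", {key: expand(tmpl, m) for key, tmpl in FIELD_TEMPLATES.items()}


# Constructed sample lines (not real captures). The first copies the #LOG line
# from the ticket; the others are hypothetical variants that change one detail.
SAMPLE_LINES = [
    "Oct 29 19:18:20 vpn 1793 10/29/2003 19:18:20.190 SEV=3 AUTH/5 RPT=6 "
    "12.34.56.78  Authentication rejected: Reason = Invalid password handle = 66, "
    "server = Internal, user = gene.gomez, domain = <not specified>",
    # Only one space between the address and "Authentication".
    "Oct 29 19:18:21 vpn 1794 10/29/2003 19:18:21.010 SEV=3 AUTH/5 RPT=7 "
    "12.34.56.79 Authentication rejected: Reason = Invalid password handle = 67, "
    "server = Internal, user = jdoe, domain = <not specified>",
    # Server name containing a hyphen, which \w+ does not consume.
    "Oct 29 19:18:22 vpn 1795 10/29/2003 19:18:22.300 SEV=3 AUTH/5 RPT=8 "
    "12.34.56.80  Authentication rejected: Reason = Invalid password handle = 68, "
    "server = RADIUS-1, user = jdoe, domain = corp",
    # Line without the "SEV=" token that pcre.rules dispatches on.
    "Oct 29 19:18:23 vpn 1796 AUTH/5 RPT=9 "
    "12.34.56.81  Authentication rejected: Reason = Invalid password handle = 69, "
    "server = Internal, user = jdoe, domain = <not specified>",
]


def triage(lines):
    """Return [(status, fields)] per line so unmatched input can be spotted before filing a ticket."""
    return [apply_rule(line) for line in lines]


if __name__ == "__main__":
    for line, (status, fields) in zip(SAMPLE_LINES, triage(SAMPLE_LINES)):
        print(status, "|", line[:60])
        if fields:
            for key, value in fields.items():
                print("   ", key, "=", value)
```

Running it with the real lines that do not show up in prewikka, in place of the constructed ones, tells you whether the rule regex or the "SEV=" dispatch is the part that fails, which is exactly the information the developer asks for in the comment below; the harness does not determine what is in the reporter's logs.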

--

Comment(by yoann):

 Could you please provide input logs that aren't matched by the current
 ruleset, so that we can look at the issue?

-- 
Ticket URL: <https://trac.prelude-ids.org/ticket/328#comment:1>
Prelude Universal SIM system <http://www.prelude-ids.com>