Bug #328

RULE CISCO-VPN.RULES ( Authentication rejected) UNRECOGNIZED FOR PRELUDE-LML

Added by over 15 years ago. Updated almost 15 years ago.

Status:
Closed
Priority:
High
Assignee:
-
Target version:
Start date:
Due date:
% Done:

0%

Resolution:
fixed

Description

Currently, I have prelude-lml installed and working properly for VPN authentication; however, refused authentications do not match the rule and do not appear in prewikka.

I have installed the default configuration files that have the rules cisco-vpn.rules and pcre.rules.

#LOG:Oct 29 19:18:20 vpn 1793 10/29/2003 19:18:20.190 SEV=3 AUTH/5 RPT=6 12.34.56.78  Authentication rejected: Reason = Invalid password handle = 66, server = Internal, user = gene.gomez, domain = <not specified>
regex=([\d\.]+)  Authentication rejected: Reason = (.+) handle = \d+, server = (\w+), user = (\S+), domain = (.+); \
 classification.text=VPN user authentication; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=vpn_id; \
 classification.reference(0).name=AUTH/5; \
 classification.reference(1).origin=vendor-specific; \
 classification.reference(1).meaning=vpn_severity; \
 classification.reference(1).name=3; \
 id=301; \
 revision=3; \
 analyzer(0).name=VPN Concentrator; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=VPN; \
 assessment.impact.severity=medium; \
 assessment.impact.type=user; \
 assessment.impact.completion=failed; \
 assessment.impact.description=VPN user $4 failed authentication because of $2; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 target(0).user.category=application; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$4; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Failure reason; \
 additional_data(0).data=$2; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Authentication server; \
 additional_data(1).data=$3; \
 additional_data(2).type=string; \
 additional_data(2).meaning=Authentication domain; \
 additional_data(2).data=$5; \
 last

File pcre.rules

regex=SEV=;                include = cisco-vpn.rules;

cisco-vpn.rules (7.64 KB) , 10/28/2008 04:59 PM

pcre.rules (5.35 KB) , 10/28/2008 04:59 PM

cisco-vpn.diff (915 Bytes) Yoann VANDOORSELAERE, 11/04/2008 03:16 PM

History

#1 Updated by Yoann VANDOORSELAERE over 15 years ago

Could you please provide input logs that aren't matched by the current ruleset, so that we can look at the issue?

#2 Updated by over 15 years ago

Replying to [comment:1 yoann]:

Could you please provide input logs that aren't matched by the current ruleset, so that we can look at the issue?

Hi Yoann,

Yes sure!

Nov 3 08:56:25 xx.xxx.xx.xx 3752150 11/03/2008 09:03:03.660 SEV=3 AUTH/5 RPT=33245 190.74.200.57 Authentication rejected: Reason = Unspecified handle = 687, server = xxx.xxx.xx.xx, user = dromer, domain = <not specified>

Nov 3 08:57:33 xxx.xxx.xx.xx 3752396 11/03/2008 09:04:11.330 SEV=3 AUTH/5 RPT=33246 190.38.158.25 Authentication rejected: Reason = Unspecified handle = 681, server = xxx.xxx.xx.xx, user = tp1fallvi, domain = <not specified>

Where:
xxx.xxx.xx.xx is an IP address

#3 Updated by Yoann VANDOORSELAERE over 15 years ago

Could you try the attached patch, and report whether it fixes your problem?

#4 Updated by over 15 years ago

Replying to [comment:3 yoann]:

Could you try the attached patch, and report whether it fixes your problem?

Hi Yoann,

Excellent friend,
The problem has been solved!!

Thank you very much!

#5 Updated by Yoann VANDOORSELAERE over 15 years ago

  • Status changed from New to Closed
  • Resolution set to fixed

(In r11081) Match Authentication Rejected message even though the server field
does not contain a word (fix #328).
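The following is an added example, not part of this ticket or of the Prelude-LML code base, that reproduces the failure using the rule quoted in the description and the log lines pasted in comment 2. It applies the rule's regex in Python (re, not the PCRE engine prelude-lml uses) to show why the server field's (\w+) capture cannot match a dotted address such as xxx.xxx.xx.xx, and how the $1..$5 captures are mapped to the fields the rule fills in. Two assumptions are made: the run of spaces between the source address and "Authentication" is written as \s+ so that the single-spaced lines from comment 2 are comparable with the double-spaced #LOG line, and the "fixed" pattern below simply widens the server capture to \S+; the actual content of the attached cisco-vpn.diff is not shown on this page, so that pattern is hypothetical.

```python
import re

# Sample lines as they appear on this ticket: the #LOG line from the rule in
# the description, and the two masked lines from comment 2 (constructed
# input for this example; addresses are as masked by the reporter).
SAMPLE_LOGS = [
    "Oct 29 19:18:20 vpn 1793 10/29/2003 19:18:20.190 SEV=3 AUTH/5 RPT=6 "
    "12.34.56.78  Authentication rejected: Reason = Invalid password "
    "handle = 66, server = Internal, user = gene.gomez, domain = <not specified>",
    "Nov 3 08:56:25 xx.xxx.xx.xx 3752150 11/03/2008 09:03:03.660 SEV=3 AUTH/5 "
    "RPT=33245 190.74.200.57 Authentication rejected: Reason = Unspecified "
    "handle = 687, server = xxx.xxx.xx.xx, user = dromer, domain = <not specified>",
    "Nov 3 08:57:33 xxx.xxx.xx.xx 3752396 11/03/2008 09:04:11.330 SEV=3 AUTH/5 "
    "RPT=33246 190.38.158.25 Authentication rejected: Reason = Unspecified "
    "handle = 681, server = xxx.xxx.xx.xx, user = tp1fallvi, domain = <not specified>",
]

# Body of the regex= line from the cisco-vpn.rules entry in the description.
# Assumption: \s+ replaces the two literal spaces before "Authentication".
# The server field is (\w+), which only accepts word characters.
ORIGINAL_RE = re.compile(
    r"([\d\.]+)\s+Authentication rejected: Reason = (.+) handle = \d+, "
    r"server = (\w+), user = (\S+), domain = (.+)"
)

# Hypothetical corrected pattern (not the attached cisco-vpn.diff): \S+ for
# the server field so a dotted address like xxx.xxx.xx.xx also matches.
FIXED_RE = re.compile(
    r"([\d\.]+)\s+Authentication rejected: Reason = (.+) handle = \d+, "
    r"server = (\S+), user = (\S+), domain = (.+)"
)


def dispatched_to_cisco_vpn(line):
    """Mimic the pcre.rules gate quoted in the report (regex=SEV=; include =
    cisco-vpn.rules;): only lines containing 'SEV=' reach the VPN rules."""
    return "SEV=" in line


def match_rule(pattern, line):
    """Apply one rule regex and map its captures to the fields the quoted
    rule fills in ($1 source address, $2 reason, $3 server, $4 user,
    $5 domain). Returns None when the rule does not fire, which is why the
    reporter saw nothing in prewikka for the comment-2 lines."""
    if not dispatched_to_cisco_vpn(line):
        return None
    m = pattern.search(line)
    if m is None:
        return None
    src, reason, server, user, domain = m.groups()
    return {
        "source(0).node.address(0).address": src,
        "target(0).user.user_id(0).name": user,
        "assessment.impact.description":
            f"VPN user {user} failed authentication because of {reason}",
        "Failure reason": reason,
        "Authentication server": server,
        "Authentication domain": domain,
    }


def coverage(pattern, lines=SAMPLE_LOGS):
    """One boolean per sample line: did the rule fire on it?"""
    return [match_rule(pattern, line) is not None for line in lines]


if __name__ == "__main__":
    for name, pattern in (("original", ORIGINAL_RE), ("fixed", FIXED_RE)):
        print(name, coverage(pattern))
        for line in SAMPLE_LOGS:
            fields = match_rule(pattern, line)
            if fields:
                print("  ", fields["Authentication server"],
                      fields["assessment.impact.description"])
```

Running the block shows the original pattern firing only on the #LOG line (server = Internal) and the widened pattern firing on all three, with the reporter's masked server address landing in the "Authentication server" additional_data field. When a rule silently stops matching, comparing the rule's own #LOG sample against a real line field by field, as done here, is the quickest way to find which capture is too narrow.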

#6 Updated by Yoann VANDOORSELAERE almost 15 years ago

  • Project changed from PRELUDE SIEM to Prelude-LML
  • Category deleted (4)
  • Target version deleted (93)
