Bug #328
RULE CISCO-VPN.RULES ( Authentication rejected) UNRECOGNIZED FOR PRELUDE-LML
Description
Currently, I have prelude-lml installed and working properly for VPN authentication; however, rejected authentications do not match the rule and do not appear in prewikka.
I have installed the default configuration file that has the rules cisco-vpn.rules and pcre.rules.
#LOG:Oct 29 19:18:20 vpn 1793 10/29/2003 19:18:20.190 SEV=3 AUTH/5 RPT=6 12.34.56.78 Authentication rejected: Reason = Invalid password handle = 66, server = Internal, user = gene.gomez, domain = <not specified>
regex=([\d\.]+) Authentication rejected: Reason = (.+) handle = \d+, server = (\w+), user = (\S+), domain = (.+); \
 classification.text=VPN user authentication; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=vpn_id; \
 classification.reference(0).name=AUTH/5; \
 classification.reference(1).origin=vendor-specific; \
 classification.reference(1).meaning=vpn_severity; \
 classification.reference(1).name=3; \
 id=301; \
 revision=3; \
 analyzer(0).name=VPN Concentrator; \
 analyzer(0).manufacturer=Cisco; \
 analyzer(0).class=VPN; \
 assessment.impact.severity=medium; \
 assessment.impact.type=user; \
 assessment.impact.completion=failed; \
 assessment.impact.description=VPN user $4 failed authentication because of $2; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$1; \
 target(0).user.category=application; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$4; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Failure reason; \
 additional_data(0).data=$2; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Authentication server; \
 additional_data(1).data=$3; \
 additional_data(2).type=string; \
 additional_data(2).meaning=Authentication domain; \
 additional_data(2).data=$5; \
 last
File pcre.rules
regex=SEV=; include = cisco-vpn.rules;
History
#1 Updated by Yoann VANDOORSELAERE almost 15 years ago
Could you please provide input logs that aren't matched by the current ruleset, so that we can look at the issue?
#2 Updated by almost 15 years ago
Replying to [comment:1 yoann]:
Could you please provide input logs that aren't matched by the current ruleset, so that we can look at the issue?
Hi Yoann,
Yes sure!
Nov 3 08:56:25 xx.xxx.xx.xx 3752150 11/03/2008 09:03:03.660 SEV=3 AUTH/5 RPT=33245 190.74.200.57 Authentication rejected: Reason = Unspecified handle = 687, server = xxx.xxx.xx.xx, user = dromer, domain = <not specified>
Nov 3 08:57:33 xxx.xxx.xx.xx 3752396 11/03/2008 09:04:11.330 SEV=3 AUTH/5 RPT=33246 190.38.158.25 Authentication rejected: Reason = Unspecified handle = 681, server = xxx.xxx.xx.xx, user = tp1fallvi, domain = <not specified>
Where:
xxx.xxx.xx.xx is an IP address
#3 Updated by Yoann VANDOORSELAERE almost 15 years ago
Could you try the attached patch, and report whether it fixes your problem?
#4 Updated by almost 15 years ago
Replying to [comment:3 yoann]:
Could you try the attached patch, and report whether it fixes your problem?
Hi Yoann,
Excellent friend,
The problem has been solved!!
Thank you very much!
#5 Updated by Yoann VANDOORSELAERE almost 15 years ago
- Status changed from New to Closed
- Resolution set to fixed
(In r11081) Match Authentication Rejected message even though the server field
does not contain a word (fix #328).
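The following is an added illustration, not code from the ticket or from the Prelude-LML project, of why the rule quoted in the description fails on the logs posted in comment #2 and what a relaxed match looks like. The original regex is copied verbatim from the rule; the relaxed form (`server = ([^,]+)`) is an assumption, since the actual r11081 patch is not shown on this page. The sample lines are constructed from the shapes posted above, with 192.0.2.10 standing in for the masked server address.

```python
import re

# Regex exactly as it appears in the cisco-vpn.rules entry quoted in the ticket.
# "server = (\w+)" only accepts a bare word such as "Internal".
ORIGINAL_REGEX = (
    r"([\d\.]+) Authentication rejected: Reason = (.+) handle = \d+, "
    r"server = (\w+), user = (\S+), domain = (.+)"
)

# Assumed relaxed form (not the actual r11081 change, which is not on this page):
# accept anything up to the next comma, so dotted IPs and hostnames match too.
RELAXED_REGEX = (
    r"([\d\.]+) Authentication rejected: Reason = (.+) handle = \d+, "
    r"server = ([^,]+), user = (\S+), domain = (.+)"
)

# Gate from pcre.rules: only lines containing "SEV=" reach cisco-vpn.rules.
PCRE_GATE = re.compile(r"SEV=")

# Constructed sample lines modelled on the ticket. The first mirrors the rule's own
# comment (server is a word); the second mirrors comment #2, where the server field
# is a dotted address (192.0.2.10 is a documentation-range placeholder).
SAMPLE_LOGS = [
    "Oct 29 19:18:20 vpn 1793 10/29/2003 19:18:20.190 SEV=3 AUTH/5 RPT=6 12.34.56.78 "
    "Authentication rejected: Reason = Invalid password handle = 66, server = Internal, "
    "user = gene.gomez, domain = <not specified>",
    "Nov 3 08:56:25 xx.xxx.xx.xx 3752150 11/03/2008 09:03:03.660 SEV=3 AUTH/5 RPT=33245 "
    "190.74.200.57 Authentication rejected: Reason = Unspecified handle = 687, "
    "server = 192.0.2.10, user = dromer, domain = <not specified>",
]


def match_rule(regex, line):
    """Apply one cisco-vpn.rules regex and map its capture groups ($1..$5)
    onto the IDMEF fields the rule fills in. Returns None when the rule
    does not match, which is exactly the symptom reported in the ticket."""
    m = re.search(regex, line)
    if not m:
        return None
    src, reason, server, user, domain = m.groups()
    return {
        "source_address": src,      # source(0).node.address(0).address=$1
        "failure_reason": reason,   # additional_data(0).data=$2
        "auth_server": server,      # additional_data(1).data=$3
        "target_user": user,        # target(0).user.user_id(0).name=$4
        "auth_domain": domain,      # additional_data(2).data=$5
    }


def process(line, regex):
    """Mimic the rule chain: pcre.rules gate (regex=SEV=) then the included rule."""
    if not PCRE_GATE.search(line):
        return None
    return match_rule(regex, line)


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        for name, rx in (("original", ORIGINAL_REGEX), ("relaxed", RELAXED_REGEX)):
            print(f"{name:8s} -> {process(line, rx)}")
```

Running it shows the original regex producing an alert for the word-named server and `None` for the dotted one, while the relaxed regex yields the expected user, reason and server fields for both; a missing alert in prewikka for a failed VPN login is a detection gap worth testing for with exactly this kind of sample line.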
#6 Updated by Yoann VANDOORSELAERE over 14 years ago
- Project changed from PRELUDE SIEM to Prelude-LML
- Category deleted (4)
- Target version deleted (93)