Feature #340

New ruleset for PPP/PPTPD/L2TP

Added by over 13 years ago. Updated over 13 years ago.

Status:
Closed
Priority:
Normal
Target version:
Start date:
Due date:
% Done:

0%

Resolution:
fixed

Description

New ruleset for PPP/PPTPD/L2TP

pcre.rules.diff.gz - pcre.rules update (305 Bytes) , 12/16/2008 08:05 AM

ppp.rules.gz - PPP rules (758 Bytes) , 12/16/2008 08:05 AM

History

#1 Updated by Pierre Chifflier over 13 years ago

  • Status changed from New to Assigned

Overall looks good, just a few comments:

  • The line preceding the rule should use the following format:
    #LOG: Dec  4 23:01:36 beorc pppr24796: tun2: Phase: Chap Input: RESPONSE (49 bytes from afonyashin)
    instead of
    #Dec  4 23:01:36 beorc pppr24796: tun2: Phase: Chap Input: RESPONSE (49 bytes from afonyashin)
    This allows automated tools to run tests (and check that the signature really matches the line).
  • In rule 2, you have the following:
     assessment.impact.completion=succeeded; \
     assessment.impact.description=Authenticated successfully; \
    This is redundant. You should use something like 'Authentication attempt' in the description; the completion will tell the result by itself.
  • Not all your rules have an 'id' field.
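As an added example (not code from the ticket or from Prelude-LML), here is the kind of automated check the #LOG: convention enables: it pairs each #LOG: sample with the rule that follows, verifies the rule's regex matches the sample, and flags rules without an id field. The rule layout (key=value; fields joined with a trailing backslash) is assumed from the snippet in the comment; the regexes and id values are constructed.

```python
import re

# Constructed rules fragment: the "#LOG:" line and "key=value; \" layout follow the
# ticket; the regexes and the id value are made up and not taken from ppp.rules.
SAMPLE_RULES = r"""
#LOG: Dec  4 23:01:36 beorc pppr24796: tun2: Phase: Chap Input: RESPONSE (49 bytes from afonyashin)
regex=Chap Input: RESPONSE \((\d+) bytes from (\S+)\); \
 id=9999; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Authentication attempt; \
 last
#LOG: Dec  4 23:01:40 beorc pppr24796: tun2: Phase: Chap Input: FAILURE (12 bytes from afonyashin)
regex=Chap Input: SUCCESS; \
 assessment.impact.completion=failed; \
 last
"""

def parse_rules(text):
    """Yield (sample_or_None, fields) per rule; continued lines are joined, then split on ";"."""
    sample, buf = None, []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("#LOG:"):
            sample = line[len("#LOG:"):].strip()  # the line the rule must match
            continue
        if not line or line.startswith("#"):       # blank line or plain comment
            continue
        buf.append(line.rstrip("\\").strip())
        if line.endswith("\\"):                    # rule continues on the next line
            continue
        fields = {}
        for part in " ".join(buf).split(";"):      # a ";" inside a regex would break this
            if "=" in part:
                key, value = part.split("=", 1)
                fields[key.strip()] = value.strip()
        yield sample, fields
        sample, buf = None, []

def check_rules(text):
    """Return (rule-id, problem) findings; an empty list means every rule passes."""
    findings = []
    for n, (sample, fields) in enumerate(parse_rules(text), 1):
        ident = fields.get("id", f"rule#{n}")
        if "id" not in fields:
            findings.append((ident, "missing id field"))
        if sample is None:
            findings.append((ident, "no #LOG: sample line before the rule"))
        elif not re.search(fields.get("regex", ""), sample):
            findings.append((ident, "regex does not match the #LOG: sample"))
    return findings
```

Running check_rules(SAMPLE_RULES) reports nothing for the first rule and two findings for the second, which lacks an id and whose regex does not match its own sample.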

#2 Updated by Pierre Chifflier over 13 years ago

One more point:
  • impact.description can be set in the first rule, since it is generic, so you assign the description when creating the context, and the status (success/failed) when you get the result.

#3 Updated by Yoann VANDOORSELAERE over 13 years ago

  • Status changed from Assigned to Closed
  • Resolution set to fixed

(In r11135) New PPP/PPTPD/L2TP ruleset, by Alexander Afonyashin <>,
with slight modification from Pierre Chifflier <>.
Close #340.

#4 Updated by Yoann VANDOORSELAERE over 13 years ago

  • Project changed from PRELUDE SIEM to Prelude-LML
  • Category deleted (4)
  • Target version deleted (93)
