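# Customized prelude-lml rules file to support Ipchains events
# Simon Castro
#
# Each rule below matches one ipchains kernel log entry of the form
#   kernel: Packet log: <chain> <target> <interface> PROTO=<n> <src>:<sport> <dst>:<dport> ...
# and maps the captured groups onto alert fields:
#   $1 = chain the rule fired in (input/output/forward), $2 = interface the
#   packet was logged on, $3/$4 = source address/port, $5/$6 = target address/port.
# $2 is mapped to source.interface unconditionally; for output-chain entries it
# names the egress interface, so read it as "interface seen on" rather than "ingress".
# Only DENY and ACCEPT targets are covered: REJECT entries and protocols other
# than TCP (6), UDP (17) and ICMP (1) produce no alert from this file.
# For PROTO=1 ipchains places the ICMP type and code in the two port positions,
# so the *.service.port fields of the ICMP rules carry type and code, not ports.
#
# Deny rules : Match all IPv4 packet deny references for tcp, udp and icmp protocols.
#
# TCP
regex=kernel: Packet log: (\w+) DENY (\w+) PROTO=6 ([\d\.]+):(\d+) ([\d\.]+):(\d+); \
 class.name=Packet denied by Ipchains firewall; \
 impact.completion=failed; impact.type=other; impact.severity=medium; \
 impact.description=Ipchains denied a TCP packet : $3:$4 -> $5:$6 on $2 (Chain is '$1'); \
 source.node.address; source.node.address.category=ipv4-addr; \
 source.node.address.address=$3; source.service.port=$4; source.service.protocol=tcp; \
 target.node.address; target.node.address.category=ipv4-addr; \
 target.node.address.address=$5; target.service.port=$6; target.service.protocol=tcp; \
 source.interface=$2;

# UDP
regex=kernel: Packet log: (\w+) DENY (\w+) PROTO=17 ([\d\.]+):(\d+) ([\d\.]+):(\d+); \
 class.name=Packet denied by Ipchains firewall; \
 impact.completion=failed; impact.type=other; impact.severity=medium; \
 impact.description=Ipchains denied an UDP packet : $3:$4 -> $5:$6 on $2 (Chain is '$1'); \
 source.node.address; source.node.address.category=ipv4-addr; \
 source.node.address.address=$3; source.service.port=$4; source.service.protocol=udp; \
 target.node.address; target.node.address.category=ipv4-addr; \
 target.node.address.address=$5; target.service.port=$6; target.service.protocol=udp; \
 source.interface=$2;

# ICMP ($4 = ICMP type, $6 = ICMP code, see header note)
regex=kernel: Packet log: (\w+) DENY (\w+) PROTO=1 ([\d\.]+):(\d+) ([\d\.]+):(\d+); \
 class.name=Packet denied by Ipchains firewall; \
 impact.completion=failed; impact.type=other; impact.severity=medium; \
 impact.description=Ipchains denied an ICMP packet : $3:$4 -> $5:$6 on $2 (Chain is '$1'); \
 source.node.address; source.node.address.category=ipv4-addr; \
 source.node.address.address=$3; source.service.port=$4; source.service.protocol=icmp; \
 target.node.address; target.node.address.category=ipv4-addr; \
 target.node.address.address=$5; target.service.port=$6; target.service.protocol=icmp; \
 source.interface=$2;

#
# Accept rules : Match all IPv4 packet accept references for tcp, udp and icmp protocols.
#
# TCP
regex=kernel: Packet log: (\w+) ACCEPT (\w+) PROTO=6 ([\d\.]+):(\d+) ([\d\.]+):(\d+); \
 class.name=Packet accepted by Ipchains firewall; \
 impact.completion=succeeded; impact.type=other; impact.severity=medium; \
 impact.description=Ipchains accepted a TCP packet : $3:$4 -> $5:$6 on $2 (Chain is '$1'); \
 source.node.address; source.node.address.category=ipv4-addr; \
 source.node.address.address=$3; source.service.port=$4; source.service.protocol=tcp; \
 target.node.address; target.node.address.category=ipv4-addr; \
 target.node.address.address=$5; target.service.port=$6; target.service.protocol=tcp; \
 source.interface=$2;

# UDP
regex=kernel: Packet log: (\w+) ACCEPT (\w+) PROTO=17 ([\d\.]+):(\d+) ([\d\.]+):(\d+); \
 class.name=Packet accepted by Ipchains firewall; \
 impact.completion=succeeded; impact.type=other; impact.severity=medium; \
 impact.description=Ipchains accepted an UDP packet : $3:$4 -> $5:$6 on $2 (Chain is '$1'); \
 source.node.address; source.node.address.category=ipv4-addr; \
 source.node.address.address=$3; source.service.port=$4; source.service.protocol=udp; \
 target.node.address; target.node.address.category=ipv4-addr; \
 target.node.address.address=$5; target.service.port=$6; target.service.protocol=udp; \
 source.interface=$2;

# ICMP ($4 = ICMP type, $6 = ICMP code, see header note)
regex=kernel: Packet log: (\w+) ACCEPT (\w+) PROTO=1 ([\d\.]+):(\d+) ([\d\.]+):(\d+); \
 class.name=Packet accepted by Ipchains firewall; \
 impact.completion=succeeded; impact.type=other; impact.severity=medium; \
 impact.description=Ipchains accepted an ICMP packet : $3:$4 -> $5:$6 on $2 (Chain is '$1'); \
 source.node.address; source.node.address.category=ipv4-addr; \
 source.node.address.address=$3; source.service.port=$4; source.service.protocol=icmp; \
 target.node.address; target.node.address.category=ipv4-addr; \
 target.node.address.address=$5; target.service.port=$6; target.service.protocol=icmp; \
 source.interface=$2;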