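# THUNDER PRM LIBRARY
# Copyright 2004 Tenable Network Security
#
# This library may only be used with the lce server and may not
# be used with other products or open source projects
#
# NAME:
# D-Link Firewall event library
#
# DESCRIPTION:
#
# These signatures look for a variety of events. They can
# be used by a Lce server receiving SYSLOG messages from a
# D-Link firewall.
#
# File layout (as used below):
#   id=     numeric rule id, unique within this library
#   name=   human-readable description of the event
#   match=  literal substrings of the syslog message; every rule
#           includes "D-Link Sys" so only D-Link "System Log:" lines
#           are considered
#   regex=  pattern whose capture groups are referenced as $1..$4 in log=
#   log=    normalized event: type, event name and captured fields
#           (srcip/dstip/srcport/dstport/proto/sensor)
#   NEXT    separates rules
#
# Conventions:
#   - proto: 6 = TCP, 17 = UDP, 1 = ICMP; omitted when the message does
#     not identify the transport protocol.
#   - The IP pattern [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ only checks shape,
#     not octet ranges; captured values are taken from the log text as-is.
#
# LAST UPDATE: $Date: 2011/09/19 17:14:54 $

# Dynamic DNS update; the captured address is the updated DNS target.
id=7220
name=A D-Link firewall updated a dynamic DNS entry.
match=D-Link Sys
match=tem
match=ystem
match=ate
match=date
match=ent
match=Lo
match=ce
match=ed
match=ss
match= System Log: Successfully updated dynamic DNS entry for
regex=.* Successfully updated dynamic DNS entry for .* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:system event:DLink-Updated_DNS srcip:$1
NEXT

# Internet access policy set to "Allowed" for one internal address.
id=7221
name=A D-Link firewall has allowed internet access for a specific IP address.
match=D-Link Sys
match=IP
match=tem
match=ystem
match=Lo
match=ce
match=ss
match=System Log: Internet access for IP address
match=acc
regex=System Log: Internet access for IP address ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) set to: Allowed
log=type:system event:DLink-Allowed_Access srcip:$1
NEXT

# Firewall log viewed; srcip is the viewer's address.
id=7222
name=A D-Link firewall has had its log viewed.
match=D-Link Sys
match=tem
match=Lo
match=ed
match=ss
match=System Log: Log viewed by IP address
match=IP
match=ystem
regex=System Log: Log viewed by IP address ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:system event:DLink-Log_Viewed srcip:$1
NEXT

# Packet dropped because a new session could not be created
# (e.g. session table pressure); no ports or protocol are parsed.
id=7223
name=A D-Link firewall has dropped a packet and is unable to create a new session.
match=D-Link Sys
match=tem
match=rom
match=ack
match=Lo
match=ed
match=System Log: Dropped packet from
match=pp
match=ate
match=ion
match=le
match=ss
match=as unable to create new session
match=ystem
regex=System Log: Dropped packet from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) to ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) \(IP
log=type:firewall event:DLink-Dropped_Packet srcip:$1 dstip:$2
NEXT

# Inbound TCP connection request blocked; ports are captured.
id=7224
name=A D-Link firewall has blocked an incoming TCP connection
match=D-Link Sys
match=est
match=request
match=TCP
match=tem
match=rom
match=Lo
match=lo
match=ion
match=ing
match=ed
match=System Log: Blocked incoming TCP connection request from
match=ect
match=onnect
match=onnection
match=ystem
regex=System Log: Blocked incoming TCP connection request from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]+) to ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]+)
log=type:firewall event:DLink-Denied_Incoming_TCP_Connection srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6
NEXT

# Inbound TCP packet with no matching active connection.
id=7225
name=A D-Link firewall has blocked an incoming TCP packet.
match=D-Link Sys
match=TCP
match=tem
match=rom
match=ack
match=Lo
match=lo
match=ing
match=ed
match=System Log: Blocked incoming TCP packet from
match=ystem
match=ion
match=ce
match= received but there is no active connection
match=ect
match=onnect
match=onnection
regex=System Log: Blocked incoming TCP packet from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]+) to ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]+)
log=type:firewall event:DLink-Denied_Incoming_TCP_Packet srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6
NEXT

# Outbound TCP packet with no matching active connection.
id=7226
name=A D-Link firewall has blocked an outgoing TCP packet.
match=D-Link Sys
match=TCP
match=tem
match=rom
match=ack
match=Lo
match=lo
match=ing
match=ed
match= System Log: Blocked outgoing TCP packet from
match=ystem
match=ion
match=ce
match= received but there is no active connection
match=ect
match=onnect
match=onnection
regex= System Log: Blocked outgoing TCP packet from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]+) to ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]+)
log=type:firewall event:DLink-Denied_Outgoing_TCP_Packet srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6
NEXT

# Wireless client associated; no fields are extracted.
id=7227
name=A D-Link firewall has noticed a wireless system.
match=D-Link Sys
match=tem
match=Lo
match= System Log:
match=ystem
match=ire
match=le
match=ss
match=Wireless system with
match=ystem
match=ass
match=ate
match=ed
match=associated
log=type:system event:DLink-Wireless_System_Associated
NEXT

# Wireless client secured and linked; no fields are extracted.
id=7228
name=A D-Link firewall noticed a wireless system and secured and linked it.
match=D-Link Sys
match=tem
match=Lo
match= System Log:
match=ystem
match=ire
match=le
match=ss
match=Wireless system with
match=ystem
match=ecu
match=ed
match=secured and linked
match=an
log=type:system event:DLink-Wireless_System_Secured
NEXT

# DHCP lease granted. The host name is restricted to [a-zA-Z0-9._-] by
# the regex and stored as "sensor"; the leased address as srcip.
id=7229
name=A D-Link firewall has noticed a network computer was assigned an IP address.
match=D-Link Sys
match=tem
match=Lo
match=System Log: A network computer
match=ystem
match=ss
match=ass
match=ed
match=was assigned the IP address of
match=IP
regex=System Log: A network computer \(([a-zA-Z0-9._-]+)\) was assigned the IP address of ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:dhcp event:DLink-Network_Computer_Assigned_IP sensor:$1 srcip:$2
NEXT

# DHCP lease expired without renewal.
id=7230
name=A D-Link firewall has noticed a network computer has lost its lease.
match=D-Link Sys
match=tem
match=Lo
match=le
match=ed
match=System Log: A network computer never renewed its 'lease' of
match=ystem
match=lo
match=ss
match= and has lost its right to use that address.
match=an
regex=.*of ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) and
log=type:dhcp event:DLink-Network_Computer_Lost_Lease srcip:$1
NEXT

# Web site access logged by the firewall; only the client address is kept.
id=7231
name=A D-Link firewall has noticed a web site being accessed from a specific ip address.
match=D-Link Sys
match=tem
match=Lo
match=System Log: Web site
match=ystem
match=rom
match=ce
match=ed
match=ss
match=accessed from
match=acc
regex=System Log: .*accessed from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:web-access event:DLink-Web_Site_Accessed srcip:$1
NEXT

# Configuration written to NVRAM (a config change indicator).
id=7232
name=A D-Link firewall stored its configuration to non-volatile memory.
match=tem
match=ystem
match=D-Link Sys
match=ol
match=St
match=Lo
match=ion
match=le
match=ed
match=System Log: Stored configuration to non-volatile memory
log=type:system event:DLink-Stored_Configuration
NEXT

# Inbound UDP packet blocked; ports are captured.
id=7233
name=A D-Link firewall has blocked an incoming UDP packet.
match=D-Link Sys
match=UDP
match=tem
match=ystem
match=lo
match=ed
match=Blocked
match=rom
match=ack
match=Lo
match=ing
match=System Log: Blocked incoming UDP packet from
regex=System Log: Blocked incoming UDP packet from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]+) to ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]+)
log=type:firewall event:DLink-Denied_Incoming_UDP_Packet srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:17
NEXT

# Inbound ICMP packet blocked.
# FIX: the event was previously logged as DLink-Denied_Outgoing_TCP_Packet
# (copy/paste from rule 7226), which mislabelled inbound ICMP as outbound
# TCP and merged it with that event in searches and dashboards. The new
# name follows the Denied_<direction>_<proto>_Packet pattern used by
# 7225/7226/7233; any saved filters keyed on the old name for this rule
# need updating.
id=7234
name=A D-Link firewall has blocked an incoming ICMP packet.
match=D-Link Sys
match=ICMP
match=MP
match=lo
match=ed
match=Blocked
match=tem
match=ystem
match=Lo
match=ing
match= System Log: Blocked incoming ICMP
regex= System Log: Blocked incoming ICMP .* from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) to ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:firewall event:DLink-Denied_Incoming_ICMP_Packet srcip:$1 dstip:$2 proto:1
NEXT

# Failed administrative (configuration) authentication; srcip is the
# address that attempted the login.
id=7235
name=A D-Link firewall had a failed administrator login attempt.
match=D-Link Sys
match=ent
match=tem
match=ail
match=Lo
match=ion
match=le
match=ed
match=pt
match=System Log: Failed configuration authentication attempt
match=ystem
match=ailed
regex=.* by IP address ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:login-failure event:DLink-Admin_Login_Failure srcip:$1
NEXT

# Successful administrative (configuration) authentication.
id=7236
name=A D-Link firewall had a valid administrator login attempt.
match=D-Link Sys
match=ent
match=tem
match=Lo
match=lo
match=ion
match=ed
match= System Log: Allowed configuration authentication by
match=ystem
regex=.* by IP address ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:login event:DLink-Admin_Login srcip:$1
NEXT

# Packet rejected (with ports); the message does not name the
# transport protocol, so proto is intentionally omitted.
id=7237
name=A D-Link firewall has rejected a packet.
match=D-Link Sys
match=tem
match=Lo
match=System Log:
match=ystem
match=rom
match=ack
match=ed
match=rejected packet from
match=reject
match=ect
regex=.* from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]+) to ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]+)
log=type:firewall event:DLink-Rejected_Packet srcip:$1 srcport:$2 dstip:$3 dstport:$4
NEXT

# UPnP-initiated firewall rule addition; worth alerting on, since any
# LAN host can open inbound ports this way.
id=7238
name=A D-Link firewall had an internal source use UPnP to add a firewall rule.
match=D-Link Sys
match=tem
match=Lo
match=System Log:
match=ystem
match=ent
match=ed
match= UPnP added entry
log=type:system event:DLink-Firewall_Rule_Added_Via_UPnP
NEXT

# UPnP-initiated firewall rule removal.
id=7239
name=A D-Link firewall had an internal source use UPnP to remove a firewall rule.
match=D-Link Sys
match=tem
match=Lo
match=System Log:
match=ystem
match=ent
match=le
match=ed
match= UPnP deleted entry
log=type:system event:DLink-Firewall_Rule_Deleted_Via_UPnP
NEXT

# Inbound packet blocked on a non-TCP/UDP/ICMP IP protocol; the protocol
# number present in the message after "(IP protocol" is not captured.
id=7240
name=A D-Link firewall blocked Internet activity on a protocol other than ICMP, TCP or UDP.
match=D-Link Sys
match=IP
match=tem
match=Lo
match=System Log:
match=lo
match=ed
match=Blocked
match=rom
match=ack
match=ing
match= Blocked incoming packet from
match=ystem
match=ol
match= (IP protocol
regex=.* from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) to ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:firewall event:DLink-Firewall_IP_Protocol_Blocked srcip:$1 dstip:$2
NEXT

# Outbound ICMP blocked. proto:1 added for consistency with rule 7234,
# the other ICMP-specific firewall event.
id=7241
name=A D-Link firewall blocked an outbound ICMP ping request.
match=D-Link Sys
match=ICMP
match=MP
match=tem
match=Lo
match=System Log:
match=ystem
match=lo
match=ed
match=Blocked
match=ack
match=ing
match= Blocked outgoing ICMP packet (ICMP
regex=.* from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) to ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:firewall event:DLink-Firewall_Blocked_Outbound_Ping srcip:$1 dstip:$2 proto:1
NEXT

# Generic "Blocked packet from" catch-all with no ports or protocol.
# NOTE(review): several match= tokens below are listed more than once
# (":", "System Log:", "from"); they look redundant but are left as-is
# pending confirmation of how the matcher treats repeated tokens.
id=7242
name=A D-Link firewall blocked a packet.
match=:
match= System Log:
match= packet
match=System
match=tem
match=System Log:
match=in
match=lo
match=rom
match=from
match=ystem
match=:
match= from
match=Link
match=Lo
match=D-Link Sys
match=packet
match=from
match=Blocked
match=ed
match=ac
match=System Log: Blocked packet from
regex=.* from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) to ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:firewall event:DLink-Firewall_Blocked_Packet srcip:$1 dstip:$2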