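# THUNDER PRM LIBRARY
# Copyright 2008 Tenable Network Security
# This library may only be used with the Thunder server and may not
# be used with other products or open source projects
#
# NAME:
#   ISA Firewall
#
# DESCRIPTION:
#   This library is used to process logs from the ISA Firewall sent
#   via the Snare tool.
#
# TUNING:
#   Tenable customers who wish to tune this library may choose to
#   comment out various portions of the library. For example, they may wish
#   to only log threats. When adding and deleting signatures, ensure
#   that each active signature is separated by a 'NEXT' separator.
#
# NOTES (review):
#   - Every match= term must be present in the log line. The terms appear to be
#     plain, unordered substrings, so a network pair such as "Local Host" +
#     "External" does not by itself establish direction; the direction in each
#     event label follows this library's naming convention, not a positional
#     check. Confirm against a Snare sample line before using these events for
#     access-control reporting.
#   - Capture-group layout of the TCP/UDP regexes:
#       $1 src IP, $2 last-octet group inside the src IP, $3 src port,
#       $4 dst IP, $5 last-octet group inside the dst IP, $6 dst port,
#       $7 third IP (structural anchor only, not logged).
#     dstport must therefore reference $6; $5 only yields ".NNN".
#   - The regexes use greedy .* and assume exactly three dotted quads follow
#     the protocol token; a line carrying additional addresses would shift the
#     captured values. Verify on a sample line if fields look wrong.
#   - proto values are IANA protocol numbers: TCP 6, UDP 17, ICMP 1, IGMP 2.
#   - type:connection is used for Establish/Intermediate results,
#     type:firewall for Denied/Terminate results.
#   - Event labels for 4277-4279 lack the "Established_" prefix used by
#     4283/4286; they are left as-is so existing downstream queries keep working.
#
# LAST UPDATE: $Date: 2009/02/20 21:56:46 $

id=4275
name=The ISA firewall has blocked an internal to local UDP connection.
match=ISAFWSLog
match=UDP
match=Internal
match=Local Host
match=Denied
regex=UDP.* ([0-9]+(\.[0-9]+){3}):([0-9]+).* ([0-9]+(\.[0-9]+){3}):([0-9]+).* ([0-9]+(\.[0-9]+){3})
log=event:ISA-Denied_Internal_To_Local_Connection_UDP srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:17 type:firewall

NEXT

id=4276
name=The ISA firewall has terminated an external to internal TCP connection.
match=ISAFWSLog
match=TCP
match=External
match=Internal
match=Terminate
regex=TCP.* ([0-9]+(\.[0-9]+){3}):([0-9]+).* ([0-9]+(\.[0-9]+){3}):([0-9]+).* ([0-9]+(\.[0-9]+){3})
log=event:ISA-Terminated_External_To_Internal_Connection_TCP srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:firewall

NEXT

id=4277
name=The ISA firewall has established an external to internal TCP connection.
match=ISAFWSLog
match=TCP
match=External
match=Internal
match=Establish
regex=TCP.* ([0-9]+(\.[0-9]+){3}):([0-9]+).* ([0-9]+(\.[0-9]+){3}):([0-9]+).* ([0-9]+(\.[0-9]+){3})
log=event:ISA-External_To_Internal_Connection_TCP srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:connection

NEXT

id=4278
name=The ISA firewall has established a local to internal TCP connection.
match=ISAFWSLog
match=TCP
match=Local Host
match=Internal
match=Establish
regex=TCP.* ([0-9]+(\.[0-9]+){3}):([0-9]+).* ([0-9]+(\.[0-9]+){3}):([0-9]+).* ([0-9]+(\.[0-9]+){3})
log=event:ISA-Local_To_Internal_Connection_TCP srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:connection

NEXT

id=4279
name=The ISA firewall has established an external to local TCP connection.
match=ISAFWSLog
match=TCP
match=Local Host
match=External
match=Establish
regex=TCP.* ([0-9]+(\.[0-9]+){3}):([0-9]+).* ([0-9]+(\.[0-9]+){3}):([0-9]+).* ([0-9]+(\.[0-9]+){3})
log=event:ISA-External_To_Local_Connection_TCP srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:connection

NEXT

id=4280
name=The ISA firewall has terminated a local to internal TCP connection.
match=ISAFWSLog
match=TCP
match=Local Host
match=Internal
match=Terminate
regex=TCP.* ([0-9]+(\.[0-9]+){3}):([0-9]+).* ([0-9]+(\.[0-9]+){3}):([0-9]+).* ([0-9]+(\.[0-9]+){3})
log=event:ISA-Terminated_Local_To_Internal_Connection_TCP srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:firewall

NEXT

id=4281
name=The ISA firewall has terminated an external to local TCP connection.
match=ISAFWSLog
match=TCP
match=Local Host
match=External
match=Terminate
regex=TCP.* ([0-9]+(\.[0-9]+){3}):([0-9]+).* ([0-9]+(\.[0-9]+){3}):([0-9]+).* ([0-9]+(\.[0-9]+){3})
log=event:ISA-Terminated_External_To_Local_Connection_TCP srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:firewall

NEXT

# Name corrected: the match set (Internal + Denied) and the event label describe
# a denied internal-to-local IGMP connection, not a terminated external one.
# proto corrected from 8 (EGP) to 2, the IANA number for IGMP.
id=4282
name=The ISA firewall has denied an internal to local IGMP connection.
match=ISAFWSLog
match=IGMP
match=Local Host
match=Internal
match=Denied
regex=IGMP.* ([0-9]+(\.[0-9]+){3}).* ([0-9]+(\.[0-9]+){3}).* ([0-9]+(\.[0-9]+){3})
log=event:ISA-Denied_Internal_To_Local_Connection_IGMP srcip:$1 dstip:$3 proto:2 type:firewall

NEXT

# proto corrected from 8 (EGP) to 1, the IANA number for ICMP.
# type changed to connection: this is an Establish result, like 4277-4279/4286.
id=4283
name=The ISA firewall has established a local to internal ICMP connection.
match=ISAFWSLog
match=ICMP
match=Local Host
match=Internal
match=Establish
regex=ICMP.* ([0-9]+(\.[0-9]+){3}).* ([0-9]+(\.[0-9]+){3}).* ([0-9]+(\.[0-9]+){3})
log=event:ISA-Established_Local_To_Internal_Connection_ICMP srcip:$1 dstip:$3 proto:1 type:connection

NEXT

# dstport corrected from $5 (the ".NNN" group inside the dst IP) to $6.
id=4284
name=The ISA firewall has denied an external to local TCP connection.
match=ISAFWSLog
match=TCP
match=Local Host
match=External
match=Denied
regex=TCP.* ([0-9]+(\.[0-9]+){3}):([0-9]+).* ([0-9]+(\.[0-9]+){3}):([0-9]+).* ([0-9]+(\.[0-9]+){3})
log=event:ISA-Denied_External_To_Local_Connection_TCP srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:firewall

NEXT

# Name corrected: this rule matches UDP, not TCP.
# dstport corrected from $5 to $6.
# NOTE(review): the event label says Local_To_External while the match set is
# identical to 4284's (Local Host + External + Denied), which is labelled
# External_To_Local. The match terms do not enforce direction either way; the
# label is kept unchanged so existing downstream queries keep working.
id=4285
name=The ISA firewall has denied an external to local UDP connection.
match=ISAFWSLog
match=UDP
match=Local Host
match=External
match=Denied
regex=UDP.* ([0-9]+(\.[0-9]+){3}):([0-9]+).* ([0-9]+(\.[0-9]+){3}):([0-9]+).* ([0-9]+(\.[0-9]+){3})
log=event:ISA-Denied_Local_To_External_Connection_UDP srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:17 type:firewall

NEXT

# Event label corrected from Local_To_External to Local_To_Internal: the rule
# only matches lines containing "Internal" (no "External" term), so the old
# label mis-attributed internal traffic to the External network. Any consumer
# keyed on ISA-Established_Local_To_External_Connection_UDP must be updated.
# dstport corrected from $5 to $6.
id=4286
name=The ISA firewall has established a local to internal UDP connection.
match=ISAFWSLog
match=UDP
match=Local Host
match=Internal
match=Establish
regex=UDP.* ([0-9]+(\.[0-9]+){3}):([0-9]+).* ([0-9]+(\.[0-9]+){3}):([0-9]+).* ([0-9]+(\.[0-9]+){3})
log=event:ISA-Established_Local_To_Internal_Connection_UDP srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:17 type:connection

NEXT

# Name corrected: the match set (Denied) and the event label describe a denied
# connection, not an established one.
# proto corrected from 8 (EGP) to 1 (ICMP); type changed to firewall to match
# the other Denied rules.
# NOTE(review): ICMP has no ports; whatever follows the ':' after the source
# address is passed through as srcport. Confirm what ISA places there.
id=4287
name=The ISA firewall has denied an external to local ICMP connection.
match=ISAFWSLog
match=ICMP
match=Local Host
match=External
match=Denied
regex=ICMP.* ([0-9]+(\.[0-9]+){3}):([0-9]+).* ([0-9]+(\.[0-9]+){3}).* ([0-9]+(\.[0-9]+){3})
log=event:ISA-Denied_External_To_Local_Connection_ICMP srcip:$1 srcport:$3 dstip:$4 proto:1 type:firewall

NEXT

# proto corrected from 8 (EGP) to 1 (ICMP).
id=4288
name=The ISA firewall has terminated a local to internal ICMP connection.
match=ISAFWSLog
match=ICMP
match=Local Host
match=Internal
match=Terminate
regex=ICMP.* ([0-9]+(\.[0-9]+){3}):([0-9]+).* ([0-9]+(\.[0-9]+){3}).* ([0-9]+(\.[0-9]+){3})
log=event:ISA-Terminated_Local_To_Internal_Connection_ICMP srcip:$1 srcport:$3 dstip:$4 proto:1 type:firewall

NEXT

# dstport corrected from $5 to $6.
id=4289
name=The ISA firewall has terminated a local to internal UDP connection.
match=ISAFWSLog
match=UDP
match=Local Host
match=Internal
match=Terminate
regex=UDP.* ([0-9]+(\.[0-9]+){3}):([0-9]+).* ([0-9]+(\.[0-9]+){3}):([0-9]+).* ([0-9]+(\.[0-9]+){3})
log=event:ISA-Terminated_Local_To_Internal_Connection_UDP srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:17 type:firewall

NEXT

# proto corrected from 8 (EGP) to 1 (ICMP).
id=4290
name=The ISA firewall has denied an internal to local ICMP connection.
match=ISAFWSLog
match=ICMP
match=Local Host
match=Internal
match=Denied
regex=ICMP.* ([0-9]+(\.[0-9]+){3}):([0-9]+).* ([0-9]+(\.[0-9]+){3}).* ([0-9]+(\.[0-9]+){3})
log=event:ISA-Denied_Internal_To_Local_Connection_ICMP srcip:$1 srcport:$3 dstip:$4 proto:1 type:firewall

NEXT

# match=ISAFWSLog added so this rule is anchored to ISA firewall lines like every
# other rule in this library; without it any log containing "Intermediate",
# "Internal" and three dotted quads would be attributed to ISA.
# NOTE(review): confirm against a sample Snare line that Intermediate records
# carry the ISAFWSLog tag; if they do not, drop the added term.
# No protocol is logged because the regex is not protocol-specific.
id=4291
name=The ISA firewall has established an intermediate connection.
match=ISAFWSLog
match=Intermediate
match=Internal
regex=.* ([0-9]+(\.[0-9]+){3}):([0-9]+).* ([0-9]+(\.[0-9]+){3}).* ([0-9]+(\.[0-9]+){3})
log=event:ISA-Intermediate_Connection srcip:$1 srcport:$3 dstip:$4 type:connection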