# THUNDER PRM LIBRARY
# Copyright 2009 Tenable Network Security
# This library may only be used with the Thunder server and may not
# be used with other products or open source projects
#
# NAME:
# SonicWall Firewall
#
# DESCRIPTION:
# This library is used to process logs from a system running the
# SonicWall firewall. Logs should be sent to LCE via SYSLOG,
# or from an LCE Client monitoring the log file that events are
# being logged to by the SonicWall Firewall.
#
# LAST UPDATE: $Date: 2011/08/22 00:54:47 $
#
# REVIEWER NOTES (not part of the original library text):
#
# Structure. Each rule is a run of key=value lines terminated by NEXT:
#   id=     numeric rule identifier
#   name=   human-readable description
#   match=  literal text that must occur in the raw log line; every
#           match= of a rule must hit. A value beginning with "!"
#           (e.g. match=!msg=) appears to require the text to be ABSENT
#           instead - confirm against the PRM syntax reference.
#           Many values are fragments of the msg text ("onnection",
#           "onnect", "ect"), so they look like cheap substring
#           pre-filters evaluated before the regex.
#   regex=  capture expression; groups are referenced as $1..$5 in log=
#   log=    normalized event: type, event name and the captured fields
#
# Attribution caveat. sensor:$1 is taken from the "fw=" field INSIDE the
# log text, not from the syslog transport source. Syslog carries no
# authentication, so a forged line containing an arbitrary fw= value is
# attributed to that sensor. Restrict which hosts may deliver syslog to
# LCE and cross-check fw= against the expected firewall addresses.
#
# Regex caveats. The address pattern accepts any dotted quad of digit
# runs ([0-9]+ per octet) and does not validate octet ranges or anchor
# the match; the first "fw=" in the line is the one captured. Ports are
# the digits directly after the address and a colon, so any further
# ":suffix" after the port (if the device appends one) is skipped by
# the following ".*". The separators are greedy ".*", which is fine
# while src= and dst= occur once per line; if a message ever repeats
# those tokens the LAST occurrence would win.
#
# Leading spaces. Some values are written as "match= msg=..." with a
# space after the "=". That space is preserved verbatim below; it
# appears intentional (requires a preceding space in the log line) but
# confirm before editing those rules.

# 7485: msg="Connection Closed" with proto=tcp -> closed TCP connection.
id=7485
name=This SonicWall firewall closed a tcp connection.
match=lo
match=ion
match=ed
match=msg="Connection Closed"
match=cp
match=tcp
match=onnection
match=onnect
match=ect
match=fw=
match=proto=tcp
regex=fw=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*src=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+).*dst=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+)
log=type:connection event:Sonicwall-Closed_Connection_TCP sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 proto:6
NEXT

# 7486: msg="Connection Opened" with proto=tcp -> allowed TCP connection.
id=7486
name=This SonicWall firewall opened a tcp connection.
match=ion
match=ed
match=msg="Connection Opened"
match=cp
match=tcp
match=onnection
match=onnect
match=ect
match=fw=
match=proto=tcp
regex=fw=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*src=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+).*dst=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+)
log=type:connection event:Sonicwall-Allowed_Connection_TCP sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 proto:6
NEXT

# 7487: msg="Connection Opened" with proto=udp -> allowed UDP connection.
id=7487
name=This SonicWall firewall opened a udp connection.
match=ion
match=ed
match=msg="Connection Opened"
match=udp
match=onnection
match=onnect
match=ect
match=fw=
match=proto=udp
regex=fw=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*src=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+).*dst=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+)
log=type:connection event:Sonicwall-Allowed_Connection_UDP sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 proto:17
NEXT

# 7488: msg="Connection Closed" with proto=udp -> closed UDP connection.
id=7488
name=This SonicWall firewall closed a udp connection.
match=lo
match=ion
match=ed
match=msg="Connection Closed"
match=udp
match=onnection
match=onnect
match=ect
match=fw=
match=proto=udp
regex=fw=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*src=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+).*dst=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+)
log=type:connection event:Sonicwall-Closed_Connection_UDP sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 proto:17
NEXT

# 7489: web-access line carrying op=GET and dstname= but NO msg= field
# (match=!msg=). Logged as type:web-access; proto is hard-coded to 6.
id=7489
name=This SonicWall firewall has issued a GET.
match=!msg=
match=fw=
match=dstname=
match=op=GET
match=GET
regex=fw=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*src=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+).*dst=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+)
log=type:web-access event:Sonicwall-Allowed_GET_TCP sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 proto:6
NEXT

# 7490: msg="TCP connection dropped" -> blocked TCP (type:firewall).
id=7490
name=This SonicWall firewall has issued a drop for TCP connection.
match=ion
match=ed
match=msg="TCP connection dropped"
match=TCP
match=onnection
match=onnect
match=ect
match=pp
match=fw=
regex=fw=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*src=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+).*dst=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+)
log=type:firewall event:Sonicwall-Blocked_TCP sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 proto:6
NEXT

# 7491: msg="DNS packet allowed" -> allowed DNS over UDP. The name=
# text is broader than the rule: only DNS-allowed lines match, not
# arbitrary allowed UDP packets.
id=7491
name=This SonicWall firewall has allowed a UDP packet.
match=ack
match=lo
match=ed
match=msg="DNS packet allowed"
match=fw=
match=packet
regex=fw=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*src=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+).*dst=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+)
log=type:connection event:Sonicwall-Allowed_DNS_Packet_UDP sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 proto:17
NEXT

# 7492: TCP packet for a non-existent/closed session dropped. Worth
# watching in volume: this is the message a stateful firewall emits for
# stray ACK/RST traffic (scans, asymmetric routing, half-open floods).
id=7492
name=This SonicWall firewall has issued a drop for TCP non existent connection.
match=ent
match=ack
match=lo
match=ion
match=ce
match=ed
match=msg="TCP packet received on non-existent/closed connection; TCP packet dropped"
match=TCP
match=onnection
match=onnect
match=ect
match=pp
match=fw=
regex=fw=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*src=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+).*dst=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+)
log=type:firewall event:Sonicwall-Blocked_TCP_Non_Connection sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 proto:6
NEXT

# 7493: msg="Broadcast packet dropped" -> blocked broadcast, logged as
# UDP (proto:17). The match set does not verify the protocol; the UDP
# classification is assumed by the rule.
id=7493
name=This SonicWall firewall has issued a drop for UDP broadcast packets.
match=ack
match=ed
match=msg="Broadcast packet dropped"
match=pp
match=fw=
regex=fw=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*src=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+).*dst=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+)
log=type:firewall event:Sonicwall-Blocked_UDP_Broadcast_Packets sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 proto:17
NEXT

# 7494: TCP abort (RST) received, connection dropped.
id=7494
name=This SonicWall firewall has received an abort and dropped TCP connection.
match=ion
match=ce
match=ed
match=msg="TCP connection abort received; TCP connection dropped"
match=TCP
match=onnection
match=onnect
match=ect
match=pp
match=fw=
regex=fw=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*src=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+).*dst=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+)
log=type:firewall event:Sonicwall-Blocked_Abort_Received sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 proto:6
NEXT

# 7495: msg="Web access request dropped" -> blocked web access. Note the
# leading space in the msg match value (see header note).
id=7495
name=This SonicWall firewall has dropped a web access connection.
match=est
match=ce
match=ed
match=ss
match= msg="Web access request dropped"
match=acc
match=pp
match=request
match=fw=
regex=fw=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*src=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+).*dst=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+)
log=type:firewall event:Sonicwall-Blocked_TCP_Web_Access sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 proto:6
NEXT

# 7496: periodic interface statistics report (type:system). Only the
# fw= address is captured; there are no src/dst fields. The log= line
# still emits proto:6 - TODO confirm whether a protocol value is
# required for system events or this is a copy/paste remnant.
id=7496
name=This SonicWall firewall has sent an Interface statistics report.
match=sta
match=ce
match=ace
match= msg="Interface statistics report"
match=fw=
regex=fw=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:system event:Sonicwall-Interface_Stat_Report sensor:$1 proto:6
NEXT

# 7497: web-access style line with op=Other and no msg= field
# (match=!msg=); catch-all for non-GET HTTP operations. Lines that also
# carry op=GET are handled by rule 7489 instead.
id=7497
name=This SonicWall firewall has issued an Other request.
match=!msg=
match=fw=
match=op=Other
match=tcp
match=cp
regex=fw=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*src=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+).*dst=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+)
log=type:connection event:Sonicwall-Other_Request sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 proto:6