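# THUNDER PRM LIBRARY
#
# Copyright 2007 Tenable Network Security
# This library may only be used with the Thunder server and may not
# be used with other products or open source projects
#
# NAME:
# Cisco NAC
#
# DESCRIPTION:
# This library is used to process logs from a Cisco NAC
#
# LAST UPDATE: $Date: 2011/09/16 16:08:27 $
#
# Rule layout used throughout this file:
#   id=      numeric rule id (not contiguous; 4601/4602/4608 are absent here)
#   name=    human-readable description of the rule
#   match=   literal substrings of the raw log line (every rule starts with
#            "Perfigo:", the syslog tag of the NAC appliance)
#   regex=   capture groups referenced as $1, $2, ... in the log= line;
#            $1 is always the reporting NAC hostname ([a-zA-Z0-9&_\.-]+)
#   log=     normalized event emitted for a match
#   NEXT     ends the current rule
#
# Review notes (behaviour-affecting changes in this revision):
#   - 4609 and 4610 captured the admin's IP as $2 but never emitted it;
#     they now emit "proto:6 srcip:$2" like the other admin session rules
#     (4600, 4603), so admin logouts can be correlated by source address.
#   - 4611 and 4614 restricted the captured username to [A-Za-z0-9]{2,15};
#     names containing ".", "-", "_", "@" or "\" (or longer than 15 chars)
#     silently produced NO event at all. The capture is now ([^ ]+), which
#     matches every name the old class matched plus those, since the
#     username is delimited by "] " before and " - Successfully" after.
#   - Event names are unchanged, including the misspelled
#     Cisco-NAC_Logout_Sucessful (4613): renaming it would change what
#     downstream consumers of that event see.

##################
#                #
# Administration #
#                #
##################

# Admin logout; $2 is the client address from the trailing "IP:" field.
id=4600
name=This Cisco NAC logged an admin user logging out.
match=Perfigo:
match=lo
match=log
match=ser
match=ion
match=ed
match=: Administration:Admin user logged out
match=Name:
match=Group:
regex=([a-zA-Z0-9&_\.-]+): Administration:Admin user logged out. .* IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Cisco-NAC_Admin_Logout sensor:$1 proto:6 srcip:$2 type:logout
NEXT

# Successful admin login; the admin account name is present in the raw
# line ("Name:" is a match= filter) but is not captured, so this event
# carries only the source address.
id=4603
name=This Cisco NAC had logged an admin logging in successfully.
match=Perfigo:
match=lo
match=log
match=ser
match=ate
match=ion
match=ce
match=ed
match=ss
match=: Administration:Admin user session is created, login succeeded.
match=Name:
match=Group:
regex=([a-zA-Z0-9&_\.-]+): Administration:Admin user session is created, login succeeded. .* IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Cisco-NAC_Admin_Login sensor:$1 proto:6 srcip:$2 type:login
NEXT

# Device added to the certified-device (bypass) list. Only the sensor is
# captured; the device identity stays in the raw line.
id=4604
name=This Cisco NAC has added a device to the certified device list.
match=Perfigo:
match=ion
match=: Administration:
match=ce
match=ed
match=added to certified device list
regex=([a-zA-Z0-9&_\.-]+): Administration:.*added to certified device list
log=event:Cisco-NAC_Device_Added_To_List sensor:$1 type:system
NEXT

# MAC-list removal; paired with 4606 below.
id=4605
name=This Cisco NAC has removed a device from the Mac list.
match=Perfigo:
match=ion
match=: Administration:
match=rom
match=ed
match=removed from the MAC list
match=rem
regex=([a-zA-Z0-9&_\.-]+): Administration:.* removed from the MAC list
log=event:Cisco-NAC_Device_Removed_From_Mac_List sensor:$1 type:system
NEXT

# MAC-list addition; paired with 4605 above.
id=4606
name=This Cisco NAC has added a device to the Mac list.
match=Perfigo:
match=ion
match=: Administration:
match=ed
match=added to MAC list
regex=([a-zA-Z0-9&_\.-]+): Administration:.* added to MAC list
log=event:Cisco-NAC_Device_Added_To_Mac_List sensor:$1 type:system
NEXT

# Despite the event name, the matched text is the generic
# "... are modified. All other checks are unchanged" message, so any
# posture-check modification (not only AV definitions) raises this event.
id=4607
name=This Cisco NAC Anti Virus definitions have been updated.
match=Perfigo:
match=ion
match=: Administration:
match=ar
match=ed
match=are modified. All other checks are unchanged
match=an
regex=([a-zA-Z0-9&_\.-]+): Administration:.* are modified. All other checks are unchanged
log=event:Cisco-NAC_Antivirus_Updated sensor:$1 type:system
NEXT

# Admin session expiry. $2 (the admin's IP) is now emitted; previously it
# was captured and dropped.
id=4609
name=This Cisco NAC has logged out an admin user whose session has expired, automatically.
match=Perfigo:
match=ion
match=: Administration:
match=ire
match=lo
match=log
match=ser
match=ed
match=ss
match=Admin user session expired, automatically logged out.
match=cal
regex=([a-zA-Z0-9&_\.-]+): Administration:Admin user session expired, automatically logged out.* IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Cisco-NAC_Admin_Auto_Logout sensor:$1 proto:6 srcip:$2 type:logout
NEXT

# Admin forcibly ended a session. $2 (the evicted user's IP) is now
# emitted; previously it was captured and dropped. Kept as
# type:access-denied for consistency with 4615 and 4621.
id=4610
name=This Cisco NAC has logged a user who has been forced off by the administrator.
match=Perfigo:
match=ion
match=: Administration:
match=lo
match=log
match=ce
match=ed
match=- forcefully logged out by Administrator
regex=([a-zA-Z0-9&_\.-]+): Administration:.* IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*- forcefully logged out by Administrator
log=event:Cisco-NAC_Admin_Forced_Logout sensor:$1 proto:6 srcip:$2 type:access-denied
###################
#                 #
# Authentication  #
#                 #
###################
NEXT

# Out-of-band user login. Username is whatever sits between "] " and
# " - Successfully" (no character-class restriction, see header notes).
id=4611
name=This Cisco NAC has logged a successful login from an out-of-band user.
match=Perfigo:
match=ent
match=ion
match=: Authentication:
match=lo
match=log
match=ser
match=ce
match=ed
match=ss
match=- Successfully logged in as out-of-band user,
match=an
regex=([a-zA-Z0-9&_\.-]+): Authentication:.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\] ([^ ]+) - Successfully
log=event:Cisco-NAC_Out_Of_Band_User_Login sensor:$1 proto:6 srcip:$2 user:$3 type:login
NEXT

# Generic login failure. The regex does not repeat "Unable to login," and
# relies on the match= filter for that; the greedy ".*" means $2 is the
# LAST dotted quad on the line. No username is extracted, so failed-login
# correlation from this event is by source address only.
id=4612
name=This Cisco NAC has logged an unsuccessful login.
match=Perfigo:
match=ent
match=lo
match=log
match=ion
match=le
match=: Authentication:Unable to login,
regex=([a-zA-Z0-9&_\.-]+): Authentication:.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Cisco-NAC_Failed_Login sensor:$1 srcip:$2 proto:6 type:login-failure
NEXT

# User logout. Event name keeps the historical "Sucessful" spelling on
# purpose (see header notes).
id=4613
name=This Cisco NAC has logged a successful logout.
match=Perfigo:
match=ent
match=ion
match=: Authentication:
match=Lo
match=ce
match=ed
match=ss
match=- Logged out successfully
match=ogged
regex=([a-zA-Z0-9&_\.-]+): Authentication:.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).* - Logged out successfully
log=event:Cisco-NAC_Logout_Sucessful sensor:$1 srcip:$2 proto:6 type:logout
NEXT

# Login into a temporary (remediation) role; same username capture as 4611.
id=4614
name=This Cisco NAC has logged a successful login in a temporary role.
match=Perfigo:
match=ent
match=ion
match=: Authentication:
match=tem
match=lo
match=log
match=ol
match=ar
match=ce
match=le
match=ed
match=ss
match=- Successfully logged in temporary role,
match=ogged
regex=([a-zA-Z0-9&_\.-]+): Authentication:.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\] ([^ ]+) - Successfully logged in temporary role,
log=event:Cisco-NAC_Login_Temporary sensor:$1 srcip:$2 user:$3 proto:6 type:login
NEXT

# End-user session ended by an administrator (lower-case "administrator"
# distinguishes this from the admin-console variant in 4610).
id=4615
name=This Cisco NAC has logged a forced logout by the administrator.
match=Perfigo:
match=ent
match=ion
match=: Authentication:
match=lo
match=log
match=ce
match=ed
match=- Forcefully logged out by administrator
match=ogged
regex=([a-zA-Z0-9&_\.-]+): Authentication:.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).* - Forcefully logged out by administrator
log=event:Cisco-NAC_Forced_Logout sensor:$1 srcip:$2 proto:6 type:access-denied
NEXT

# User session timeout; reported as a logout.
id=4616
name=This Cisco NAC has logged a session timeout.
match=Perfigo:
match=ent
match=ion
match=: Authentication:
match=ss
match=- Session Timeout
regex=([a-zA-Z0-9&_\.-]+): Authentication:.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).* - Session Timeout
log=event:Cisco-NAC_User_Session_Timeout sensor:$1 srcip:$2 proto:6 type:logout
NEXT

# Bad credentials. As with 4612, only the source address is captured; the
# attempted username is not, so per-account brute-force detection cannot
# be built on this event alone.
id=4617
name=This Cisco NAC has logged an invalid user or password.
match=Perfigo:
match=ent
match=ion
match=: Authentication:
match=ser
match=ss
match=ass
match=Invalid username or password,
match=pass
match=user
regex=([a-zA-Z0-9&_\.-]+): Authentication:Invalid username or password,.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Cisco-NAC_Invalid_Login sensor:$1 srcip:$2 proto:6 type:login-failure
NEXT
#################
#               #
# SW Management #
#               #
#################

# OOB login rejected because the device/MAC was not found. The "Cause:"
# text is required by match= but not captured.
id=4618
name=This Cisco NAC has logged an unsuccessful login from out-of-band due to connected device or MAC address not found.
match=Perfigo:
match=ent
match=ce
match=le
match=ss
match=: SW_Management:Unable to process
match=lo
match=log
match=est
match=rom
match=out-of-band login request from
match=an
match=login
match=nable
match=request
match=Cause:
match=not found.
regex=([a-zA-Z0-9&_\.-]+): SW_Management:Unable to process out-of-band login request from.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Cisco-NAC_SW_Mgt_Failed_Login sensor:$1 srcip:$2 proto:6 type:login-failure
NEXT

# Several MACs seen behind one switch port. $2 is the SWITCH address (not
# an endpoint), $3 the interface name (captured, discarded) and $4 the
# port index, which is emitted in the srcport field -- it is a switch port
# number, not a TCP/UDP port. Worth watching: multiple MACs on an access
# port can indicate an unmanaged hub/VM host, or a device impersonating
# another's MAC to ride an existing NAC session.
id=4619
name=This Cisco NAC has logged multiple MAC addresses associated with a switch.
match=Perfigo:
match=MAC
match=ent
match=: SW_Management:
match=an
match=ar
match=le
match=There are multiple
match=ss
match= MAC address
match=ass
match=ate
match=ed
match=associated with switch
regex=([a-zA-Z0-9&_\.-]+): SW_Management:There are multiple MAC address associated with switch.* \[([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\] port \[([a-zA-Z0-9&_\.-]+)\/([0-9]+)
log=event:Cisco-NAC_SW_Mgt_Multiple_MAC_Addresses sensor:$1 srcip:$2 srcport:$4 type:system
NEXT

# SNMP trap from a switch the NAC does not know; $2 is the switch address.
id=4620
name=This Cisco NAC has logged a SNMP trap event which is not in the database.
match=Perfigo:
match=ent
match=: SW_Management:SNMP
match=an
match=rom
match=ce
match=ed
match=trap event is received from switch
match=MP
match=SNMP
match=OT
match=which is NOT in our database.
regex=([a-zA-Z0-9&_\.-]+): SW_Management:SNMP trap event is received from switch \[([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\] which is NOT in our database.
log=event:Cisco-NAC_SW_Mgt_Trap_Not_In_Database sensor:$1 srcip:$2 type:error
NEXT

# OOB user removed from a switch port. $2 is the switch port index (again
# emitted as srcport) and $3 the switch address; the user and MAC between
# "Kicked OOB user" and "on port" are matched by ".*" and not captured.
id=4621
name=This Cisco NAC switch management has kicked an out-of-band user off of switch.
match=Perfigo:
match=ser
match=user
match=ent
match=ed
match=: SW_Management:Kicked OOB user
match=with mac
match=on port
match=of switch
regex=([a-zA-Z0-9&_\.-]+): SW_Management:Kicked OOB user .* on port ([0-9]+) of switch ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Cisco-NAC_SW_Mgt_Kicked_User sensor:$1 srcport:$2 srcip:$3 type:access-denied
################
#              #
# CleanAccess  #
#              #
################
NEXT

# Scheduled rules update failed. "failed." is enforced by match= only;
# the regex stops at "scheduled". A failing update leaves posture checks
# stale, which is why this is typed as an error.
id=4622
name=This Cisco NAC CleanAccess rules update has failed.
match=Perfigo:
match=ate
match=ce
match=le
match=ed
match=ss
match=: CleanAccess:Automatic rules update scheduled
match=date
match=ail
match=failed.
match=ailed
regex=([a-zA-Z0-9&_\.-]+): CleanAccess:Automatic rules update scheduled
log=event:Cisco-NAC_CleanAccess_Rules_Update_Failed sensor:$1 type:error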