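# THUNDER PRM LIBRARY
# Copyright 2007 Tenable Network Security
# This library may only be used with the Thunder server and may not
# be used with other products or open source projects
#
# NAME:
# PRM Parser for Cisco switch events
#
# DESCRIPTION:
# This library is used to process logs from Cisco 4400 switches.
# NOTE(review): the facilities referenced by the match strings below
# (DOT1X, LWAPP, APF, DTL, mobility/anchor, "mobile") are wireless
# controller style messages; confirm whether the intended source is the
# 4400-series Wireless LAN Controller rather than a LAN switch before the
# "switch" wording in the event names is relied on for reporting.
#
# FORMAT:
# One rule per id=...NEXT block. match= lines are the literal prefilter
# strings for the rule (presumably all must appear in the raw line -- confirm
# against the PRM engine docs); regex= supplies the capture groups that $1
# and $2 in the log= line refer to; log= is the normalized event emitted.
# Some match= values intentionally start with a space (e.g. "match= exceeded
# for client"); keep that leading space when editing.
#
# REVIEW NOTES (caveats for anyone tuning, extending or alerting on these
# rules):
# - Nearly every rule derives srcip from the first dotted quad the regex
#   finds anywhere in the line. The pattern ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
#   is unanchored and does not range-check octets, so any "n.n.n.n" run
#   (a version string, a counter, an IP embedded in free text) is accepted.
#   Which host that quad belongs to -- the reporting controller, the AP, or
#   the client -- depends on the syslog line layout and is not established
#   here; verify against real samples before using srcip for blocking or
#   for cross-source correlation.
# - 4856 (DTL-1-ARP_POISON_DETECTED): the first capture is the SPA the
#   device flagged as invalid, i.e. a value supplied by the ARP sender.
#   Treat srcip as the address the packet *claimed*, not a verified source;
#   pivot on the reporting device and on the MAC (if logged elsewhere) when
#   responding. This is the only rule typed "intrusion".
# - 4860 (invalid replay counter) and 4865 (REPLAY_ERR) are typed "error".
#   Repeated hits for one client may indicate replayed EAPOL-key frames;
#   consider correlating them rather than treating them as operational noise.
# - 4871/4872 (LWAPP parse error, non-UDP LWAPP) are typed "error"; a burst
#   of these from one source can also be malformed or spoofed LWAPP traffic
#   aimed at the controller -- worth a threshold rule if that matters to you.
# - 4874 has no regex=, so the emitted event carries no srcip.
# - id 4858 is not used in this file; check the rest of the library before
#   reusing it.
#
# LAST UPDATED: $Date: 2011/08/22 00:54:47 $

id=4850
name=This Cisco switch could not register an IP add on MSCB, due to the MSCB still in an init state.
match=IP
match=Could not Register IP
match=sta
match=ate
match=Add on MSCB. MSCB still in init state.
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Cisco-Switch_In_Init_State type:system srcip:$1
NEXT

id=4851
name=This Cisco switch has logged the exceeded maximum EAP identity retries for a client.
match=OT
match=DOT1X
match=AP
match=ent
match=client
match=est
match=ty
match=Max EAP identity request retries
match=request
match=ce
match=ed
match= exceeded for client
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Cisco-Switch_Retries_Exceeded type:error srcip:$1
NEXT

id=4852
name=This Cisco switch has disconnected a mobile due to switch of WLANS
match=ect
match=onnect
match=ing
match=le
match=Disconnecting mobile
match=due to switch of WLANs
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Cisco-Switch_Disconnecting_Mobile type:system srcip:$1
NEXT

id=4853
name=This Cisco switch has exceeded maximum EAP or EAPOL-key M1 retransmissions for a client.
match=Max
match=OT
match=DOT1X
match=ent
match=client
match=ion
match=ce
match=ed
match=ss
match=retransmissions exceeded for client
match=an
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Cisco-Switch_Max_Retransmission_Exceeded type:error srcip:$1
NEXT

id=4854
name=This Cisco switch had an authentication aborted.
match=OT
match=DOT1X
match=ent
match=ion
match=ed
match=Authentication Aborted
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Cisco-Switch_Authentication_Aborted type:error srcip:$1
NEXT

id=4855
name=This Cisco switch was unable to send key message due to an invalid WPA state.
match=OT
match=DOT1X
match=AP
match=le
match=nable
match=sta
match=ate
match=Unable to send EAPOL-key msg - invalid WPA state
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Cisco-Switch_Unable_To_Send_Message type:error srcip:$1
NEXT

id=4856
name=This Cisco switch has detected a poisoned ARP.
match=ARP
match=ce
match=ed
match=received with invalid SPA
match=DTL-1-ARP_POISON_DETECTED:
regex=.* invalid SPA ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Cisco-Switch_Poisoned_ARP_Detected type:intrusion srcip:$1 dstip:$2
NEXT

id=4857
name=This Cisco switch has changed the orphan packet IP address for a station.
match=ss
match=address
match=ing
match=Changing orphan
match=an
match=ack
match=packet
match=IP address for
match=AP
regex=APF.* from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) --->([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Cisco-Switch_Orphan_Packet_IP_Changed type:system srcip:$1 dstip:$2
NEXT

id=4859
name=This Cisco switch is unable to send an AAA message for client.
match=OT
match=DOT1X
match=AAA
match=ent
match=client
match=le
match=Unable to send
match=ss
match=AAA message for client
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Cisco-Switch_Unable_To_Send_AAA_Message type:error srcip:$1
NEXT

id=4860
name=This Cisco switch has encountered an invalid replay counter from a client.
match=OT
match=DOT1X
match=rom
match=Invalid replay counter from
match=ent
match=client
match=got
match=ed
match=expected
match=ect
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Cisco-Switch_Invalid_Replay_Counter type:error srcip:$1
NEXT

id=4861
name=This Cisco switch has been unable to find AP entry in the database, thus could not process delete of mobile request.
match=le
match=nable
match=Unable to find AP
match=AP
match=est
match=request
match=ent
match=ce
match=ss
match=entry in the database, could not process delete mobile request
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Cisco-Switch_Entry_Not_In_Database type:error srcip:$1
NEXT

id=4862
name=This Cisco switch is not advertising SSID wireless on AP due to radio policy.
match=ire
match=le
match=ss
match=ireless
match=ing
match=Not advertising SSID
match=on AP
match=AP
match=ol
match=due to radio policy.
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Cisco-Switch_Not_Advertising_Per_Policy type:system srcip:$1
NEXT

id=4863
name=This Cisco switch Proc_RSN_WARP_IE_Failed, could not process the RSN and WARP IEs, the station was not using RSN on WLAN.
match=ARP
match=ce
match=ss
match=Could not process the RSN
match=sta
match=ion
match=ing
match=and WARP IEs. station not using
match=an
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Cisco-Switch_RSN_WARP_IE_Failed type:error srcip:$1
NEXT

id=4864
name=This Cisco switch was unable to process a request due to client not found.
match=OT
match=DOT1X
match=CL
match=EN
match=CLIENT_NOT_FOUND:
match=FO
match=ce
match=le
match=ss
match= Unable to process
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Cisco-Switch_Client_Not_Found type:error srcip:$1
NEXT

id=4865
name=This Cisco switch has logged a replay error.
match=rr
match=error
match=AP
match=REPLAY_ERR:
match=ER
match=ce
match=ed
match=Received replay error on
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Cisco-Switch_Replay_Error type:error srcip:$1
NEXT

id=4866
name=This Cisco switch is unable to delete a username.
match=le
match=nable
match=SE
match=USER_DEL_FAILED:
match=ER
match=ser
match=user
match=Unable to delete username
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Cisco-Switch_Delete_User_Failed type:error srcip:$1
NEXT

id=4867
name=This Cisco switch has encountered an invalid arp timeout address and is dropping it.
match=MAC
match=IN
match=INVALID_ARP_TIMEOUT_ADDR:
match=AL
match=ing
match=ce
match=ed
match=received for timeout is INVALID. Dropping it.
match=pp
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Cisco-Switch_Invalid_ARP_Timeout_Address type:error srcip:$1
NEXT

id=4868
name=This Cisco switch was unable to delete an arp entry from the operating system.
match=ARP
match=OSARP_DEL_FAILED:
match=le
match=Unable to delete
match=nable
match=ent
match=an ARP entry for
match=an
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .* DTL.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Cisco-Switch_Delete_ARP_Entry_Failed type:error srcip:$1 dstip:$2
NEXT

id=4869
name=This Cisco switch received EAPOL-key message while in an invalid state.
match=OT
match=DOT1X
match=IN
match=AT
match=INVALID_WPA_KEY_STATE:
match=ST
match=AP
match=ce
match=le
match=ed
match=ss
match= Received EAPOL-key message while
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Cisco-Switch_Invalid_WPA_Key_State type:system srcip:$1
NEXT

id=4870
name=This Cisco switch received a mobility response while in the wrong state.
match=ce
match=ed
match=eceived
match=RCV_MOBILITY_RES:
match=le
match=ty
match= Received Mobility response for mobile
match=sta
match=ate
match=as anchor while in the wrong state.
match=an
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Cisco-Switch_Received_Mobility_Response type:system srcip:$1
NEXT

id=4871
name=This Cisco switch header parsing failed, packet was dropped.
match=PARSE_ERR
match=ER
match=SE
match=ail
match=le
match=ed
match=ailed
match=ack
match=packet
match=AP
match=ing
match=ar
match=LWAPP header parsing
match=failed, dropping the packet
match=pp
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Cisco-Switch_Parse_Error_Packet_Dropped type:error srcip:$1
NEXT

id=4872
name=This Cisco switch IP protocol in the received packet is not UDP, LWAPP packets are only UDP, dropping the packet.
match=ack
match=packet
match=OT
match=IP_PROT_ERR:
match=ER
match=AP
match=UDP
match=ar
match=is not UDP, LWAPP packets are
match=ing
match=only UDP, dropping the packet
match=pp
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Cisco-Switch_Not_UDP_Dropping_Packet type:error srcip:$1
NEXT

id=4873
name=This Cisco switch is rejecting association attempt - privacy bit set on WLAN not requiring security.
match=WLAN
match=tem
match=pt
match=attempt
match=ASSOCREQ:
match=ss
match=ass
match=ion
match=ing
match=Rejecting association attempt
match=ect
match=acy bit set on
match=t requiring sec
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Cisco-Switch_Rejecting_Association_Attempt type:error srcip:$1
NEXT

id=4874
name=This Cisco switch is dropping the primary discovery request from AP, maximum APs joined.
match=AP
match=DISC_MAX_AP2:
match=est
match=rom
match=ing
match=ar
match=Dropping primary discovery request from AP
match=pp
match=request
match=ed
match=- maximum APs joined
log=event:Cisco-Switch_Dropping_Primary_Discovery type:system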