# THUNDER PRM LIBRARY
# Copyright 2007 Tenable Network Security
# This library may only be used with the Thunder server and may not
# be used with other products or open source projects
#
# NAME:
# PRM Parser for Cisco Application Control Engine, which can run on the Cisco Catalyst 6500 Series Switches
# and Cisco 7600 Series Routers
#
# DESCRIPTION:
# This library is used to process logs from Cisco switches and routers which run ACE.
# Some events are defined twice (for example 7413 and 7416) with regexes that differ only in the
# spacing before %ACE ("host: %ACE-..." versus "host :%ACE-..."), so both syslog header layouts match.
#
# LAST UPDATED: $Date: 2011/08/22 00:12:41 $
id=7409
name=A service configured on this Cisco device failed its health checks because a probe was unable to reach the server due to a network problem.
match=%ACE
match=ser
match=ail
match=alt
match=le
match=ed
match=%ACE-3-251008: Health probe failed for server
regex=.* ([0-9]+\:[0-9]+\:[0-9]+) ([a-zA-Z0-9._-]+) .* %ACE-3-251008:.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) on port ([0-9]+),
log=event:CiscoACE-Health_Probe_Failed type:error sensor:$2 srcip:$3 srcport:$4
NEXT
id=7410
name=This Cisco device failed its health checks because the server response is not as expected.
match=%ACE
match=ser
match=ail
match=alt
match=le
match=ed
match=%ACE-3-251010: Health probe failed for server
regex=.* ([0-9]+\:[0-9]+\:[0-9]+) ([a-zA-Z0-9._-]+) .* %ACE-3-251010:.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) on port ([0-9]+),
log=event:CiscoACE-Health_Probe_Failed type:error sensor:$2 srcip:$3 srcport:$4
NEXT
id=7411
name=This Cisco device received an ARP packet, and the MAC address in the packet differs from the ARP cache entry.
match=%ACE
match=ce
match=ed
match=%ACE-4-405001: Received ARP
match=ol
match=ion
match=collision
match=ace
match=on interface
regex=.* ([0-9]+\:[0-9]+\:[0-9]+) ([a-zA-Z0-9._-]+) .* %ACE-4-405001:.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:CiscoACE-Arp_Collision type:system sensor:$2 srcip:$3
NEXT
id=7412
name=This Cisco device shows an attack is in progress. Someone is attempting to spoof an IP address on an inbound connection.
match=%ACE
match=rom
match=from
match=ce
match=%ACE-1-106021: Deny
match=reverse path check
regex=.* ([0-9]+\:[0-9]+\:[0-9]+) ([a-zA-Z0-9._-]+) .* %ACE-1-106021:.* from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) to ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:CiscoACE-Blocked_Reverse_Path_Check type:intrusion sensor:$2 srcip:$3 dstip:$4
NEXT
id=7413
name=This Cisco device built a TCP connection.
match=%ACE
match=ion
match=%ACE-6-302022: Built TCP connection
match=ect
match=onnect
match=onnection
regex=([a-zA-Z0-9._-]+): %ACE-6-302022: .* \(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\/([0-9]+)\).* \(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\/([0-9]+)\)
log=event:CiscoACE-Built_TCP_Connection type:connection sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 proto:6
NEXT
id=7414
name=This Cisco device tore down a TCP connection.
match=%ACE
match=ion
match=ar
match=%ACE-6-302023: Teardown TCP connection
match=ect
match=onnect
match=onnection
regex=([a-zA-Z0-9._-]+): %ACE-6-302023: .*:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\/([0-9]+) .*:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\/([0-9]+)
log=event:CiscoACE-Teardown_TCP_Connection type:connection sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 proto:6
NEXT
id=7415
name=This Cisco device discarded ICMP packets because of security checks added by the stateful ICMP feature.
match=%ACE
match=MP
match=ed
match=%ACE-4-313004: Denied ICMP
regex=.* ([0-9]+\:[0-9]+\:[0-9]+) ([a-zA-Z0-9._-]+) .* %ACE-4-313004:.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:CiscoACE-Blocked_ICMP type:firewall sensor:$2 srcip:$3 dstip:$4 proto:1
NEXT
id=7416
name=This Cisco device built a TCP connection.
match=%ACE
match=ion
match=%ACE-6-302022: Built TCP connection
match=ect
match=onnect
match=onnection
regex=([a-zA-Z0-9._-]+) :%ACE-6-302022: .* \(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\/([0-9]+)\).* \(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\/([0-9]+)\)
log=event:CiscoACE-Built_TCP_Connection type:connection sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 proto:6
NEXT
id=7417
name=This Cisco device tore down a TCP connection.
match=%ACE
match=ion
match=ar
match=%ACE-6-302023: Teardown TCP connection
match=ect
match=onnect
match=onnection
regex=([a-zA-Z0-9._-]+) :%ACE-6-302023: .*:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\/([0-9]+) .*:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\/([0-9]+)
log=event:CiscoACE-Teardown_TCP_Connection type:connection sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 proto:6
NEXT
id=7418
name=This Cisco device has detected a changed state.
match=%ACE
match=%ACE-4-44200
match=sta
match=ate
match=ed
match=changed state to
match=an
regex=.* ([0-9]+\:[0-9]+\:[0-9]+) ([a-zA-Z0-9._-]+) .* %ACE-4-44200([1-6]):.*changed state to
log=event:CiscoACE-Changed_State type:system sensor:$2
NEXT
id=7419
name=This Cisco device has detected that a server is now back in service.
match=%ACE
match=%ACE-5-441002:
match=ser
match=now
match=ack
match=ce
match=is now back in service
match=service
regex=.* ([0-9]+\:[0-9]+\:[0-9]+) ([a-zA-Z0-9._-]+) .* %ACE-5-441002:
log=event:CiscoACE-Server_Back_In_Service type:system sensor:$2
NEXT
id=7420
name=This Cisco device has built an ICMP connection.
match=%ACE
match=%ACE-6-302026:
match=ion
match=Built ICMP connection
match=ect
match=onnect
match=onnection
match=MP
regex=([a-zA-Z0-9._-]+) :%ACE-6-302026: .* faddr ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\/([0-9]+) gaddr ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\/([0-9]+)
log=event:CiscoACE-Built_ICMP_Connection type:connection sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 proto:1
NEXT
id=7421
name=This Cisco device has built an ICMP connection.
match=%ACE-6-302026:
match=%ACE
match=ion
match=Built ICMP connection
match=ect
match=onnect
match=onnection
match=MP
regex=([a-zA-Z0-9._-]+): %ACE-6-302026: .* faddr ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\/([0-9]+) gaddr ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\/([0-9]+)
log=event:CiscoACE-Built_ICMP_Connection type:connection sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 proto:1
NEXT
id=7422
name=This Cisco device failed its health checks because the ICMP server response is not as expected.
match=%ACE-3-251011:
match=%ACE
match=ser
match=ail
match=alt
match=le
match=ed
match=ICMP health probe failed for server
match=MP
regex=.* ([0-9]+\:[0-9]+\:[0-9]+) ([a-zA-Z0-9._-]+) .* %ACE-3-251011: ICMP health probe failed for server ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:CiscoACE-Health_Probe_Failed type:error sensor:$2 srcip:$3
NEXT
id=7423
name=This Cisco device has detected a server which has failed over to the backup.
match=%ACE
match=%ACE-5-441001:
match=ail
match=ack
match=le
match=ed
match=failed over to backup
regex=.* ([0-9]+\:[0-9]+\:[0-9]+) ([a-zA-Z0-9._-]+) .* %ACE-5-441001:
log=event:CiscoACE-Server_Failed_Over_Backup type:system sensor:$2
NEXT
id=7424
name=This Cisco device has detected that the line protocol on an interface changed state to up.
match=%ACE
match=%ACE-4-411001
match=ol
match=Line protocol on
regex=.* ([0-9]+\:[0-9]+\:[0-9]+) ([a-zA-Z0-9._-]+) .* %ACE-4-411001:
log=event:CiscoACE-Changed_State type:system sensor:$2
NEXT
id=7425
name=This Cisco device has built a UDP connection.
match=%ACE
match=%ACE-6-302024:
match=ion
match=Built UDP connection
match=ect
match=onnect
match=onnection
regex=([a-zA-Z0-9._-]+) :%ACE-6-302024: .*\:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\/([0-9]+).*\:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\/([0-9]+)
log=event:CiscoACE-Built_UDP_Connection type:connection sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 proto:17
NEXT
id=7426
name=This Cisco device has built a UDP connection.
match=%ACE
match=%ACE-6-302024:
match=ion
match=Built UDP connection
match=ect
match=onnect
match=onnection
regex=([a-zA-Z0-9._-]+): %ACE-6-302024: .*\:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\/([0-9]+).*\:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\/([0-9]+)
log=event:CiscoACE-Built_UDP_Connection type:connection sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 proto:17
NEXT
id=7427
name=This Cisco device has determined that a command has been executed.
match=%ACE
match=%ACE-5-111008:
match=ecu
match=ed
match=executed
match=ommand
match=an
regex=.* ([0-9]+\:[0-9]+\:[0-9]+) ([a-zA-Z0-9._-]+) .* %ACE-5-111008:
log=event:CiscoACE-Command_Executed type:system sensor:$2
NEXT
id=7428
name=This Cisco device has determined that a health probe failed for a server due to an internal error.
match=%ACE
match=%ACE-3-251006
match=ser
match=ail
match=alt
match=le
match=ed
match=Health probe failed for server
match=rr
match=internal error
regex=.* ([0-9]+\:[0-9]+\:[0-9]+) ([a-zA-Z0-9._-]+) .* %ACE-3-251006: Health probe failed for server ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) on port ([0-9]+)
log=event:CiscoACE-Health_Probe_Failed type:error sensor:$2 srcip:$3 srcport:$4
NEXT
id=7429
name=This Cisco device has had an ICMP connection removed.
match=%ACE
match=%ACE-6-302027
match=ion
match=ar
match= Teardown ICMP connection
match=ect
match=onnect
match=onnection
match=MP
regex=([a-zA-Z0-9._-]+) :%ACE-6-302027: Teardown ICMP connection for faddr ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\/([0-9]+) gaddr ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\/([0-9]+)
log=event:CiscoACE-Teardown_ICMP type:connection sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 proto:1
NEXT
id=7430
name=This Cisco device has had an ICMP connection removed.
match=%ACE
match=%ACE-6-302027
match=ion
match=ar
match= Teardown ICMP connection
match=ect
match=onnect
match=onnection
match=MP
regex=([a-zA-Z0-9._-]+): %ACE-6-302027: Teardown ICMP connection for faddr ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\/([0-9]+) gaddr ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\/([0-9]+)
log=event:CiscoACE-Teardown_ICMP type:connection sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 proto:1