├── Daemon-Control-0.001006 ├── Changes ├── MANIFEST ├── META.yml ├── Makefile ├── Makefile.PL ├── blib │ ├── arch │ │ ├── .exists │ │ └── auto │ │ │ └── Daemon │ │ │ └── Control │ │ │ └── .exists │ ├── bin │ │ └── .exists │ ├── lib │ │ ├── Daemon │ │ │ ├── .exists │ │ │ └── Control.pm │ │ └── auto │ │ │ └── Daemon │ │ │ └── Control │ │ │ └── .exists │ ├── man1 │ │ └── .exists │ ├── man3 │ │ ├── .exists │ │ └── Daemon::Control.3pm │ └── script │ │ └── .exists ├── inc │ └── Module │ │ ├── Install.pm │ │ └── Install │ │ ├── Base.pm │ │ ├── Can.pm │ │ ├── Fetch.pm │ │ ├── Makefile.pm │ │ ├── Metadata.pm │ │ ├── Repository.pm │ │ ├── Win32.pm │ │ └── WriteAll.pm ├── lib │ └── Daemon │ │ └── Control.pm ├── pm_to_blib └── t │ ├── 00_load.t │ ├── 01_lsb_file.t │ ├── 01_lsb_file_with_init_code.t │ ├── 01_lsb_file_with_init_config.t │ ├── 02_sleep_perl.t │ ├── 02_sleep_perl_array.t │ ├── 02_sleep_system.t │ ├── 03_perl_gets_control.t │ ├── 04_show_warnings.t │ └── bin │ ├── 01_lsb.pl │ ├── 01_lsb_02.pl │ ├── 01_lsb_03.pl │ ├── 02_sleep_perl.pl │ ├── 02_sleep_perl_array.pl │ ├── 02_sleep_system.pl │ ├── 03_perl_gets_control.pl │ └── 04_show_warnings.pl ├── README.md ├── assets ├── asset-playback ├── make_assets.pl └── prads_dummy0.cfg.local ├── install.pl ├── misc ├── aa-demo.conf ├── demo.conf ├── demo.nbe ├── logrotate ├── okay.php └── user_form.php ├── ossecwin ├── brutewin.sh ├── ossec-single-line.cfg.local ├── ossec.conf ├── ossec.conf.orig └── windows.log.bk ├── pcaps ├── 2014-02-09-Neutrino-EK-traffic.pcap ├── 2014-02-11-Fiesta-EK-traffic.pcap ├── 2014-03-05-Goon-EK-traffic.pcap ├── 2014-03-27-Nuclear-EK-traffic.pcap ├── 2014-04-14-Magnitude-EK-traffic.pcap ├── 2015-07-11-traffic-analysis-exercise.pcap ├── 44ef5251789e8f63f687a44a3004ff44_20140327.pcap ├── 473b3ddf5b3db7be3a716db349889839_20140322.pcap ├── EXPLOIT_CVE-2007-5020_Acrobat_mailto_URI_Handler_EvilFingers.pcap ├── EXPLOIT_Jet_DB_BufferOverflow_EvilFingers.pcap ├── 
InvestigationExtractionRussianCryptolocker.pcap ├── MALW_CRIME_blaster_PracticalPacketAnalysis.pcap ├── abuse.pcap ├── armageddon.pcap ├── botnet.pcap ├── cnc1.pcap ├── cnc2.pcap ├── cnc3.pcap ├── cnc4.pcap ├── d9soft.pcap ├── fake-antivirus1.pcap ├── forbes.pcap ├── heart2.pcap ├── inject_pcaps.sh ├── input.cache ├── m-androme.pcap ├── old │ ├── 2014-02-26-Angler-EK-traffic.pcap │ ├── 2014-03-29-FlashPack-EK-traffic.pcap │ ├── 2015-03-24-traffic-analysis-exercise.pcap │ ├── 2015-05-29-traffic-analysis-exercise.pcap │ └── fake-antivirus2.pcap ├── slammer.pcap ├── spambot.pcap ├── spyware.pcap └── zeus.pcap ├── plugins ├── aruba-6.cfg ├── aruba-6.log ├── cisco-asa.cfg ├── cisco-asa.log ├── clamav.cfg ├── clamav.log ├── fortigate.cfg ├── fortigate.log ├── oracle-syslog.cfg ├── oracle-syslog.log ├── ssh-demo.cfg └── ssh-demo.log ├── runlogs.pl ├── runpcaps.pl ├── screenshots ├── image.png ├── image1.png ├── image2.png ├── image3.png ├── image4.png ├── image5.png └── image6.png ├── sonicwall ├── read_sonicwall.sh ├── sonicwall.conf ├── sonicwall.log ├── sonicwall.log.orig └── sonicwall.sql └── ssh ├── attackers.txt ├── brutessh.sh ├── sshd.log ├── sshlogs.conf ├── targets.txt └── tmp.log /Daemon-Control-0.001006/Changes: -------------------------------------------------------------------------------- 1 | 0.001006 2014-06-24 SymKat 2 | * Allow custom reload/stop signals (hemmop) 3 | * Documentation cleanup (ilmari, rwstauner) 4 | * Module name POD format fixed (RT 93280) 5 | 6 | 0.001005 2014-02-19 SymKat 7 | * Constructor now accepts a list as well as a hashref 8 | * New method added: run_command, allows multiple instances of D::C 9 | in the same script. Accepts the action as an argument and returns 10 | the exit code the user should exit with. 
11 | * do_foreground added to allow running the code ref or program w/o forking 12 | * DC_FOREGROUND env will force foreground, regardless of compile-time settings 13 | * foreground added to constructor -- shortcut to fork => 0, quiet => 1 14 | * Calling the script without an argument results in the syntax being displayed 15 | * Stray exit removed for run_command 16 | * Updated documentation 17 | 18 | 0.001004 2013-08-27 SymKat 19 | * Abort the kill loop when PID changes; Thanks, atomicstac 20 | 21 | 0.001003 2013-06-12 SymKat 22 | * Add quiet accessor to supress pretty_print (github#51) 23 | 24 | 0.001002 2013-06-11 SymKat 25 | * Due to checking for true values instead of define it was 26 | possible to start a daemon as root by setting uid/gid to 0/0, 27 | but not user/group to root/root, which would resolve to 0/0 and 28 | be considered an invalid user, which it's not. 29 | * Fix an encoding error in the POD resulting from Ævar Arnfjörð 30 | Bjarmason contributing to the project. 31 | * Tests that invoke Perl now use $^X instead of the $PATH's perl. 32 | * properly write the pid file in single fork mode (github#49) 33 | 34 | 0.001001 2013-04-29 SymKat 35 | * All 0.001001 changes brought to you by Karen Etheridge; Thanks, ether! 
36 | * create dir for pid_file if it does not exist 37 | * fix uninitialized warning in error when exec fails 38 | * 'stop' is now faster when kill_timeout is set to high values, by checking 39 | every second if the daemon has terminated rather than waiting for the 40 | full kill_timeout duration 41 | * new option: prereq_no_process 42 | * stdout is flushed immediately when diagnostic output is printed 43 | 44 | 0.001000 2013-02-26 SymKat 45 | * fixed a warning on "uninitialized value $called_with in substitution" 46 | (Kromg) 47 | 48 | * include the date and module version in the generated init file 49 | (Karen Etheridge) 50 | 51 | * warn is used rather than printing to STDERR 52 | * new commands: help, reload 53 | * new options: kill_timeout, umask, init_code, do_help 54 | * new functions: do_help, do_reload, trace 55 | * pid file is now written as the current user, then chowned to the target user 56 | * pid file is now written when single-forking 57 | * gid is calculated when not provided but the uid is, avoiding some 58 | warnings 59 | 60 | 0.000009 2012-04-19 SymKat 61 | * Stole Moo's MANIFEST.SKIP 62 | 63 | 0.000008 2012-04-19 SymKat 64 | * Added Makefile to MANIFEST.SKIP 65 | 66 | 0.000007 2012-04-15 SymKat 67 | * Added user and group accessors to set uid/gid based on names 68 | * Updated docs. 69 | 70 | 0.000006 2012-04-15 SymKat 71 | * PID file will be deleted on do_stop 72 | * PID file will be created by the target user when ->uid set 73 | * uid() and gid() now take strings as well (doherty) 74 | * Kill signal order changed to TERM TERM INT KILL 75 | * init_config option added, gives LSB script a file to source. 76 | * Typo fixes 77 | * Mike Doherty (doherty) added to contrib (Thank you!) 78 | 79 | 0.000005 2012-02-18 SymKat 80 | * Fixed an issue with the inital PID being invalid. 81 | * Added directory accessor to support chdir before exec. 82 | * Minor documentation changes 83 | 84 | 0.000004 2012-02-18 SymKat 85 | * First release to cpan. 
86 | * Refactoring and review by Matt S. Trout 87 | * I really changed the version this time! 88 | 89 | 0.000003 2012-02-18 SymKat 90 | * Test added for show_warnings. 91 | * Documentation updated for 0.0.2 changes. 92 | * Version changed this time. 93 | 94 | 0.000002 2012-02-18 SymKat 95 | * Default fork mode changed to double. 96 | * Added show_warnings command instead of alerting 97 | about DWIM actions. 98 | * Fatal warnings changed from warn+exit to die (exits non-zero) 99 | * _fork handles undef/cannot fork. 100 | * $self->redirect_filehandles added 101 | * redirect_before_fork added (default 1) 102 | * With a code ref, $self is passed (can $control->redirect_filehandles) 103 | 104 | 0.000001 2012-02-02 SymKat 105 | * Initial Commit 106 | -------------------------------------------------------------------------------- /Daemon-Control-0.001006/MANIFEST: -------------------------------------------------------------------------------- 1 | Changes 2 | inc/Module/Install.pm 3 | inc/Module/Install/Base.pm 4 | inc/Module/Install/Can.pm 5 | inc/Module/Install/Fetch.pm 6 | inc/Module/Install/Makefile.pm 7 | inc/Module/Install/Metadata.pm 8 | inc/Module/Install/Repository.pm 9 | inc/Module/Install/Win32.pm 10 | inc/Module/Install/WriteAll.pm 11 | lib/Daemon/Control.pm 12 | Makefile.PL 13 | MANIFEST This list of files 14 | META.yml 15 | t/00_load.t 16 | t/01_lsb_file.t 17 | t/01_lsb_file_with_init_code.t 18 | t/01_lsb_file_with_init_config.t 19 | t/02_sleep_perl.t 20 | t/02_sleep_perl_array.t 21 | t/02_sleep_system.t 22 | t/03_perl_gets_control.t 23 | t/04_show_warnings.t 24 | t/bin/01_lsb.pl 25 | t/bin/01_lsb_02.pl 26 | t/bin/01_lsb_03.pl 27 | t/bin/02_sleep_perl.pl 28 | t/bin/02_sleep_perl_array.pl 29 | t/bin/02_sleep_system.pl 30 | t/bin/03_perl_gets_control.pl 31 | t/bin/04_show_warnings.pl 32 | -------------------------------------------------------------------------------- /Daemon-Control-0.001006/META.yml:
-------------------------------------------------------------------------------- 1 | --- 2 | abstract: 'Create init scripts in Perl' 3 | author: 4 | - '=over 4' 5 | build_requires: 6 | ExtUtils::MakeMaker: 6.59 7 | Test::More: '0.88' 8 | configure_requires: 9 | ExtUtils::MakeMaker: 6.59 10 | distribution_type: module 11 | dynamic_config: 1 12 | generated_by: 'Module::Install version 1.08' 13 | license: perl 14 | meta-spec: 15 | url: http://module-build.sourceforge.net/META-spec-v1.4.html 16 | version: 1.4 17 | name: Daemon-Control 18 | no_index: 19 | directory: 20 | - inc 21 | - t 22 | requires: 23 | Cwd: 0 24 | File::Path: '2.08' 25 | File::Spec: 0 26 | POSIX: 0 27 | perl: 5.8.1 28 | resources: 29 | license: http://dev.perl.org/licenses/ 30 | repository: git://github.com/symkat/Daemon-Control.git 31 | version: '0.001006' 32 | -------------------------------------------------------------------------------- /Daemon-Control-0.001006/Makefile.PL: -------------------------------------------------------------------------------- 1 | use inc::Module::Install; 2 | 3 | # Define metadata 4 | name 'Daemon-Control'; 5 | all_from 'lib/Daemon/Control.pm'; 6 | license 'perl'; 7 | 8 | # uses Module::Install::Repository 9 | auto_set_repository; 10 | 11 | # Specific dependencies 12 | requires 'File::Spec' => '0'; 13 | requires 'POSIX' => '0'; 14 | requires 'Cwd' => '0'; 15 | requires 'File::Path' => '2.08'; 16 | 17 | test_requires 'Test::More' => '0.88'; 18 | 19 | WriteAll; 20 | -------------------------------------------------------------------------------- /Daemon-Control-0.001006/blib/arch/.exists: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/santiago-bassett/Alienvault-Demo_scripts/bc8c137fe913ba43a4345850206565b028e8fef8/Daemon-Control-0.001006/blib/arch/.exists -------------------------------------------------------------------------------- /Daemon-Control-0.001006/blib/arch/auto/Daemon/Control/.exists: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/santiago-bassett/Alienvault-Demo_scripts/bc8c137fe913ba43a4345850206565b028e8fef8/Daemon-Control-0.001006/blib/arch/auto/Daemon/Control/.exists -------------------------------------------------------------------------------- /Daemon-Control-0.001006/blib/bin/.exists: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/santiago-bassett/Alienvault-Demo_scripts/bc8c137fe913ba43a4345850206565b028e8fef8/Daemon-Control-0.001006/blib/bin/.exists -------------------------------------------------------------------------------- /Daemon-Control-0.001006/blib/lib/Daemon/.exists: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/santiago-bassett/Alienvault-Demo_scripts/bc8c137fe913ba43a4345850206565b028e8fef8/Daemon-Control-0.001006/blib/lib/Daemon/.exists -------------------------------------------------------------------------------- /Daemon-Control-0.001006/blib/lib/auto/Daemon/Control/.exists: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/santiago-bassett/Alienvault-Demo_scripts/bc8c137fe913ba43a4345850206565b028e8fef8/Daemon-Control-0.001006/blib/lib/auto/Daemon/Control/.exists -------------------------------------------------------------------------------- /Daemon-Control-0.001006/blib/man1/.exists: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/santiago-bassett/Alienvault-Demo_scripts/bc8c137fe913ba43a4345850206565b028e8fef8/Daemon-Control-0.001006/blib/man1/.exists -------------------------------------------------------------------------------- /Daemon-Control-0.001006/blib/man3/.exists: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/santiago-bassett/Alienvault-Demo_scripts/bc8c137fe913ba43a4345850206565b028e8fef8/Daemon-Control-0.001006/blib/man3/.exists
--------------------------------------------------------------------------------
/Daemon-Control-0.001006/blib/script/.exists:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/santiago-bassett/Alienvault-Demo_scripts/bc8c137fe913ba43a4345850206565b028e8fef8/Daemon-Control-0.001006/blib/script/.exists
--------------------------------------------------------------------------------
/Daemon-Control-0.001006/inc/Module/Install/Base.pm:
--------------------------------------------------------------------------------
#line 1
package Module::Install::Base;

use strict 'vars';
use vars qw{$VERSION};
BEGIN {
	$VERSION = '1.08';
}

# Suspend handler for "redefined" warnings
BEGIN {
	my $w = $SIG{__WARN__};
	$SIG{__WARN__} = sub { $w };
}

#line 42

# Constructor shared by every Module::Install extension.
# Installs per-class `call` and `load` shims that delegate to the
# top-level Module::Install object (only if the class has none yet),
# then blesses the remaining key/value arguments as the object.
sub new {
	my $class = shift;
	unless ( defined &{"${class}::call"} ) {
		*{"${class}::call"} = sub { shift->_top->call(@_) };
	}
	unless ( defined &{"${class}::load"} ) {
		*{"${class}::load"} = sub { shift->_top->load(@_) };
	}
	bless { @_ }, $class;
}

#line 61

# Resolve any unknown method through the top object's autoload().
# If that lookup dies, the failure is swallowed and an empty list is
# returned instead of propagating the error.
sub AUTOLOAD {
	local $@;
	my $func = eval { shift->_top->autoload } or return;
	goto &$func;
}

#line 75

# The top-level Module::Install object this extension belongs to.
sub _top {
	$_[0]->{_top};
}

#line 90

# The admin object when running as the author; otherwise a FakeAdmin
# singleton whose methods all resolve to no-ops (see its AUTOLOAD).
sub admin {
	$_[0]->_top->{admin}
	or
	Module::Install::Base::FakeAdmin->new;
}

#line 106

# True unless admin() handed back the FakeAdmin stand-in.
sub is_admin {
	! $_[0]->admin->isa('Module::Install::Base::FakeAdmin');
}

sub DESTROY {}

package Module::Install::Base::FakeAdmin;

use vars qw{$VERSION};
BEGIN {
	$VERSION = $Module::Install::Base::VERSION;
}

# Process-wide singleton; the first constructor's arguments are kept.
my $fake;

sub new {
	$fake ||= bless(\@_, $_[0]);
}

# Every method call on the fake admin object is silently a no-op.
sub AUTOLOAD {}

sub DESTROY {}

# Restore warning handler
BEGIN {
	$SIG{__WARN__} = $SIG{__WARN__}->();
}

1;

#line 159
--------------------------------------------------------------------------------
/Daemon-Control-0.001006/inc/Module/Install/Can.pm:
--------------------------------------------------------------------------------
#line 1
package Module::Install::Can;

use strict;
use Config                ();
use ExtUtils::MakeMaker   ();
use Module::Install::Base ();

use vars qw{$VERSION @ISA $ISCORE};
BEGIN {
	$VERSION = '1.08';
	@ISA     = 'Module::Install::Base';
	$ISCORE  = 1;
}

# check if we can load some module
### Upgrade this to not have to load the module if possible
# $mod may be given as Foo::Bar or Foo/Bar.pm; $ver is the minimum
# version (defaults to 0). Returns true when the module loads and its
# VERSION check passes. Note that the module really is require()d, so
# its load-time code runs as a side effect of the probe.
sub can_use {
	my ($self, $mod, $ver) = @_;
	$mod =~ s{::|\\}{/}g;
	$mod .= '.pm' unless $mod =~ /\.pm$/i;

	my $pkg = $mod;
	$pkg =~ s{/}{::}g;
	$pkg =~ s{\.pm$}{}i;

	local $@;
	eval { require $mod; $pkg->VERSION($ver || 0); 1 };
}

# Check if we can run some command
# Returns the path of an executable for $cmd, or an empty list.
# Lookup order: $cmd as given, then every $PATH entry, then '.' --
# so a same-named file in the current working directory is accepted
# as a last resort. MM->maybe_command is MakeMaker's platform-specific
# fallback for the -x test.
sub can_run {
	my ($self, $cmd) = @_;

	my $_cmd = $cmd;
	return $_cmd if (-x $_cmd or $_cmd = MM->maybe_command($_cmd));

	for my $dir ((split /$Config::Config{path_sep}/, $ENV{PATH}), '.') {
		next if $dir eq '';
		require File::Spec;
		my $abs = File::Spec->catfile($dir, $cmd);
		return $abs if (-x $abs or $abs = MM->maybe_command($abs));
	}

	return;
}

# Can our C compiler environment build XS files
# Returns 1 when a throwaway C file that includes the perl headers
# compiles and links, 0 when it does not; falls back to can_cc() when
# ExtUtils::CBuilder is unavailable. The scratch file uses a relative
# template, so it is created in the current working directory and
# removed together with the object and link products afterwards.
sub can_xs {
	my $self = shift;

	# Ensure we have the CBuilder module
	$self->configure_requires( 'ExtUtils::CBuilder' => 0.27 );

	# Do we have the configure_requires checker?
	local $@;
	eval "require ExtUtils::CBuilder;";
	if ( $@ ) {
		# They don't obey configure_requires, so it is
		# someone old and delicate. Try to avoid hurting
		# them by falling back to an older simpler test.
		return $self->can_cc();
	}

	# Do we have a working C compiler
	my $builder = ExtUtils::CBuilder->new(
		quiet => 1,
	);
	unless ( $builder->have_compiler ) {
		# No working C compiler
		return 0;
	}

	# Write a C file representative of what XS becomes
	require File::Temp;
	my ( $FH, $tmpfile ) = File::Temp::tempfile(
		"compilexs-XXXXX",
		SUFFIX => '.c',
	);
	binmode $FH;
	print $FH <<'END_C';
#include "EXTERN.h"
#include "perl.h"
#include "XSUB.h"

int main(int argc, char **argv) {
    return 0;
}

int boot_sanexs() {
    return 1;
}

END_C
	close $FH;

	# Can the C compiler access the same headers XS does
	my @libs   = ();
	my $object = undef;
	eval {
		local $^W = 0;
		$object = $builder->compile(
			source => $tmpfile,
		);
		@libs = $builder->link(
			objects     => $object,
			module_name => 'sanexs',
		);
	};
	my $result = $@ ? 0 : 1;

	# Clean up all the build files
	foreach ( $tmpfile, $object, @libs ) {
		next unless defined $_;
		1 while unlink;
	}

	return $result;
}

# Can we locate a (the) C compiler
# $Config{cc} is split on spaces and progressively shortened from the
# right until can_run() finds an executable; returns that path or an
# empty list.
sub can_cc {
	my $self   = shift;
	my @chunks = split(/ /, $Config::Config{cc}) or return;

	# $Config{cc} may contain args; try to find out the program part
	while (@chunks) {
		return $self->can_run("@chunks") || (pop(@chunks), next);
	}

	return;
}

# Fix Cygwin bug on maybe_command();
if ( $^O eq 'cygwin' ) {
	require ExtUtils::MM_Cygwin;
	require ExtUtils::MM_Win32;
	if ( ! defined(&ExtUtils::MM_Cygwin::maybe_command) ) {
		*ExtUtils::MM_Cygwin::maybe_command = sub {
			my ($self, $file) = @_;
			if ($file =~ m{^/cygdrive/}i and ExtUtils::MM_Win32->can('maybe_command')) {
				ExtUtils::MM_Win32->maybe_command($file);
			} else {
				ExtUtils::MM_Unix->maybe_command($file);
			}
		}
	}
}

1;

__END__

#line 236
--------------------------------------------------------------------------------
/Daemon-Control-0.001006/inc/Module/Install/Fetch.pm:
--------------------------------------------------------------------------------
#line 1
package Module::Install::Fetch;

use strict;
use Module::Install::Base ();

use vars qw{$VERSION @ISA $ISCORE};
BEGIN {
	$VERSION = '1.08';
	@ISA     = 'Module::Install::Base';
	$ISCORE  = 1;
}

# Download a single file over http or ftp into the current (or
# $args{local_dir}) directory.
#
# Recognised %args keys (all read below):
#   url       - http:// or ftp:// URL; the last path component is the
#               local file name
#   ftp_url   - fallback URL used when the scheme is http but LWP::Simple
#               cannot be loaded
#   local_dir - chdir here before fetching; the original cwd is restored
#               on the way out
#   size      - expected byte size; a mismatch makes the call return
#   run       - command to run after a successful fetch
#   remove    - delete the fetched file afterwards
#   check_for - path whose existence decides the "done!/failed!" message
#
# Returns true when the post-fetch step exited with status 0, false or
# an empty list on any failure.
#
# Integrity: the only verification performed is the optional byte-size
# comparison against $args{size}; there is no checksum or signature
# check, and the http path is a plain LWP::Simple::mirror(), so the
# caller must trust the source it points this at. $args{run} is passed
# to system() as a single string and is therefore subject to shell
# interpretation.
sub get_file {
	my ($self, %args) = @_;
	my ($scheme, $host, $path, $file) =
		$args{url} =~ m|^(\w+)://([^/]+)(.+)/(.+)| or return;

	if ( $scheme eq 'http' and ! eval { require LWP::Simple; 1 } ) {
		$args{url} = $args{ftp_url}
			or (warn("LWP support unavailable!\n"), return);
		($scheme, $host, $path, $file) =
			$args{url} =~ m|^(\w+)://([^/]+)(.+)/(.+)| or return;
	}

	$|++;
	print "Fetching '$file' from $host... ";

	unless (eval { require Socket; Socket::inet_aton($host) }) {
		warn "'$host' resolve failed!\n";
		return;
	}

	return unless $scheme eq 'ftp' or $scheme eq 'http';

	require Cwd;
	my $dir = Cwd::getcwd();
	chdir $args{local_dir} or return if exists $args{local_dir};

	if (eval { require LWP::Simple; 1 }) {
		LWP::Simple::mirror($args{url}, $file);
	}
	elsif (eval { require Net::FTP; 1 }) { eval {
		# use Net::FTP to get past firewall
		my $ftp = Net::FTP->new($host, Passive => 1, Timeout => 600);
		$ftp->login("anonymous", 'anonymous@example.com');
		$ftp->cwd($path);
		$ftp->binary;
		$ftp->get($file) or (warn("$!\n"), return);
		$ftp->quit;
	} }
	elsif (my $ftp = $self->can_run('ftp')) { eval {
		# no Net::FTP, fallback to ftp.exe
		# $ftp comes from can_run(), whose search ends with '.', so a
		# same-named file in the cwd can be the program that is piped to.
		require FileHandle;
		my $fh = FileHandle->new;

		local $SIG{CHLD} = 'IGNORE';
		unless ($fh->open("|$ftp -n")) {
			warn "Couldn't open ftp: $!\n";
			chdir $dir; return;
		}

		# $host, $path and $file are interpolated verbatim into the
		# scripted ftp session.
		my @dialog = split(/\n/, <<"END_FTP");
open $host
user anonymous anonymous\@example.com
cd $path
binary
get $file $file
quit
END_FTP
		foreach (@dialog) { $fh->print("$_\n") }
		$fh->close;
	} }
	else {
		warn "No working 'ftp' program available!\n";
		chdir $dir; return;
	}

	unless (-f $file) {
		warn "Fetching failed: $@\n";
		chdir $dir; return;
	}

	# NOTE(review): unlike the other failure paths, this return does not
	# chdir back to $dir, so a size mismatch leaves the cwd changed.
	return if exists $args{size} and -s $file != $args{size};
	system($args{run}) if exists $args{run};
	unlink($file) if $args{remove};

	print(((!exists $args{check_for} or -e $args{check_for})
		? "done!" : "failed! ($!)"), "\n");
	chdir $dir; return !$?;
}

1;
--------------------------------------------------------------------------------
/Daemon-Control-0.001006/inc/Module/Install/Makefile.pm:
--------------------------------------------------------------------------------
#line 1
package Module::Install::Makefile;

use strict 'vars';
use ExtUtils::MakeMaker   ();
use Module::Install::Base ();
use Fcntl qw/:flock :seek/;

use vars qw{$VERSION @ISA $ISCORE};
BEGIN {
	$VERSION = '1.08';
	@ISA     = 'Module::Install::Base';
	$ISCORE  = 1;
}

sub Makefile { $_[0] }

# Counts prompt() invocations per (file, line, prompt text) so a prompt
# that keeps re-asking can be aborted.
my %seen = ();

# Thin wrapper around ExtUtils::MakeMaker::prompt.
# Dies after the same call site has prompted more than three times.
# When AUTOMATED_TESTING is set or STDIN is not a terminal, and
# PERL_MM_USE_DEFAULT is not already set, the default answer is forced
# by setting PERL_MM_USE_DEFAULT for the duration of the call.
sub prompt {
	shift;

	# Infinite loop protection
	my @c = caller();
	if ( ++$seen{"$c[1]|$c[2]|$_[0]"} > 3 ) {
		die "Caught an potential prompt infinite loop ($c[1]|$c[2]|$_[0])";
	}

	# In automated testing or non-interactive session, always use defaults
	if ( ($ENV{AUTOMATED_TESTING} or -! -t STDIN) and ! $ENV{PERL_MM_USE_DEFAULT} ) {
		local $ENV{PERL_MM_USE_DEFAULT} = 1;
		goto &ExtUtils::MakeMaker::prompt;
	} else {
		goto &ExtUtils::MakeMaker::prompt;
	}
}

# Store a cleaned up version of the MakeMaker version,
# since we need to behave differently in a variety of
# ways based on the MM version.
my $makemaker = eval $ExtUtils::MakeMaker::VERSION;

# If we are passed a param, do a "newer than" comparison.
# Otherwise, just return the MakeMaker version.
# Returns the numeric MakeMaker version when it is >= $_[1] (or when no
# threshold is given), else 0. The threshold is string-eval'd.
sub makemaker {
	( @_ < 2 or $makemaker >= eval($_[1]) ) ? $makemaker : 0
}

# Ripped from ExtUtils::MakeMaker 6.56, and slightly modified
# as we only need to know here whether the attribute is an array
# or a hash or something else (which may or may not be appendable).
52 | my %makemaker_argtype = ( 53 | C => 'ARRAY', 54 | CONFIG => 'ARRAY', 55 | # CONFIGURE => 'CODE', # ignore 56 | DIR => 'ARRAY', 57 | DL_FUNCS => 'HASH', 58 | DL_VARS => 'ARRAY', 59 | EXCLUDE_EXT => 'ARRAY', 60 | EXE_FILES => 'ARRAY', 61 | FUNCLIST => 'ARRAY', 62 | H => 'ARRAY', 63 | IMPORTS => 'HASH', 64 | INCLUDE_EXT => 'ARRAY', 65 | LIBS => 'ARRAY', # ignore '' 66 | MAN1PODS => 'HASH', 67 | MAN3PODS => 'HASH', 68 | META_ADD => 'HASH', 69 | META_MERGE => 'HASH', 70 | PL_FILES => 'HASH', 71 | PM => 'HASH', 72 | PMLIBDIRS => 'ARRAY', 73 | PMLIBPARENTDIRS => 'ARRAY', 74 | PREREQ_PM => 'HASH', 75 | CONFIGURE_REQUIRES => 'HASH', 76 | SKIP => 'ARRAY', 77 | TYPEMAPS => 'ARRAY', 78 | XS => 'HASH', 79 | # VERSION => ['version',''], # ignore 80 | # _KEEP_AFTER_FLUSH => '', 81 | 82 | clean => 'HASH', 83 | depend => 'HASH', 84 | dist => 'HASH', 85 | dynamic_lib=> 'HASH', 86 | linkext => 'HASH', 87 | macro => 'HASH', 88 | postamble => 'HASH', 89 | realclean => 'HASH', 90 | test => 'HASH', 91 | tool_autosplit => 'HASH', 92 | 93 | # special cases where you can use makemaker_append 94 | CCFLAGS => 'APPENDABLE', 95 | DEFINE => 'APPENDABLE', 96 | INC => 'APPENDABLE', 97 | LDDLFLAGS => 'APPENDABLE', 98 | LDFROM => 'APPENDABLE', 99 | ); 100 | 101 | sub makemaker_args { 102 | my ($self, %new_args) = @_; 103 | my $args = ( $self->{makemaker_args} ||= {} ); 104 | foreach my $key (keys %new_args) { 105 | if ($makemaker_argtype{$key}) { 106 | if ($makemaker_argtype{$key} eq 'ARRAY') { 107 | $args->{$key} = [] unless defined $args->{$key}; 108 | unless (ref $args->{$key} eq 'ARRAY') { 109 | $args->{$key} = [$args->{$key}] 110 | } 111 | push @{$args->{$key}}, 112 | ref $new_args{$key} eq 'ARRAY' 113 | ? 
@{$new_args{$key}} 114 | : $new_args{$key}; 115 | } 116 | elsif ($makemaker_argtype{$key} eq 'HASH') { 117 | $args->{$key} = {} unless defined $args->{$key}; 118 | foreach my $skey (keys %{ $new_args{$key} }) { 119 | $args->{$key}{$skey} = $new_args{$key}{$skey}; 120 | } 121 | } 122 | elsif ($makemaker_argtype{$key} eq 'APPENDABLE') { 123 | $self->makemaker_append($key => $new_args{$key}); 124 | } 125 | } 126 | else { 127 | if (defined $args->{$key}) { 128 | warn qq{MakeMaker attribute "$key" is overriden; use "makemaker_append" to append values\n}; 129 | } 130 | $args->{$key} = $new_args{$key}; 131 | } 132 | } 133 | return $args; 134 | } 135 | 136 | # For mm args that take multiple space-seperated args, 137 | # append an argument to the current list. 138 | sub makemaker_append { 139 | my $self = shift; 140 | my $name = shift; 141 | my $args = $self->makemaker_args; 142 | $args->{$name} = defined $args->{$name} 143 | ? join( ' ', $args->{$name}, @_ ) 144 | : join( ' ', @_ ); 145 | } 146 | 147 | sub build_subdirs { 148 | my $self = shift; 149 | my $subdirs = $self->makemaker_args->{DIR} ||= []; 150 | for my $subdir (@_) { 151 | push @$subdirs, $subdir; 152 | } 153 | } 154 | 155 | sub clean_files { 156 | my $self = shift; 157 | my $clean = $self->makemaker_args->{clean} ||= {}; 158 | %$clean = ( 159 | %$clean, 160 | FILES => join ' ', grep { length $_ } ($clean->{FILES} || (), @_), 161 | ); 162 | } 163 | 164 | sub realclean_files { 165 | my $self = shift; 166 | my $realclean = $self->makemaker_args->{realclean} ||= {}; 167 | %$realclean = ( 168 | %$realclean, 169 | FILES => join ' ', grep { length $_ } ($realclean->{FILES} || (), @_), 170 | ); 171 | } 172 | 173 | sub libs { 174 | my $self = shift; 175 | my $libs = ref $_[0] ? 
shift : [ shift ]; 176 | $self->makemaker_args( LIBS => $libs ); 177 | } 178 | 179 | sub inc { 180 | my $self = shift; 181 | $self->makemaker_args( INC => shift ); 182 | } 183 | 184 | sub _wanted_t { 185 | } 186 | 187 | sub tests_recursive { 188 | my $self = shift; 189 | my $dir = shift || 't'; 190 | unless ( -d $dir ) { 191 | die "tests_recursive dir '$dir' does not exist"; 192 | } 193 | my %tests = map { $_ => 1 } split / /, ($self->tests || ''); 194 | require File::Find; 195 | File::Find::find( 196 | sub { /\.t$/ and -f $_ and $tests{"$File::Find::dir/*.t"} = 1 }, 197 | $dir 198 | ); 199 | $self->tests( join ' ', sort keys %tests ); 200 | } 201 | 202 | sub write { 203 | my $self = shift; 204 | die "&Makefile->write() takes no arguments\n" if @_; 205 | 206 | # Check the current Perl version 207 | my $perl_version = $self->perl_version; 208 | if ( $perl_version ) { 209 | eval "use $perl_version; 1" 210 | or die "ERROR: perl: Version $] is installed, " 211 | . "but we need version >= $perl_version"; 212 | } 213 | 214 | # Make sure we have a new enough MakeMaker 215 | require ExtUtils::MakeMaker; 216 | 217 | if ( $perl_version and $self->_cmp($perl_version, '5.006') >= 0 ) { 218 | # This previous attempted to inherit the version of 219 | # ExtUtils::MakeMaker in use by the module author, but this 220 | # was found to be untenable as some authors build releases 221 | # using future dev versions of EU:MM that nobody else has. 222 | # Instead, #toolchain suggests we use 6.59 which is the most 223 | # stable version on CPAN at time of writing and is, to quote 224 | # ribasushi, "not terminally fucked, > and tested enough". 225 | # TODO: We will now need to maintain this over time to push 226 | # the version up as new versions are released. 
227 | $self->build_requires( 'ExtUtils::MakeMaker' => 6.59 ); 228 | $self->configure_requires( 'ExtUtils::MakeMaker' => 6.59 ); 229 | } else { 230 | # Allow legacy-compatibility with 5.005 by depending on the 231 | # most recent EU:MM that supported 5.005. 232 | $self->build_requires( 'ExtUtils::MakeMaker' => 6.36 ); 233 | $self->configure_requires( 'ExtUtils::MakeMaker' => 6.36 ); 234 | } 235 | 236 | # Generate the MakeMaker params 237 | my $args = $self->makemaker_args; 238 | $args->{DISTNAME} = $self->name; 239 | $args->{NAME} = $self->module_name || $self->name; 240 | $args->{NAME} =~ s/-/::/g; 241 | $args->{VERSION} = $self->version or die <<'EOT'; 242 | ERROR: Can't determine distribution version. Please specify it 243 | explicitly via 'version' in Makefile.PL, or set a valid $VERSION 244 | in a module, and provide its file path via 'version_from' (or 245 | 'all_from' if you prefer) in Makefile.PL. 246 | EOT 247 | 248 | if ( $self->tests ) { 249 | my @tests = split ' ', $self->tests; 250 | my %seen; 251 | $args->{test} = { 252 | TESTS => (join ' ', grep {!$seen{$_}++} @tests), 253 | }; 254 | } elsif ( $Module::Install::ExtraTests::use_extratests ) { 255 | # Module::Install::ExtraTests doesn't set $self->tests and does its own tests via harness. 256 | # So, just ignore our xt tests here. 
257 | } elsif ( -d 'xt' and ($Module::Install::AUTHOR or $ENV{RELEASE_TESTING}) ) { 258 | $args->{test} = { 259 | TESTS => join( ' ', map { "$_/*.t" } grep { -d $_ } qw{ t xt } ), 260 | }; 261 | } 262 | if ( $] >= 5.005 ) { 263 | $args->{ABSTRACT} = $self->abstract; 264 | $args->{AUTHOR} = join ', ', @{$self->author || []}; 265 | } 266 | if ( $self->makemaker(6.10) ) { 267 | $args->{NO_META} = 1; 268 | #$args->{NO_MYMETA} = 1; 269 | } 270 | if ( $self->makemaker(6.17) and $self->sign ) { 271 | $args->{SIGN} = 1; 272 | } 273 | unless ( $self->is_admin ) { 274 | delete $args->{SIGN}; 275 | } 276 | if ( $self->makemaker(6.31) and $self->license ) { 277 | $args->{LICENSE} = $self->license; 278 | } 279 | 280 | my $prereq = ($args->{PREREQ_PM} ||= {}); 281 | %$prereq = ( %$prereq, 282 | map { @$_ } # flatten [module => version] 283 | map { @$_ } 284 | grep $_, 285 | ($self->requires) 286 | ); 287 | 288 | # Remove any reference to perl, PREREQ_PM doesn't support it 289 | delete $args->{PREREQ_PM}->{perl}; 290 | 291 | # Merge both kinds of requires into BUILD_REQUIRES 292 | my $build_prereq = ($args->{BUILD_REQUIRES} ||= {}); 293 | %$build_prereq = ( %$build_prereq, 294 | map { @$_ } # flatten [module => version] 295 | map { @$_ } 296 | grep $_, 297 | ($self->configure_requires, $self->build_requires) 298 | ); 299 | 300 | # Remove any reference to perl, BUILD_REQUIRES doesn't support it 301 | delete $args->{BUILD_REQUIRES}->{perl}; 302 | 303 | # Delete bundled dists from prereq_pm, add it to Makefile DIR 304 | my $subdirs = ($args->{DIR} || []); 305 | if ($self->bundles) { 306 | my %processed; 307 | foreach my $bundle (@{ $self->bundles }) { 308 | my ($mod_name, $dist_dir) = @$bundle; 309 | delete $prereq->{$mod_name}; 310 | $dist_dir = File::Basename::basename($dist_dir); # dir for building this module 311 | if (not exists $processed{$dist_dir}) { 312 | if (-d $dist_dir) { 313 | # List as sub-directory to be processed by make 314 | push @$subdirs, $dist_dir; 315 | } 316 | 
# Else do nothing: the module is already present on the system 317 | $processed{$dist_dir} = undef; 318 | } 319 | } 320 | } 321 | 322 | unless ( $self->makemaker('6.55_03') ) { 323 | %$prereq = (%$prereq,%$build_prereq); 324 | delete $args->{BUILD_REQUIRES}; 325 | } 326 | 327 | if ( my $perl_version = $self->perl_version ) { 328 | eval "use $perl_version; 1" 329 | or die "ERROR: perl: Version $] is installed, " 330 | . "but we need version >= $perl_version"; 331 | 332 | if ( $self->makemaker(6.48) ) { 333 | $args->{MIN_PERL_VERSION} = $perl_version; 334 | } 335 | } 336 | 337 | if ($self->installdirs) { 338 | warn qq{old INSTALLDIRS (probably set by makemaker_args) is overriden by installdirs\n} if $args->{INSTALLDIRS}; 339 | $args->{INSTALLDIRS} = $self->installdirs; 340 | } 341 | 342 | my %args = map { 343 | ( $_ => $args->{$_} ) } grep {defined($args->{$_} ) 344 | } keys %$args; 345 | 346 | my $user_preop = delete $args{dist}->{PREOP}; 347 | if ( my $preop = $self->admin->preop($user_preop) ) { 348 | foreach my $key ( keys %$preop ) { 349 | $args{dist}->{$key} = $preop->{$key}; 350 | } 351 | } 352 | 353 | my $mm = ExtUtils::MakeMaker::WriteMakefile(%args); 354 | $self->fix_up_makefile($mm->{FIRST_MAKEFILE} || 'Makefile'); 355 | } 356 | 357 | sub fix_up_makefile { 358 | my $self = shift; 359 | my $makefile_name = shift; 360 | my $top_class = ref($self->_top) || ''; 361 | my $top_version = $self->_top->VERSION || ''; 362 | 363 | my $preamble = $self->preamble 364 | ? "# Preamble by $top_class $top_version\n" 365 | . $self->preamble 366 | : ''; 367 | my $postamble = "# Postamble by $top_class $top_version\n" 368 | . 
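($self->postamble || '');

    # Post-process the Makefile that ExtUtils::MakeMaker just wrote: make
    # every perl invocation inside it see the bundled inc/ directory, blank
    # PERL_LIB so PREFIX/PERL5LIB keep working, then wrap the result in the
    # preamble/postamble text built above.  Returns true.
    local *MAKEFILE;
    # Three-argument open: $makefile_name is used literally, so a name with
    # leading/trailing whitespace or mode characters cannot change the mode.
    open MAKEFILE, '+<', $makefile_name or die "fix_up_makefile: Couldn't open $makefile_name: $!";
    # Best effort only: flock is unavailable on some platforms, so a failure
    # here is deliberately ignored rather than aborting the build.
    eval { flock MAKEFILE, LOCK_EX };
    # Slurp the whole Makefile into memory for the rewrites below.
    my $makefile = do { local $/; <MAKEFILE> };

    $makefile =~ s/\b(test_harness\(\$\(TEST_VERBOSE\), )/$1'inc', /;
    $makefile =~ s/( -I\$\(INST_ARCHLIB\))/ -Iinc$1/g;
    $makefile =~ s/( "-I\$\(INST_LIB\)")/ "-Iinc"$1/g;
    $makefile =~ s/^(FULLPERL = .*)/$1 "-Iinc"/m;
    $makefile =~ s/^(PERL = .*)/$1 "-Iinc"/m;

    # Module::Install will never be used to build the Core Perl
    # Sometimes PERL_LIB and PERL_ARCHLIB get written anyway, which breaks
    # PREFIX/PERL5LIB, and thus, install_share. Blank them if they exist
    $makefile =~ s/^PERL_LIB = .+/PERL_LIB =/m;
    #$makefile =~ s/^PERL_ARCHLIB = .+/PERL_ARCHLIB =/m;

    # Perl 5.005 mentions PERL_LIB explicitly, so we have to remove that as well.
    $makefile =~ s/(\"?)-I\$\(PERL_LIB\)\1//g;

    # XXX - This is currently unused; not sure if it breaks other MM-users
    # $makefile =~ s/^pm_to_blib\s+:\s+/pm_to_blib :: /mg;

    # Rewind and truncate so the edited text replaces the file in place.
    seek MAKEFILE, 0, SEEK_SET;
    truncate MAKEFILE, 0;
    print MAKEFILE "$preamble$makefile$postamble" or die $!;
    close MAKEFILE or die $!;

    1;
}

# Accessor/prepender for the text written before the generated Makefile:
# a given $text is prepended to whatever was set earlier, and the current
# preamble is returned.
sub preamble {
    my ($self, $text) = @_;
    $self->{preamble} = $text .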
$self->{preamble} if defined $text;
    $self->{preamble};
}

# Accessor/appender for the text written after the generated Makefile.
# Seeds itself from $self->admin->postamble on first use, appends $text
# when one is given, and returns the accumulated postamble.
sub postamble {
    my ($self, $text) = @_;
    $self->{postamble} ||= $self->admin->postamble;
    $self->{postamble} .= $text if defined $text;
    $self->{postamble}
}

1;

__END__

#line 544
--------------------------------------------------------------------------------
/Daemon-Control-0.001006/inc/Module/Install/Repository.pm:
--------------------------------------------------------------------------------
#line 1
package Module::Install::Repository;

use strict;
use 5.005;
use vars qw($VERSION);
$VERSION = '0.06';

use base qw(Module::Install::Base);

# Run $command with backticks -- i.e. through the platform shell -- and
# return its captured stdout.  The exit status ($?) is not inspected: a
# failing command yields an empty string, which the regex checks in
# _find_repo then simply fail to match.  Every caller passes a fixed
# literal command string.
sub _execute {
    my ($command) = @_;
    `$command`;
}

# Author-only helper: work out which VCS the current checkout uses and
# record its URL as the distribution's repository metadata.
sub auto_set_repository {
    my $self = shift;

    # Only meaningful when building the dist as its author.
    return unless $Module::Install::AUTHOR;

    my $repo = _find_repo(\&_execute);
    if ($repo) {
        $self->repository($repo);
    } else {
        warn "Cannot determine repository URL\n";
    }
}

# Probe the current directory for a .git / .svn / _darcs / .hg / svk
# checkout and return the repository URL it finds, or a false value.
# $execute is the command runner (see _execute); taking it as a parameter
# keeps the git and hg branches exercisable without a real shell.
sub _find_repo {
    my ($execute) = @_;

    if (-e ".git") {
        # TODO support remote besides 'origin'?
        if ($execute->('git remote show -n origin') =~ /URL: (.*)$/m) {
            # XXX Make it public clone URL, but this only works with github
            # NOTE(review): an ssh-style "user@host:path" remote is rewritten
            # to git://host/path.  The git:// transport is unauthenticated and
            # unencrypted, so the value recorded here is a pointer for readers
            # of the metadata rather than a trusted source to build from.
            my $git_url = $1;
            $git_url =~ s![\w\-]+\@([^:]+):!git://$1/!;
            return $git_url;
        } elsif ($execute->('git svn info') =~ /URL: (.*)$/m) {
            return $1;
        }
    } elsif (-e ".svn") {
        # NOTE(review): shells out with backticks directly rather than via
        # $execute, unlike the git and hg branches; same behaviour, but this
        # branch cannot be exercised through the callback.
        if (`svn info` =~ /URL: (.*)$/m) {
            return $1;
        }
    } elsif (-e "_darcs") {
        # defaultrepo is better, but that is more likely to be ssh, not http
        if (my $query_repo = `darcs query repo`) {
            if ($query_repo =~ m!Default Remote: (http://.+)!)
{ 50 | return $1; 51 | } 52 | } 53 | 54 | open my $handle, '<', '_darcs/prefs/repos' or return; 55 | while (<$handle>) { 56 | chomp; 57 | return $_ if m!^http://!; 58 | } 59 | } elsif (-e ".hg") { 60 | if ($execute->('hg paths') =~ /default = (.*)$/m) { 61 | my $mercurial_url = $1; 62 | $mercurial_url =~ s!^ssh://hg\@(bitbucket\.org/)!https://$1!; 63 | return $mercurial_url; 64 | } 65 | } elsif (-e "$ENV{HOME}/.svk") { 66 | # Is there an explicit way to check if it's an svk checkout? 67 | my $svk_info = `svk info` or return; 68 | SVK_INFO: { 69 | if ($svk_info =~ /Mirrored From: (.*), Rev\./) { 70 | return $1; 71 | } 72 | 73 | if ($svk_info =~ m!Merged From: (/mirror/.*), Rev\.!) { 74 | $svk_info = `svk info /$1` or return; 75 | redo SVK_INFO; 76 | } 77 | } 78 | 79 | return; 80 | } 81 | } 82 | 83 | 1; 84 | __END__ 85 | 86 | =encoding utf-8 87 | 88 | #line 128 89 | -------------------------------------------------------------------------------- /Daemon-Control-0.001006/inc/Module/Install/Win32.pm: -------------------------------------------------------------------------------- 1 | #line 1 2 | package Module::Install::Win32; 3 | 4 | use strict; 5 | use Module::Install::Base (); 6 | 7 | use vars qw{$VERSION @ISA $ISCORE}; 8 | BEGIN { 9 | $VERSION = '1.08'; 10 | @ISA = 'Module::Install::Base'; 11 | $ISCORE = 1; 12 | } 13 | 14 | # determine if the user needs nmake, and download it if needed 15 | sub check_nmake { 16 | my $self = shift; 17 | $self->load('can_run'); 18 | $self->load('get_file'); 19 | 20 | require Config; 21 | return unless ( 22 | $^O eq 'MSWin32' and 23 | $Config::Config{make} and 24 | $Config::Config{make} =~ /^nmake\b/i and 25 | ! 
$self->can_run('nmake')
    );

    print "The required 'nmake' executable not found, fetching it...\n";

    require File::Basename;
    # NOTE(review): the archive is fetched over plain http/ftp and the only
    # check applied to it is a byte count (size => 51928); no checksum or
    # signature is verified before the `run` command (presumably executed by
    # get_file) unpacks it into the directory of the running perl binary.
    # Obtaining and verifying nmake out of band avoids depending on this path.
    my $rv = $self->get_file(
        url       => 'http://download.microsoft.com/download/vc15/Patch/1.52/W95/EN-US/Nmake15.exe',
        ftp_url   => 'ftp://ftp.microsoft.com/Softlib/MSLFILES/Nmake15.exe',
        local_dir => File::Basename::dirname($^X),
        size      => 51928,
        run       => 'Nmake15.exe /o > nul',
        check_for => 'Nmake.exe',
        remove    => 1,
    );

    # Manual-install instructions, shown only when the automatic fetch fails.
    die <<'END_MESSAGE' unless $rv;

-------------------------------------------------------------------------------

Since you are using Microsoft Windows, you will need the 'nmake' utility
before installation. It's available at:

http://download.microsoft.com/download/vc15/Patch/1.52/W95/EN-US/Nmake15.exe
or
ftp://ftp.microsoft.com/Softlib/MSLFILES/Nmake15.exe

Please download the file manually, save it to a directory in %PATH% (e.g.
C:\WINDOWS\COMMAND\), then launch the MS-DOS command line shell, "cd" to
that directory, and run "Nmake15.exe" from there; that will create the
'nmake.exe' file needed by this module.

You may then resume the installation process described in README.
58 | 59 | ------------------------------------------------------------------------------- 60 | END_MESSAGE 61 | 62 | } 63 | 64 | 1; 65 | -------------------------------------------------------------------------------- /Daemon-Control-0.001006/inc/Module/Install/WriteAll.pm: -------------------------------------------------------------------------------- 1 | #line 1 2 | package Module::Install::WriteAll; 3 | 4 | use strict; 5 | use Module::Install::Base (); 6 | 7 | use vars qw{$VERSION @ISA $ISCORE}; 8 | BEGIN { 9 | $VERSION = '1.08'; 10 | @ISA = qw{Module::Install::Base}; 11 | $ISCORE = 1; 12 | } 13 | 14 | sub WriteAll { 15 | my $self = shift; 16 | my %args = ( 17 | meta => 1, 18 | sign => 0, 19 | inline => 0, 20 | check_nmake => 1, 21 | @_, 22 | ); 23 | 24 | $self->sign(1) if $args{sign}; 25 | $self->admin->WriteAll(%args) if $self->is_admin; 26 | 27 | $self->check_nmake if $args{check_nmake}; 28 | unless ( $self->makemaker_args->{PL_FILES} ) { 29 | # XXX: This still may be a bit over-defensive... 30 | unless ($self->makemaker(6.25)) { 31 | $self->makemaker_args( PL_FILES => {} ) if -f 'Build.PL'; 32 | } 33 | } 34 | 35 | # Until ExtUtils::MakeMaker support MYMETA.yml, make sure 36 | # we clean it up properly ourself. 37 | $self->realclean_files('MYMETA.yml'); 38 | 39 | if ( $args{inline} ) { 40 | $self->Inline->write; 41 | } else { 42 | $self->Makefile->write; 43 | } 44 | 45 | # The Makefile write process adds a couple of dependencies, 46 | # so write the META.yml files after the Makefile. 
47 | if ( $args{meta} ) { 48 | $self->Meta->write; 49 | } 50 | 51 | # Experimental support for MYMETA 52 | if ( $ENV{X_MYMETA} ) { 53 | if ( $ENV{X_MYMETA} eq 'JSON' ) { 54 | $self->Meta->write_mymeta_json; 55 | } else { 56 | $self->Meta->write_mymeta_yaml; 57 | } 58 | } 59 | 60 | return 1; 61 | } 62 | 63 | 1; 64 | -------------------------------------------------------------------------------- /Daemon-Control-0.001006/pm_to_blib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/santiago-bassett/Alienvault-Demo_scripts/bc8c137fe913ba43a4345850206565b028e8fef8/Daemon-Control-0.001006/pm_to_blib -------------------------------------------------------------------------------- /Daemon-Control-0.001006/t/00_load.t: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | use warnings; 3 | use strict; 4 | use Test::More; 5 | 6 | use_ok( $_ ) for qw| Daemon::Control File::Spec POSIX |; 7 | 8 | done_testing; 9 | -------------------------------------------------------------------------------- /Daemon-Control-0.001006/t/01_lsb_file.t: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | use warnings; 3 | use strict; 4 | use Test::More; 5 | 6 | my ( $file, $ilib ); 7 | 8 | # Let's make it so people can test in t/ or in the dist directory. 9 | if ( -f 't/bin/01_lsb.pl' ) { # Dist Directory. 
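$file = "t/bin/01_lsb.pl";
    $ilib = "lib";
} elsif ( -f 'bin/01_lsb.pl' ) {
    $file = "bin/01_lsb.pl";
    $ilib = "../lib";
} else {
    die "Tests should be run in the dist directory or t/";
}


# Run the fixture with the list form of open, so no shell is involved and
# $ilib / $file reach the child as literal arguments; capture its stdout.
open my $lf, "-|", $^X, "-I$ilib", $file, "get_init_file"
    or die "Failed to open pipe to $file: $!";
my $content = do { local $/; <$lf> };
# NOTE(review): the child's exit status ($?) is not examined after close;
# a fixture that dies only shows up as a mismatch in the like() below.
close $lf;

# The expected text is the __DATA__ section below, applied as a regex --
# hence the \[ \] \$ escapes and the pattern groups in it.
my $content_expected = do { local $/; <DATA> };

like $content, qr/$content_expected/, "LSB File Generation Works.";

done_testing;

__DATA__
#!/bin/sh

# Generated at [\w: ]+ with Daemon::Control (?:DEV|[\d.]+)

### BEGIN INIT INFO
# Provides: My Daemon
# Required-Start: \$syslog \$remote_fs
# Required-Stop: \$syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My Daemon Short
# Description: My Daemon controls the My Daemon daemon.
### END INIT INFO`





if \[ -x /usr/sbin/mydaemon/init.pl \];
then
/usr/sbin/mydaemon/init.pl \$1
else
echo "Required program /usr/sbin/mydaemon/init.pl not found!"
exit 1;
fi

--------------------------------------------------------------------------------
/Daemon-Control-0.001006/t/01_lsb_file_with_init_code.t:
--------------------------------------------------------------------------------
#!/usr/bin/perl
use warnings;
use strict;
use Test::More;

my ( $file, $ilib );

# Let's make it so people can test in t/ or in the dist directory.
if ( -f 't/bin/01_lsb_03.pl' ) { # Dist Directory.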
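$file = "t/bin/01_lsb_03.pl";
    $ilib = "lib";
} elsif ( -f 'bin/01_lsb_03.pl' ) {
    $file = "bin/01_lsb_03.pl";
    $ilib = "../lib";
} else {
    die "Tests should be run in the dist directory or t/";
}


# Run the fixture with the list form of open, so no shell is involved and
# $ilib / $file reach the child as literal arguments; capture its stdout.
open my $lf, "-|", $^X, "-I$ilib", $file, "get_init_file"
    or die "Failed to open pipe to $file: $!";
my $content = do { local $/; <$lf> };
# NOTE(review): the child's exit status ($?) is not examined after close;
# a fixture that dies only shows up as a mismatch in the like() below.
close $lf;

# The expected text is the __DATA__ section below, applied as a regex --
# hence the \[ \] \$ escapes and the pattern groups in it.  It includes the
# two-line init_code block the fixture sets.
my $content_expected = do { local $/; <DATA> };

like $content, qr/$content_expected/, "LSB File Generation Works.";

done_testing;

__DATA__
#!/bin/sh

# Generated at [\w: ]+ with Daemon::Control (?:DEV|[\d.]+)

### BEGIN INIT INFO
# Provides: My Daemon
# Required-Start: \$syslog \$remote_fs
# Required-Stop: \$syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My Daemon Short
# Description: My Daemon controls the My Daemon daemon.
### END INIT INFO`



Test This
One Block

if \[ -x /usr/sbin/mydaemon/init.pl \];
then
/usr/sbin/mydaemon/init.pl \$1
else
echo "Required program /usr/sbin/mydaemon/init.pl not found!"
exit 1;
fi

--------------------------------------------------------------------------------
/Daemon-Control-0.001006/t/01_lsb_file_with_init_config.t:
--------------------------------------------------------------------------------
#!/usr/bin/perl
use warnings;
use strict;
use Test::More;

my ( $file, $ilib );

# Let's make it so people can test in t/ or in the dist directory.
if ( -f 't/bin/01_lsb_02.pl' ) { # Dist Directory.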
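$file = "t/bin/01_lsb_02.pl";
    $ilib = "lib";
} elsif ( -f 'bin/01_lsb_02.pl' ) {
    $file = "bin/01_lsb_02.pl";
    $ilib = "../lib";
} else {
    die "Tests should be run in the dist directory or t/";
}


# Run the fixture with the list form of open, so no shell is involved and
# $ilib / $file reach the child as literal arguments; capture its stdout.
open my $lf, "-|", $^X, "-I$ilib", $file, "get_init_file"
    or die "Failed to open pipe to $file: $!";
my $content = do { local $/; <$lf> };
# NOTE(review): the child's exit status ($?) is not examined after close;
# a fixture that dies only shows up as a mismatch in the like() below.
close $lf;

# The expected text is the __DATA__ section below, applied as a regex --
# hence the \[ \] \$ escapes and the pattern groups in it.  It includes the
# init_config sourcing line the fixture sets.
my $content_expected = do { local $/; <DATA> };

like $content, qr/$content_expected/, "LSB File Generation Works.";

done_testing;

__DATA__
#!/bin/sh

# Generated at [\w: ]+ with Daemon::Control (?:DEV|[\d.]+)

### BEGIN INIT INFO
# Provides: My Daemon
# Required-Start: \$syslog \$remote_fs
# Required-Stop: \$syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: My Daemon Short
# Description: My Daemon controls the My Daemon daemon.
### END INIT INFO`

\[ -r /etc/default/my_program \] && . /etc/default/my_program



if \[ -x /usr/sbin/mydaemon/init.pl \];
then
/usr/sbin/mydaemon/init.pl \$1
else
echo "Required program /usr/sbin/mydaemon/init.pl not found!"
exit 1;
fi

--------------------------------------------------------------------------------
/Daemon-Control-0.001006/t/02_sleep_perl.t:
--------------------------------------------------------------------------------
#!/usr/bin/perl
use warnings;
use strict;
use Test::More;

my ( $file, $ilib );

# Let's make it so people can test in t/ or in the dist directory.
if ( -f 't/bin/02_sleep_perl.pl' ) { # Dist Directory.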
10 | $file = "t/bin/02_sleep_perl.pl"; 11 | $ilib = "lib"; 12 | } elsif ( -f 'bin/02_sleep_perl.pl' ) { 13 | $file = "bin/02_sleep_perl.pl"; 14 | $ilib = "../lib"; 15 | } else { 16 | die "Tests should be run in the dist directory or t/"; 17 | } 18 | 19 | 20 | sub get_command_output { 21 | my ( @command ) = @_; 22 | open my $lf, "-|", @command 23 | or die "Couldn't get pipe to '@command': $!"; 24 | my $content = do { local $/; <$lf> }; 25 | close $lf; 26 | return $content; 27 | } 28 | 29 | my $out; 30 | 31 | ok $out = get_command_output( "$^X -I$ilib $file start" ), "Started perl daemon"; 32 | like $out, qr/\[Started\]/, "Daemon started."; 33 | ok $out = get_command_output( "$^X -I$ilib $file status" ), "Get status of perl daemon."; 34 | like $out, qr/\[Running\]/, "Daemon running."; 35 | 36 | sleep 10; 37 | 38 | ok $out = get_command_output( "$^X -I$ilib $file status" ), "Get status of perl daemon."; 39 | like $out, qr/\[Not Running\]/, "Daemon not running"; 40 | 41 | # Testing restart. 
42 | ok $out = get_command_output( "$^X -I$ilib $file start" ), "Started system daemon"; 43 | like $out, qr/\[Started\]/, "Daemon started for restarting."; 44 | ok $out = get_command_output( "$^X -I$ilib $file status" ), "Get status of system daemon."; 45 | like $out, qr/\[Running\]/, "Daemon running for restarting."; 46 | ok $out = get_command_output( "$^X -I$ilib $file restart" ), "Get status of system daemon."; 47 | like $out, qr/\[Stopped\].*\[Started\]/s, "Daemon restarted."; 48 | ok $out = get_command_output( "$^X -I$ilib $file status" ), "Get status of system daemon."; 49 | like $out, qr/\[Running\]/, "Daemon running after restart."; 50 | ok $out = get_command_output( "$^X -I$ilib $file stop" ), "Get status of system daemon."; 51 | like $out, qr/\[Stopped\]/, "Daemon stopped after restart."; 52 | 53 | done_testing; 54 | -------------------------------------------------------------------------------- /Daemon-Control-0.001006/t/02_sleep_perl_array.t: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | use warnings; 3 | use strict; 4 | use Test::More; 5 | 6 | my ( $file, $ilib ); 7 | 8 | # Let's make it so people can test in t/ or in the dist directory. 9 | if ( -f 't/bin/02_sleep_perl_array.pl' ) { # Dist Directory. 
10 | $file = "t/bin/02_sleep_perl_array.pl"; 11 | $ilib = "lib"; 12 | } elsif ( -f 'bin/02_sleep_perl_array.pl' ) { 13 | $file = "bin/02_sleep_perl_array.pl"; 14 | $ilib = "../lib"; 15 | } else { 16 | die "Tests should be run in the dist directory or t/"; 17 | } 18 | 19 | 20 | sub get_command_output { 21 | my ( @command ) = @_; 22 | open my $lf, "-|", @command 23 | or die "Couldn't get pipe to '@command': $!"; 24 | my $content = do { local $/; <$lf> }; 25 | close $lf; 26 | return $content; 27 | } 28 | 29 | my $out; 30 | 31 | ok $out = get_command_output( "$^X -I$ilib $file start" ), "Started perl daemon"; 32 | like $out, qr/\[Started\]/, "Daemon started."; 33 | ok $out = get_command_output( "$^X -I$ilib $file status" ), "Get status of perl daemon."; 34 | like $out, qr/\[Running\]/, "Daemon running."; 35 | 36 | sleep 10; 37 | 38 | ok $out = get_command_output( "$^X -I$ilib $file status" ), "Get status of perl daemon."; 39 | like $out, qr/\[Not Running\]/, "Daemon not running"; 40 | 41 | # Testing restart. 
42 | ok $out = get_command_output( "$^X -I$ilib $file start" ), "Started system daemon"; 43 | like $out, qr/\[Started\]/, "Daemon started for restarting."; 44 | ok $out = get_command_output( "$^X -I$ilib $file status" ), "Get status of system daemon."; 45 | like $out, qr/\[Running\]/, "Daemon running for restarting."; 46 | ok $out = get_command_output( "$^X -I$ilib $file restart" ), "Get status of system daemon."; 47 | like $out, qr/\[Stopped\].*\[Started\]/s, "Daemon restarted."; 48 | ok $out = get_command_output( "$^X -I$ilib $file status" ), "Get status of system daemon."; 49 | like $out, qr/\[Running\]/, "Daemon running after restart."; 50 | ok $out = get_command_output( "$^X -I$ilib $file stop" ), "Get status of system daemon."; 51 | like $out, qr/\[Stopped\]/, "Daemon stopped after restart."; 52 | 53 | done_testing; 54 | -------------------------------------------------------------------------------- /Daemon-Control-0.001006/t/02_sleep_system.t: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | use warnings; 3 | use strict; 4 | use Test::More; 5 | 6 | my ( $file, $ilib ); 7 | 8 | # Let's make it so people can test in t/ or in the dist directory. 9 | if ( -f 't/bin/02_sleep_system.pl' ) { # Dist Directory. 
10 | $file = "t/bin/02_sleep_system.pl"; 11 | $ilib = "lib"; 12 | } elsif ( -f 'bin/02_sleep_system.pl' ) { 13 | $file = "bin/02_sleep_system.pl"; 14 | $ilib = "../lib"; 15 | } else { 16 | die "Tests should be run in the dist directory or t/"; 17 | } 18 | 19 | 20 | sub get_command_output { 21 | my ( @command ) = @_; 22 | open my $lf, "-|", @command 23 | or die "Couldn't get pipe to '@command': $!"; 24 | my $content = do { local $/; <$lf> }; 25 | close $lf; 26 | return $content; 27 | } 28 | 29 | my $out; 30 | 31 | ok $out = get_command_output( "$^X -I$ilib $file start" ), "Started system daemon"; 32 | like $out, qr/\[Started\]/, "Daemon started."; 33 | ok $out = get_command_output( "$^X -I$ilib $file status" ), "Get status of system daemon."; 34 | like $out, qr/\[Running\]/, "Daemon running."; 35 | 36 | sleep 10; 37 | 38 | ok $out = get_command_output( "$^X -I$ilib $file status" ), "Get status of system daemon."; 39 | like $out, qr/\[Not Running\]/, "Daemon not running."; 40 | 41 | # Testing restart. 
42 | ok $out = get_command_output( "$^X -I$ilib $file start" ), "Started system daemon"; 43 | like $out, qr/\[Started\]/, "Daemon started for restarting"; 44 | ok $out = get_command_output( "$^X -I$ilib $file status" ), "Get status of system daemon."; 45 | like $out, qr/\[Running\]/, "Daemon running for restarting."; 46 | ok $out = get_command_output( "$^X -I$ilib $file restart" ), "Get status of system daemon."; 47 | like $out, qr/\[Stopped\].*\[Started\]/s, "Daemon restarted."; 48 | ok $out = get_command_output( "$^X -I$ilib $file status" ), "Get status of system daemon."; 49 | like $out, qr/\[Running\]/, "Daemon running after restart."; 50 | ok $out = get_command_output( "$^X -I$ilib $file stop" ), "Get status of system daemon."; 51 | like $out, qr/\[Stopped\]/, "Daemon stopped after restart."; 52 | 53 | done_testing; 54 | -------------------------------------------------------------------------------- /Daemon-Control-0.001006/t/03_perl_gets_control.t: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | use warnings; 3 | use strict; 4 | use Test::More; 5 | 6 | my ( $file, $ilib ); 7 | 8 | # Let's make it so people can test in t/ or in the dist directory. 9 | if ( -f 't/bin/03_perl_gets_control.pl' ) { # Dist Directory. 
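$file = "t/bin/03_perl_gets_control.pl";
    $ilib = "lib";
} elsif ( -f 'bin/03_perl_gets_control.pl' ) {
    $file = "bin/03_perl_gets_control.pl";
    $ilib = "../lib";
} else {
    die "Tests should be run in the dist directory or t/";
}


# Run @command through a read pipe and return everything it wrote to stdout.
# The caller below passes a single interpolated string, so Perl hands it to
# the shell; the interpolated values are $^X and the fixed paths chosen
# above.  The child's exit status is not checked.
sub get_command_output {
    my ( @command ) = @_;
    open my $lf, "-|", @command
        or die "Couldn't get pipe to '@command': $!";
    my $content = do { local $/; <$lf> };
    close $lf;
    return $content;
}

my $out;

ok $out = get_command_output( "$^X -I$ilib $file start" ), "Started perl daemon";
# The fixture prints FAILED when its program coderef is not handed a
# Daemon::Control instance as its first argument.
unlike $out, qr/FAILED/, "Code ref gets Daemon::Control instance.";

done_testing;
--------------------------------------------------------------------------------
/Daemon-Control-0.001006/t/04_show_warnings.t:
--------------------------------------------------------------------------------
#!/usr/bin/perl
use warnings;
use strict;
use Test::More;

my ( $file, $ilib );

# Let's make it so people can test in t/ or in the dist directory.
my $stub = "04_show_warnings.pl";

if ( -f "t/bin/$stub" ) { # Dist Directory.
    $file = "t/bin/$stub";
    $ilib = "lib";
} elsif ( -f "bin/$stub" ) {
    $file = "bin/$stub";
    $ilib = "../lib";
} else {
    die "Tests should be run in the dist directory or t/";
}


# Same helper as the other t/*.t scripts: run @command through a read pipe
# and return its stdout.  The single-string call below deliberately goes
# through the shell, because it relies on `2>&1` to fold stderr into the
# captured text.
sub get_command_output {
    my ( @command ) = @_;
    open my $lf, "-|", @command
        or die "Couldn't get pipe to '@command': $!";
    my $content = do { local $/; <$lf> };
    close $lf;
    return $content;
}

my $out;

ok $out = get_command_output( "$^X -I$ilib $file show_warnings 2>&1" ), "Get warnings";

# Exact comparison against the __DATA__ block below.
is $out, do { local $/; <DATA> }, "Got warnings.";

done_testing;
__DATA__
stdout_file undefined. Will not redirect file handle.
stderr_file undefined. Will not redirect file handle.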
41 | -------------------------------------------------------------------------------- /Daemon-Control-0.001006/t/bin/01_lsb.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | use warnings; 3 | use strict; 4 | use Daemon::Control; 5 | 6 | Daemon::Control->new({ 7 | name => "My Daemon", 8 | lsb_start => '$syslog $remote_fs', 9 | lsb_stop => '$syslog', 10 | lsb_sdesc => 'My Daemon Short', 11 | lsb_desc => 'My Daemon controls the My Daemon daemon.', 12 | path => '/usr/sbin/mydaemon/init.pl', 13 | 14 | program => sub { sleep shift }, 15 | program_args => [ 10 ], 16 | 17 | pid_file => '/tmp/mydaemon.pid', 18 | stderr_file => '/dev/null', 19 | stdout_file => '/dev/null', 20 | 21 | })->run; 22 | -------------------------------------------------------------------------------- /Daemon-Control-0.001006/t/bin/01_lsb_02.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | use warnings; 3 | use strict; 4 | use Daemon::Control; 5 | 6 | Daemon::Control->new({ 7 | name => "My Daemon", 8 | lsb_start => '$syslog $remote_fs', 9 | lsb_stop => '$syslog', 10 | lsb_sdesc => 'My Daemon Short', 11 | lsb_desc => 'My Daemon controls the My Daemon daemon.', 12 | path => '/usr/sbin/mydaemon/init.pl', 13 | init_config => '/etc/default/my_program', 14 | 15 | program => sub { sleep shift }, 16 | program_args => [ 10 ], 17 | 18 | pid_file => '/tmp/mydaemon.pid', 19 | stderr_file => '/dev/null', 20 | stdout_file => '/dev/null', 21 | 22 | })->run; 23 | -------------------------------------------------------------------------------- /Daemon-Control-0.001006/t/bin/01_lsb_03.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | use warnings; 3 | use strict; 4 | use Daemon::Control; 5 | 6 | Daemon::Control->new({ 7 | name => "My Daemon", 8 | lsb_start => '$syslog $remote_fs', 9 | lsb_stop => '$syslog', 10 | lsb_sdesc => 'My Daemon Short', 
11 | lsb_desc => 'My Daemon controls the My Daemon daemon.', 12 | path => '/usr/sbin/mydaemon/init.pl', 13 | init_code => "Test This\nOne Block", 14 | 15 | program => sub { sleep shift }, 16 | program_args => [ 10 ], 17 | 18 | pid_file => '/tmp/mydaemon.pid', 19 | stderr_file => '/dev/null', 20 | stdout_file => '/dev/null', 21 | 22 | })->run; 23 | -------------------------------------------------------------------------------- /Daemon-Control-0.001006/t/bin/02_sleep_perl.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | use warnings; 3 | use strict; 4 | use Daemon::Control; 5 | 6 | Daemon::Control->new({ 7 | name => "My Daemon", 8 | lsb_start => '$syslog $remote_fs', 9 | lsb_stop => '$syslog', 10 | lsb_sdesc => 'My Daemon Short', 11 | lsb_desc => 'My Daemon controls the My Daemon daemon.', 12 | path => '/usr/sbin/mydaemon/init.pl', 13 | 14 | program => sub { sleep $_[1] }, 15 | program_args => [ 10 ], 16 | 17 | pid_file => 'pid_tmp', 18 | stderr_file => '/dev/null', 19 | stdout_file => '/dev/null', 20 | 21 | fork => 2, 22 | 23 | })->run; 24 | -------------------------------------------------------------------------------- /Daemon-Control-0.001006/t/bin/02_sleep_perl_array.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | use warnings; 3 | use strict; 4 | use Daemon::Control; 5 | 6 | Daemon::Control->new( 7 | name => "My Daemon", 8 | lsb_start => '$syslog $remote_fs', 9 | lsb_stop => '$syslog', 10 | lsb_sdesc => 'My Daemon Short', 11 | lsb_desc => 'My Daemon controls the My Daemon daemon.', 12 | path => '/usr/sbin/mydaemon/init.pl', 13 | 14 | program => sub { sleep $_[1] }, 15 | program_args => [ 10 ], 16 | 17 | pid_file => 'pid_tmp', 18 | stderr_file => '/dev/null', 19 | stdout_file => '/dev/null', 20 | 21 | fork => 2, 22 | 23 | )->run; 24 | -------------------------------------------------------------------------------- 
/Daemon-Control-0.001006/t/bin/02_sleep_system.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | use warnings; 3 | use strict; 4 | use Daemon::Control; 5 | 6 | Daemon::Control->new({ 7 | name => "My Daemon", 8 | lsb_start => '$syslog $remote_fs', 9 | lsb_stop => '$syslog', 10 | lsb_sdesc => 'My Daemon Short', 11 | lsb_desc => 'My Daemon controls the My Daemon daemon.', 12 | path => '/usr/sbin/mydaemon/init.pl', 13 | 14 | program => 'sleep', 15 | program_args => [ 10 ], 16 | 17 | pid_file => 'pid_tmp', 18 | 19 | stderr_file => '/dev/null', 20 | stdout_file => '/dev/null', 21 | 22 | fork => 2, 23 | 24 | })->run; 25 | -------------------------------------------------------------------------------- /Daemon-Control-0.001006/t/bin/03_perl_gets_control.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | use warnings; 3 | use strict; 4 | use Daemon::Control; 5 | 6 | Daemon::Control->new({ 7 | name => "My Daemon", 8 | lsb_start => '$syslog $remote_fs', 9 | lsb_stop => '$syslog', 10 | lsb_sdesc => 'My Daemon Short', 11 | lsb_desc => 'My Daemon controls the My Daemon daemon.', 12 | path => '/usr/sbin/mydaemon/init.pl', 13 | 14 | program => sub { 15 | if ( ref $_[0] ne 'Daemon::Control' ) { 16 | print "FAILED\n"; 17 | } 18 | }, 19 | program_args => [ ], 20 | 21 | redirect_before_fork => 0, 22 | pid_file => '/dev/null', # I don't want to leave tmp files for testing. 
23 | stderr_file => '/dev/null', 24 | stdout_file => '/dev/null', 25 | 26 | fork => 2, 27 | 28 | })->run; 29 | -------------------------------------------------------------------------------- /Daemon-Control-0.001006/t/bin/04_show_warnings.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | use warnings; 3 | use strict; 4 | use Daemon::Control; 5 | 6 | Daemon::Control->new({ 7 | name => "My Daemon", 8 | lsb_start => '$syslog $remote_fs', 9 | lsb_stop => '$syslog', 10 | lsb_sdesc => 'My Daemon Short', 11 | lsb_desc => 'My Daemon controls the My Daemon daemon.', 12 | path => '/usr/sbin/mydaemon/init.pl', 13 | 14 | program => sub { 1 }, 15 | program_args => [ ], 16 | 17 | redirect_before_fork => 0, 18 | pid_file => '/dev/null', # I don't want to leave tmp files for testing. 19 | 20 | fork => 2, 21 | 22 | })->run; 23 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ##Makes an AV install a demo box for fun and potential profit 2 | 3 | - Author: PacketInspector ([@pkt_inspector](https://twitter.com/pkt_inspector)) 4 | 5 | This will add named assets with properties, logged in users, netflow, vulnerability scan, and more.... 6 | 7 | demo. demo. Dance! 8 | 9 | 10 | 11 | ####To install: 12 | 13 | ``` 14 | git clone https://github.com/packetinspector/Alienvault-Demo 15 | cd Alienvault-Demo 16 | perl install.pl 17 | ``` 18 | ####Fast Install: 19 | ``` 20 | apt-get -y install git;git clone https://github.com/packetinspector/Alienvault-Demo;cd Alienvault-Demo/;perl install.pl 21 | ``` 22 | 23 | The script will do all the work. Nothing to do beforehand. Nothing to do afterhand. 24 | You can re-run it with no consequences 25 | 26 | Need to start over? 
27 | 28 | ``` 29 | alienvault-reconfig -c -d -v --rebuild_db;sleep 15;perl install.pl 30 | ``` 31 | 32 | The installer will install the generators, add them to startup, and run them. In case you want to start/stop them yourself.. 33 | 34 | ``` 35 | /etc/init.d/runpcaps [start|stop|restart] 36 | /etc/init.d/runlogs [start|stop|restart] 37 | ``` 38 | ####Want to add your own pcaps? 39 | 40 | - Add them to the `./pcaps` directory 41 | - Done 42 | - The IPs will be rewritten on playback to match the assets 43 | 44 | ####Want to add your own plugins/logs? 45 | - Add them to the plugins directory. Everything must have the same basename. 46 | - You can add .sql/.log/.cfg files. 47 | - Re-run the installer 48 | 49 | ####Log Samples 50 | Your .log files can just be copies of logs right off a system. No need to do anything. 51 | 52 | You can have IPs substituted for you automatically by adding a variable into your logs 53 | 54 | **Key** | **Replaced With** 55 | --- | --- 56 | `` | Random IP, Totally made up. No bounds. 57 | `` | IP From OTX. Uses DB from install 58 | 59 | #### Where are all the logfiles going? 60 | All the generated log files are put in 61 | `/var/log/demologs` 62 | They will be separated by plugin. A logrotate script for them is installed automatically. 
#### Screenshots
192.168.100.52,0,25,6,SERVER,[smtp:d], 28 | 192.168.100.52,0,22,6,SERVER,[ssh:d], 29 | 192.168.100.52,0,123,6,SERVER,[ntp:d], 30 | 192.168.100.53;Mendelevium;FreeBSD;00:d6:09:2a:6d:66;mary 31 | 192.168.100.53,0,123,6,SERVER,[ntp:d], 32 | 192.168.100.53,0,80,6,SERVER,[http:d], 33 | 192.168.100.53,0,22,6,SERVER,[ssh:d], 34 | 192.168.100.53,0,137,6,SERVER,[netbios:d], 35 | 192.168.100.53,0,123,6,SERVER,[ntp:d], 36 | 192.168.100.54;Meitnerium;WindowsVista;00:ab:54:07:e5:a9;Administrator 37 | 192.168.100.54,0,443,6,SERVER,[https:d], 38 | 192.168.100.55;Manganese;Windows2008;00:3a:5b:d3:0c:b9; 39 | 192.168.100.55,0,25,6,SERVER,[smtp:d], 40 | 192.168.100.55,0,25,6,SERVER,[smtp:d], 41 | 192.168.100.56;Magnesium;Linux;00:e6:07:41:30:70;mary 42 | 192.168.100.56,0,22,6,SERVER,[ssh:d], 43 | 192.168.100.56,0,25,6,SERVER,[smtp:d], 44 | 192.168.100.57;Lutetium;WindowsVista;00:80:3f:d3:2e:9a;someuser 45 | 192.168.100.57,0,161,6,SERVER,[snmp:d], 46 | 192.168.100.57,0,53,6,SERVER,[dns:d], 47 | 192.168.100.58;Livermorium;Linux;00:ec:e6:c2:da:2a;ringo 48 | 192.168.100.59;Lithium;WindowsXP;00:32:87:fc:18:0c;john 49 | 192.168.100.59,0,80,6,SERVER,[http:d], 50 | 192.168.100.59,0,25,6,SERVER,[smtp:d], 51 | 192.168.100.59,0,80,6,SERVER,[http:d], 52 | 192.168.100.59,0,445,6,SERVER,[microsoft-ds:d], 53 | 192.168.100.59,0,53,6,SERVER,[dns:d], 54 | 192.168.100.60;Lead;HP-UX;00:e9:06:69:bf:b8;mary 55 | 192.168.100.60,0,53,6,SERVER,[dns:d], 56 | 192.168.100.60,0,25,6,SERVER,[smtp:d], 57 | 192.168.100.60,0,443,6,SERVER,[https:d], 58 | 192.168.100.60,0,993,6,SERVER,[imaps:d], 59 | 192.168.100.60,0,636,6,SERVER,[ldaps:d], 60 | 192.168.100.61;Lawrencium;Unix;00:f6:9b:c4:80:da;root 61 | 192.168.100.62;Lanthanum;Linux;00:de:b0:dd:54:54;admin 62 | 192.168.100.62,0,53,6,SERVER,[dns:d], 63 | 192.168.100.62,0,993,6,SERVER,[imaps:d], 64 | 192.168.100.62,0,137,6,SERVER,[netbios:d], 65 | 192.168.100.62,0,993,6,SERVER,[imaps:d], 66 | 192.168.100.63;Krypton;Unix;00:87:ab:c6:f1:9a;paul 67 | 
192.168.100.63,0,137,6,SERVER,[netbios:d], 68 | 192.168.100.63,0,443,6,SERVER,[https:d], 69 | 192.168.100.64;Iron;Unix;00:27:07:94:63:f8;Administrator 70 | 192.168.100.64,0,443,6,SERVER,[https:d], 71 | 192.168.100.64,0,514,6,SERVER,[syslog:d], 72 | 192.168.100.64,0,636,6,SERVER,[ldaps:d], 73 | 192.168.100.64,0,636,6,SERVER,[ldaps:d], 74 | 192.168.100.64,0,514,6,SERVER,[syslog:d], 75 | 192.168.100.65;Iridium;IOS;00:b9:12:18:34:51;mary 76 | 192.168.100.65,0,993,6,SERVER,[imaps:d], 77 | 192.168.100.66;Iodine;WindowsXP;00:dd:63:95:0a:df;admin 78 | 192.168.100.66,0,993,6,SERVER,[imaps:d], 79 | 192.168.100.66,0,514,6,SERVER,[syslog:d], 80 | 192.168.100.66,0,445,6,SERVER,[microsoft-ds:d], 81 | 192.168.100.66,0,443,6,SERVER,[https:d], 82 | 192.168.100.66,0,443,6,SERVER,[https:d], 83 | 192.168.100.67;Indium;Linux;00:f3:a1:b3:6b:fd;root 84 | 192.168.100.67,0,22,6,SERVER,[ssh:d], 85 | 192.168.100.67,0,123,6,SERVER,[ntp:d], 86 | 192.168.100.67,0,636,6,SERVER,[ldaps:d], 87 | 192.168.100.67,0,636,6,SERVER,[ldaps:d], 88 | 192.168.100.68;Hydrogen;Android;00:3b:be:c0:78:62;mary 89 | 192.168.100.68,0,22,6,SERVER,[ssh:d], 90 | 192.168.100.68,0,53,6,SERVER,[dns:d], 91 | 192.168.100.68,0,53,6,SERVER,[dns:d], 92 | 192.168.100.68,0,445,6,SERVER,[microsoft-ds:d], 93 | 192.168.100.68,0,514,6,SERVER,[syslog:d], 94 | 192.168.100.69;Holmium;FreeBSD;00:b3:a8:4a:2e:ce;root 95 | 192.168.100.69,0,445,6,SERVER,[microsoft-ds:d], 96 | 192.168.100.69,0,22,6,SERVER,[ssh:d], 97 | 192.168.100.70;Helium;Android;00:1d:53:00:64:09;root 98 | 192.168.100.71;Hassium;IOS;00:83:6f:5b:92:4f;admin 99 | 192.168.100.71,0,161,6,SERVER,[snmp:d], 100 | 192.168.100.71,0,25,6,SERVER,[smtp:d], 101 | 192.168.100.72;Hafnium;Darwin;00:af:6e:cb:4a:83;john 102 | 192.168.100.73;Gold;OpenBSD;00:10:61:d8:df:61;john 103 | 192.168.100.73,0,123,6,SERVER,[ntp:d], 104 | 192.168.100.73,0,636,6,SERVER,[ldaps:d], 105 | 192.168.100.73,0,993,6,SERVER,[imaps:d], 106 | 192.168.100.73,0,443,6,SERVER,[https:d], 107 | 
192.168.100.74;Germanium;Linux;00:68:4b:17:24:90;mary 108 | 192.168.100.75;Gallium;MacOSX;00:6c:ab:72:be:ab;john 109 | 192.168.100.75,0,514,6,SERVER,[syslog:d], 110 | 192.168.100.75,0,22,6,SERVER,[ssh:d], 111 | 192.168.100.75,0,53,6,SERVER,[dns:d], 112 | 192.168.100.76;Gadolinium;Solaris;00:21:77:44:9d:b0;john 113 | 192.168.100.76,0,53,6,SERVER,[dns:d], 114 | 192.168.100.76,0,445,6,SERVER,[microsoft-ds:d], 115 | 192.168.100.76,0,22,6,SERVER,[ssh:d], 116 | 192.168.100.77;Francium;Solaris;00:a7:d7:69:70:7d;root 117 | 192.168.100.77,0,137,6,SERVER,[netbios:d], 118 | 192.168.100.77,0,25,6,SERVER,[smtp:d], 119 | 192.168.100.78;Fluorine;WindowsXP;00:e2:7e:1b:39:45;root 120 | 192.168.100.78,0,80,6,SERVER,[http:d], 121 | 192.168.100.78,0,443,6,SERVER,[https:d], 122 | 192.168.100.78,0,636,6,SERVER,[ldaps:d], 123 | 192.168.100.79;Flerovium;HP-UX;00:de:44:62:aa:06;john 124 | 192.168.100.79,0,161,6,SERVER,[snmp:d], 125 | 192.168.100.79,0,993,6,SERVER,[imaps:d], 126 | 192.168.100.79,0,137,6,SERVER,[netbios:d], 127 | 192.168.100.80;Fermium;WindowsXP;00:4b:27:17:2b:af;mary 128 | 192.168.100.81;Europium;WindowsXP;00:48:53:f0:36:70; 129 | 192.168.100.82;Erbium;WindowsVista;00:1c:71:b8:11:3b;paul 130 | 192.168.100.82,0,123,6,SERVER,[ntp:d], 131 | 192.168.100.82,0,80,6,SERVER,[http:d], 132 | 192.168.100.82,0,53,6,SERVER,[dns:d], 133 | 192.168.100.82,0,161,6,SERVER,[snmp:d], 134 | 192.168.100.82,0,53,6,SERVER,[dns:d], 135 | 192.168.100.83;Einsteinium;Linux;00:29:75:4c:2f:36;paul 136 | 192.168.100.84;Dubnium;WindowsXP;00:06:d3:50:7e:5a;admin 137 | 192.168.100.84,0,53,6,SERVER,[dns:d], 138 | 192.168.100.84,0,123,6,SERVER,[ntp:d], 139 | 192.168.100.84,0,137,6,SERVER,[netbios:d], 140 | 192.168.100.84,0,25,6,SERVER,[smtp:d], 141 | 192.168.100.85;Curium;Windows2008;00:60:02:4f:ca:99;someuser 142 | 192.168.100.86;Copper;MacOSX;00:53:b1:09:1d:9c;john 143 | 192.168.100.86,0,514,6,SERVER,[syslog:d], 144 | 192.168.100.86,0,514,6,SERVER,[syslog:d], 145 | 192.168.100.86,0,443,6,SERVER,[https:d], 
146 | 192.168.100.87;Cobalt;OpenBSD;00:48:4a:9c:e4:bf;someuser 147 | 192.168.100.87,0,137,6,SERVER,[netbios:d], 148 | 192.168.100.88;Chromium;AtheOS;00:59:37:2d:f2:23;someuser 149 | 192.168.100.88,0,445,6,SERVER,[microsoft-ds:d], 150 | 192.168.100.89;Paradox;AtheOS;00:cc:be:cc:10:c0;ringo 151 | 192.168.100.89,0,22,6,SERVER,[ssh:d], 152 | 192.168.100.89,0,636,6,SERVER,[ldaps:d], 153 | 192.168.100.89,0,514,6,SERVER,[syslog:d], 154 | 192.168.100.90;Glados;ReactOS;00:9a:e0:1b:5f:55;ringo 155 | 192.168.100.90,0,443,6,SERVER,[https:d], 156 | 192.168.100.90,0,161,6,SERVER,[snmp:d], 157 | 192.168.100.91;Phoenix;IOS;00:57:c2:31:b2:29;ringo 158 | 192.168.100.91,0,443,6,SERVER,[https:d], 159 | 192.168.100.91,0,993,6,SERVER,[imaps:d], 160 | 192.168.100.91,0,445,6,SERVER,[microsoft-ds:d], 161 | 192.168.100.92;Fusion;WindowsXP;00:34:9b:90:54:0f;john 162 | 192.168.100.93;Skynet;Unix;00:17:a3:3c:8f:72;root 163 | 192.168.100.93,0,445,6,SERVER,[microsoft-ds:d], 164 | 192.168.100.94;Orion;AtheOS;00:3a:76:5a:21:42;ringo 165 | 192.168.100.94,0,443,6,SERVER,[https:d], 166 | 192.168.100.94,0,993,6,SERVER,[imaps:d], 167 | 192.168.100.94,0,445,6,SERVER,[microsoft-ds:d], 168 | -------------------------------------------------------------------------------- /assets/make_assets.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | 3 | my $num = 50; 4 | my $start = 45; 5 | my $range = '192.168.100.'; 6 | my @os_list = qw/Linux 7 | MacOSX 8 | Unix 9 | FreeBSD 10 | ReactOS 11 | Solaris 12 | OpenBSD 13 | AtheOS 14 | Darwin 15 | HP-UX 16 | Android 17 | Linux 18 | WindowsXP 19 | WindowsVista 20 | Windows2008 21 | IOS/; 22 | 23 | my @hostnames = qw/Axiom 24 | Jarvis 25 | Helios 26 | Nexus 27 | Orion 28 | Skynet 29 | Fusion 30 | Phoenix 31 | Glados 32 | Paradox 33 | Chromium 34 | Cobalt 35 | Copper 36 | Curium 37 | Dubnium 38 | Einsteinium 39 | Erbium 40 | Europium 41 | Fermium 42 | Flerovium 43 | Fluorine 44 | Francium 45 | Gadolinium 46 | 
Gallium 47 | Germanium 48 | Gold 49 | Hafnium 50 | Hassium 51 | Helium 52 | Holmium 53 | Hydrogen 54 | Indium 55 | Iodine 56 | Iridium 57 | Iron 58 | Krypton 59 | Lanthanum 60 | Lawrencium 61 | Lead 62 | Lithium 63 | Livermorium 64 | Lutetium 65 | Magnesium 66 | Manganese 67 | Meitnerium 68 | Mendelevium 69 | Mercury 70 | Molybdenum 71 | Neodymium 72 | Neon 73 | Neptunium 74 | Nickel 75 | Niobium 76 | Nitrogen 77 | /; 78 | 79 | my @usernames = qw/Administrator 80 | admin 81 | root 82 | someuser 83 | john 84 | paul 85 | ringo 86 | mary 87 | /; 88 | #Support no user logged in... 89 | push @usernames, ''; 90 | 91 | my @services = qw/http:80 92 | https:443 93 | dns:53 94 | ssh:22 95 | ntp:123 96 | netbios:137 97 | snmp:161 98 | smtp:25 99 | microsoft-ds:445 100 | syslog:514 101 | ldaps:636 102 | imaps:993 103 | /; 104 | 105 | 106 | for (my $i = $start; $i < $num + $start; $i++) { 107 | my $service_string = "%s,0,%s,%s,SERVER,[%s:d],\n"; 108 | my $mac = '00:'; 109 | my $ip = $range . $i; 110 | $mac .= sprintf("%.2x:",rand(255)) for (1..4); 111 | $mac .= sprintf("%.2x",rand(255)); 112 | my $os = $os_list[rand @os_list]; 113 | my $username = $usernames[rand @usernames]; 114 | my $hostname = pop @hostnames; 115 | print "$ip;$hostname;$os;$mac;$username\n"; 116 | for (1..rand(6)) { 117 | my ($proto, $port) = (split /:/, $services[rand @services])[0,1]; 118 | printf ($service_string, $ip, $port, 6, $proto) 119 | } 120 | } 121 | 122 | 123 | -------------------------------------------------------------------------------- /assets/prads_dummy0.cfg.local: -------------------------------------------------------------------------------- 1 | [config] 2 | location=/var/log/demologs/prads.log 3 | 4 | [009 - everythidfdfgng] 5 | #'service','hostname','os','ip','mac','login', 6 | event_type=idm-event 7 | inventory_source=6 8 | ip={$asset_ip} 9 | hostname={$s} 10 | os={$os} 11 | mac={$mac} 12 | username={$username} 13 | plugin_sid=2 14 | 
regexp="(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3});(?P[^;]*);(?P[^;]*);(?P[^;]*);(?P[^;]*)" 15 | 16 | [010 - dfgdfgdfg] 17 | #'service','hostname','os','ip','mac','login', 18 | event_type=idm-event 19 | inventory_source=6 20 | ip={$asset_ip} 21 | hostname={$s} 22 | os={$os} 23 | plugin_sid=2 24 | regexp="(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3});(?P[^;]*);(?P[^;]*)" 25 | 26 | [011 - dfgfdgdfgdfg] 27 | #'service','hostname','os','ip','mac','login', 28 | event_type=idm-event 29 | inventory_source=6 30 | ip={$asset_ip} 31 | hostname={$s} 32 | plugin_sid=2 33 | regexp="(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3});(?P[^;]*)" 34 | 35 | -------------------------------------------------------------------------------- /install.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | use Term::ANSIColor qw(:constants); 3 | use Net::Ping; 4 | 5 | #Installer 6 | # Add plugins and logs for plugins to ./plugins They must all have the same basename!!!! 7 | # Add Pcaps to ./pcaps 8 | # Asset stuff in ./assets/ 9 | # 10 | # 11 | # This script can be run over and over, so when in doubt just re-run this... 12 | # Just felt like using perl this time, dunno... 13 | 14 | 15 | my $plugin_dir = './plugins'; 16 | opendir(DIR, $plugin_dir) or die $!; 17 | 18 | my @plugins = grep { /\.cfg$/ && -f "$plugin_dir/$_" } readdir(DIR); 19 | closedir(DIR); 20 | 21 | 22 | # Check Internet connection 23 | my $p = Net::Ping->new("icmp"); 24 | print MAGENTA,, "+ Checking Internet connection\n", RESET; 25 | if ($p->ping("www.cisco.com")){ 26 | print GREEN, " - Internet connection is active!\n\n", RESET; 27 | 28 | #Installing tcpreplay. Removed in 5.1, we need it back 29 | print "Installing tcpreplay....\n"; 30 | `apt-get -y install tcpreplay`; 31 | print "Done.\n"; 32 | } 33 | else{ 34 | print RED, "+ Internet connection not active! Sleeping..\n\n", RESET; 35 | printf " - Is neccesary to install tcpreplay. 
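Do you want to continue (Y/N)?";
    # Read the operator's answer from the terminal. Only an explicit "N"/"n"
    # aborts; anything else (including an empty line) continues without tcpreplay.
    my $input = <STDIN>;
    chomp $input;
    if ($input =~ m/^[N]$/i){
        printf " - Check your connection and try again\n\n\n";
        exit 0;
    }
}

print " - Done\n\n";

# Basenames of every plugin installed below; merged into the detectors= line
# of ossim_setup.conf further down.
my @plugin_names;


print "+ Installing plugins for Demo use...........................\n";
foreach my $plugin (@plugins) {
    # Basename is everything before the first dot ("cisco-asa.cfg" -> "cisco-asa");
    # the companion .log/.sql files are looked up by this name.
    my ($base) = (split /\./, $plugin)[0];
    print " - Found ", GREEN, "$base", RESET, ". Installing...\n";
    # Existing plugin files are overwritten on purpose so the installer is re-runnable.
    # NOTE(review): $plugin/$base are interpolated unquoted into shell commands run
    # as root; this relies on the names in the checked-out ./plugins directory being
    # plain (no spaces or shell metacharacters). Keep plugin filenames simple.
    print " - Copying...";
    `cp $plugin_dir/$plugin /etc/ossim/agent/plugins/`;
    my $local = "[config]\nlocation=/var/log/demologs/$base.log\n";
    print " - Adding Local Config...";
    `echo "$local" > /etc/ossim/agent/plugins/$plugin.local`;
    if (-e "$plugin_dir/$base.sql") {
        print YELLOW, " - Found SQL...Adding..", RESET;
        # Optional per-plugin SQL is loaded straight into the OSSIM database.
        `cat $plugin_dir/$base.sql | ossim-db`;
        print " - Added.";
    }
    push @plugin_names, $base;
    print " - Done\n\n";
}

# The dummy interface is what the pcap generator replays onto; promiscuous mode
# lets the sensor see the replayed traffic.
print "+ Bringing Up Dummy Network...\n";
`modprobe dummy`;
`ifconfig dummy0 up`;
`ifconfig dummy0 promisc`;
print " - Done\n\n";

print YELLOW, "+ Adding Rsyslog config...", RESET;
`cp ./misc/aa-demo.conf /etc/rsyslog.d/`;
print CYAN, " - Restarting rsyslog...", RESET;
`service rsyslog restart`;
print " - Done\n\n";

print CYAN, "+ Adding logrotate file...", RESET;
`cp ./misc/logrotate /etc/logrotate.d/demologs`;
print " - Done\n\n";

# Back up ossim_setup.conf exactly once: the .demo copy is never overwritten, so
# re-running the installer keeps the pristine pre-demo configuration.
if (-e "/etc/ossim/ossim_setup.conf.demo") {
    print CYAN, "+ Backup file already exists.\n", RESET;
} else {
    `cp /etc/ossim/ossim_setup.conf /etc/ossim/ossim_setup.conf.demo`;
    print GREEN, "+ Created Backup File of ossim_setup.\n", RESET;
}
print " - Done\n\n";


# Merge the plugin basenames into the existing "detectors=a, b, c" line,
# de-duplicating while preserving order so re-runs do not grow the list.
my $detectors = `grep detectors= /etc/ossim/ossim_setup.conf`;
my ($d) = (split /=/, $detectors)[1];
chomp($d);
# Split on comma plus any amount of whitespace, matching the interfaces= handling
# below; the original "\,\s" form silently mis-parsed entries written without a
# space after the comma.
my @d2 = split /\,\s*/, $d;
my %dupecheck;
my @d3 = grep( !$dupecheck{$_}++, @d2, @plugin_names);
my $to_insert = join(', ', @d3);
print "+ Adding detectors... $to_insert ....\n";
# NOTE(review): $to_insert goes into a sed s/// expression; a value containing
# "/" would break the substitution. Detector and plugin names are expected to be
# plain identifiers.
`sed -i -e 's/detectors=.*/detectors=$to_insert/' /etc/ossim/ossim_setup.conf`;

#Adding Dummy Interface..
#I'll likely playback files with suricata, this may go away or be used only for netflow...
my $interfaces = `grep interfaces= /etc/ossim/ossim_setup.conf`;
my ($i) = (split /=/, $interfaces)[1];
chomp($i);
my @i2 = split /\,\s*/, $i;
my %dupecheck2;
my @interface_name = ('dummy0');
my @i3 = grep( !$dupecheck2{$_}++, @i2, @interface_name);
$to_insert = join(',', @i3);
print "+ Adding dummy interface... $to_insert ....\n";
`sed -i -e 's/interfaces=.*/interfaces=$to_insert/' /etc/ossim/ossim_setup.conf`;

print "+ Adding Modified ossec.conf....";
`cp ./ossecwin/ossec.conf /var/ossec/etc/`;
print " - Done\n";

print "+ Adding prads local...";
`cp ./assets/prads_dummy0.cfg.local /etc/ossim/agent/plugins/`;
print " - Done\n";

print "+ Finished updating ", CYAN, "ossim_setup", RESET, ". Running re-config...\n";
`ossim-reconfig -c -v`;
print " - Waiting a bit for reconfig...\n\n";
`sleep 10`;
print YELLOW, "+ Adding assets...", RESET;
#This makes the agent wake up. Putting these in their own place so pcaps dont change things.
`mkdir /var/log/demologs` if (!-d "/var/log/demologs");
`touch /var/log/demologs/prads.log`;
`cat ./assets/asset-playback >> /var/log/demologs/prads.log`;
`sleep 2`;
`cat ./assets/asset-playback >> /var/log/demologs/prads.log`;
print CYAN, " - Done!\n\n", RESET;


print MAGENTA, "+ Checking for vulnscan...\n", RESET;

# The demo scan is stored under the fixed report name 'test3'; any output from
# this query means it has already been imported.
my $check_query = "select report_id from vuln_nessus_reports WHERE name = 'test3';";
my $is_added = `echo "$check_query" | ossim-db`;
if (length($is_added)) {
    print " - Scan already there...skipping\n\n";
} else {
    print MAGENTA, " - Adding in a Vulnerability Scan...", RESET;
    # Look up the hex id of the top-level context entity; `tail -1` drops the
    # column header so only the id (or nothing) remains.
    my $ctx_query = "select hex(id) as id from acl_entities WHERE entity_type = 'context' AND parent_id = unhex('00000000000000000000000000000000')";
    my $ctx = `echo "$ctx_query" | ossim-db | tail -1`;
    chomp($ctx);
    if (length($ctx)) {
        print " - Using context id: ", MAGENTA, $ctx, RESET, "\n\n";
        `/usr/bin/perl -w /usr/share/ossim/scripts/vulnmeter/import_nbe.pl ./misc/demo.nbe dGVzdDM7OTg5OEVBNzExMDZBMTFFNDhDNzQwMDBDMjlCQzNGMDE= 1 -4 $ctx 0`;
    } else {
        # Without a context id the import would be called with a missing argument;
        # report it instead of running it blind.
        print RED, " - No context id found in acl_entities; skipping vulnerability scan import.\n\n", RESET;
    }
}

print BLUE, "+ Stopping the generators...You may see errors if this is the first run.\n", RESET;
`service runlogs stop`;
`service runpcaps stop`;

# Each generator script emits its own LSB init file when run with get_init_file.
print BLUE, "+ Adding the generators...\n", RESET;
`chmod 755 ./runlogs.pl`;
`chmod 755 ./runpcaps.pl`;
`./runlogs.pl get_init_file > /etc/init.d/runlogs`;
`./runpcaps.pl get_init_file > /etc/init.d/runpcaps`;
`chmod 755 /etc/init.d/runlogs`;
`chmod 755 /etc/init.d/runpcaps`;
print BLUE, " - Adding the generators to startup...\n\n", RESET;
`update-rc.d runlogs defaults`;
`update-rc.d runpcaps defaults`;
print BLUE, " - Starting Generators...\n\n", RESET;
`service runlogs start`;
`service runpcaps start`;
print GREEN, "+ Adding Assets Again...\n\n\n", RESET;
`cat ./assets/asset-playback >> 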
/var/log/demologs/prads.log`; 174 | 175 | print "All Done. Really that's it. Login and enjoy.\n\n"; 176 | 177 | -------------------------------------------------------------------------------- /misc/aa-demo.conf: -------------------------------------------------------------------------------- 1 | $template DEMOPath,"/var/log/demologs/%programname%.log" 2 | $template DemoFormat,"%TIMESTAMP% %hostname%%msg%\n" 3 | #scripts send this fac.pri combo. write them raw to avoid duplicate tags 4 | if $syslogseverity == '7' AND $syslogfacility == '6' then ?DEMOPath;DemoFormat 5 | & ~ 6 | #if $syslogseverity == '7' AND $syslogfacility == '6' then /var/log/debugfmt;RSYSLOG_DebugFormat 7 | #& ?DEMOlog 8 | #if $syslogseverity == '7' AND $syslogfacility == '6' then /var/log/debugfmt;DEMOlog 9 | 10 | #Quiet AV Stuff 11 | if ($programname == 'sshd' OR $programname == 'sudo') AND ($msg contains 'avapi' OR $msg contains 'disconnected by user') then ~ 12 | -------------------------------------------------------------------------------- /misc/demo.conf: -------------------------------------------------------------------------------- 1 | 2 | RewriteEngine on 3 | RewriteBase /ossim/ 4 | RewriteRule ^action/deleteaction.php okay.php [PT,L] 5 | RewriteRule ^action/modifyactions.php okay.php [PT,L] 6 | #RewriteRule ^alarm/controllers/alarm_actions.php okay.php [PT,L] 7 | RewriteRule ^alarm/controllers/alarm_group_actions.php okay.php [PT,L] 8 | RewriteRule ^alarm/controllers/alarms_check_delete.php okay.php [PT,L] 9 | RewriteRule ^av_asset/asset/controllers/asset_actions.php okay.php [PT,L] 10 | RewriteRule ^av_asset/asset/controllers/bk_asset_actions.php okay.php [PT,L] 11 | RewriteRule ^av_asset/asset/controllers/bk_delete.php okay.php [PT,L] 12 | RewriteRule ^av_asset/asset/controllers/bk_save_assets.php okay.php [PT,L] 13 | RewriteRule ^av_asset/asset/controllers/deploy_hids.php okay.php [PT,L] 14 | RewriteRule ^av_asset/asset/controllers/import_all_hosts_ajax.php okay.php [PT,L] 15 | 
RewriteRule ^av_asset/asset/controllers/import_all_hosts_from_siem_ajax.php okay.php [PT,L] 16 | RewriteRule ^av_asset/asset/controllers/save_asset.php okay.php [PT,L] 17 | RewriteRule ^av_asset/asset/views/config.php okay.php [PT,L] 18 | RewriteRule ^av_asset/common/controllers/save_selection.php okay.php [PT,L] 19 | RewriteRule ^av_asset/group/controllers/bk_delete.php okay.php [PT,L] 20 | RewriteRule ^av_asset/group/controllers/save_group.php okay.php [PT,L] 21 | RewriteRule ^av_asset/group/views/new_group.php okay.php [PT,L] 22 | RewriteRule ^av_asset/network/controllers/bk_delete.php okay.php [PT,L] 23 | RewriteRule ^av_asset/network/controllers/save_net.php okay.php [PT,L] 24 | RewriteRule ^av_asset/network/views/import_all_nets.php okay.php [PT,L] 25 | RewriteRule ^av_asset/network/views/net_form.php okay.php [PT,L] 26 | RewriteRule ^av_schedule_scan/controllers/save_schedule.php okay.php [PT,L] 27 | RewriteRule ^backup/index.php okay.php [PT,L] 28 | #RewriteRule ^conf/category.php okay.php [PT,L] 29 | RewriteRule ^conf/index.php* okay.php [PT,L] 30 | RewriteRule ^conf/modifypluginref.php okay.php [PT,L] 31 | RewriteRule ^conf/modifypluginsid_ajax.php okay.php [PT,L] 32 | RewriteRule ^conf/modifypluginsid.php okay.php [PT,L] 33 | RewriteRule ^conf/modifypluginsidform.php okay.php [PT,L] 34 | RewriteRule ^conf/plugin.php okay.php [PT,L] 35 | RewriteRule ^conf/pluginref_ajax.php okay.php [PT,L] 36 | RewriteRule ^conf/pluginref.php okay.php [PT,L] 37 | RewriteRule ^conf/pluginsid.php okay.php [PT,L] 38 | RewriteRule ^dashboard/sections/tabs/tab_add.php okay.php [PT,L] 39 | RewriteRule ^dashboard/sections/tabs/tab_menu.php okay.php [PT,L] 40 | RewriteRule ^directives/save_attribute.php okay.php [PT,L] 41 | RewriteRule ^directives/test.php okay.php [PT,L] 42 | RewriteRule ^directives/wizard_directive.php okay.php [PT,L] 43 | RewriteRule ^directives/wizard_rule.php okay.php [PT,L] 44 | #RewriteRule ^directives/directives_ajax.php okay.php [PT,L] 45 | RewriteRule 
^forensics/custom_view_delete.php okay.php [PT,L] 46 | RewriteRule ^forensics/custom_view_edit.php okay.php [PT,L] 47 | RewriteRule ^forensics/custom_view_save.php okay.php [PT,L] 48 | RewriteRule ^netgroup/netgroup_actions.php okay.php [PT,L] 49 | RewriteRule ^netgroup/newnetgroup.php okay.php [PT,L] 50 | RewriteRule ^netscan/new_scan.php.* okay.php [PT,L] 51 | RewriteRule ^nfsen/process.php okay.php [PT,L] 52 | RewriteRule ^ossec/controllers/agentless/actions.php okay.php [PT,L] 53 | RewriteRule ^ossec/controllers/agentless/al_applyconf.php okay.php [PT,L] 54 | RewriteRule ^ossec/controllers/agentless/al_delete.php okay.php [PT,L] 55 | RewriteRule ^ossec/controllers/agentless/al_enable.php okay.php [PT,L] 56 | RewriteRule ^ossec/controllers/agentless/al_save.php okay.php [PT,L] 57 | RewriteRule ^ossec/controllers/agents/a_deployment_actions.php okay.php [PT,L] 58 | RewriteRule ^ossec/controllers/agents/a_deployment.php okay.php [PT,L] 59 | RewriteRule ^ossec/controllers/agents/agent_actions.php okay.php [PT,L] 60 | RewriteRule ^ossec/controllers/agents/check_agent_ip.php okay.php [PT,L] 61 | RewriteRule ^ossec/controllers/agents/link_asset_to_agent.php okay.php [PT,L] 62 | RewriteRule ^ossec/controllers/agents/save_agent.php okay.php [PT,L] 63 | RewriteRule ^ossec/controllers/agents/save_cnf.php okay.php [PT,L] 64 | RewriteRule ^ossec/controllers/agents/syscheck_actions.php okay.php [PT,L] 65 | RewriteRule ^ossec/controllers/ossec_config/actions.php okay.php [PT,L] 66 | RewriteRule ^ossec/controllers/ossec_config/save_tabs.php okay.php [PT,L] 67 | RewriteRule ^ossec/controllers/ossec_control/actions.php okay.php [PT,L] 68 | RewriteRule ^ossec/controllers/ossec_rules/modify_rule.php okay.php [PT,L] 69 | RewriteRule ^ossec/controllers/ossec_rules/save.php okay.php [PT,L] 70 | RewriteRule ^ossec/views/agents/a_deployment_form.php okay.php [PT,L] 71 | #RewriteRule ^ossec/views/agents/agent.php okay.php [PT,L] 72 | #RewriteRule ^otx/views/config.php okay.php [PT,L] 73 
| RewriteRule ^policy/changepolicy.php okay.php [PT,L] 74 | RewriteRule ^policy/changepolicygroup.php okay.php [PT,L] 75 | RewriteRule ^policy/deletepolicy.php okay.php [PT,L] 76 | RewriteRule ^policy/deletepolicygroup.php okay.php [PT,L] 77 | RewriteRule ^policy/modifyplugingroups.php okay.php [PT,L] 78 | RewriteRule ^policy/modifyplugingroupsform.php okay.php [PT,L] 79 | RewriteRule ^policy/newpolicy.php okay.php [PT,L] 80 | RewriteRule ^policy/newpolicygroup.php okay.php [PT,L] 81 | RewriteRule ^policy/reorderpolicies.php okay.php [PT,L] 82 | RewriteRule ^port/deleteport.php okay.php [PT,L] 83 | RewriteRule ^port/deleteportgroup.php okay.php [PT,L] 84 | RewriteRule ^port/modifyport.php okay.php [PT,L] 85 | RewriteRule ^port/modifyportgroup.php okay.php [PT,L] 86 | RewriteRule ^port/newport.php okay.php [PT,L] 87 | RewriteRule ^port/newportgroup.php okay.php [PT,L] 88 | RewriteRule ^remote_interfaces/get_ri.php okay.php [PT,L] 89 | RewriteRule ^remote_interfaces/index.php okay.php [PT,L] 90 | RewriteRule ^remote_interfaces/launch_ri.php okay.php [PT,L] 91 | RewriteRule ^remote_interfaces/modify_ri.php okay.php [PT,L] 92 | RewriteRule ^remote_interfaces/new_ri_form.php okay.php [PT,L] 93 | RewriteRule ^remote_interfaces/new_ri.php okay.php [PT,L] 94 | RewriteRule ^remote_interfaces/ri_actions.php okay.php [PT,L] 95 | RewriteRule ^repository/change_user.php okay.php [PT,L] 96 | RewriteRule ^repository/repository_attachment.php okay.php [PT,L] 97 | RewriteRule ^repository/repository_delete.php okay.php [PT,L] 98 | RewriteRule ^repository/repository_editdocument.php okay.php [PT,L] 99 | RewriteRule ^repository/repository_newdocument.php okay.php [PT,L] 100 | RewriteRule ^risk_maps/changemap.php okay.php [PT,L] 101 | RewriteRule ^risk_maps/modify.php okay.php [PT,L] 102 | RewriteRule ^risk_maps/save.php okay.php [PT,L] 103 | RewriteRule ^risk_maps/upload_map.php okay.php [PT,L] 104 | RewriteRule ^risk_maps/riskmaps_functions.php okay.php [PT,L] 105 | RewriteRule 
^risk_maps/change_user.php okay.php [PT,L] 106 | RewriteRule ^risk_maps/map_options.php okay.php [PT,L] 107 | RewriteRule ^risk_maps/get_indicators.php okay.php [PT,L] 108 | RewriteRule ^sensor/deletelocations.php okay.php [PT,L] 109 | #RewriteRule ^sensor/get_sensor_info.php okay.php [PT,L] 110 | RewriteRule ^sensor/get_sensor_leads.php okay.php [PT,L] 111 | #RewriteRule ^sensor/get_sensors.php okay.php [PT,L] 112 | RewriteRule ^sensor/getlocations.php okay.php [PT,L] 113 | #RewriteRule ^sensor/getsensor.php okay.php [PT,L] 114 | RewriteRule ^sensor/interfaces.php okay.php [PT,L] 115 | RewriteRule ^sensor/locations.php okay.php [PT,L] 116 | RewriteRule ^sensor/modifylocations.php okay.php [PT,L] 117 | RewriteRule ^sensor/modifysensor.php okay.php [PT,L] 118 | RewriteRule ^sensor/newlocations.php okay.php [PT,L] 119 | RewriteRule ^sensor/newlocationsform.php okay.php [PT,L] 120 | RewriteRule ^sensor/newsensor.php okay.php [PT,L] 121 | RewriteRule ^sensor/newsensorform.php okay.php [PT,L] 122 | RewriteRule ^sensor/nfsen_config.php okay.php [PT,L] 123 | RewriteRule ^sensor/nfsen_functions.php okay.php [PT,L] 124 | RewriteRule ^sensor/sensor_actions.php okay.php [PT,L] 125 | RewriteRule ^sensor/sensor_plugins.php okay.php [PT,L] 126 | #RewriteRule ^sensor/sensor.php okay.php [PT,L] 127 | RewriteRule ^sensor/test_nagios.php okay.php [PT,L] 128 | RewriteRule ^server/dbs_actions.php okay.php [PT,L] 129 | RewriteRule ^server/dbs.php okay.php [PT,L] 130 | RewriteRule ^server/deleteserver.php okay.php [PT,L] 131 | RewriteRule ^server/engine_ajax.php okay.php [PT,L] 132 | RewriteRule ^server/forward_server.php okay.php [PT,L] 133 | #RewriteRule ^server/getdbs.php okay.php [PT,L] 134 | #RewriteRule ^server/getserver.php okay.php [PT,L] 135 | RewriteRule ^server/modifydbs.php okay.php [PT,L] 136 | RewriteRule ^server/modifyserver.php okay.php [PT,L] 137 | RewriteRule ^server/modifyserverform.php okay.php [PT,L] 138 | RewriteRule ^server/newdbs.php okay.php [PT,L] 139 | 
RewriteRule ^server/newdbsform.php okay.php [PT,L] 140 | RewriteRule ^server/newserver.php okay.php [PT,L] 141 | RewriteRule ^server/newserverform.php okay.php [PT,L] 142 | #RewriteRule ^server/server.php okay.php [PT,L] 143 | #RewriteRule ^server/server_get_servers.php okay.php [PT,L] 144 | RewriteRule ^session/deleteuser.php okay.php [PT,L] 145 | #RewriteRule ^session/users.php okay.php [PT,L] 146 | RewriteRule ^session/users_edit.php okay.php [PT,L] 147 | RewriteRule ^userlog/forced_logout.php okay.php [PT,L] 148 | RewriteRule ^vulnmeter/add_hosts.php okay.php [PT,L] 149 | RewriteRule ^vulnmeter/change_user.php okay.php [PT,L] 150 | RewriteRule ^vulnmeter/check_credential.php okay.php [PT,L] 151 | RewriteRule ^vulnmeter/config.php okay.php [PT,L] 152 | RewriteRule ^vulnmeter/download_results.php okay.php [PT,L] 153 | RewriteRule ^vulnmeter/export_nbe.php okay.php [PT,L] 154 | RewriteRule ^vulnmeter/import_nbe.php okay.php [PT,L] 155 | RewriteRule ^vulnmeter/import_nbe.php okay.php [PT,L] 156 | RewriteRule ^vulnmeter/manage_jobs.php okay.php [PT,L] 157 | RewriteRule ^vulnmeter/manage_jobs.php* okay.php [PT,L] 158 | RewriteRule ^vulnmeter/new_scan.php okay.php [PT,L] 159 | RewriteRule ^vulnmeter/sched.php* okay.php [PT,L] 160 | RewriteRule ^vulnmeter/settings.php okay.php [PT,L] 161 | RewriteRule ^vulnmeter/webconfig.php okay.php [PT,L] 162 | RewriteRule ^wireless/setup.php okay.php [PT,L] 163 | 164 | -------------------------------------------------------------------------------- /misc/logrotate: -------------------------------------------------------------------------------- 1 | /var/log/demologs/*.log 2 | { 3 | rotate 4 4 | daily 5 | missingok 6 | notifempty 7 | compress 8 | delaycompress 9 | sharedscripts 10 | postrotate 11 | invoke-rc.d rsyslog reload > /dev/null 12 | endscript 13 | } 14 | 15 | -------------------------------------------------------------------------------- /misc/okay.php: 
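-------------------------------------------------------------------------------- 1 | "OK", "output" => "Not available in Demo Mode"); 5 | echo json_encode($okay); 6 | 7 | ?> 8 | -------------------------------------------------------------------------------- /ossecwin/brutewin.sh: --------------------------------------------------------------------------------
#!/bin/bash
# Santiago Bassett
#
# Demo-only alert generator.  Appends synthetic OSSEC alerts (Windows event
# 4625 "An account failed to log on", OSSEC rule 18106, NTLM logon type 3
# against ADMINISTRATOR on 10.0.0.70) to the OSSEC alerts log in random
# bursts, so a SIEM tailing that file sees a simulated brute-force attack.
#
# WARNING: this writes straight into /var/ossec/logs/alerts/alerts.log, the
# same file ossec-analysisd appends to.  Run it only on a demo manager: on a
# real one it fabricates alerts that are indistinguishable from genuine
# detections.  Needs write access to that log (normally root or the ossec
# group).
#
# Template alert.  The 10-digit epoch timestamp right after "AV - Alert -"
# is the only part rewritten per iteration; everything else is constant.

set -eu

ALERTS_LOG=/var/ossec/logs/alerts/alerts.log

line='AV - Alert - "1367083144" --> RID: "18106"; RL: "5"; RG: "windows,win_authentication_failed,"; RC: "Windows Logon Failure."; USER: "None"; SRCIP: "None"; HOSTNAME: "(windows70) 10.0.0.70->WinEvtLog"; LOCATION: "(windows70) 10.0.0.70->WinEvtLog"; EVENT: "[INIT]WinEvtLog: Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): no domain: AMAZONA-D4ONP5E: An account failed to log on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: ADMINISTRATOR Account Domain: 10.0.0.70 Failure Information: Failure Reason: %2313 Status: 0xc000006d Sub Status: 0xc000006a Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: 10.0.0.70 Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. [END]";'

while true
do
    # One burst: 11..40 failed logons, 0-2 s apart (i <= times is kept
    # from the original, hence the +1).
    times=$(( RANDOM % 30 + 10 ))

    for (( i = 0; i <= times; i++ ))
    do
        now=$(date "+%s")
        # Replace the first 10-digit run (the template timestamp) with now.
        # $line and $newline are quoted on purpose: unquoted, the "[INIT]" and
        # "[END]" bracket expressions are shell glob patterns and internal
        # whitespace would be collapsed, corrupting the alert text.
        newline=$(printf '%s\n' "$line" | sed -r "s/[0-9]{10}/$now/")
        printf '%s\n' "$newline" >> "$ALERTS_LOG"
        sleep $(( RANDOM % 3 ))
    done

    # Quiet period of up to a day before the next burst.
    sleep $(( (RANDOM * 1000) % 86400 ))
done
-------------------------------------------------------------------------------- /ossecwin/ossec.conf: -------------------------------------------------------------------------------- 1 | 2 | 3 | no 4 | AV - Alert - "$TIMESTAMP" --> RID: "$RULEID"; RL: "$RULELEVEL"; RG: "$RULEGROUP"; RC: "$RULECOMMENT"; USER: "$DSTUSER"; SRCIP: "$SRCIP"; HOSTNAME: "$HOSTNAME"; LOCATION: "$LOCATION"; EVENT: "[INIT]$FULLLOG[END]"; 5 | 6 | 7 | 8 | 9 | 10 | 21600 11 | 12 | 13 | /etc,/usr/bin,/usr/sbin 14 | /bin,/sbin 15 | 16 | 17 | /etc/mtab 18 | /etc/mnttab 19 | /etc/hosts.deny 20 | /etc/mail/statistics 21 | /etc/random-seed 22 | /etc/adjtime 23 | /etc/httpd/logs 24 | /etc/utmpx 25 | /etc/wtmpx 26 | /etc/cups/certs 27 | /etc/dumpdates 28 | /etc/svc/volatile 29 | 30 | 31 | C:\WINDOWS/System32/LogFiles 32 | C:\WINDOWS/Debug 33 | C:\WINDOWS/WindowsUpdate.log 34 | C:\WINDOWS/iis6.log 35 | C:\WINDOWS/system32/wbem/Logs 36 | C:\WINDOWS/system32/wbem/Repository 37 | C:\WINDOWS/Prefetch 38 | C:\WINDOWS/PCHEALTH/HELPCTR/DataColl 39 | C:\WINDOWS/SoftwareDistribution 40 | C:\WINDOWS/Temp 41 | C:\WINDOWS/system32/config 42 | C:\WINDOWS/system32/spool 43 | C:\WINDOWS/system32/CatRoot 44 | 45 | 46 | 47 | /var/ossec/etc/shared/rootkit_files.txt 48 | /var/ossec/etc/shared/rootkit_trojans.txt 49 | /var/ossec/etc/shared/system_audit_rcl.txt 50 | /var/ossec/etc/shared/cis_debian_linux_rcl.txt 51 | /var/ossec/etc/shared/cis_rhel_linux_rcl.txt 52 | /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt 53 | 54 | 55 | 56 | yes 57 | 58 | 59 | 60 | 61 | secure 62 | 63 | 64 | 65 | 1 66 | 67 | 68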
| 69 | 70 | syslog 71 | /var/log/dpkg.log 72 | 73 | 74 | 75 | rules_config.xml 76 | pam_rules.xml 77 | sshd_rules.xml 78 | telnetd_rules.xml 79 | syslog_rules.xml 80 | arpwatch_rules.xml 81 | symantec-av_rules.xml 82 | symantec-ws_rules.xml 83 | pix_rules.xml 84 | named_rules.xml 85 | smbd_rules.xml 86 | vsftpd_rules.xml 87 | pure-ftpd_rules.xml 88 | proftpd_rules.xml 89 | ms_ftpd_rules.xml 90 | ftpd_rules.xml 91 | hordeimp_rules.xml 92 | vpopmail_rules.xml 93 | vmpop3d_rules.xml 94 | courier_rules.xml 95 | web_rules.xml 96 | apache_rules.xml 97 | mysql_rules.xml 98 | postgresql_rules.xml 99 | ids_rules.xml 100 | squid_rules.xml 101 | firewall_rules.xml 102 | cisco-ios_rules.xml 103 | netscreenfw_rules.xml 104 | sonicwall_rules.xml 105 | postfix_rules.xml 106 | sendmail_rules.xml 107 | imapd_rules.xml 108 | mailscanner_rules.xml 109 | ms-exchange_rules.xml 110 | racoon_rules.xml 111 | vpn_concentrator_rules.xml 112 | spamd_rules.xml 113 | msauth_rules.xml 114 | mcafee_av_rules.xml 115 | 116 | zeus_rules.xml 117 | solaris_bsm_rules.xml 118 | vmware_rules.xml 119 | ossec_rules.xml 120 | attack_rules.xml 121 | local_rules.xml 122 | 123 | 124 | -------------------------------------------------------------------------------- /ossecwin/ossec.conf.orig: -------------------------------------------------------------------------------- 1 | 2 | 3 | no 4 | AV - Alert - "$TIMESTAMP" --> RID: "$RULEID"; RL: "$RULELEVEL"; RG: "$RULEGROUP"; RC: "$RULECOMMENT"; USER: "$DSTUSER"; SRCIP: "$SRCIP"; HOSTNAME: "$HOSTNAME"; LOCATION: "$LOCATION"; EVENT: "[INIT]$FULLLOG[END]"; 5 | 6 | 7 | 8 | 9 | 10 | 21600 11 | 12 | 13 | /etc,/usr/bin,/usr/sbin 14 | /bin,/sbin 15 | 16 | 17 | /etc/mtab 18 | /etc/mnttab 19 | /etc/hosts.deny 20 | /etc/mail/statistics 21 | /etc/random-seed 22 | /etc/adjtime 23 | /etc/httpd/logs 24 | /etc/utmpx 25 | /etc/wtmpx 26 | /etc/cups/certs 27 | /etc/dumpdates 28 | /etc/svc/volatile 29 | 30 | 31 | C:\WINDOWS/System32/LogFiles 32 | C:\WINDOWS/Debug 33 | 
C:\WINDOWS/WindowsUpdate.log 34 | C:\WINDOWS/iis6.log 35 | C:\WINDOWS/system32/wbem/Logs 36 | C:\WINDOWS/system32/wbem/Repository 37 | C:\WINDOWS/Prefetch 38 | C:\WINDOWS/PCHEALTH/HELPCTR/DataColl 39 | C:\WINDOWS/SoftwareDistribution 40 | C:\WINDOWS/Temp 41 | C:\WINDOWS/system32/config 42 | C:\WINDOWS/system32/spool 43 | C:\WINDOWS/system32/CatRoot 44 | 45 | 46 | 47 | /var/ossec/etc/shared/rootkit_files.txt 48 | /var/ossec/etc/shared/rootkit_trojans.txt 49 | /var/ossec/etc/shared/system_audit_rcl.txt 50 | /var/ossec/etc/shared/cis_debian_linux_rcl.txt 51 | /var/ossec/etc/shared/cis_rhel_linux_rcl.txt 52 | /var/ossec/etc/shared/cis_rhel5_linux_rcl.txt 53 | 54 | 55 | 56 | yes 57 | 58 | 59 | 60 | 61 | secure 62 | 63 | 64 | 65 | 1 66 | 67 | 68 | 69 | 70 | syslog 71 | /var/log/messages 72 | 73 | 74 | 75 | syslog 76 | /var/log/auth.log 77 | 78 | 79 | 80 | syslog 81 | /var/log/syslog 82 | 83 | 84 | 85 | syslog 86 | /var/log/mail.info 87 | 88 | 89 | 90 | syslog 91 | /var/log/dpkg.log 92 | 93 | 94 | 95 | apache 96 | /var/log/apache2/error.log 97 | 98 | 99 | 100 | apache 101 | /var/log/apache2/access.log 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | rules_config.xml 114 | pam_rules.xml 115 | sshd_rules.xml 116 | telnetd_rules.xml 117 | syslog_rules.xml 118 | arpwatch_rules.xml 119 | symantec-av_rules.xml 120 | symantec-ws_rules.xml 121 | pix_rules.xml 122 | named_rules.xml 123 | smbd_rules.xml 124 | vsftpd_rules.xml 125 | pure-ftpd_rules.xml 126 | proftpd_rules.xml 127 | ms_ftpd_rules.xml 128 | ftpd_rules.xml 129 | hordeimp_rules.xml 130 | vpopmail_rules.xml 131 | vmpop3d_rules.xml 132 | courier_rules.xml 133 | web_rules.xml 134 | apache_rules.xml 135 | mysql_rules.xml 136 | postgresql_rules.xml 137 | ids_rules.xml 138 | squid_rules.xml 139 | firewall_rules.xml 140 | cisco-ios_rules.xml 141 | netscreenfw_rules.xml 142 | sonicwall_rules.xml 143 | postfix_rules.xml 144 | sendmail_rules.xml 145 | imapd_rules.xml 146 | mailscanner_rules.xml 147 | 
ms-exchange_rules.xml 148 | racoon_rules.xml 149 | vpn_concentrator_rules.xml 150 | spamd_rules.xml 151 | msauth_rules.xml 152 | mcafee_av_rules.xml 153 | 154 | zeus_rules.xml 155 | solaris_bsm_rules.xml 156 | vmware_rules.xml 157 | ossec_rules.xml 158 | attack_rules.xml 159 | local_rules.xml 160 | 161 | 162 | -------------------------------------------------------------------------------- /pcaps/2014-02-09-Neutrino-EK-traffic.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/santiago-bassett/Alienvault-Demo_scripts/bc8c137fe913ba43a4345850206565b028e8fef8/pcaps/2014-02-09-Neutrino-EK-traffic.pcap -------------------------------------------------------------------------------- /pcaps/2014-02-11-Fiesta-EK-traffic.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/santiago-bassett/Alienvault-Demo_scripts/bc8c137fe913ba43a4345850206565b028e8fef8/pcaps/2014-02-11-Fiesta-EK-traffic.pcap -------------------------------------------------------------------------------- /pcaps/2014-03-05-Goon-EK-traffic.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/santiago-bassett/Alienvault-Demo_scripts/bc8c137fe913ba43a4345850206565b028e8fef8/pcaps/2014-03-05-Goon-EK-traffic.pcap -------------------------------------------------------------------------------- /pcaps/2014-03-27-Nuclear-EK-traffic.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/santiago-bassett/Alienvault-Demo_scripts/bc8c137fe913ba43a4345850206565b028e8fef8/pcaps/2014-03-27-Nuclear-EK-traffic.pcap -------------------------------------------------------------------------------- /pcaps/2014-04-14-Magnitude-EK-traffic.pcap: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/santiago-bassett/Alienvault-Demo_scripts/bc8c137fe913ba43a4345850206565b028e8fef8/pcaps/2014-04-14-Magnitude-EK-traffic.pcap -------------------------------------------------------------------------------- /pcaps/2015-07-11-traffic-analysis-exercise.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/santiago-bassett/Alienvault-Demo_scripts/bc8c137fe913ba43a4345850206565b028e8fef8/pcaps/2015-07-11-traffic-analysis-exercise.pcap -------------------------------------------------------------------------------- /pcaps/44ef5251789e8f63f687a44a3004ff44_20140327.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/santiago-bassett/Alienvault-Demo_scripts/bc8c137fe913ba43a4345850206565b028e8fef8/pcaps/44ef5251789e8f63f687a44a3004ff44_20140327.pcap -------------------------------------------------------------------------------- /pcaps/473b3ddf5b3db7be3a716db349889839_20140322.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/santiago-bassett/Alienvault-Demo_scripts/bc8c137fe913ba43a4345850206565b028e8fef8/pcaps/473b3ddf5b3db7be3a716db349889839_20140322.pcap -------------------------------------------------------------------------------- /pcaps/EXPLOIT_CVE-2007-5020_Acrobat_mailto_URI_Handler_EvilFingers.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/santiago-bassett/Alienvault-Demo_scripts/bc8c137fe913ba43a4345850206565b028e8fef8/pcaps/EXPLOIT_CVE-2007-5020_Acrobat_mailto_URI_Handler_EvilFingers.pcap -------------------------------------------------------------------------------- /pcaps/EXPLOIT_Jet_DB_BufferOverflow_EvilFingers.pcap: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/santiago-bassett/Alienvault-Demo_scripts/bc8c137fe913ba43a4345850206565b028e8fef8/pcaps/EXPLOIT_Jet_DB_BufferOverflow_EvilFingers.pcap -------------------------------------------------------------------------------- /pcaps/InvestigationExtractionRussianCryptolocker.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/santiago-bassett/Alienvault-Demo_scripts/bc8c137fe913ba43a4345850206565b028e8fef8/pcaps/InvestigationExtractionRussianCryptolocker.pcap -------------------------------------------------------------------------------- /pcaps/MALW_CRIME_blaster_PracticalPacketAnalysis.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/santiago-bassett/Alienvault-Demo_scripts/bc8c137fe913ba43a4345850206565b028e8fef8/pcaps/MALW_CRIME_blaster_PracticalPacketAnalysis.pcap -------------------------------------------------------------------------------- /pcaps/abuse.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/santiago-bassett/Alienvault-Demo_scripts/bc8c137fe913ba43a4345850206565b028e8fef8/pcaps/abuse.pcap -------------------------------------------------------------------------------- /pcaps/armageddon.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/santiago-bassett/Alienvault-Demo_scripts/bc8c137fe913ba43a4345850206565b028e8fef8/pcaps/armageddon.pcap -------------------------------------------------------------------------------- /pcaps/botnet.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/santiago-bassett/Alienvault-Demo_scripts/bc8c137fe913ba43a4345850206565b028e8fef8/pcaps/botnet.pcap -------------------------------------------------------------------------------- /pcaps/cnc1.pcap: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/santiago-bassett/Alienvault-Demo_scripts/bc8c137fe913ba43a4345850206565b028e8fef8/pcaps/cnc1.pcap -------------------------------------------------------------------------------- /pcaps/cnc2.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/santiago-bassett/Alienvault-Demo_scripts/bc8c137fe913ba43a4345850206565b028e8fef8/pcaps/cnc2.pcap -------------------------------------------------------------------------------- /pcaps/cnc3.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/santiago-bassett/Alienvault-Demo_scripts/bc8c137fe913ba43a4345850206565b028e8fef8/pcaps/cnc3.pcap -------------------------------------------------------------------------------- /pcaps/cnc4.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/santiago-bassett/Alienvault-Demo_scripts/bc8c137fe913ba43a4345850206565b028e8fef8/pcaps/cnc4.pcap -------------------------------------------------------------------------------- /pcaps/d9soft.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/santiago-bassett/Alienvault-Demo_scripts/bc8c137fe913ba43a4345850206565b028e8fef8/pcaps/d9soft.pcap -------------------------------------------------------------------------------- /pcaps/fake-antivirus1.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/santiago-bassett/Alienvault-Demo_scripts/bc8c137fe913ba43a4345850206565b028e8fef8/pcaps/fake-antivirus1.pcap -------------------------------------------------------------------------------- /pcaps/forbes.pcap: -------------------------------------------------------------------------------- 
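https://raw.githubusercontent.com/santiago-bassett/Alienvault-Demo_scripts/bc8c137fe913ba43a4345850206565b028e8fef8/pcaps/forbes.pcap -------------------------------------------------------------------------------- /pcaps/heart2.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/santiago-bassett/Alienvault-Demo_scripts/bc8c137fe913ba43a4345850206565b028e8fef8/pcaps/heart2.pcap -------------------------------------------------------------------------------- /pcaps/inject_pcaps.sh: --------------------------------------------------------------------------------
#!/bin/bash
# JS
#
# Demo traffic generator.  Replays every *.pcap in this directory onto the
# dummy0 interface, forever, so a sensor sniffing dummy0 sees the exploit-kit,
# C2, worm and malware captures stored here.  tcpreplay-edit's -N map rewrites
# 10.0.0.0/8 and 192.168.0.0/16 addresses into the demo's 192.168.100.x ranges
# so the resulting events land on the demo's own hosts.
#
# Safety notes:
#  * These captures contain real malicious traffic.  dummy0 is not routed off
#    the host, so nothing leaves the box; do not switch -i to a physical NIC
#    unless that segment is meant to receive live exploit traffic.
#  * Must run as root (modprobe, promiscuous mode, raw-socket injection).
#  * The glob is not recursive, so captures under old/ are not replayed.

set -eu

if [ "$(id -u)" -ne 0 ]; then
    echo "inject_pcaps.sh: must run as root" >&2
    exit 1
fi
command -v tcpreplay-edit >/dev/null 2>&1 || {
    echo "inject_pcaps.sh: tcpreplay-edit not found in PATH" >&2
    exit 1
}

# Just in case the module is not loaded or the interface is down yet.
# modprobe is best-effort (dummy may be built in); bringing dummy0 up is not,
# because without it every replay below would fail silently in a loop.
modprobe dummy 2>/dev/null || true
ifconfig dummy0 up
ifconfig dummy0 promisc

SCRIPTPATH=$( cd "$(dirname "$0")" && pwd -P )
cd "$SCRIPTPATH"

while true
do
    # Glob instead of parsing `ls`; the ./ prefix keeps odd file names from
    # being read as tcpreplay options.
    for pcap in ./*.pcap
    do
        [ -e "$pcap" ] || continue   # no captures present
        tcpreplay-edit -T nano \
            -N '10.0.0.0/8:192.168.100.76/30,192.168.0.0/16:192.168.100.74/28' \
            -i dummy0 --pps=10 "$pcap" \
            || echo "inject_pcaps.sh: replay of $pcap failed" >&2
    done
    sleep 1200
done
-------------------------------------------------------------------------------- /pcaps/input.cache: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/santiago-bassett/Alienvault-Demo_scripts/bc8c137fe913ba43a4345850206565b028e8fef8/pcaps/input.cache -------------------------------------------------------------------------------- /pcaps/m-androme.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/santiago-bassett/Alienvault-Demo_scripts/bc8c137fe913ba43a4345850206565b028e8fef8/pcaps/m-androme.pcap -------------------------------------------------------------------------------- /pcaps/old/2014-02-26-Angler-EK-traffic.pcap: --------------------------------------------------------------------------------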
https://raw.githubusercontent.com/santiago-bassett/Alienvault-Demo_scripts/bc8c137fe913ba43a4345850206565b028e8fef8/pcaps/old/2014-02-26-Angler-EK-traffic.pcap -------------------------------------------------------------------------------- /pcaps/old/2014-03-29-FlashPack-EK-traffic.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/santiago-bassett/Alienvault-Demo_scripts/bc8c137fe913ba43a4345850206565b028e8fef8/pcaps/old/2014-03-29-FlashPack-EK-traffic.pcap -------------------------------------------------------------------------------- /pcaps/old/2015-03-24-traffic-analysis-exercise.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/santiago-bassett/Alienvault-Demo_scripts/bc8c137fe913ba43a4345850206565b028e8fef8/pcaps/old/2015-03-24-traffic-analysis-exercise.pcap -------------------------------------------------------------------------------- /pcaps/old/2015-05-29-traffic-analysis-exercise.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/santiago-bassett/Alienvault-Demo_scripts/bc8c137fe913ba43a4345850206565b028e8fef8/pcaps/old/2015-05-29-traffic-analysis-exercise.pcap -------------------------------------------------------------------------------- /pcaps/old/fake-antivirus2.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/santiago-bassett/Alienvault-Demo_scripts/bc8c137fe913ba43a4345850206565b028e8fef8/pcaps/old/fake-antivirus2.pcap -------------------------------------------------------------------------------- /pcaps/slammer.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/santiago-bassett/Alienvault-Demo_scripts/bc8c137fe913ba43a4345850206565b028e8fef8/pcaps/slammer.pcap 
-------------------------------------------------------------------------------- /pcaps/spambot.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/santiago-bassett/Alienvault-Demo_scripts/bc8c137fe913ba43a4345850206565b028e8fef8/pcaps/spambot.pcap -------------------------------------------------------------------------------- /pcaps/spyware.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/santiago-bassett/Alienvault-Demo_scripts/bc8c137fe913ba43a4345850206565b028e8fef8/pcaps/spyware.pcap -------------------------------------------------------------------------------- /pcaps/zeus.pcap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/santiago-bassett/Alienvault-Demo_scripts/bc8c137fe913ba43a4345850206565b028e8fef8/pcaps/zeus.pcap -------------------------------------------------------------------------------- /plugins/aruba-6.cfg: -------------------------------------------------------------------------------- 1 | # Alienvault plugin 2 | # Author: Alienvault Team at devel@alienvault.com 3 | # Plugin aruba-6 id:1624 version: 0.0.3 (NOTE: the [DEFAULT] section below sets plugin_id=1690, not 1624; the [DEFAULT] value is the id the agent stamps on every event, so reconcile the two before deploying) 4 | # Last modification: 2015-05-13 16:11 5 | # 6 | # Plugin Selection Info: 7 | # Aruba Networks:Wireless:- 8 | # 9 | # END-HEADER 10 | # Accepted products: 11 | # Aruba Networks - Wireless_6.x 6.1.3.5 12 | # Description: 13 | # 14 | # Aruba Wireless 6.x 15 | # author: jschreiber 16 | # 17 | # Syslog Configuration. Note that the rsyslog filter below selects on sender IP/hostname only; plain UDP syslog authenticates neither, so a spoofed datagram would be parsed as an Aruba event (use TCP/TLS transport or restrict the collector port if that matters). 
18 | # In order to configure this plugin to read the logs in the correct place, 19 | # please add the below configuration to your rsyslog configuration folder: 20 | # file: /etc/rsyslog.d/zzzzz_aruba6.conf 21 | # -- begin file 22 | # if $fromhost-ip isequal 'YOUR_DEVICE_IP' then /var/log/ossim/aruba.log 23 | # if $fromhost isequal 'YOUR_DEVICE_HOSTNAME' then /var/log/ossim/aruba.log 24 | # & ~ 25 | # -- end file 26 | # 27 | # 28 | 29 | [DEFAULT] 30 | plugin_id=1690 31 | 32 | [config] 33 | type=detector 34 | enable=yes 35 | 36 | source=log 37 | location=/var/log/ossim/aruba.log 38 | create_file=false 39 | 40 | process= 41 | start=no ; launch plugin process when agent starts 42 | stop=no ; shutdown plugin process when agent stops 43 | startup= 44 | shutdown= 45 | 46 | 47 | 48 | [0001- aruba - RogueAP] 49 | event_type=event 50 | regexp="(?P\w{3}\s{1,2}\d{1,2}\s\d{2}\:\d{2}\:\d{2})\s+(?P\S+)\s+(?P\S+)\[.*?\<(?P\d+)\>.*client\s(?P\S{2}:\S{2}:\S{2}:\S{2}:\S{2}:\S{2}).*BSSID\s+(?P\S{2}:\S{2}:\S{2}:\S{2}:\S{2}:\S{2}).*SSID\s+(?P\S+)" 51 | device={resolv($device)} 52 | precheck="127037" 53 | plugin_sid={$sid} 54 | date={normalize_date($date)} 55 | userdata1={$mac1} 56 | userdata2={$mac2} 57 | userdata3={$SSID} 58 | 59 | [0002 - aruba - RogueAP2] 60 | event_type=event 61 | regexp="(?P\w{3}\s{1,2}\d{1,2}\s\d{2}\:\d{2}\:\d{2})\s+(?P\S+)\s+(?P\S+)\[.*?\<(?P\d+)\>.*client\s(?P\S{2}:\S{2}:\S{2}:\S{2}:\S{2}:\S{2}).*BSSID\s+(?P\S{2}:\S{2}:\S{2}:\S{2}:\S{2}:\S{2}).*SSID\s+(?P\S+)" 62 | device={resolv($device)} 63 | precheck="127038" 64 | plugin_sid={$sid} 65 | date={normalize_date($date)} 66 | userdata1={$mac1} 67 | userdata2={$mac2} 68 | userdata3={$SSID} 69 | 70 | [0003 - aruba - RogueAP3] 71 | event_type=event 72 | regexp="(?P\w{3}\s{1,2}\d{1,2}\s\d{2}\:\d{2}\:\d{2})\s+(?P\S+)\s+(?P\S+)\[.*?\<(?P\d+)\>.*MAC\s+\((?P\S{2}:\S{2}:\S{2}:\S{2}:\S{2}:\S{2})\)\swith\sIP\s+\((?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\)" 73 | device={resolv($device)} 74 | precheck="127000" 75 | 
plugin_sid={$sid} 76 | date={normalize_date($date)} 77 | userdata1={$mac1} 78 | src_ip={$srcip} 79 | 80 | 81 | [0004 - aruba - Double Mac] 82 | event_type=event 83 | regexp="(?P\w{3}\s{1,2}\d{1,2}\s\d{2}\:\d{2}\:\d{2})\s+(?P\S+)\s+(?P\S+)\[.*?\<(?P\d+)\>.*(?P\S{2}:\S{2}:\S{2}:\S{2}:\S{2}:\S{2})\s+(?P\S{2}:\S{2}:\S{2}:\S{2}:\S{2}:\S{2})" 84 | device={resolv($device)} 85 | plugin_sid={$sid} 86 | date={normalize_date($date)} 87 | userdata1={$mac1} 88 | userdata2={$mac2} 89 | 90 | [0005 - aruba - Blacklist] 91 | event_type=event 92 | precheck="124008" 93 | regexp="(?P\w{3}\s{1,2}\d{1,2}\s\d{2}\:\d{2}\:\d{2})\s+(?P\S+)\s+(?P\S+)\[.*?\<(?P\d+)\>.*MAC\=(?P\S{2}:\S{2}:\S{2}:\S{2}:\S{2}:\S{2}).*IP\=(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" 94 | device={resolv($device)} 95 | plugin_sid={$sid} 96 | date={normalize_date($date)} 97 | userdata1={$mac1} 98 | src_ip={$srcip} 99 | 100 | 101 | [0006 - aruba - Radius] 102 | event_type=event 103 | precheck="132207" 104 | regexp="(?P\w{3}\s{1,2}\d{1,2}\s\d{2}\:\d{2}\:\d{2})\s+(?P\S+)\s+(?P\S+)\[.*?\<(?P\d+)\>.*station\s(?P\S+)\s+(?P\S{2}:\S{2}:\S{2}:\S{2}:\S{2}:\S{2}).*server\s(?P\S+)" 105 | device={resolv($device)} 106 | plugin_sid={$sid} 107 | date={normalize_date($date)} 108 | userdata1={$mac1} 109 | userdata2={$host} 110 | userdata3={$auth_host} 111 | 112 | 113 | [0007 - aruba - malformed frame] 114 | event_type=event 115 | precheck="126085" 116 | regexp="(?P\w{3}\s{1,2}\d{1,2}\s\d{2}\:\d{2}\:\d{2})\s+(?P\S+)\s+(?P\S+).*?\<(?P\d+)\>.+?AP\((?P\w+:\w+:\w+:\w+:\w+:\w+)\@(?P\S+)\): Malformed Frame.*?MAC address (?P\w+:\w+:\w+:\w+:\w+:\w+).*?" 
117 | device={resolv($device)} 118 | plugin_sid={$sid} 119 | date={normalize_date($date)} 120 | userdata1={$radio_mac} 121 | userdata2={$radio_name} 122 | userdata3={$device_mac} 123 | 124 | 125 | [0008 - aruba - firewall rule hit] 126 | event_type=event 127 | precheck="124006" 128 | regexp="(?P\w{3}\s{1,2}\d{1,2}\s\d{2}\:\d{2}\:\d{2})\s+(?P\S+)\s+(?P\S+).*?\<(?P\d+)\>.+?srcip=(?P\S+)( srcport=(?P\d+))? dstip=(?P\S+)( dstport=(?P\d+))?.*?" 129 | device={resolv($device)} 130 | plugin_sid={$sid} 131 | date={normalize_date($date)} 132 | src_ip={$srcip} 133 | src_port={$srcport} 134 | dst_ip={$dstip} 135 | dst_port={$dstport} 136 | 137 | 138 | [0009 - aruba - interfering AP] 139 | event_type=event 140 | precheck="126005" 141 | regexp="(?P\w{3}\s{1,2}\d{1,2}\s\d{2}\:\d{2}\:\d{2})\s+(?P\S+)\s+(?P\S+).*?\<(?P\d+)\>.+?Interfering AP.*BSSID (?P\S+) and SSID ((?P\S+))?.*?" 142 | device={resolv($device)} 143 | plugin_sid={$sid} 144 | date={normalize_date($date)} 145 | userdata1={$ap_bssid} 146 | userdata2={$ap_ssid} 147 | 148 | 149 | [0010 - aruba - Block ACK DoS Attack] 150 | event_type=event 151 | precheck="126087" 152 | regexp="(?P\w{3}\s{1,2}\d{1,2}\s\d{2}\:\d{2}\:\d{2})\s+(?P\S+)\s+(?P\S+).*?\<(?P\d+)\>.+?AP\((?P\w+:\w+:\w+:\w+:\w+:\w+)\@(?P\S+)\): Block ACK DoS Attack.*?Block ACK DoS Attack.*?The frame from (?P\S+) to (?P\S+).*?" 153 | device={resolv($device)} 154 | plugin_sid={$sid} 155 | date={normalize_date($date)} 156 | userdata1={$src_mac} 157 | userdata2={$dst_mac} 158 | 159 | 160 | [0011 - aruba - MIC Failed] 161 | event_type=event 162 | precheck="132094" 163 | regexp="(?P\w{3}\s{1,2}\d{1,2}\s\d{2}\:\d{2}\:\d{2})\s+(?P\S+)\s+(?P\S+).*?\<(?P\d+)\>.+? MIC failed.*? 
Station (?P\S+) (?P\S+) (?P\S+)" 164 | device={resolv($device)} 165 | plugin_sid={$sid} 166 | date={normalize_date($date)} 167 | userdata1={$mac} 168 | userdata2={$bssid} 169 | userdata3={$apname} 170 | 171 | 172 | [0012 - aruba - Suspect Rogue AP] 173 | event_type=event 174 | precheck="126048" 175 | regexp="(?P\w{3}\s{1,2}\d{1,2}\s\d{2}\:\d{2}\:\d{2})\s+(?P\S+)\s+(?P\S+).*?\<(?P\d+)\>.+?Suspect Rogue AP.*?BSSID (?P\w{2}:\w{2}:\w{2}:\w{2}:\w{2}:\w{2}), SSID( (?P\S+))?.*?" 176 | device={resolv($device)} 177 | plugin_sid={$sid} 178 | date={normalize_date($date)} 179 | userdata1={$bssid} 180 | userdata2={$ssid} 181 | 182 | 183 | [0013 - aruba - Internal error message] 184 | event_type=event 185 | regexp="(?P\w{3}\s{1,2}\d{1,2}\s\d{2}\:\d{2}\:\d{2})\s+(?P\S+)\s+(?P\S+).*?\<(?P124251|124252|124253|124254|124255|124256|124257|124258|124259|124260|124261|124262|124263|124264|124265|124266|124267)\>.*?" 186 | device={resolv($device)} 187 | plugin_sid={$sid} 188 | date={normalize_date($date)} 189 | 190 | 191 | [0014 - aruba - Disconnect Station Attack] 192 | event_type=event 193 | regexp="(?P\w{3}\s{1,2}\d{1,2}\s\d{2}\:\d{2}\:\d{2})\s+(?P\S+)\s+(?P\S+).*?\<(?P126035)\>.*?AP\((?P\w{2}:\w{2}:\w{2}:\w{2}:\w{2}:\w{2})@(?P\S+)\).*?disconnect attack of client (?P\w{2}:\w{2}:\w{2}:\w{2}:\w{2}:\w{2}).*?" 
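device={resolv($device)}
plugin_sid={$sid}
date={normalize_date($date)}
userdata1={$radio_mac}
userdata2={$radio_name}
userdata3={$src_mac}


# NOTE(review): in this copy of the file the named-group labels
# "(?P<name>...)" appear to have been stripped from every regexp (only
# "(?P" remains); the {$var} references in each section show the intended
# group names.  Restore them from the upstream plugin before using.
[0015 - aruba - Station and AP’s replay counter does not match]
event_type=event
regexp="(?P\w{3}\s{1,2}\d{1,2}\s\d{2}\:\d{2}\:\d{2})\s+(?P\S+)\s+(?P\S+).*?\<(?P132093)\>.*?WPA2 Key message \d from Station (?P\w{2}:\w{2}:\w{2}:\w{2}:\w{2}:\w{2}) (?P\w{2}:\w{2}:\w{2}:\w{2}:\w{2}:\w{2}) (?P\S+) did not match the replay counter (?P\S+) vs (?P\S+)"
device={resolv($device)}
plugin_sid={$sid}
date={normalize_date($date)}
userdata1={$src_mac}
userdata2={$bssid}
userdata3={$name}
userdata4={$value1}
# userdata4 was assigned twice (value1, then value2), so one of the two
# replay-counter values was silently discarded; value2 now goes to userdata5.
userdata5={$value2}


[0016 - aruba - alerts]
event_type=event
regexp="(?P\w{3}\s{1,2}\d{1,2}\s\d{2}\:\d{2}\:\d{2})\s+(?P\S+)\s+(?P\S+).*?\<(?P126\d\d\d)\>.*?AP\((?P\w{2}:\w{2}:\w{2}:\w{2}:\w{2}:\w{2})@(?P\S+)\).*?"
device={resolv($device)}
plugin_sid={$sid}
date={normalize_date($date)}
userdata1={$radio_mac}
userdata2={$radio_name}


[0017 - aruba - Aruba System Message]
event_type=event
regexp="(?P\w{3}\s{1,2}\d{1,2}\s\d{2}\:\d{2}\:\d{2})\s+(?P\S+)\s+(?P\S+).*?\<(?P311\d\d\d)\>.*?Rebooting: (?P[\S\s]+)"
device={resolv($device)}
plugin_sid={$sid}
date={normalize_date($date)}
userdata1={$message}


[0018 - aruba - Aruba System Crash]
event_type=event
regexp="(?P\w{3}\s{1,2}\d{1,2}\s\d{2}\:\d{2}\:\d{2})\s+(?P\S+)\s+(?P\S+).*?\<(?P30308\d)\>(?P[\S\s]+)"
device={resolv($device)}
plugin_sid={$sid}
date={normalize_date($date)}
userdata1={$message}


[0019 - aruba - Aruba Settings]
event_type=event
regexp="(?P\w{3}\s{1,2}\d{1,2}\s\d{2}\:\d{2}\:\d{2})\s+(?P\S+)\s+(?P\S+).*?\<(?P32608\d)\>.*?AM: (?P[\S\s]+)"
device={resolv($device)}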
plugin_sid={$sid} 248 | date={normalize_date($date)} 249 | userdata1={$message} 250 | 251 | 252 | [0020 - aruba - Aruba Reboot] 253 | event_type=event 254 | regexp="(?P\w{3}\s{1,2}\d{1,2}\s\d{2}\:\d{2}\:\d{2})\s+(?P\S+)\s+(?P\S+).*?\<(?P303022)\>.*?Reboot Reason: (?P[\S\s]+)" 255 | device={resolv($device)} 256 | plugin_sid={$sid} 257 | date={normalize_date($date)} 258 | userdata1={$message} 259 | 260 | 261 | [0021 - aruba - Internal Server Error] 262 | event_type=event 263 | regexp="(?P\w{3}\s{1,2}\d{1,2}\s\d{2}\:\d{2}\:\d{2})\s+(?P\S+)\s+(?P\S+).*?\<(?P399803)\> (?P[\S\s]+)" 264 | device={resolv($device)} 265 | plugin_sid={$sid} 266 | date={normalize_date($date)} 267 | userdata1={$message} 268 | 269 | 270 | [0022 - aruba - STOP Signal] 271 | event_type=event 272 | regexp="(?P\w{3}\s{1,2}\d{1,2}\s\d{2}\:\d{2}\:\d{2})\s+(?P\S+)\s+(?P\S+).*?\<(?P304011|312000|312100|339307|334307|312100|335107|336007)\> (?P[\S\s]+)" 273 | device={resolv($device)} 274 | plugin_sid={$sid} 275 | date={normalize_date($date)} 276 | userdata1={$message} 277 | 278 | [0023 - aruba - Unexpected condition on station manager] 279 | event_type=event 280 | regexp="(?P\w{3}\s{1,2}\d{1,2}\s\d{2}\:\d{2}\:\d{2})\s+(?P\S+)\s+(?P\S+).*?\<(?P30400[0-1])\> (?P[\S\s]+)" 281 | device={resolv($device)} 282 | plugin_sid={$sid} 283 | date={normalize_date($date)} 284 | userdata1={$message} 285 | 286 | 287 | 288 | [0024 - aruba - VRRP state has changed] 289 | event_type=event 290 | regexp="(?P\w{3}\s{1,2}\d{1,2}\s\d{2}\:\d{2}\:\d{2})\s+(?P\S+)\s+(?P\S+).*?\<(?P313328)\> .*?vrid \"(?P\d+)\" - VRRP state transitioned from (?P\S+) to (?P\S+)" 291 | device={resolv($device)} 292 | plugin_sid={$sid} 293 | date={normalize_date($date)} 294 | userdata1={$vrid} 295 | userdata2={$vrrpold} 296 | userdata3={$newvrrp} 297 | 298 | 299 | [9999 - aruba - generic] 300 | event_type=event 301 | regexp="(?P\w{3}\s{1,2}\d{1,2}\s\d{2}\:\d{2}\:\d{2})\s+?(?P\S+)\s+?(?P\S+?).*?\<(?P\d+?)\>" 302 | device={resolv($device)} 303 | 
plugin_sid={$sid} 304 | date={normalize_date($date)} 305 | -------------------------------------------------------------------------------- /plugins/aruba-6.log: -------------------------------------------------------------------------------- 1 | Mar 11 08:23:35 2014 aruba1.demo authmgr[2004]: <522008> User Authentication Successful: username=testuser MAC=90:18:7c:7c:79:e7 IP=192.168.100.209 role=R-Fast VLAN=422 AP=DEMOP5CONST1 SSID=R-Fast AAA profile=AAA-R-Fast auth method=802.1x auth server=W2K8-DEMOA 2 | Mar 11 08:23:35 2014 aruba1.demo authmgr[2004]: <522042> User Authentication Failed: username=testuser MAC=40:0e:85:1b:ff:4b IP=192.168.100.64 auth method=802.1x auth server=W2K8-DEMOA 3 | Oct 28 04:34:46 2006 [10.0.0.254] sapd(00:0b:86:ba:3a:f4@10.0.0.252)[147]: <127018> |AP 00:0b:86:ba:3a:f4@10.0.0.252 sapd| AM 00:0b:86:ba:3a:f4: Interfering AP detected with SSID AlienWireless and BSSID 00:17:df:6e:3d:b6 4 | Apr 10 13:05:22 2008 [10.0.0.253] sapd[190]: <127036> |AP sanmateo@10.0.0.127 sapd| AM 00:0b:86:61:31:60: Wireless bridge detected with Transmitter 00:03:52:e7:c5:20, Receiver 00:03:52:e7:90:30, Channel 4 and RSSI=12 5 | Feb 25 06:51:09 10.54.43.73 sapd[820]: <127037> |AP HWISE-d8:c7:c8:cc:3f:80@192.168.100.81 sapd| |ids-ap| AP(d8:c7:c8:43:f8:00): Station Associated to Rogue AP: An AP detected a client e8:92:a4:f9:ac:df associated to a rogue access point (BSSID 00:13:f7:ca:71:0f and SSID DWISEGEN on CHANNEL 7) 6 | Feb 25 07:02:27 10.54.44.37 sapd[920]: <127000> |AP HWISE-d8:c7:c8:ce:dc:78@192.168.100.37 sapd| |ids-ap| AP(d8:c7:c8:6d:c7:80): Rogue AP: An AP classified an access point(BSSID 00:1d:7e:53:92:a6 and SSID linksys on CHANNEL 6) as rogue because it matched the MAC (00:1d:7e:53:92:a6) with IP (192.168.100.43) 7 | Feb 25 07:04:47 10.54.43.33 sapd[822]: <127038> |AP HWISE-d8:c7:c8:cc:3f:7c@192.168.100.33 sapd| |ids-ap| AP(d8:c7:c8:43:f7:c0): Cleared Station Associated to Rogue AP: An AP is no longer detecting a client e8:92:a4:f9:ac:df associated to a 
rogue access point (BSSID 00:13:f7:ca:71:0f and SSID DWISEGEN on CHANNEL 7) 8 | -------------------------------------------------------------------------------- /plugins/cisco-asa.log: -------------------------------------------------------------------------------- 1 | Apr 10 15:36:00 10.2.2.169 %ASA-6-302016: Teardown UDP connection 595155 for outside:192.168.100.69/61960 to inside:192.168.100.55/53 duration 0:00:00 bytes 158 (demouser) 2 | Apr 10 15:36:00 10.2.2.169 %ASA-6-302016: Teardown UDP connection 595156 for outside:192.168.100.69/50338 to inside:192.168.100.55/53 duration 0:00:00 bytes 160 (demouser) 3 | Apr 10 15:36:00 10.2.2.169 %ASA-6-302016: Teardown UDP connection 595157 for outside:192.168.100.69/56637 to inside:192.168.100.55/53 duration 0:00:00 bytes 162 (demouser) 4 | Apr 10 15:36:00 10.2.2.169 %ASA-6-302015: Built inbound UDP connection 595141 for outside:192.168.100.69/59358 (192.168.100.69/59358) to inside:192.168.100.55/53 (192.168.100.55/53) (demouser) 5 | Apr 10 15:36:00 10.2.2.169 %ASA-6-302015: Built inbound UDP connection 595142 for outside:/54440 (/54440) to inside:192.168.100.55/53 (192.168.100.55/53) (demouser) 6 | Apr 10 15:36:00 10.2.2.169 %ASA-6-302015: Built inbound UDP connection 595143 for outside:/59374 (/59374) to inside:192.168.100.55/53 (192.168.100.55/53) (demouser) 7 | Apr 10 15:37:57 10.2.2.169 %ASA-6-302014: Teardown TCP connection 595239 for outside:192.168.100.69/59238 to inside:192.168.100.71/5900 duration 0:00:30 bytes 0 SYN Timeout (demouser) 8 | Apr 10 15:38:29 10.2.2.169 %ASA-6-302014: Teardown TCP connection 595257 for outside:192.168.100.69/59239 to inside:192.168.100.71/5900 duration 0:00:30 bytes 0 SYN Timeout (demouser) 9 | Apr 10 19:56:04 10.2.2.169 %ASA-6-302014: Teardown TCP connection 606994 for outside:192.168.100.69/60896 to inside:10.9.24.250/3389 duration 0:00:05 bytes 2560 TCP FINs (demouser) 10 | Apr 10 15:35:59 10.2.2.169 %ASA-4-722051: Group User IP <71.86.229.252> Address <192.168.100.69> 
assigned to session 11 | Apr 10 15:35:57 10.2.2.169 %ASA-7-734003: DAP: User demouser, Addr 71.86.229.252: Session Attribute aaa.radius["25"]["1"] = Group VPN Programmer,Group VPN Web Design,Group VPN Network Services 12 | Apr 10 15:35:57 10.2.2.169 %ASA-7-734003: DAP: User demouser, Addr 71.86.229.252: Session Attribute aaa.cisco.grouppolicy = Group VPN Network Services 13 | Apr 10 19:55:43 10.2.2.169 %ASA-7-734003: DAP: User demouser, Addr 68.187.64.79: Session Attribute aaa.radius["25"]["1"] = Group VPN Programmer,Group VPN Web Design,Group VPN Network Services 14 | Apr 10 15:37:27 10.2.2.169 %ASA-6-302013: Built inbound TCP connection 595239 for outside:/59238 (/59238) to inside:192.168.100.71/5900 (192.168.100.71/5900) (demouser) 15 | Apr 10 15:37:59 10.2.2.169 %ASA-6-302013: Built inbound TCP connection 595257 for outside:/59239 (/59239) to inside:192.168.100.71/5900 (192.168.100.71/5900) (demouser) 16 | May 24 14:05:20 141.110.190.4 %ASA-4-113019: Group = VPN_User, Username = superm, IP = 77.191.113.13, Session disconnected. Session Type: SSL, Duration: 0h:32m:27s, Bytes xmt: 21569001, Bytes rcv: 3432044, Reason: User Requested 17 | May 24 14:16:43 testbox %ASA-5-111010: User 'cisco', running 'N/A' from IP 192.168.100.71, executed 'write memory' 18 | May 24 13:52:32 141.110.190.4 %ASA-6-716059: Group User IP <2.240.123.69> AnyConnect session resumed connection from IP <2.240.123.69>. 
19 | Mar 28 12:01:35 testbox %ASA-6-302014: Teardown TCP connection 144527 for outside:/4743 to inside:10.18.144.10/10011 duration 0:00:13 bytes 23810 TCP Reset-O (anht) 20 | Mar 28 12:01:19 testbox %ASA-6-302014: Teardown TCP connection 144524 for outside:172.31.184.254/2452 to inside:10.224.64.1/2748 duration 0:00:00 bytes 0 TCP FINs (pac) 21 | Mar 28 12:00:52 testbox %ASA-6-302014: Teardown TCP connection 144488 for outside:/4734 to inside:10.0.116.22/80 duration 0:00:21 bytes 1438 TCP FINs (anht) 22 | Mar 28 12:01:22 testbox %ASA-4-419001: Dropping TCP packet from inside:10.18.144.10/10011 to outside:/4743, reason: MSS exceeded, MSS 1260, data 1460 23 | Aug 20 05:52:09 ASA-84560-4246 %ASA-2-106007: Deny inbound UDP from 192.195.204.11/56586 to /53 due to DNS Query 24 | Aug 20 05:59:37 ASA-149195-4248 %ASA-6-734001: DAP: User Flor3171, Addr 72.78.207.231, Connection AnyConnect: The following DAP records were selected for this connection: DfltAccessPolicy#012 25 | Aug 20 05:59:17 10.200.5.3 %ASA-5-722033: Group User IP <96.245.65.48> First UDP SVC connection established for SVC session. 26 | Aug 20 05:59:43 ASA-149195-4248 %ASA-5-722033: Group User IP <> First TCP SVC connection established for SVC session. 27 | Aug 20 06:15:31 ASA-149195-4248 %ASA-7-713221: Group = 204.232.243.189, IP = 204.232.243.189, Static Crypto Map check, checking map = demo, seq = 40... 28 | Aug 20 06:20:02 10.200.5.3 %ASA-4-113019: Group = DEMO-Laptop-PhoneFactor, Username = loug3814, IP = 68.80.169.105, Session disconnected. 
Session Type: SSL, Duration: 0h:03m:14s, Bytes xmt: 995503, Bytes rcv: 530359, Reason: User Requested 29 | Aug 20 07:35:12 10.200.5.3 %ASA-4-338008: Dynamic Filter dropped blacklisted TCP traffic from inside:192.168.100.76/56450 (/56450) to outside:/80 (/80), destination resolved from dynamic list: /255.255.255.255, threat-level: very-high, category: Malware 30 | Aug 20 07:35:15 10.200.5.3 %ASA-4-338008: Dynamic Filter dropped blacklisted TCP traffic from inside:192.168.100.76/56450 (/56450) to outside:/80 (/80), destination resolved from dynamic list: /255.255.255.255, threat-level: very-high, category: Malware 31 | Aug 20 07:35:21 10.200.5.3 %ASA-4-338008: Dynamic Filter dropped blacklisted TCP traffic from inside:192.168.100.76/56450 (/56450) to outside:/80 (/80), destination resolved from dynamic list: /255.255.255.255, threat-level: very-high, category: Malware 32 | Aug 20 07:35:12 10.200.5.3 %ASA-4-338004: Dynamic Filter monitored blacklisted TCP traffic from inside:192.168.100.76/56450 (/56450) to outside:/80 (/80), destination resolved from dynamic list: /255.255.255.255, threat-level: very-high, category: Malware 33 | Aug 20 07:35:15 10.200.5.3 %ASA-4-338004: Dynamic Filter monitored blacklisted TCP traffic from inside:192.168.100.76/56450 (/56450) to outside:/80 (/80), destination resolved from dynamic list: /255.255.255.255, threat-level: very-high, category: Malware 34 | Aug 20 07:35:21 10.200.5.3 %ASA-4-338004: Dynamic Filter monitored blacklisted TCP traffic from inside:192.168.100.76/56450 (/56450) to outside:/80 (/80), destination resolved from dynamic list: /255.255.255.255, threat-level: very-high, category: Malware 35 | Aug 20 06:40:50 10.200.5.3 %ASA-5-713050: Group = 206.65.171.137, IP = 206.65.171.137, Connection terminated for peer 206.65.171.137. 
Reason: IPSec SA Idle Timeout Remote Proxy 206.65.166.0, Local Proxy 10.200.99.23 36 | Aug 20 06:40:50 10.200.5.3 %ASA-5-713259: Group = 206.65.171.137, IP = 206.65.171.137, Session is being torn down. Reason: Idle Timeout 37 | Aug 20 06:50:10 ASA-149195-4248 %ASA-5-713259: Group = 204.232.243.189, IP = 204.232.243.189, Session is being torn down. Reason: Idle Timeout 38 | Aug 20 06:57:50 10.200.5.3 %ASA-5-713259: Group = 69.67.67.14, IP = 69.67.67.14, Session is being torn down. Reason: Max time exceeded 39 | Aug 20 06:05:29 1BCAPFWL01 %ASA-3-313001: Denied ICMP type=8, code=0 from 95.66.141.13 on interface outside 40 | Aug 20 10:00:40 ASA-84560-4246 %ASA-5-611103: User logged out: Uname: demo_infosec 41 | Aug 20 10:00:46 ASA-149195-4248 %ASA-5-611103: User logged out: Uname: demo_infosec 42 | Aug 20 10:00:02 10.200.5.3 %ASA-6-605005: Login permitted from 192.168.100.40/52035 to inside:10.200.5.3/ssh for user "demo_infosec" 43 | Aug 20 10:00:02 ASA-84560-4246 %ASA-6-605005: Login permitted from 192.168.100.40/52039 to inside:10.240.5.3/ssh for user "demo_infosec" 44 | Aug 20 10:00:02 1BCAPFWL01 %ASA-6-605005: Login permitted from 192.168.100.40/52038 to inside:10.192.5.3/ssh for user "demo_infosec" 45 | Aug 20 10:00:06 10.200.5.3 %ASA-5-502103: User priv level changed: Uname: demo_infosec From: 1 To: 15 46 | Aug 20 10:00:06 ASA-84560-4246 %ASA-5-502103: User priv level changed: Uname: demo_infosec From: 1 To: 15 47 | Aug 20 07:00:01 10.200.5.3 %ASA-6-303002: FTP connection from inside:192.168.100.29/3331 to outside:/21, user demoftp Retrieved file demogl.pgp 48 | Aug 20 07:00:01 10.200.5.3 %ASA-6-303002: FTP connection from inside:192.168.100.29/3330 to outside:/21, user demoftp Retrieved file demodda.pgp 49 | -------------------------------------------------------------------------------- /plugins/clamav.cfg: -------------------------------------------------------------------------------- 1 | # Alienvault plugin 2 | # Author: Alienvault Team at 
avteam@alienvault.com 3 | # Plugin clamav id:1555 version: 0.0.2 4 | # Last modification: 2015-05-13 16:11 5 | # 6 | # Plugin Selection Info: 7 | # ClamAV:ClamAV:- 8 | # 9 | # END-HEADER 10 | # Accepted products: 11 | # clamav - clamav 0.97.6 12 | # Description: 13 | # Clam AV 14 | # 15 | # 16 | 17 | [DEFAULT] 18 | plugin_id=1555 19 | 20 | [config] 21 | type=detector 22 | enable=yes 23 | source=log 24 | location=/var/log/clamav/clamav.log 25 | create_file=false 26 | 27 | process=clamd 28 | start=yes 29 | stop=no 30 | startup=/etc/init.d/clamav-daemon start 31 | shutdown=/etc/init.d/clamav-daemon stop 32 | 33 | [clamav-virus-found] 34 | event_type=event 35 | regexp=\S+ (?P<date>\S+ \S+ \S+ \S+) -> (?P<file>\S+): (?P<virus>\S+) FOUND$ 36 | date={normalize_date($date)} 37 | plugin_sid=1 38 | filename={$file} 39 | userdata1={$virus} 40 | 41 | -------------------------------------------------------------------------------- /plugins/clamav.log: -------------------------------------------------------------------------------- 1 | clamav: 00fda472cb4d1ff4d84ee093d4149f93: W32.Virut-54 FOUND 2 | clamav: 013f5083bbf260abb2e1404a12c67bc3: Worm.Padobot.M FOUND 3 | clamav: c84fd20a4ffc038592a4ccd9a9a5218f: Worm.Padobot.M FOUND 4 | -------------------------------------------------------------------------------- /plugins/fortigate.log: -------------------------------------------------------------------------------- 1 | May 14 06:25:07 192.168.84.1 date=2014-05-14 time=06:25:42 devname=JLL_FW devid=FG200B3910602686 logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=192.168.100.72 srcport=54781 srcintf="port1" dstip= dstport=53 dstintf="port2" sessionid=2722472 status=accept policyid=12 dstcountry="United States" srccountry="Reserved" trandisp=snat transip=200.74.141.50 transport=54781 service=DNS proto=17 duration=180 sentbyte=78 rcvdbyte=94 sentpkt=1 rcvdpkt=1 2 | May 14 06:25:07 192.168.84.1 date=2014-05-14 time=06:25:42 devname=JLL_FW devid=FG200B3910602686 logid=0000000013 
type=traffic subtype=forward level=notice vd=root srcip=192.168.100.41 srcport=2461 srcintf="port1" dstip= dstport=80 dstintf="port2" sessionid=2720779 status=close user="CARLOSC" group="NAVEGACION_LLCCO" policyid=75 dstcountry="United States" srccountry="Reserved" trandisp=snat transip=200.74.141.50 transport=62877 service=HTTP proto=6 duration=414 sentbyte=8535 rcvdbyte=3603 sentpkt=30 rcvdpkt=30 identidx=3 utmaction=passthrough utmevent=webfilter utmsubtype=ftgd-cat urlcnt=13 hostname="ping.chartbeat.net" catdesc="Information Technology" 3 | May 13 06:25:07 192.168.84.1 date=2014-05-13 time=06:25:31 devname=JLL_FW devid=FG200B3910602686 logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=192.168.100.40 srcport=51980 srcintf="Etek_Soc_1" dstip=192.168.6.3 dstport=161 dstintf="port1" sessionid=1817499 status=accept policyid=37 dstcountry="Reserved" srccountry="Reserved" trandisp=noop service=SNMP proto=17 duration=180 sentbyte=77 rcvdbyte=105 sentpkt=1 rcvdpkt=1 vpn="Etek_Soc_1" vpntype=ipsec-static 4 | May 13 06:25:08 192.168.84.1 date=2014-05-13 time=06:25:32 devname=JLL_FW devid=FG200B3910602686 logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=192.168.100.40 srcport=51996 srcintf="Etek_Soc_1" dstip=192.168.6.3 dstport=161 dstintf="port1" sessionid=1817504 status=accept policyid=37 dstcountry="Reserved" srccountry="Reserved" trandisp=noop service=SNMP proto=17 duration=180 sentbyte=77 rcvdbyte=105 sentpkt=1 rcvdpkt=1 vpn="Etek_Soc_1" vpntype=ipsec-static 5 | May 11 05:35:37 192.168.84.1 date=2014-05-11 time=05:35:40 devname=JLL_FW devid=FG200B3910602686 logid=0100032001 type=event subtype=system level=information vd="root" user="ringo" ui=https(200.31.77.163) action=login status=success reason=none profile="prof_admin" msg="Administrator ctriana logged in successfully from https()" 6 | May 11 14:25:42 192.168.84.1 date=2014-05-11 time=14:25:49 devname=JLL_FW devid=FG200B3910602686 logid=0100032003 type=event 
subtype=system level=information vd="root" user="paul" ui=https(200.31.77.163) action=logout status=success duration=31809 state="Config-Changed" reason=timeout msg="Administrator ctriana timed out on https()" 7 | May 11 17:41:22 192.168.84.1 date=2014-05-11 time=17:41:31 devname=JLL_FW devid=FG200B3910602686 logid=0100032010 type=event subtype=system level=information vd="root" msg="Memory log is 75% full" 8 | May 9 07:23:04 192.168.84.1 date=2014-05-09 time=07:28:53 devname=JLL_FW devid=FG200B3910602686 logid=0100046085 type=event subtype=system level=information vd="root" action=reputation_purge status=success msg="Completed reputation db maintenance" 9 | May 9 19:22:58 192.168.84.1 date=2014-05-09 time=19:28:53 devname=JLL_FW devid=FG200B3910602686 logid=0100046085 type=event subtype=system level=information vd="root" action=reputation_purge status=success msg="Completed reputation db maintenance" 10 | May 14 06:28:07 192.168.84.1 date=2014-05-14 time=06:28:42 devname=JLL_FW devid=FG200B3910602686 logid=0101037122 type=event subtype=vpn level=notice vd="root" msg="negotiate IPsec phase 2" action=negotiate remip=200.21.231.154 locip=200.74.141.50 remport=500 locport=500 outintf="port2" cookies="9a8163cb891b07ea/5ac113a79ec5d5fd" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" vpntunnel="Etek_Soc_2" status=success role=responder esptransform=ESP_3DES espauth="HMAC_MD5" 11 | May 14 06:49:42 192.168.84.1 date=2014-05-14 time=06:50:17 devname=JLL_FW devid=FG200B3910602686 logid=0101037122 type=event subtype=vpn level=notice vd="root" msg="negotiate IPsec phase 2" action=negotiate remip=200.31.77.163 locip=200.74.141.50 remport=500 locport=500 outintf="port2" cookies="585404cd348ce142/f1c8665ea971b994" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" vpntunnel="Etek_Soc_1" status=success role=responder esptransform=ESP_3DES espauth="HMAC_MD5" 12 | May 13 06:37:47 192.168.84.1 date=2014-05-13 time=06:38:12 devname=JLL_FW devid=FG200B3910602686 
logid=0101037122 type=event subtype=vpn level=notice vd="root" msg="negotiate IPsec phase 2" action=negotiate remip=200.21.231.154 locip=200.74.141.50 remport=500 locport=500 outintf="port2" cookies="a4b8bfcf63b1b6c9/c38f64c965befbd8" user="N/A" group="N/A" xauthuser="N/A" xauthgroup="N/A" vpntunnel="Etek_Soc_2" status=success role=responder esptransform=ESP_3DES espauth="HMAC_MD5" 13 | May 13 14:08:20 192.168.84.1 date=2014-05-13 time=14:08:48 devname=JLL_FW devid=FG200B3910602686 logid=0101039424 type=event subtype=vpn level=information vd="root" action="tunnel-up" tunneltype="ssl-web" tunnel_id=1417548483 remote_ip=192.168.50.178 tunnel_ip=(null) user="SAL" group="VPN_LLOREDA" dst_host="N/A" reason="login successfully" msg="SSL tunnel established" 14 | May 14 06:25:10 192.168.84.1 date=2014-05-14 time=06:25:45 devname=JLL_FW devid=FG200B3910602686 logid=0102043011 type=event subtype=user level=notice vd="root" src=192.168.100.65 dst=N/A policyid=0 user="guest" group="FSSO_Guest_Users" ui="guest(192.168.6.65)" action=authentication status=timed_out reason="Authentication timed out" msg="User from 192.168.100.65 was timed out" 15 | May 14 06:25:31 192.168.84.1 date=2014-05-14 time=06:26:05 devname=JLL_FW devid=FG200B3910602686 logid=0102043011 type=event subtype=user level=notice vd="root" src=192.168.100.47 dst=N/A policyid=0 user="guest" group="FSSO_Guest_Users" ui="guest(192.168.7.47)" action=authentication status=timed_out reason="Authentication timed out" msg="User from 192.168.100.47 was timed out" 16 | May 13 06:25:11 192.168.84.1 date=2014-05-13 time=06:25:35 devname=JLL_FW devid=FG200B3910602686 logid=0102043011 type=event subtype=user level=notice vd="root" src=192.168.100.183 dst=N/A policyid=0 user="guest" group="FSSO_Guest_Users" ui="guest(192.168.7.183)" action=authentication status=timed_out reason="Authentication timed out" msg="User from 192.168.100.183 was timed out" 17 | May 14 06:33:45 192.168.84.1 date=2014-05-14 time=06:34:20 devname=JLL_FW 
devid=FG200B3910602686 logid=0213008705 type=utm subtype=virus eventtype=oversize level=notice vd="root" msg="Size limit is exceeded." status="passthrough" service="http" srcip=192.168.100.74 dstip=206.111.1.82 srcport=3935 dstport=80 srcintf="port1" dstintf="port2" policyid=75 identidx=3 sessionid=2727880 url="http://r7---sn-mv-hp5e.c.pack.google.com/edgedl/chrome/win/A9D81880A47854C4/34.0.1847.137_chrome_installer.exe?cms_redirect=yes&expire" profiletype="Protocol_Options_Profile" profile="Protocol" user="CAROLINAM" agent="Google" 18 | May 9 08:37:09 192.168.84.1 date=2014-05-09 time=08:42:58 devname=JLL_FW devid=FG200B3910602686 logid=0315012546 type=utm subtype=webfilter eventtype=urlfilter level=information vd="root" urlfilteridx=10 urlfilterlist="dsfdsfdsf" policyid=75 identidx=3 sessionid=117836698 user="SARA" srcip=192.168.7.41 srcport=2034 srcintf="port1" dstip=173.193.169.232 dstport=80 dstintf="port2" service="http" hostname="www.noticiasrcn.com" profiletype="Webfilter_Profile" profile="IPS_WebFiltering" status="passthrough" reqtype="referral" url="/sites/all/modules/backup_custome/rcnnoticias_generico/css/block_noticias.css?n4srhf" sentbyte=474 rcvdbyte=370 msg="URL was allowed because it is in the URL filter list" 19 | May 11 18:52:06 192.168.84.1 date=2014-05-11 time=18:52:15 devname=JLL_FW devid=FG200B3910602686 logid=0419016384 type=utm subtype=ips eventtype=signature level=alert vd="root" severity=low srcip=61.19.246.69 dstip=192.168.100.55 srcintf="port2" dstintf="Vlan_3" policyid=49 identidx=0 sessionid=388908 status=detected proto=6 service=http count=1 attackname="ZmEu.Vulnerability.Scanner" srcport=38182 dstport=80 attackid=30024 sensor="all_default_pass" ref="http://www.fortinet.com/ids/VID30024" incidentserialno=1432164120 msg="web_app3: ZmEu.Vulnerability.Scanner," 20 | May 11 18:52:07 192.168.84.1 date=2014-05-11 time=18:52:15 devname=JLL_FW devid=FG200B3910602686 logid=0419016384 type=utm subtype=ips eventtype=signature level=alert 
vd="root" severity=low srcip= dstip=192.168.100.45 srcintf="port2" dstintf="Vlan_3" policyid=49 identidx=0 sessionid=388914 status=detected proto=6 service=http count=1 attackname="ZmEu.Vulnerability.Scanner" srcport=38281 dstport=80 attackid=30024 sensor="all_default_pass" ref="http://www.fortinet.com/ids/VID30024" incidentserialno=1432164121 msg="web_app3: ZmEu.Vulnerability.Scanner," 21 | 22 | -------------------------------------------------------------------------------- /plugins/oracle-syslog.cfg: -------------------------------------------------------------------------------- 1 | # Alienvault plugin 2 | # Author: Alienvault Team at devel@alienvault.com 3 | # Plugin oracle-syslog id:1651 version: 0.0.2 4 | # Last modification: 2015-05-13 16:11 5 | # 6 | # Plugin Selection Info: 7 | # Oracle:Database Server:- 8 | # 9 | # END-HEADER 10 | # Accepted products: 11 | # oracle - database_server 1.0.2.2 12 | # Description: 13 | # 14 | # 15 | # 16 | 17 | [DEFAULT] 18 | plugin_id=1651 19 | 20 | [config] 21 | type=detector 22 | enable=yes 23 | 24 | source=log 25 | location=/var/log/oracle.log 26 | create_file=false 27 | 28 | process= 29 | start=no 30 | stop=no 31 | startup= 32 | shutdown= 33 | 34 | [translation] 35 | 36 | UNKNOWN=1 37 | CREATE TABLE=1 38 | INSERT=2 39 | SELECT=3 40 | CREATE CLUSTER=4 41 | ALTER CLUSTER=5 42 | UPDATE=6 43 | DELETE=7 44 | DROP CLUSTER=8 45 | CREATE INDEX=9 46 | DROP INDEX=10 47 | ALTER INDEX=11 48 | DROP TABLE=12 49 | CREATE SEQUENCE=13 50 | ALTER SEQUENCE=14 51 | ALTER TABLE=15 52 | DROP SEQUENCE=16 53 | GRANT OBJECT=17 54 | REVOKE OBJECT=18 55 | CREATE SYNONYM=19 56 | DROP SYNONYM=20 57 | CREATE VIEW=21 58 | DROP VIEW=22 59 | VALIDATE INDEX=23 60 | CREATE PROCEDURE=24 61 | ALTER PROCEDURE=25 62 | LOCK=26 63 | NO-OP=27 64 | RENAME=28 65 | COMMENT=29 66 | AUDIT OBJECT=30 67 | NOAUDIT OBJECT=31 68 | CREATE DATABASE LINK=32 69 | DROP DATABASE LINK=33 70 | CREATE DATABASE=34 71 | ALTER DATABASE=35 72 | ALTER DATABASE MOUNT=35 73 | ALTER 
DATABASE OPEN=35 74 | CREATE ROLLBACK SEG=36 75 | ALTER ROLLBACK SEG=37 76 | DROP ROLLBACK SEG=38 77 | CREATE TABLESPACE=39 78 | ALTER TABLESPACE=40 79 | DROP TABLESPACE=41 80 | ALTER SESSION=42 81 | ALTER USER=43 82 | COMMIT=44 83 | ROLLBACK=45 84 | SAVEPOINT=46 85 | PL\/SQL EXECUTE=47 86 | SET TRANSACTION=48 87 | ALTER SYSTEM=49 88 | EXPLAIN=50 89 | CREATE USER=51 90 | CREATE ROLE=52 91 | DROP USER=53 92 | DROP ROLE=54 93 | SET ROLE=55 94 | CREATE SCHEMA=56 95 | CREATE CONTROL FILE=57 96 | CREATE TRIGGER=59 97 | ALTER TRIGGER=60 98 | DROP TRIGGER=61 99 | ANALYZE TABLE=62 100 | ANALYZE INDEX=63 101 | ANALYZE CLUSTER=64 102 | CREATE PROFILE=65 103 | DROP PROFILE=66 104 | ALTER PROFILE=67 105 | DROP PROCEDURE=68 106 | ALTER RESOURCE COST=70 107 | CREATE MATERIALIZED VIEW LOG=71 108 | ALTER MATERIALIZED VIEW LOG=72 109 | DROP MATERIALIZED VIEW LOG=73 110 | CREATE MATERIALIZED VIEW=74 111 | ALTER MATERIALIZED VIEW=75 112 | DROP MATERIALIZED VIEW=76 113 | CREATE TYPE=77 114 | DROP TYPE=78 115 | ALTER ROLE=79 116 | ALTER TYPE=80 117 | CREATE TYPE BODY=81 118 | ALTER TYPE BODY=82 119 | DROP TYPE BODY=83 120 | DROP LIBRARY=84 121 | TRUNCATE TABLE=85 122 | TRUNCATE CLUSTER=86 123 | CREATE FUNCTION=91 124 | ALTER FUNCTION=92 125 | DROP FUNCTION=93 126 | CREATE PACKAGE=94 127 | ALTER PACKAGE=95 128 | DROP PACKAGE=96 129 | CREATE PACKAGE BODY=97 130 | ALTER PACKAGE BODY=98 131 | DROP PACKAGE BODY=99 132 | LOGON=100 133 | LOGOFF=101 134 | LOGOFF BY CLEANUP=102 135 | SESSION REC=103 136 | SYSTEM AUDIT=104 137 | SYSTEM NOAUDIT=105 138 | AUDIT DEFAULT=106 139 | NOAUDIT DEFAULT=107 140 | SYSTEM GRANT=108 141 | SYSTEM REVOKE=109 142 | CREATE PUBLIC SYNONYM=110 143 | DROP PUBLIC SYNONYM=111 144 | CREATE PUBLIC DATABASE LINK=112 145 | DROP PUBLIC DATABASE LINK=113 146 | GRANT ROLE=114 147 | REVOKE ROLE=115 148 | EXECUTE PROCEDURE=116 149 | USER COMMENT=117 150 | ENABLE TRIGGER=118 151 | DISABLE TRIGGER=119 152 | ENABLE ALL TRIGGERS=120 153 | DISABLE ALL TRIGGERS=121 154 | NETWORK 
ERROR=122 155 | EXECUTE TYPE=123 156 | FLASHBACK=128 157 | CREATE SESSION=129 158 | CREATE DIRECTORY=157 159 | DROP DIRECTORY=158 160 | CREATE LIBRARY=159 161 | CREATE JAVA=160 162 | ALTER JAVA=161 163 | DROP JAVA=162 164 | CREATE OPERATOR=163 165 | CREATE INDEXTYPE=164 166 | DROP INDEXTYPE=165 167 | DROP OPERATOR=167 168 | ASSOCIATE STATISTICS=168 169 | DISASSOCIATE STATISTICS=169 170 | CALL METHOD=170 171 | CREATE SUMMARY=171 172 | ALTER SUMMARY=172 173 | DROP SUMMARY=173 174 | CREATE DIMENSION=174 175 | ALTER DIMENSION=175 176 | DROP DIMENSION=176 177 | CREATE CONTEXT=177 178 | DROP CONTEXT=178 179 | ALTER OUTLINE=179 180 | CREATE OUTLINE=180 181 | DROP OUTLINE=181 182 | UPDATE INDEXES=182 183 | ALTER OPERATOR=183 184 | PURGE USER_RECYCLEBIN=197 185 | PURGE DBA_RECYCLEBIN=198 186 | PURGE TABLESPACE=199 187 | PURGE TABLE=200 188 | PURGE INDEX=201 189 | UNDROP OBJECT=202 190 | FLASHBACK DATABASE=204 191 | FLASHBACK TABLE=205 192 | CREATE RESTORE POINT=206 193 | DROP RESTORE POINT=207 194 | PROXY AUTHENTICATION ONLY=208 195 | DECLARE REWRITE EQUIVALENCE=209 196 | ALTER REWRITE EQUIVALENCE=210 197 | DROP REWRITE EQUIVALENCE=211 198 | SUPER USER LOGON=212 199 | SUPER USER DDL=213 200 | SUPER USER DML=214 201 | STARTUP=215 202 | SHUTDOWN=216 203 | SUPER USER UNKNOWN=217 204 | FACTOR EVALUATION=1000 205 | FACTOR ASSIGNMENT=1001 206 | FACTOR EXPRESSION=1002 207 | REALM VIOLATION=1003 208 | REALM AUTHORIZATION=1004 209 | COMMAND AUTHORIZATION=1005 210 | SECURE ROLE=1006 211 | LBL SEC SESSION INIT=1007 212 | ACCESS CTRL COMMAND AUTH=1008 213 | ACCESS CTRL SESSION INIT=1009 214 | LBL SEC ATTEMPT TO UPGRADE=1010 215 | CONNECT=9000 216 | INVALID RECORD=30000 217 | ALTER=10000 218 | create=10001 219 | drop=10002 220 | 221 | 222 | [0001 - Oracle: Rule1] 223 | event_type=event 224 | 
regexp="(\S+\s+\d+\s+\d+:\d+:\d+)\s+Oracle\s+Audit\[\d+\]:\s+(?:LENGTH:\s+\"(.*?)\".*)?SESSIONID:(?:\[\d+\])?\s+\"(\d+)\".*?ENTRYID:(?:\[\d+\])?\s+\"(\d+)\".*?STATEMENT:(?:\[\d+\])?\s+\"(.*?)\".*?USERID:(?:\[\d+\])?\s+\"(.*?)\".*?USERHOST:(?:\[\d+\])?\s+\"(.*?)\".*?TERMINAL:(?:\[\d+\])?\s+\"(.*?)\".*?ACTION:(?:\[\d+\])?\s+\"(\d+)\".*?RETURNCODE:(?:\[\d+\])?\s+\"(.*?)\".*?COMMENT\$TEXT:(?:\[\d+\])?.*?\"Authenticated\s+by:\s+(\S+)\;\s+Client\s+address:\s+\(ADDRESS\=\(PROTOCOL\=tcp\)\(HOST\=(\d+\.\d+\.\d+\.\d+)\)\(PORT\=(\d+)\)\)\".*?OS\$USERID:(?:\[\d+\])?\s+\"(.*?)\".*?PRIV\$USED:(?:\[\d+\])?\s+(\S*)" 225 | date={normalize_date($1)} 226 | device={resolv($7)} 227 | plugin_sid={$9} 228 | src_ip={resolv($12)} 229 | src_port={$13} 230 | username={$6} 231 | userdata1={$14} 232 | userdata2={$8} 233 | userdata3={$11} 234 | 235 | [0002 - Oracle: Rule2] 236 | event_type=event 237 | regexp=(\S+\s+\d+\s+\d+:\d+:\d+)\s+Oracle\s+Audit\[\d+\]:.*?ACTION\s+:(?:\[\d+\])?\s+'([A-Z\s\/\-_]*)'.*?DATABASE\s+USER:(?:\[\d+\])?\s+'([^']*)'.*?PRIVILEGE\s+:(?:\[\d+\])?\s+'?([^']*)'?.*?CLIENT\s+USER:(?:\[\d+\])?\s+'?([^']*)'?.*?CLIENT\s+TERMINAL:(?:\[\d+\])?\s+'?([^']*)'?.*?STATUS:(?:\[\d+\])?\s+'?([^']*)'? 238 | date={normalize_date($1)} 239 | device=127.0.0.1 240 | plugin_sid={translate($2)} 241 | src_ip=127.0.0.1 242 | username={$3} 243 | userdata1={$4} 244 | userdata2={$5} 245 | userdata3={$6} 246 | userdata4={$7} 247 | 248 | [0003 - Oracle: Rule2 Generic Event] 249 | event_type=event 250 | regexp=(\S+\s+\d+\s+\d+:\d+:\d+)\s+Oracle\s+Audit\[\d+\]:.*?ACTION\s+:(?:\[\d+\])?\s+'(.*)'.*?DATABASE\s+USER:(?:\[\d+\])?\s+'([^']*)'.*?PRIVILEGE\s+:(?:\[\d+\])?\s+'?([^']*)'?.*?CLIENT\s+USER:(?:\[\d+\])?\s+'?([^']*)'?.*?CLIENT\s+TERMINAL:(?:\[\d+\])?\s+'?([^']*)'?.*?STATUS:(?:\[\d+\])?\s+'?([^']*)'? 
251 | date={normalize_date($1)} 252 | device=127.0.0.1 253 | plugin_sid=2000000000 254 | src_ip=127.0.0.1 255 | username={$3} 256 | userdata1={$4} 257 | userdata2={$5} 258 | userdata3={$6} 259 | userdata4={$7} 260 | userdata5={$2} 261 | 262 | [0004 - Oracle: Rule3] 263 | event_type=event 264 | regexp=(\S+\s+\d+\s+\d+:\d+:\d+)\s+Oracle\s+Audit\[\d+\]:\s+(?:LENGTH:\s+\".*?\".*)?SESSIONID:.*?\"(\d+)\".*?ENTRYID:.*?\"(\S+)\".*?ACTION:.*?\"(\S+)\".*?RETURNCODE:.*?\"(.*?)\".*?LOGOFF\$PREAD:.*?\"(.*?)\".*?LOGOFF\$LREAD:.*?\"(.*?)\".*?LOGOFF\$LWRITE:.*?\"(.*?)\".*?LOGOFF\$DEAD:.*?\"(.*?)\".*?SESSIONCPU:.*?\"(.*?)\".*? 265 | date={normalize_date($1)} 266 | device=127.0.0.1 267 | plugin_sid={$4} 268 | src_ip=127.0.0.1 269 | userdata1={$2} 270 | userdata2={$5} 271 | 272 | [0005 - Oracle: Rule4] 273 | event_type=event 274 | regexp=(\S+\s+\d+\s+\d+:\d+:\d+)\s+Oracle\s+Audit\[\d+\]:\s+LENGTH:\s+\"(.*?)\".*?SESSIONID:.*?\"(\d+)\".*?ENTRYID:.*?\"(\S+)\"\s+STATEMENT:.*?\"(\S+)\"\s+USERID:.*?\"(\S+)\"\s+USERHOST:.*?\"(\S+)\"\s+TERMINAL:.*?\"(\S+)\"\s+ACTION:.*?\"(\S+)\"\s+RETURNCODE:.*?\"(\S+)\"\s+COMMENT.TEXT:.*?\"(.*?)\"\s+OS.USERID:.*?\"(\S+). 275 | date={normalize_date($1)} 276 | device=127.0.0.1 277 | plugin_sid={$9} 278 | src_ip={resolv($7)} 279 | username={$12} 280 | userdata1={$7} 281 | userdata2={$8} 282 | userdata3={$11} 283 | 284 | [0006 - Oracle: Rule5] 285 | event_type=event 286 | regexp=(\S+\s+\d+\s+\d+:\d+:\d+)\s+Oracle\s+Audit\[\d+\]:\s+(?:LENGTH:\s+\".*?\".*?)?SESSIONID:.*?\"(\d+)\".*?ENTRYID:.*?\"(\S+)\"\s+STATEMENT:.*?\"(\S+)\"\s+USERID:.*?\"(\S+)\"\s+USERHOST:.*?\"(\S+)\"\s+ACTION:.*?\"(\S+)\"\s+RETURNCODE:.*?\"(\S+)\"\s+OBJ\$NAME:.*?\"(.*?)\"\s+OS\$USERID:.*?\"(\S+). 
287 | date={normalize_date($1)} 288 | device=127.0.0.1 289 | plugin_sid={$7} 290 | src_ip={resolv($6)} 291 | username={$10} 292 | userdata1={$6} 293 | userdata2={$8} 294 | userdata3={$9} 295 | 296 | [0007 - Oracle: Rule6] 297 | event_type=event 298 | regexp=(\S+\s+\d+\s+\d+:\d+:\d+)\s+Oracle\s+Audit\[\d+\]:\s+(?:LENGTH:\s+\".*?\".*?)?SESSIONID:.*?\"(\d+)\".*?ENTRYID:.*?\"(\S+)\"\s+STATEMENT:.*?\"(\S+)\"\s+USERID:.*?\"(\S+)\"\s+USERHOST:.*?\"(\S+)\"\s+ACTION:.*?\"(\S+)\"\s+RETURNCODE:.*?\"(\S+)\"\s+OBJ\$NAME:.*?\"(.*?)\"\s+OS\$USERID:.*?\"(\S+). 299 | date={normalize_date($1)} 300 | device=127.0.0.1 301 | plugin_sid={$7} 302 | src_ip={resolv($7)} 303 | username={$12} 304 | userdata1={$7} 305 | userdata2={$8} 306 | userdata3={$11} 307 | -------------------------------------------------------------------------------- /plugins/oracle-syslog.log: -------------------------------------------------------------------------------- 1 | Jan 14 13:59:14 localhost Oracle Audit[2063]: SESSIONID: 333 ENTRYID: 1 STATEMENT: 1 USERID: SANTIAGO ACTION: 100 RETURNCODE: 0 COMMENT$TEXT: Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.100.70)(PORT=42731)) PRIV$USED: 5 2 | Dec 28 22:32:41 10.0.0.32 Oracle Audit[4958]: LENGTH: 155 ACTION: CONNECT DATABASE USER: oracle PRIVILEGE: SYSDBA CLIENT USER: santiago CLIENT TERMINAL: pts2 STATUS: 0 3 | Jan 12 16:37:47 10.0.0.32 Oracle Audit[18624]: LENGTH: 155 ACTION: STARTUP DATABASE USER: santiago PRIVILEGE: NONE CLIENT USER: oracle CLIENT TERMINAL: pts3 STATUS: 0 4 | Jan 14 13:59:14 localhost Oracle Audit[2063]: SESSIONID: 131 ENTRYID: 1 STATEMENT: 1 USERID: ANONYMOUS ACTION: 100 RETURNCODE: 0 COMMENT$TEXT: Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.100.55)(PORT=42731)) PRIV$USED: 5 5 | -------------------------------------------------------------------------------- /plugins/ssh-demo.cfg: -------------------------------------------------------------------------------- 1 | # 
Alienvault plugin 2 | # Author: Alienvault Team at devel@alienvault.com 3 | # Plugin ssh-demo id:4003 version: 0.0.1 4 | # Last modification: 2013-06-05 11:45 5 | # 6 | # Accepted products: 7 | # openbsd - openssh 5.4 8 | # openbsd - openssh 5.5 9 | # openbsd - openssh 5.6 10 | # openbsd - openssh 5.7 11 | # openbsd - openssh 5.8 12 | # openbsd - openssh 5.8p2 13 | # openbsd - openssh 5.9 14 | # Description: 15 | # 16 | # 17 | # 18 | 19 | [DEFAULT] 20 | plugin_id=4003 21 | dst_ip=\_CFG(plugin-defaults,sensor) 22 | dst_port=22 23 | 24 | [config] 25 | type=detector 26 | enable=true 27 | source=log 28 | location=/var/log/auth.log 29 | create_file=true 30 | process=sshd 31 | start=no 32 | stop=no 33 | startup=/etc/init.d/ssh start 34 | shutdown=/etc/init.d/ssh stop 35 | 36 | [translation] 37 | none=1 38 | opened=25 39 | publickey=2 40 | version=22 41 | throughput=23 42 | closed=26 43 | password=1 44 | 45 | 46 | [0000 - Failed password] 47 | event_type=event 48 | regexp=(?P<date>\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P<dst>\S+) sshd\[\d+\]: Failed password for\s(?P<info>invalid user\s)?(?P<user>\S+)\sfrom\s(?P<src>\S+)\sport\s(?P<sport>\d{1,5}) 49 | date={normalize_date($date)} 50 | plugin_sid=1 51 | src_ip={resolv($src)} 52 | dst_ip={resolv($dst)} 53 | src_port={$sport} 54 | username={$user} 55 | userdata1={$info} 56 | userdata2={$dst} 57 | device={resolv($dst)} 58 | 59 | 60 | [0001 - Invalid user] 61 | event_type=event 62 | regexp=(?P<date>\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s(?P<dst>\S+)\ssshd\[\d+\]: Invalid user (?P<user>\S+) from\s+(?P<src>\S+) 63 | date={normalize_date($date)} 64 | plugin_sid=3 65 | src_ip={resolv($src)} 66 | dst_ip={resolv($dst)} 67 | username={$user} 68 | device={resolv($dst)} 69 | 70 | 71 | [0002 - Illegal user] 72 | event_type=event 73 | regexp=(?P<date>\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P<dst>\S+)\ssshd\[\d+\]: Illegal user (?P<user>\S+) from\s+(?P<src>\S+) 74 | date={normalize_date($date)} 75 | plugin_sid=4 76 | src_ip={resolv($src)} 77 | dst_ip={resolv($dst)} 78 | username={$user} 79 | device={resolv($dst)} 80 | 81 | 82 
| [0004 - Root login refused] 83 | event_type=event 84 | regexp=(?P<date>\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P<dst>\S+)\ssshd\[\d+\]: ROOT LOGIN REFUSED FROM\s(?P<src>\S+) 85 | date={normalize_date($date)} 86 | plugin_sid=5 87 | src_ip={resolv($src)} 88 | dst_ip={resolv($dst)} 89 | device={resolv($dst)} 90 | username=root 91 | 92 | 93 | [0005 - User not allowed because account is locked] 94 | event_type=event 95 | regexp=(?P<date>\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P<dst>\S+)\s.*ssh.*User (?P<user>\S+) not allowed because account is locked 96 | date={normalize_date($date)} 97 | plugin_sid=13 98 | dst_ip={resolv($dst)} 99 | username={$user} 100 | device={resolv($dst)} 101 | 102 | 103 | [0006 - User not allowed because listed] 104 | event_type=event 105 | regexp=(?P<date>\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P<dst>\S+)\ssshd\[\d+\]: User (?P<user>\S+)\s(from\s+(?P<src>\S+)\s+)?not allowed because (not |none of user's groups are |a group is )?listed in (?P<info>.*) 106 | date={normalize_date($date)} 107 | plugin_sid=6 108 | src_ip={resolv($src)} 109 | dst_ip={resolv($dst)} 110 | username={$user} 111 | userdata1={$info} 112 | device={resolv($dst)} 113 | 114 | 115 | [0007 - Authentication refused] 116 | event_type=event 117 | regexp=(?P<date>\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P<dst>\S+)\ssshd\[\d+\]: Authentication refused: bad ownership or modes for file (?P<info>.*) 118 | date={normalize_date($date)} 119 | plugin_sid=12 120 | dst_ip={resolv($dst)} 121 | userdata1={$info} 122 | device={resolv($dst)} 123 | 124 | 125 | [0008 - Login sucessful (Accepted password)] 126 | event_type=event 127 | regexp=(?P<date>\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P<dst>\S+)\ssshd\[\d+\]: Accepted password for (?P<user>\S+)\sfrom\s+(?P<src>\S+)\sport\s+(?P<sport>\d{1,5}) 128 | date={normalize_date($date)} 129 | plugin_sid=7 130 | src_ip={resolv($src)} 131 | dst_ip={resolv($dst)} 132 | src_port={$sport} 133 | username={$user} 134 | device={resolv($dst)} 135 | 136 | 137 | [0009 - Login sucessful (Accepted publickey)] 138 | event_type=event 139 | 
regexp=(?P\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P\S+)\ssshd\[\d+\]: Accepted publickey for (?P\S+)\sfrom\s+(?P\S+)\sport\s+(?P\d{1,5}) 140 | date={normalize_date($date)} 141 | plugin_sid=8 142 | src_ip={resolv($src)} 143 | dst_ip={resolv($dst)} 144 | src_port={$sport} 145 | username={$user} 146 | device={resolv($dst)} 147 | 148 | 149 | [0010 - Bad protocol version identification] 150 | event_type=event 151 | regexp=(?P\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P\S+)\ssshd\[\d+\]: Bad protocol version identification (?P.*)from (?P\S+) 152 | date={normalize_date($date)} 153 | plugin_sid=9 154 | src_ip={resolv($src)} 155 | dst_ip={resolv($dst)} 156 | device={resolv($dst)} 157 | userdata1={$version} 158 | 159 | 160 | [0011 - Did not receive identification string] 161 | event_type=event 162 | regexp=(?P\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P\S+)\ssshd\[\d+\]: Did not receive identification string from (?P\S+) 163 | date={normalize_date($date)} 164 | plugin_sid=10 165 | src_ip={resolv($src)} 166 | dst_ip={resolv($dst)} 167 | device={resolv($dst)} 168 | 169 | 170 | [0012 - Refused connect] 171 | event_type=event 172 | regexp=(?P\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P\S+)\ssshd\[\d+\]: refused connect from\s(?P\S+) 173 | date={normalize_date($date)} 174 | plugin_sid=19 175 | src_ip={resolv($src)} 176 | dst_ip={resolv($dst)} 177 | device={resolv($dst)} 178 | 179 | 180 | [0013 - Received disconnect] 181 | event_type=event 182 | regexp=(?P\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P\S+)\ssshd\[\d+\]: Received disconnect from (?P\S+):\s(?P.*) 183 | date={normalize_date($date)} 184 | plugin_sid=11 185 | device={resolv($dst)} 186 | device={resolv($dst)} 187 | src_ip={resolv($src)} 188 | dst_ip={resolv($dst)} 189 | userdata1={$info} 190 | 191 | 192 | [0014 - PAM X more authentication failures] 193 | event_type=event 194 | regexp=(?P\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P\S+)\ssshd\[\d+\]: PAM (?P\d+) more authentication failures?; logname=(?P\S*) uid=(?P\S*) euid=(?P\S*) tty=(?P\S*) 
ruser=(?P\S*) rhost=(?P\S+)\s+user=(?P\S+) 195 | date={normalize_date($date)} 196 | plugin_sid=14 197 | src_ip={resolv($src)} 198 | dst_ip={resolv($dst)} 199 | device={resolv($dst)} 200 | username={$user} 201 | filename={$log} 202 | userdata1={$times} 203 | userdata2={$uid} 204 | userdata3={$euid} 205 | userdata4={$tty} 206 | userdata5={$ruser} 207 | 208 | 209 | [0015 - Reverse mapping failed] 210 | event_type=event 211 | regexp=(?P\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P\S+)\ssshd\[\d+\]: reverse mapping checking getaddrinfo for\s(?P\S+)\s\[(?P\S+)\] failed - POSSIBLE BREAK-IN ATTEMPT! 212 | date={normalize_date($date)} 213 | plugin_sid=15 214 | src_ip={resolv($src)} 215 | dst_ip={resolv($dst)} 216 | userdata1={$a_map} 217 | device={resolv($dst)} 218 | 219 | 220 | [0016 - Address not mapped] 221 | event_type=event 222 | regexp=(?P\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P\S+)\ssshd\[\d+\]: Address\s(?P\S+)\smaps to\s(?P\S+), 223 | date={normalize_date($date)} 224 | plugin_sid=16 225 | src_ip={resolv($src)} 226 | dst_ip={resolv($dst)} 227 | device={resolv($dst)} 228 | userdata1={$a_map} 229 | 230 | 231 | [0017 - Server listening - Daemon started] 232 | event_type=event 233 | regexp=(?P\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P\S+)\ssshd\[\d+\]: Server listening on\s(?P\S+)\sport\s(?P\d{1,5}) 234 | date={normalize_date($date)} 235 | plugin_sid=17 236 | src_ip={resolv($src)} 237 | dst_ip={resolv($dst)} 238 | dst_port={$d_port} 239 | device={resolv($dst)} 240 | 241 | 242 | [0018 - Server terminated - Daemon stopped] 243 | event_type=event 244 | regexp=(?P\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P\S+)\ssshd\[\d+\]: Received signal\s(?P\d+) 245 | date={normalize_date($date)} 246 | plugin_sid=18 247 | dst_ip={resolv($dst)} 248 | userdata1={$signal} 249 | device={resolv($dst)} 250 | 251 | 252 | [0019 - Denied connection] 253 | event_type=event 254 | regexp=(?P\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P\S+)\ssshd\[\d+\]: Denied connection from by\s(?P\S+) 255 | date={normalize_date($date)} 
256 | plugin_sid=20 257 | device={resolv($dst)} 258 | src_ip={resolv($src)} 259 | dst_ip={resolv($dst)} 260 | 261 | 262 | [0020 - Could not get shadow information] 263 | event_type=event 264 | regexp=(?P\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P\S+)\ssshd\[\d+\]: error: Could not get shadow information for\s+(?P\S*) 265 | date={normalize_date($date)} 266 | plugin_sid=21 267 | dst_ip={resolv($dst)} 268 | device={resolv($dst)} 269 | username={$user} 270 | 271 | 272 | [0021 - Recieved connection] 273 | event_type=event 274 | regexp=(?P\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P\S+)\ssshd\[\d+\]: SSH: Server;(Ltype|LType):\s+(?P[^;]+);Remote:\s+(?P\S+)-(?P\d{1,5}) 275 | date={normalize_date($date)} 276 | plugin_sid={translate($sid)} 277 | device={resolv($dst)} 278 | src_ip={resolv($src)} 279 | dst_ip={resolv($dst)} 280 | src_port={$port} 281 | 282 | 283 | [0022 - Login sucessful (Accepted keyboard-interactive)] 284 | event_type=event 285 | regexp=(?P\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P\S+)\ssshd\[\d+\]: Accepted keyboard-interactive.* for\s+(?P\S+)\sfrom\s+(?P\S+)\sport\s+(?P\d{1,5}) 286 | date={normalize_date($date)} 287 | plugin_sid=7 288 | src_ip={resolv($src)} 289 | dst_ip={resolv($dst)} 290 | src_port={$port} 291 | device={resolv($dst)} 292 | username={$user} 293 | 294 | 295 | [0023 - Conection closed ] 296 | event_type=event 297 | regexp=(?P\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P\S+)\ssshd\[\d+\]: Connection closed by\s+(?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}) 298 | date={normalize_date($date)} 299 | plugin_sid=27 300 | device={resolv($dst)} 301 | src_ip={resolv($src)} 302 | dst_ip={resolv($dst)} 303 | 304 | 305 | [0024 - PROTOCOL VERSIONS DIFFER ] 306 | event_type=event 307 | regexp=(?P\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P\S+)\ssshd\[\d+\]: Protocol major versions differ for (?P\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(?P.*)vs.(?P.*) 308 | date={normalize_date($date)} 309 | plugin_sid=100 310 | src_ip={resolv($src)} 311 | dst_ip={resolv($dst)} 312 | device={resolv($dst)} 313 
| userdata1={$v1} 314 | userdata2={$v2} 315 | 316 | 317 | [0025 - Input_userauth_request] 318 | event_type=event 319 | regexp=(?P\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P\S+)\ssshd\[\d+\]: input_userauth_request: invalid user (?P.*) 320 | date={normalize_date($date)} 321 | plugin_sid=96 322 | dst_ip={resolv($dst)} 323 | device={resolv($dst)} 324 | username={$user} 325 | 326 | 327 | [0026 - Error retrieving info ] 328 | event_type=event 329 | regexp=(?P\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P\S+)\ssshd\[\d+\]:\spam_succeed_if\(sshd:auth\):\s*error retrieving information about user\s(?P.*) 330 | date={normalize_date($date)} 331 | plugin_sid=97 332 | dst_ip={resolv($dst)} 333 | device={resolv($dst)} 334 | username={$user} 335 | 336 | 337 | [0027 - Failed publickey] 338 | event_type=event 339 | regexp=(?P\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P\S+) sshd\[\d+\]: Failed publickey for invalid user (?P\S+)\sfrom\s(?P\S+)\sport\s+(?P\d{1,5}) 340 | device={resolv($dst)} 341 | date={normalize_date($1)} 342 | plugin_sid=2 343 | src_ip={$src} 344 | dst_ip={resolv($dst)} 345 | src_port={$sport} 346 | username={$user} 347 | 348 | 349 | -------------------------------------------------------------------------------- /plugins/ssh-demo.log: -------------------------------------------------------------------------------- 1 | sshd[27377]: Invalid user temp from 2 | sshd[27377]: pam_unix(sshd:auth): check pass; user unknown 3 | sshd[27377]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost= 4 | sshd[27377]: Failed password for invalid user temp from port 44648 ssh2 5 | sshd[27768]: Invalid user temp from 6 | sshd[27768]: pam_unix(sshd:auth): check pass; user unknown 7 | sshd[27768]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost= 8 | sshd[27768]: Failed password for invalid user temp from port 44803 ssh2 9 | sshd[28275]: Invalid user webmaster from 10 | sshd[28275]: pam_unix(sshd:auth): check pass; user unknown 11 
| sshd[28275]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost= 12 | sshd[28275]: Failed password for invalid user webmaster from port 44976 ssh2 13 | sshd[29057]: Invalid user webmaster from 14 | sshd[29057]: pam_unix(sshd:auth): check pass; user unknown 15 | sshd[29057]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost= 16 | sshd[29057]: Failed password for invalid user webmaster from port 45148 ssh2 17 | sshd[29554]: Invalid user webmaster from 18 | sshd[29554]: pam_unix(sshd:auth): check pass; user unknown 19 | sshd[29554]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost= 20 | sshd[29554]: Failed password for invalid user webmaster from port 45481 ssh2 21 | sshd[31335]: pam_unix(sshd:auth): check pass; user unknown 22 | sshd[31335]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost= 23 | sshd[31335]: Failed password for invalid user webmaster from port 46296 ssh2 24 | sshd[31773]: Invalid user temp from 25 | sshd[31773]: pam_unix(sshd:auth): check pass; user unknown 26 | sshd[31773]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost= 27 | sshd[31773]: Failed password for invalid user temp from port 46491 ssh2 28 | sshd[32297]: Invalid user temp from 29 | sshd[32297]: pam_unix(sshd:auth): check pass; user unknown 30 | sshd[32297]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost= 31 | sshd[32297]: Failed password for invalid user temp from port 46766 ssh2 32 | sshd[32687]: Invalid user webmaster from 33 | sshd[32687]: pam_unix(sshd:auth): check pass; user unknown 34 | sshd[32687]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost= 35 | sshd[32687]: Failed password for invalid user webmaster from port 46949 ssh2 36 | #Make bruteforce 37 | sshd[32297]: Failed password for invalid user root from 
24.34.23.12 port 46766 ssh2 38 | sshd[32297]: Failed password for invalid user root from 24.34.23.12 port 46766 ssh2 39 | sshd[32297]: Failed password for invalid user root from 24.34.23.12 port 46766 ssh2 40 | sshd[32297]: Failed password for invalid user root from 24.34.23.12 port 46766 ssh2 41 | sshd[32297]: Failed password for invalid user root from 24.34.23.12 port 46766 ssh2 42 | sshd[32297]: Failed password for invalid user root from 24.34.23.12 port 46766 ssh2 43 | sshd[32297]: Failed password for invalid user root from 24.34.23.12 port 46766 ssh2 44 | sshd[32297]: Failed password for invalid user root from 24.34.23.12 port 46766 ssh2 45 | sshd[32297]: Failed password for invalid user root from 24.34.23.12 port 46766 ssh2 46 | sshd[32297]: Failed password for invalid user root from 24.34.23.12 port 46766 ssh2 47 | sshd[32297]: Failed password for invalid user root from 24.34.23.12 port 46766 ssh2 48 | sshd[32297]: Failed password for invalid user root from 24.34.23.12 port 46766 ssh2 49 | sshd[32297]: Failed password for invalid user root from 24.34.23.12 port 46766 ssh2 50 | sshd[32297]: Failed password for invalid user root from 24.34.23.12 port 46766 ssh2 51 | sshd[32297]: Failed password for invalid user root from 24.34.23.12 port 46766 ssh2 52 | sshd[32297]: Failed password for invalid user root from 24.34.23.12 port 46766 ssh2 53 | sshd[32297]: Failed password for invalid user root from 24.34.23.12 port 46766 ssh2 54 | 55 | 56 | -------------------------------------------------------------------------------- /runlogs.pl: -------------------------------------------------------------------------------- 1 | #!/usr/bin/perl 2 | 3 | #Send Logs 4 | # 5 | #Logs should just be copied from rsyslog files, no parsing necessary 6 | # Your log sample can have: 7 | # - will be replaced with random IP 8 | # - will be replaced with random OTX member 9 | 10 | use Sys::Syslog; # all except setlogsock() 11 | use Sys::Syslog qw(:standard :macros); # standard functions & 
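use Cwd;
use File::Basename;
use Data::Dumper;
use Time::HiRes qw(usleep nanosleep);
use strict;
use warnings;

# Resolve the script's own directory so the vendored Daemon::Control copy and
# the plugins/ sample directory are found regardless of the working directory.
my $dir = dirname(Cwd::realpath($0));
require "$dir/Daemon-Control-0.001006/blib/lib/Daemon/Control.pm";


# Daemonise goforever() with LSB metadata; run() handles start/stop/status
# from the command line and exits with the action's status.
exit Daemon::Control->new(
    name => "Logger Generator",
    lsb_start => '$syslog $remote_fs',
    lsb_stop => '$syslog',
    lsb_sdesc => 'Logger Generator',
    lsb_desc => 'Sends Logs',
    program => sub { goforever(); },
    pid_file => '/tmp/logger.pid',
    stderr_file => '/tmp/logger.error.out',
    stdout_file => '/tmp/logger.stdout.out',
)->run;



#goforever();

# Daemon body: load the sample lines once, then replay them forever with a
# 480 s pause between rounds. (The former empty prototype was dropped: the
# closure above is compiled before this definition, which under `warnings`
# triggers "called too early to check prototype"; callers use parentheses.)
sub goforever {
    my %clean_logs = load_logs();
    while (1) {
        send_logs(%clean_logs);
        print "Logs sent. Sleeping...\n";
        sleep(480);
    }
}

# Replay every stored line, 200 ms apart, with a fresh address pool.
# Args: the (basename => [lines]) pairs returned by load_logs().
# The pool is the first '#'-separated field of 100 random lines of the OSSIM
# reputation file (a fixed path, no caller-supplied input reaches the shell);
# it is empty when that file cannot be read, which is reported once per round.
sub send_logs {
    my $otx_grab = `shuf -n100 /etc/ossim/server/reputation.data | awk -F\# '{print \$1}'`;
    my @otx = split(/\n/, $otx_grab);
    warn "No OTX entries loaded from /etc/ossim/server/reputation.data\n" unless @otx;
    my %hash = @_;
    foreach my $logname (keys %hash) {
        foreach my $line (@{$hash{$logname}}) {
            send_message($logname, $line, @otx);
            usleep(200000);
        }
    }
}

# Read the first $max_lines (default 75) lines of every *.log under
# $dir/plugins, drop '#' comment lines, strip the syslog header and leading
# whitespace, and return (basename => [lines]) pairs, where basename is the
# filename up to its first dot. Unreadable files are skipped with a warning.
sub load_logs {
    my ($max_lines) = @_;
    $max_lines = 75 unless defined $max_lines;
    my $plugin_dir = "$dir/plugins";
    opendir(my $dh, $plugin_dir) or die $!;
    my @logs = grep { /\.log$/ && -f "$plugin_dir/$_" } readdir($dh);
    closedir($dh);
    my %clean_logs;
    foreach my $log (@logs) {
        my ($base) = (split /\./, $log)[0];
        # Read in-process instead of `head -N $path`: directory entry names
        # no longer reach a shell command line.
        open(my $fh, '<', "$plugin_dir/$log") or do {
            warn "Cannot read $plugin_dir/$log: $!\n";
            next;
        };
        my @lines;
        while (my $line = <$fh>) {
            push @lines, $line;
            last if @lines >= $max_lines;
        }
        close($fh);
        foreach (@lines) {
            chomp;
            next if /^#/;
            # Strip the syslog header; some samples carry a year...
            s/^\w{3}\s{1,2}\d{1,2}\s\d{2}\:\d{2}\:\d{2}\s+\d{4}\s+\S+\s+//;
            # ...and some don't.
            s/^\w{3}\s{1,2}\d{1,2}\s\d{2}\:\d{2}\:\d{2}\s+\S+\s+//;
            s/^\s+//;
            # Nothing left to send (blank line in the sample).
            next if $_ eq '';
            push(@{$clean_logs{$base}}, $_);
        }
    }
    return %clean_logs;
}

# Emit one replayed line to syslog under program name $name, after
# substituting a random IP and an address from the @otx pool.
sub send_message {
    my ($name, $log, @otx) = @_;
    my $rip = join ".", map { int rand 255 } 1 .. 4;
    # Fall back to the random address when no pool entries were loaded so the
    # substitution never interpolates undef.
    my $otx_ip = @otx ? $otx[rand @otx] : $rip;
    # NOTE(review): both patterns below are empty as seen here (an empty
    # pattern reuses the last successful match in Perl); they appear to have
    # lost their placeholder tokens in extraction — confirm against the
    # original source before relying on this substitution.
    $log =~ s//$rip/g;
    $log =~ s//$otx_ip/g;
    openlog($name, '', 'lpr');
    # Pass the line as an argument, never as the format string: replayed log
    # text may contain '%' sequences that syslog() would otherwise interpret.
    syslog("debug", "%s", $log);
    closelog();
}

--------------------------------------------------------------------------------
/runpcaps.pl:
--------------------------------------------------------------------------------
#!/usr/bin/perl
# Daemonise pcaps/inject_pcaps.sh via the vendored Daemon::Control, with the
# same LSB metadata pattern as runlogs.pl.
use strict;
use warnings;
use Cwd;
use File::Basename;

# Resolve the script's own directory so the vendored module and the replay
# script are found regardless of the working directory.
my $dir = dirname(Cwd::realpath($0));
require "$dir/Daemon-Control-0.001006/blib/lib/Daemon/Control.pm";

exit Daemon::Control->new(
    name => "Pcap Player",
    lsb_start => '$syslog $remote_fs',
    lsb_stop => '$syslog',
    lsb_sdesc => 'Pcap Player',
    lsb_desc => 'Sends pcaps',
    program => "$dir/pcaps/inject_pcaps.sh",
    pid_file => '/tmp/pcaps.pid',
    stderr_file => '/tmp/pcaps.error.out',
    stdout_file => '/tmp/pcaps.stdout.out',
)->run;

# Unreachable: the exit above returns the action's status before this runs.
print "Running From $dir Turning into a daemon...\n";

--------------------------------------------------------------------------------
/screenshots/image.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/santiago-bassett/Alienvault-Demo_scripts/bc8c137fe913ba43a4345850206565b028e8fef8/screenshots/image.png
--------------------------------------------------------------------------------
/screenshots/image1.png:
--------------------------------------------------------------------------------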
https://raw.githubusercontent.com/santiago-bassett/Alienvault-Demo_scripts/bc8c137fe913ba43a4345850206565b028e8fef8/screenshots/image1.png -------------------------------------------------------------------------------- /screenshots/image2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/santiago-bassett/Alienvault-Demo_scripts/bc8c137fe913ba43a4345850206565b028e8fef8/screenshots/image2.png -------------------------------------------------------------------------------- /screenshots/image3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/santiago-bassett/Alienvault-Demo_scripts/bc8c137fe913ba43a4345850206565b028e8fef8/screenshots/image3.png -------------------------------------------------------------------------------- /screenshots/image4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/santiago-bassett/Alienvault-Demo_scripts/bc8c137fe913ba43a4345850206565b028e8fef8/screenshots/image4.png -------------------------------------------------------------------------------- /screenshots/image5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/santiago-bassett/Alienvault-Demo_scripts/bc8c137fe913ba43a4345850206565b028e8fef8/screenshots/image5.png -------------------------------------------------------------------------------- /screenshots/image6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/santiago-bassett/Alienvault-Demo_scripts/bc8c137fe913ba43a4345850206565b028e8fef8/screenshots/image6.png -------------------------------------------------------------------------------- /sonicwall/read_sonicwall.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Santiago Bassett 
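RANGE=40
# Directory of this script, so sonicwall.log is located relative to it.
SCRIPTPATH=$( cd "$(dirname "$0")" ; pwd -P )

# Replay sonicwall.log forever: each line goes to syslog via logger after a
# random 0..RANGE-1 second pause, with its time="..." field rewritten to now.
while true
do
    # -r keeps backslashes literal; IFS= keeps leading/trailing whitespace.
    while IFS= read -r line
    do
        number=$(( RANDOM % RANGE ))
        sleep "$number"
        now=$(date "+%F %T")
        # Quoted expansion so glob characters (e.g. '?' in URLs) and word
        # splitting cannot alter the line; [^"]* stops at the field's closing
        # quote instead of the greedy .* that could run into a later quoted
        # value on the same line.
        newline=$(printf '%s\n' "$line" | sed -r "s/time=\"[^\"]*\"/time=\"$now\"/")
        logger "$newline"
    done < "$SCRIPTPATH/sonicwall.log"
done

--------------------------------------------------------------------------------
/sonicwall/sonicwall.conf:
--------------------------------------------------------------------------------
$template SonicwallFormat,"%TIMESTAMP% 10.0.16.46%msg%\n"

if ($rawmsg contains 'id=firewall') then -/var/log/sonicwall.log;SonicwallFormat
if ($rawmsg contains 'id=firewall') then ~

--------------------------------------------------------------------------------
/sonicwall/sonicwall.log:
--------------------------------------------------------------------------------
id=firewall sn=0040100E658D time="2003-10-16 18:30:12" fw=209.128.98.150 pri=5 c=512 m=176 msg="Firewall access from LAN" n=2780 src=192.168.254.254:33114:LAN dst=192.168.254.1:443:LAN
id=firewall sn=0040100E658D time="2003-10-16 18:31:21" fw=209.128.98.150 pri=5 c=512 m=176 msg="Firewall access from LAN" n=3110 src=192.168.254.254:33160:LAN dst=192.168.254.1:443:LAN
id=firewall sn=0040100E658D time="2003-10-16 18:31:22" fw=209.128.98.150 pri=5 c=256 m=38 msg="ICMP packet dropped" n=40359 src=209.128.167.208:8:WAN dst=209.128.98.150:8:WAN rule=0
id=firewall sn=0040100E658D time="2003-10-16 18:32:39" fw=209.128.98.150 pri=5 c=512 m=176 msg="Firewall access from LAN" n=3975 src=192.168.254.254:33270:LAN dst=192.168.254.1:443:LAN
id=firewall sn=0040100E658D time="2003-10-16 18:33:45" fw=209.128.98.150 pri=5 c=512 m=176 msg="Firewall access from LAN" n=4124 src=192.168.254.254:33290:LAN dst=192.168.254.1:443:LAN
id=firewall sn=0040100E658D time="2003-10-16 18:35:29" fw=209.128.98.150 pri=5 c=512 m=176 msg="Firewall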
access from LAN" n=4907 src=192.168.254.254:33399:LAN dst=192.168.254.1:443:LAN 7 | id=firewall sn=0040100E658D time="2003-10-16 18:36:43" fw=209.128.98.150 pri=5 c=256 m=38 msg="ICMP packet dropped" n=40360 src=209.128.163.155:8:WAN dst=209.128.98.150:8:WAN rule=0 8 | id=firewall sn=0040100E658D time="2003-10-16 18:37:02" fw=209.128.98.150 pri=5 c=512 m=176 msg="Firewall access from LAN" n=5188 src=192.168.254.254:33438:LAN dst=192.168.254.1:443:LAN 9 | id=firewall sn=0040100E658D time="2003-10-16 18:37:02" fw=209.128.98.150 pri=6 c=16 m=261 msg="Administrator logged out" n=1 src=192.168.254.254 dst=192.168.254.1 10 | id=firewall sn=0040100E658D time="2003-10-16 18:37:57" fw=209.128.98.150 pri=5 c=256 m=38 msg="ICMP packet dropped" n=40363 src=209.131.223.149:8:WAN dst=209.128.98.150:8:WAN rule=0 11 | id=firewall sn=0040100E658D time="2003-10-16 18:39:02" fw=209.128.98.150 pri=5 c=256 m=38 msg="ICMP packet dropped" n=40367 src=209.128.131.56:8:WAN dst=209.128.98.150:8:WAN rule=0 12 | id=firewall sn=0040100E658D time="2003-10-16 18:39:06" fw=209.128.98.150 pri=5 c=64 m=36 msg="TCP connection dropped" n=10645 src=209.213.234.153:1447:WAN dst=209.128.98.150:135:WAN rule=0 13 | id=firewall sn=0040100E658D time="2003-10-17 10:22:29" fw=209.128.98.150 pri=5 c=64 m=36 msg="TCP connection dropped" n=10948 src=142.59.44.128:1839:WAN dst=209.128.98.150:135:WAN rule=0 14 | id=firewall sn=0040100E658D time="2003-10-17 10:22:32" fw=209.128.98.150 pri=5 c=256 m=38 msg="ICMP packet dropped" n=41102 src=209.128.155.76:8:WAN dst=209.128.98.150:8:WAN rule=0 15 | id=firewall sn=0040100E658D time="2003-10-17 10:23:46" fw=209.128.98.150 pri=5 c=256 m=38 msg="ICMP packet dropped" n=41103 src=12.235.89.162:8:WAN dst=209.128.98.150:8:WAN rule=0 16 | id=firewall sn=0040100E658D time="2003-10-17 10:25:19" fw=209.128.98.150 pri=5 c=256 m=38 msg="ICMP packet dropped" n=41109 src=209.128.180.167:8:WAN dst=209.128.98.150:8:WAN rule=0 17 | id=firewall sn=0040100E658D time="2003-10-17 10:25:48" 
fw=209.128.98.150 pri=5 c=128 m=37 msg="UDP packet dropped" n=1113 src=209.248.156.210:3054:WAN dst=209.128.98.150:137:WAN 18 | id=firewall sn=0040100E658D time="2003-10-17 10:27:58" fw=209.128.98.150 pri=5 c=256 m=38 msg="ICMP packet dropped" n=41110 src=209.128.231.43:8:WAN dst=209.128.98.150:8:WAN rule=0 19 | id=firewall sn=0040100E658D time="2003-10-17 10:28:09" fw=209.128.98.150 pri=5 c=64 m=36 msg="TCP connection dropped" n=10949 src=12.235.89.162:1557:WAN dst=209.128.98.150:80:WAN rule=0 20 | id=firewall sn=0040100E658D time="2003-10-17 10:31:04" fw=209.128.98.150 pri=5 c=256 m=38 msg="ICMP packet dropped" n=41112 src=209.128.118.106:8:WAN dst=209.128.98.150:8:WAN rule=0 21 | id=firewall sn=0040100E658D time="2003-10-17 10:32:39" fw=209.128.98.150 pri=5 c=256 m=38 msg="ICMP packet dropped" n=41114 src=209.130.138.166:8:WAN dst=209.128.98.150:8:WAN rule=0 22 | id=firewall sn=0040100E658D time="2003-10-17 10:33:56" fw=209.128.98.150 pri=5 c=256 m=38 msg="ICMP packet dropped" n=41117 src=209.130.220.135:8:WAN dst=209.128.98.150:8:WAN rule=0 23 | id=firewall sn=0040100E658D time="2003-10-17 10:35:31" fw=209.128.98.150 pri=5 c=2048 m=173 msg="Denied TCP connection from LAN" n=27 src=192.168.254.254:33445:LAN dst=192.168.254.1:80:LAN 24 | id=firewall sn=0040100E658D time="2003-10-17 10:36:35" fw=209.128.98.150 pri=5 c=2048 m=173 msg="Denied TCP connection from LAN" n=33 src=192.168.254.254:33450:LAN dst=192.168.254.1:435:LAN 25 | id=firewall sn=0040100E658D time="2003-10-17 10:36:36" fw=209.128.98.150 pri=5 c=512 m=176 msg="Firewall access from LAN" n=5245 src=192.168.254.254:34974:LAN dst=192.168.254.1:443:LAN 26 | id=firewall sn=0040100E658D time="2003-10-17 10:36:52" fw=209.128.98.150 pri=5 c=256 m=38 msg="ICMP packet dropped" n=41119 src=209.129.28.97:8:WAN dst=209.128.98.150:8:WAN rule=0 27 | id=firewall sn=00401016C0BA time="2004-08-25 02:53:15" fw=129.33.119.196 pri=6 c=16 m=346 msg="IKE Initiator: Start Quick Mode (Phase 2)." 
n=402 src=129.33.119.196 dst=141.146.183.82 28 | id=firewall sn=00401016C0BA time="2004-08-25 02:53:15" fw=129.33.119.196 pri=6 c=16 m=372 msg="IKE Initiator: Accepting IPSec proposal (Phase 2)" n=402 src=129.33.119.196 dst=141.146.183.82 29 | id=firewall sn=00401016C0BA time="2004-08-25 02:53:15" fw=129.33.119.196 pri=6 c=16 m=89 msg="IKE negotiation complete. Adding IPSec SA. (Phase 2)" n=463 src=129.33.119.196 dst=141.146.183.82 dstname=ESP:3DES, HMAC_SHA1, lifeSeconds=28800 Local SPI:0x7912374e Remote SPI:0x16c4177c 30 | id=firewall sn=00401016C0BA time="2004-08-25 02:53:19" fw=129.33.119.196 pri=6 c=16384 m=194 msg="VPN TCP SYN" n=50516 src=141.146.166.194 dst=129.33.119.142 sport=80 dport=38065 rcvd=48 31 | id=firewall sn=00401016C0BA time="2004-08-25 02:53:19" fw=129.33.119.196 pri=6 c=16384 m=196 msg="VPN TCP PSH" n=147062 src=129.33.119.142 dst=141.146.166.194 sport=38065 dport=80 sent=174 cmd=POST /xms/webservices HTTP/1.0 32 | id=firewall sn=00401016C0BA time="2004-08-25 14:23:32" fw=129.33.119.196 pri=6 c=16384 m=195 msg="VPN TCP FIN" n=96577 src=129.33.119.142 dst=141.146.166.194 sport=3500 dport=62451 sent=40 33 | id=firewall sn=00401016C0BA time="2004-08-25 14:23:32" fw=129.33.119.196 pri=6 c=16384 m=195 msg="VPN TCP FIN" n=96578 src=141.146.166.194 dst=129.33.119.142 sport=62451 dport=3500 rcvd=740 34 | id=firewall sn=0006B1040158 time="2006-08-09 23:31:26" fw=10.0.16.47 m=96 n=13 i=60 lic=0 unsynched=3934 pt=80.443 usestandbysa=0 dyn=n.n fwlan=192.168.168.168 35 | id=firewall sn=0006B1040158 time="2006-08-09 23:37:44" fw=10.0.16.47 m=96 n=2 i=60 lic=3 unsynched=-1 pt=80.443 usestandbysa=0 dyn=n.n fwlan=192.168.168.168 conns=15 change=manGmsView.html 36 | id=firewall sn=0006B1040158 time="2006-08-09 23:37:54" fw=10.0.16.47 m=96 n=3 i=60 lic=3 unsynched=-1 pt=80.443 usestandbysa=0 dyn=n.n fwlan=192.168.168.168 conns=12 change=manGmsView.html 37 | id=firewall sn=0006B1040158 time="2006-08-09 23:38:44" fw=10.0.16.47 m=96 n=4 i=60 lic=3 unsynched=49 
pt=80.443 usestandbysa=0 dyn=n.n fwlan=192.168.168.168 conns=5 38 | id=firewall sn=0006B1040158 time="2006-08-09 22:38:33" fw=10.0.16.47 m=96 n=5 i=60 lic=3 unsynched=-1 pt=80.443 usestandbysa=0 dyn=n.n fwlan=192.168.168.168 conns=3 change=systemTimeView.html 39 | id=firewall sn=0006B1040158 time="2006-08-09 22:39:12" fw=10.0.16.47 m=96 n=6 i=60 lic=3 unsynched=39 pt=80.443 usestandbysa=0 dyn=n.n fwlan=192.168.168.168 conns=0 40 | id=firewall sn=0006B1040158 time="2006-08-09 22:39:35" fw=10.0.16.47 m=96 n=7 i=60 lic=3 unsynched=-1 pt=80.443 usestandbysa=0 dyn=n.n fwlan=192.168.168.168 conns=2 change=systemTimeView.html 41 | id=firewall sn=0006B1040158 time="2006-08-09 23:40:44" fw=10.0.16.47 m=96 n=8 i=60 lic=3 unsynched=3668 pt=80.443 usestandbysa=0 dyn=n.n fwlan=192.168.168.168 conns=0 42 | id=firewall sn=0006B1020010 time="2006-05-17 18:27:25" fw=10.0.16.46 pri=6 c=1024 m=97 n=18 src=192.168.168.5:1949:X0 dst=216.143.70.27:80:X1 proto=tcp/http op=GET sent=800 rcvd=10017 result=200 dstname=virusscanasap.mcafeeasap.com arg=/VS2/SonicWall/Agent/Install.asp?Mode=SkipUpdate 43 | id=firewall sn=0006B1020010 time="2006-05-17 18:28:51" fw=10.0.16.46 pri=6 c=1024 m=97 n=1 src=10.0.16.46:1027:X1 dst=64.41.140.164:80:X1 proto=tcp/http op=POST sent=623 rcvd=757 result=200 dstname=software.sonicwall.com arg=/Request.asp 44 | id=firewall sn=0006B1020010 time="2006-05-17 18:35:06" fw=10.0.16.46 pri=6 c=1024 m=97 n=1 src=10.0.16.46:1027:X1 dst=64.69.184.10:80:X1 proto=tcp/http op=POST sent=783 rcvd=1391 result=200 dstname=software.sonicwall.com arg=/Request.asp 45 | id=firewall sn=0006B1020010 time="2006-05-17 19:28:03" fw=10.0.16.46 pri=6 c=1024 m=97 n=2 src=192.168.168.5:2006:X0 dst=216.143.70.27:80:X1 proto=tcp/http op=POST sent=363 rcvd=449 result=200 dstname=virusscanasap.mcafeeasap.com arg=/VS2/SonicWall/CheckConnection.asp 46 | id=firewall sn=0006B1020010 time="2006-05-17 19:28:08" fw=10.0.16.46 pri=6 c=1024 m=97 n=3 src=192.168.168.5:2006:X0 dst=216.143.70.27:80:X1 
proto=tcp/http op=GET sent=841 rcvd=680 result=200 dstname=virusscanasap.mcafeeasap.com arg=/VS2/SonicWall/CheckUpdate.asp?CompanyKey=505c5c4f565643232720&MachineI 47 | id=firewall sn=0006B1020010 time="2006-05-21 11:22:57" fw=10.0.16.46 pri=6 c=262144 m=98 msg="Connection Opened" n=482 usr="admin" src=10.0.16.2:2129:X1 dst=10.0.16.46:443:X1 proto=tcp/https 48 | id=firewall sn=0006B1020010 time="2006-05-21 11:23:00" fw=10.0.16.46 pri=6 c=262144 m=98 msg="Connection Opened" n=483 usr="admin" src=10.0.16.2:2130:X1 dst=10.0.16.46:443:X1 proto=tcp/https 49 | id=firewall sn=0006B1020010 time="2006-05-21 11:23:00" fw=10.0.16.46 pri=6 c=262144 m=98 msg="Connection Opened" n=484 usr="admin" src=10.0.16.2:2131:X1 dst=10.0.16.46:443:X1 proto=tcp/https 50 | id=firewall sn=0006B1020010 time="2006-06-01 15:31:42" fw=10.0.16.46 pri=6 c=262144 m=98 msg="Connection Opened" n=683 usr="admin" src=10.0.16.2:4140:X1 dst=10.0.16.46:443:X1 proto=tcp/https 51 | id=firewall sn=0006B1020010 time="2006-05-17 11:12:33" fw=10.0.16.46 pri=6 c=1024 m=537 msg="Connection Closed" n=2392 src=192.168.168.5:1481:X0 dst=10.50.128.52:389:X1 proto=tcp/389 sent=3375 rcvd=7916 52 | id=firewall sn=0006B1020010 time="2006-05-17 11:12:33" fw=10.0.16.46 pri=6 c=1024 m=537 msg="Connection Closed" n=2392 src=192.168.168.5:1482:X0 dst=10.50.128.52:389:X1 proto=tcp/389 sent=2083 rcvd=871 53 | id=firewall sn=0006B1020010 time="2006-05-17 11:12:47" fw=10.0.16.46 pri=6 c=1024 m=537 msg="Connection Closed" n=2395 src=192.168.168.5:1472:X0 dst=10.50.128.53:389:X1 proto=udp/389 sent=245 rcvd=210 54 | id=firewall sn=0006B1020010 time="2006-05-17 11:12:47" fw=10.0.16.46 pri=6 c=1024 m=537 msg="Connection Closed" n=2395 src=192.168.168.5:1477:X0 dst=10.50.128.52:53:X1 proto=udp/dns sent=107 rcvd=299 55 | id=firewall sn=0006B1020010 time="2006-06-01 15:32:11" fw=10.0.16.46 pri=5 c=16 m=526 msg="Web management request allowed" n=390 usr="admin" src=10.0.16.2:4143:X1 dst=10.0.16.46:443:X1 proto=tcp/https 56 | id=firewall 
sn=0006B1020010 time="2006-06-01 15:32:17" fw=10.0.16.46 pri=7 c=512 m=46 msg="Broadcast packet dropped" n=876453 src=10.0.92.23:0:X1 dst=10.0.255.255:3296 proto=udp/netbios-ns 57 | id=firewall sn=0006B1040158 time="2006-08-18 16:21:37" fw=10.0.16.47 pri=1 c=32 m=81 msg="Smurf Amplification attack dropped" n=1 src=192.168.168.169:8:WAN dst=192.168.168.0:8 58 | id=firewall sn=0006B1040158 time="2006-08-21 13:23:11" fw=10.0.16.47 pri=5 c=16 m=526 msg="Web management request allowed" n=1 src=10.0.16.2:4390:WAN dst=10.0.16.47:443:WAN proto=tcp/https 59 | id=firewall sn=0006B1040158 time="2006-08-21 13:23:19" fw=10.0.16.47 pri=6 c=16 m=236 msg="WAN zone administrator login allowed" n=1 usr="admin" src=10.0.16.2:0:WAN dst=10.0.16.47:443:WAN 60 | id=firewall sn=0006B1040158 time="2006-08-21 13:24:30" fw=10.0.16.47 pri=5 c=16 m=526 msg="Web management request allowed" n=56 usr="admin" src=10.0.16.2:4488:WAN dst=10.0.16.47:443:WAN proto=tcp/https 61 | id=firewall sn=0006B1040158 time="2006-08-21 13:27:02" fw=10.0.16.47 pri=5 c=16 m=526 msg="Web management request allowed" n=60 usr="admin" src=10.0.16.2:4495:WAN dst=10.0.16.47:443:WAN proto=tcp/https 62 | -------------------------------------------------------------------------------- /sonicwall/sonicwall.log.orig: -------------------------------------------------------------------------------- 1 | Oct 16 18:30:11 192.168.254.1 id=firewall sn=0040100E658D time="2003-10-16 18:30:12" fw=209.128.98.150 pri=5 c=512 m=176 msg="Firewall access from LAN" n=2780 src=192.168.254.254:33114:LAN dst=192.168.254.1:443:LAN 2 | Oct 16 18:31:20 192.168.254.1 id=firewall sn=0040100E658D time="2003-10-16 18:31:21" fw=209.128.98.150 pri=5 c=512 m=176 msg="Firewall access from LAN" n=3110 src=192.168.254.254:33160:LAN dst=192.168.254.1:443:LAN 3 | Oct 16 18:31:22 192.168.254.1 id=firewall sn=0040100E658D time="2003-10-16 18:31:22" fw=209.128.98.150 pri=5 c=256 m=38 msg="ICMP packet dropped" n=40359 src=209.128.167.208:8:WAN 
dst=209.128.98.150:8:WAN rule=0 4 | Oct 16 18:32:38 192.168.254.1 id=firewall sn=0040100E658D time="2003-10-16 18:32:39" fw=209.128.98.150 pri=5 c=512 m=176 msg="Firewall access from LAN" n=3975 src=192.168.254.254:33270:LAN dst=192.168.254.1:443:LAN 5 | Oct 16 18:33:44 192.168.254.1 id=firewall sn=0040100E658D time="2003-10-16 18:33:45" fw=209.128.98.150 pri=5 c=512 m=176 msg="Firewall access from LAN" n=4124 src=192.168.254.254:33290:LAN dst=192.168.254.1:443:LAN 6 | Oct 16 18:35:29 192.168.254.1 id=firewall sn=0040100E658D time="2003-10-16 18:35:29" fw=209.128.98.150 pri=5 c=512 m=176 msg="Firewall access from LAN" n=4907 src=192.168.254.254:33399:LAN dst=192.168.254.1:443:LAN 7 | Oct 16 18:36:43 192.168.254.1 id=firewall sn=0040100E658D time="2003-10-16 18:36:43" fw=209.128.98.150 pri=5 c=256 m=38 msg="ICMP packet dropped" n=40360 src=209.128.163.155:8:WAN dst=209.128.98.150:8:WAN rule=0 8 | Oct 16 18:37:01 192.168.254.1 id=firewall sn=0040100E658D time="2003-10-16 18:37:02" fw=209.128.98.150 pri=5 c=512 m=176 msg="Firewall access from LAN" n=5188 src=192.168.254.254:33438:LAN dst=192.168.254.1:443:LAN 9 | Oct 16 18:37:01 192.168.254.1 id=firewall sn=0040100E658D time="2003-10-16 18:37:02" fw=209.128.98.150 pri=6 c=16 m=261 msg="Administrator logged out" n=1 src=192.168.254.254 dst=192.168.254.1 10 | Oct 16 18:37:56 192.168.254.1 id=firewall sn=0040100E658D time="2003-10-16 18:37:57" fw=209.128.98.150 pri=5 c=256 m=38 msg="ICMP packet dropped" n=40363 src=209.131.223.149:8:WAN dst=209.128.98.150:8:WAN rule=0 11 | Oct 16 18:39:01 192.168.254.1 id=firewall sn=0040100E658D time="2003-10-16 18:39:02" fw=209.128.98.150 pri=5 c=256 m=38 msg="ICMP packet dropped" n=40367 src=209.128.131.56:8:WAN dst=209.128.98.150:8:WAN rule=0 12 | Oct 16 18:39:05 192.168.254.1 id=firewall sn=0040100E658D time="2003-10-16 18:39:06" fw=209.128.98.150 pri=5 c=64 m=36 msg="TCP connection dropped" n=10645 src=209.213.234.153:1447:WAN dst=209.128.98.150:135:WAN rule=0 13 | Oct 17 10:22:28 
192.168.254.1 id=firewall sn=0040100E658D time="2003-10-17 10:22:29" fw=209.128.98.150 pri=5 c=64 m=36 msg="TCP connection dropped" n=10948 src=142.59.44.128:1839:WAN dst=209.128.98.150:135:WAN rule=0 14 | Oct 17 10:22:30 192.168.254.1 id=firewall sn=0040100E658D time="2003-10-17 10:22:32" fw=209.128.98.150 pri=5 c=256 m=38 msg="ICMP packet dropped" n=41102 src=209.128.155.76:8:WAN dst=209.128.98.150:8:WAN rule=0 15 | Oct 17 10:23:45 192.168.254.1 id=firewall sn=0040100E658D time="2003-10-17 10:23:46" fw=209.128.98.150 pri=5 c=256 m=38 msg="ICMP packet dropped" n=41103 src=12.235.89.162:8:WAN dst=209.128.98.150:8:WAN rule=0 16 | Oct 17 10:25:17 192.168.254.1 id=firewall sn=0040100E658D time="2003-10-17 10:25:19" fw=209.128.98.150 pri=5 c=256 m=38 msg="ICMP packet dropped" n=41109 src=209.128.180.167:8:WAN dst=209.128.98.150:8:WAN rule=0 17 | Oct 17 10:25:47 192.168.254.1 id=firewall sn=0040100E658D time="2003-10-17 10:25:48" fw=209.128.98.150 pri=5 c=128 m=37 msg="UDP packet dropped" n=1113 src=209.248.156.210:3054:WAN dst=209.128.98.150:137:WAN 18 | Oct 17 10:27:57 192.168.254.1 id=firewall sn=0040100E658D time="2003-10-17 10:27:58" fw=209.128.98.150 pri=5 c=256 m=38 msg="ICMP packet dropped" n=41110 src=209.128.231.43:8:WAN dst=209.128.98.150:8:WAN rule=0 19 | Oct 17 10:28:08 192.168.254.1 id=firewall sn=0040100E658D time="2003-10-17 10:28:09" fw=209.128.98.150 pri=5 c=64 m=36 msg="TCP connection dropped" n=10949 src=12.235.89.162:1557:WAN dst=209.128.98.150:80:WAN rule=0 20 | Oct 17 10:31:03 192.168.254.1 id=firewall sn=0040100E658D time="2003-10-17 10:31:04" fw=209.128.98.150 pri=5 c=256 m=38 msg="ICMP packet dropped" n=41112 src=209.128.118.106:8:WAN dst=209.128.98.150:8:WAN rule=0 21 | Oct 17 10:32:38 192.168.254.1 id=firewall sn=0040100E658D time="2003-10-17 10:32:39" fw=209.128.98.150 pri=5 c=256 m=38 msg="ICMP packet dropped" n=41114 src=209.130.138.166:8:WAN dst=209.128.98.150:8:WAN rule=0 22 | Oct 17 10:33:55 192.168.254.1 id=firewall sn=0040100E658D 
time="2003-10-17 10:33:56" fw=209.128.98.150 pri=5 c=256 m=38 msg="ICMP packet dropped" n=41117 src=209.130.220.135:8:WAN dst=209.128.98.150:8:WAN rule=0 23 | Oct 17 10:35:29 192.168.254.1 id=firewall sn=0040100E658D time="2003-10-17 10:35:31" fw=209.128.98.150 pri=5 c=2048 m=173 msg="Denied TCP connection from LAN" n=27 src=192.168.254.254:33445:LAN dst=192.168.254.1:80:LAN 24 | Oct 17 10:36:33 192.168.254.1 id=firewall sn=0040100E658D time="2003-10-17 10:36:35" fw=209.128.98.150 pri=5 c=2048 m=173 msg="Denied TCP connection from LAN" n=33 src=192.168.254.254:33450:LAN dst=192.168.254.1:435:LAN 25 | Oct 17 10:36:34 192.168.254.1 id=firewall sn=0040100E658D time="2003-10-17 10:36:36" fw=209.128.98.150 pri=5 c=512 m=176 msg="Firewall access from LAN" n=5245 src=192.168.254.254:34974:LAN dst=192.168.254.1:443:LAN 26 | Oct 17 10:36:50 192.168.254.1 id=firewall sn=0040100E658D time="2003-10-17 10:36:52" fw=209.128.98.150 pri=5 c=256 m=38 msg="ICMP packet dropped" n=41119 src=209.129.28.97:8:WAN dst=209.128.98.150:8:WAN rule=0 27 | Aug 25 11:18:10 10.100.19.4 id=firewall sn=00401016C0BA time="2004-08-25 02:53:15" fw=129.33.119.196 pri=6 c=16 m=346 msg="IKE Initiator: Start Quick Mode (Phase 2)." n=402 src=129.33.119.196 dst=141.146.183.82 28 | Aug 25 11:18:11 10.100.19.4 id=firewall sn=00401016C0BA time="2004-08-25 02:53:15" fw=129.33.119.196 pri=6 c=16 m=372 msg="IKE Initiator: Accepting IPSec proposal (Phase 2)" n=402 src=129.33.119.196 dst=141.146.183.82 29 | Aug 25 11:18:11 10.100.19.4 id=firewall sn=00401016C0BA time="2004-08-25 02:53:15" fw=129.33.119.196 pri=6 c=16 m=89 msg="IKE negotiation complete. Adding IPSec SA. 
(Phase 2)" n=463 src=129.33.119.196 dst=141.146.183.82 dstname=ESP:3DES, HMAC_SHA1, lifeSeconds=28800 Local SPI:0x7912374e Remote SPI:0x16c4177c 30 | Aug 25 11:18:14 10.100.19.4 id=firewall sn=00401016C0BA time="2004-08-25 02:53:19" fw=129.33.119.196 pri=6 c=16384 m=194 msg="VPN TCP SYN" n=50516 src=141.146.166.194 dst=129.33.119.142 sport=80 dport=38065 rcvd=48 31 | Aug 25 11:18:14 10.100.19.4 id=firewall sn=00401016C0BA time="2004-08-25 02:53:19" fw=129.33.119.196 pri=6 c=16384 m=196 msg="VPN TCP PSH" n=147062 src=129.33.119.142 dst=141.146.166.194 sport=38065 dport=80 sent=174 cmd=POST /xms/webservices HTTP/1.0 32 | Aug 25 22:48:30 10.100.19.4 id=firewall sn=00401016C0BA time="2004-08-25 14:23:32" fw=129.33.119.196 pri=6 c=16384 m=195 msg="VPN TCP FIN" n=96577 src=129.33.119.142 dst=141.146.166.194 sport=3500 dport=62451 sent=40 33 | Aug 25 22:48:31 10.100.19.4 id=firewall sn=00401016C0BA time="2004-08-25 14:23:32" fw=129.33.119.196 pri=6 c=16384 m=195 msg="VPN TCP FIN" n=96578 src=141.146.166.194 dst=129.33.119.142 sport=62451 dport=3500 rcvd=740 34 | Aug 09 16:32:59 10.0.16.47 id=firewall sn=0006B1040158 time="2006-08-09 23:31:26" fw=10.0.16.47 m=96 n=13 i=60 lic=0 unsynched=3934 pt=80.443 usestandbysa=0 dyn=n.n fwlan=192.168.168.168 35 | Aug 09 16:39:17 10.0.16.47 id=firewall sn=0006B1040158 time="2006-08-09 23:37:44" fw=10.0.16.47 m=96 n=2 i=60 lic=3 unsynched=-1 pt=80.443 usestandbysa=0 dyn=n.n fwlan=192.168.168.168 conns=15 change=manGmsView.html 36 | Aug 09 16:39:27 10.0.16.47 id=firewall sn=0006B1040158 time="2006-08-09 23:37:54" fw=10.0.16.47 m=96 n=3 i=60 lic=3 unsynched=-1 pt=80.443 usestandbysa=0 dyn=n.n fwlan=192.168.168.168 conns=12 change=manGmsView.html 37 | Aug 09 16:40:17 10.0.16.47 id=firewall sn=0006B1040158 time="2006-08-09 23:38:44" fw=10.0.16.47 m=96 n=4 i=60 lic=3 unsynched=49 pt=80.443 usestandbysa=0 dyn=n.n fwlan=192.168.168.168 conns=5 38 | Aug 09 16:40:38 10.0.16.47 id=firewall sn=0006B1040158 time="2006-08-09 22:38:33" fw=10.0.16.47 
m=96 n=5 i=60 lic=3 unsynched=-1 pt=80.443 usestandbysa=0 dyn=n.n fwlan=192.168.168.168 conns=3 change=systemTimeView.html 39 | Aug 09 16:41:17 10.0.16.47 id=firewall sn=0006B1040158 time="2006-08-09 22:39:12" fw=10.0.16.47 m=96 n=6 i=60 lic=3 unsynched=39 pt=80.443 usestandbysa=0 dyn=n.n fwlan=192.168.168.168 conns=0 40 | Aug 09 16:41:40 10.0.16.47 id=firewall sn=0006B1040158 time="2006-08-09 22:39:35" fw=10.0.16.47 m=96 n=7 i=60 lic=3 unsynched=-1 pt=80.443 usestandbysa=0 dyn=n.n fwlan=192.168.168.168 conns=2 change=systemTimeView.html 41 | Aug 09 16:42:17 10.0.16.47 id=firewall sn=0006B1040158 time="2006-08-09 23:40:44" fw=10.0.16.47 m=96 n=8 i=60 lic=3 unsynched=3668 pt=80.443 usestandbysa=0 dyn=n.n fwlan=192.168.168.168 conns=0 42 | May 17 18:27:32 10.0.16.46 id=firewall sn=0006B1020010 time="2006-05-17 18:27:25" fw=10.0.16.46 pri=6 c=1024 m=97 n=18 src=192.168.168.5:1949:X0 dst=216.143.70.27:80:X1 proto=tcp/http op=GET sent=800 rcvd=10017 result=200 dstname=virusscanasap.mcafeeasap.com arg=/VS2/SonicWall/Agent/Install.asp?Mode=SkipUpdate 43 | May 17 18:28:58 10.0.16.46 id=firewall sn=0006B1020010 time="2006-05-17 18:28:51" fw=10.0.16.46 pri=6 c=1024 m=97 n=1 src=10.0.16.46:1027:X1 dst=64.41.140.164:80:X1 proto=tcp/http op=POST sent=623 rcvd=757 result=200 dstname=software.sonicwall.com arg=/Request.asp 44 | May 17 18:35:13 10.0.16.46 id=firewall sn=0006B1020010 time="2006-05-17 18:35:06" fw=10.0.16.46 pri=6 c=1024 m=97 n=1 src=10.0.16.46:1027:X1 dst=64.69.184.10:80:X1 proto=tcp/http op=POST sent=783 rcvd=1391 result=200 dstname=software.sonicwall.com arg=/Request.asp 45 | May 17 19:28:09 10.0.16.46 id=firewall sn=0006B1020010 time="2006-05-17 19:28:03" fw=10.0.16.46 pri=6 c=1024 m=97 n=2 src=192.168.168.5:2006:X0 dst=216.143.70.27:80:X1 proto=tcp/http op=POST sent=363 rcvd=449 result=200 dstname=virusscanasap.mcafeeasap.com arg=/VS2/SonicWall/CheckConnection.asp 46 | May 17 19:28:15 10.0.16.46 id=firewall sn=0006B1020010 time="2006-05-17 19:28:08" 
fw=10.0.16.46 pri=6 c=1024 m=97 n=3 src=192.168.168.5:2006:X0 dst=216.143.70.27:80:X1 proto=tcp/http op=GET sent=841 rcvd=680 result=200 dstname=virusscanasap.mcafeeasap.com arg=/VS2/SonicWall/CheckUpdate.asp?CompanyKey=505c5c4f565643232720&MachineI 47 | May 21 11:23:07 10.0.16.46 id=firewall sn=0006B1020010 time="2006-05-21 11:22:57" fw=10.0.16.46 pri=6 c=262144 m=98 msg="Connection Opened" n=482 usr="admin" src=10.0.16.2:2129:X1 dst=10.0.16.46:443:X1 proto=tcp/https 48 | May 21 11:23:10 10.0.16.46 id=firewall sn=0006B1020010 time="2006-05-21 11:23:00" fw=10.0.16.46 pri=6 c=262144 m=98 msg="Connection Opened" n=483 usr="admin" src=10.0.16.2:2130:X1 dst=10.0.16.46:443:X1 proto=tcp/https 49 | May 21 11:23:10 10.0.16.46 id=firewall sn=0006B1020010 time="2006-05-21 11:23:00" fw=10.0.16.46 pri=6 c=262144 m=98 msg="Connection Opened" n=484 usr="admin" src=10.0.16.2:2131:X1 dst=10.0.16.46:443:X1 proto=tcp/https 50 | Jun 01 15:32:00 10.0.16.46 id=firewall sn=0006B1020010 time="2006-06-01 15:31:42" fw=10.0.16.46 pri=6 c=262144 m=98 msg="Connection Opened" n=683 usr="admin" src=10.0.16.2:4140:X1 dst=10.0.16.46:443:X1 proto=tcp/https 51 | May 17 11:12:41 10.0.16.46 id=firewall sn=0006B1020010 time="2006-05-17 11:12:33" fw=10.0.16.46 pri=6 c=1024 m=537 msg="Connection Closed" n=2392 src=192.168.168.5:1481:X0 dst=10.50.128.52:389:X1 proto=tcp/389 sent=3375 rcvd=7916 52 | May 17 11:12:41 10.0.16.46 id=firewall sn=0006B1020010 time="2006-05-17 11:12:33" fw=10.0.16.46 pri=6 c=1024 m=537 msg="Connection Closed" n=2392 src=192.168.168.5:1482:X0 dst=10.50.128.52:389:X1 proto=tcp/389 sent=2083 rcvd=871 53 | May 17 11:12:55 10.0.16.46 id=firewall sn=0006B1020010 time="2006-05-17 11:12:47" fw=10.0.16.46 pri=6 c=1024 m=537 msg="Connection Closed" n=2395 src=192.168.168.5:1472:X0 dst=10.50.128.53:389:X1 proto=udp/389 sent=245 rcvd=210 54 | May 17 11:12:55 10.0.16.46 id=firewall sn=0006B1020010 time="2006-05-17 11:12:47" fw=10.0.16.46 pri=6 c=1024 m=537 msg="Connection Closed" n=2395 
src=192.168.168.5:1477:X0 dst=10.50.128.52:53:X1 proto=udp/dns sent=107 rcvd=299 55 | Jun 01 15:32:29 10.0.16.46 id=firewall sn=0006B1020010 time="2006-06-01 15:32:11" fw=10.0.16.46 pri=5 c=16 m=526 msg="Web management request allowed" n=390 usr="admin" src=10.0.16.2:4143:X1 dst=10.0.16.46:443:X1 proto=tcp/https 56 | Jun 01 15:32:35 10.0.16.46 id=firewall sn=0006B1020010 time="2006-06-01 15:32:17" fw=10.0.16.46 pri=7 c=512 m=46 msg="Broadcast packet dropped" n=876453 src=10.0.92.23:0:X1 dst=10.0.255.255:3296 proto=udp/netbios-ns 57 | Aug 18 16:23:17 10.0.16.47 id=firewall sn=0006B1040158 time="2006-08-18 16:21:37" fw=10.0.16.47 pri=1 c=32 m=81 msg="Smurf Amplification attack dropped" n=1 src=192.168.168.169:8:WAN dst=192.168.168.0:8 58 | Aug 21 13:24:52 10.0.16.47 id=firewall sn=0006B1040158 time="2006-08-21 13:23:11" fw=10.0.16.47 pri=5 c=16 m=526 msg="Web management request allowed" n=1 src=10.0.16.2:4390:WAN dst=10.0.16.47:443:WAN proto=tcp/https 59 | Aug 21 13:25:01 10.0.16.47 id=firewall sn=0006B1040158 time="2006-08-21 13:23:19" fw=10.0.16.47 pri=6 c=16 m=236 msg="WAN zone administrator login allowed" n=1 usr="admin" src=10.0.16.2:0:WAN dst=10.0.16.47:443:WAN 60 | Aug 21 13:26:12 10.0.16.47 id=firewall sn=0006B1040158 time="2006-08-21 13:24:30" fw=10.0.16.47 pri=5 c=16 m=526 msg="Web management request allowed" n=56 usr="admin" src=10.0.16.2:4488:WAN dst=10.0.16.47:443:WAN proto=tcp/https 61 | Aug 21 13:28:43 10.0.16.47 id=firewall sn=0006B1040158 time="2006-08-21 13:27:02" fw=10.0.16.47 pri=5 c=16 m=526 msg="Web management request allowed" n=60 usr="admin" src=10.0.16.2:4495:WAN dst=10.0.16.47:443:WAN proto=tcp/https 62 | -------------------------------------------------------------------------------- /ssh/attackers.txt: -------------------------------------------------------------------------------- 1 | 220.161.148.178 2 | 211.167.103.172 3 | 210.68.173.72 4 | 202.136.60.142 5 | 195.90.127.159 6 | 176.9.25.132 7 | 124.160.194.27 8 | 123.164.148.131 9 | 
121.78.159.52 10 | 116.255.160.35 11 | 113.195.5.231 12 | 106.186.21.162 13 | 94.102.3.151 14 | 61.236.64.56 15 | 61.156.238.56 16 | 61.153.98.18 17 | 61.138.37.112 18 | 58.225.75.228 19 | -------------------------------------------------------------------------------- /ssh/brutessh.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Santiago Bassett 3 | 4 | SCRIPTPATH=$( cd $(dirname $0) ; pwd -P ) 5 | 6 | while true 7 | do 8 | 9 | attacker_ip=`shuf -n 1 $SCRIPTPATH/attackers.txt` 10 | target_ip=`shuf -n 1 $SCRIPTPATH/targets.txt` 11 | 12 | grep $attacker_ip $SCRIPTPATH/sshd.log > $SCRIPTPATH/tmp.log 13 | sed -e "s/alien12/$target_ip/" -i $SCRIPTPATH/tmp.log 14 | 15 | while read line 16 | do 17 | logger "$line" 18 | let "divisor = ($RANDOM % 5) + 1" 19 | sleeptime=`echo "scale = 2; 1 / $divisor" | bc` 20 | sleep $sleeptime 21 | done < $SCRIPTPATH/tmp.log 22 | 23 | let "sleeptime = ($RANDOM * 1000) % 86400" 24 | sleep $sleeptime; 25 | 26 | done 27 | -------------------------------------------------------------------------------- /ssh/sshlogs.conf: -------------------------------------------------------------------------------- 1 | $template SSHFormat,"%TIMESTAMP%%msg%\n" 2 | 3 | if $programname == 'logger' and $rawmsg contains 'sshd[' then -/var/log/auth.log;SSHFormat 4 | & ~ 5 | -------------------------------------------------------------------------------- /ssh/targets.txt: -------------------------------------------------------------------------------- 1 | 10.0.0.1 2 | 10.0.0.40 3 | 10.0.0.80 4 | 10.0.0.81 5 | 10.0.0.82 6 | 10.0.0.200 7 | -------------------------------------------------------------------------------- /ssh/tmp.log: -------------------------------------------------------------------------------- 1 | 10.0.0.200 sshd[13588]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=113.195.5.231 user=root 2 | 10.0.0.200 sshd[13588]: Failed password for root from 
113.195.5.231 port 59127 ssh2 3 | 10.0.0.200 sshd[14007]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=113.195.5.231 user=root 4 | 10.0.0.200 sshd[14007]: Failed password for root from 113.195.5.231 port 59254 ssh2 5 | 10.0.0.200 sshd[14447]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=113.195.5.231 user=root 6 | 10.0.0.200 sshd[14447]: Failed password for root from 113.195.5.231 port 59411 ssh2 7 | 10.0.0.200 sshd[14845]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=113.195.5.231 user=root 8 | 10.0.0.200 sshd[14845]: Failed password for root from 113.195.5.231 port 59562 ssh2 9 | 10.0.0.200 sshd[15254]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=113.195.5.231 user=root 10 | 10.0.0.200 sshd[15254]: Failed password for root from 113.195.5.231 port 59727 ssh2 11 | 10.0.0.200 sshd[15643]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=113.195.5.231 user=root 12 | 10.0.0.200 sshd[15643]: Failed password for root from 113.195.5.231 port 59864 ssh2 13 | 10.0.0.200 sshd[16032]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=113.195.5.231 user=root 14 | 10.0.0.200 sshd[16032]: Failed password for root from 113.195.5.231 port 60024 ssh2 15 | 10.0.0.200 sshd[16453]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=113.195.5.231 user=root 16 | 10.0.0.200 sshd[16453]: Failed password for root from 113.195.5.231 port 60226 ssh2 17 | 10.0.0.200 sshd[16822]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=113.195.5.231 user=root 18 | 10.0.0.200 sshd[16822]: Failed password for root from 113.195.5.231 port 60420 ssh2 19 | 10.0.0.200 sshd[17280]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=113.195.5.231 
user=root 20 | 10.0.0.200 sshd[17280]: Failed password for root from 113.195.5.231 port 60610 ssh2 21 | 10.0.0.200 sshd[17691]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=113.195.5.231 user=root 22 | 10.0.0.200 sshd[17691]: Failed password for root from 113.195.5.231 port 60814 ssh2 23 | 10.0.0.200 sshd[18150]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=113.195.5.231 user=root 24 | 10.0.0.200 sshd[18150]: Failed password for root from 113.195.5.231 port 32784 ssh2 25 | 10.0.0.200 sshd[18639]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=113.195.5.231 user=root 26 | 10.0.0.200 sshd[18639]: Failed password for root from 113.195.5.231 port 32963 ssh2 27 | 10.0.0.200 sshd[19063]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=113.195.5.231 user=root 28 | 10.0.0.200 sshd[19063]: Failed password for root from 113.195.5.231 port 60436 ssh2 29 | 10.0.0.200 sshd[19536]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=113.195.5.231 user=root 30 | 10.0.0.200 sshd[19536]: Failed password for root from 113.195.5.231 port 60636 ssh2 31 | 10.0.0.200 sshd[20009]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=113.195.5.231 user=root 32 | 10.0.0.200 sshd[20009]: Failed password for root from 113.195.5.231 port 60834 ssh2 33 | 10.0.0.200 sshd[20493]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=113.195.5.231 user=root 34 | 10.0.0.200 sshd[20493]: Failed password for root from 113.195.5.231 port 32814 ssh2 35 | 10.0.0.200 sshd[20979]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=113.195.5.231 user=root 36 | 10.0.0.200 sshd[20979]: Failed password for root from 113.195.5.231 port 33027 ssh2 37 | 10.0.0.200 sshd[21377]: pam_unix(sshd:auth): 
authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=113.195.5.231 user=root 38 | 10.0.0.200 sshd[21377]: Failed password for root from 113.195.5.231 port 33217 ssh2 39 | 10.0.0.200 sshd[21808]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=113.195.5.231 user=root 40 | 10.0.0.200 sshd[21808]: Failed password for root from 113.195.5.231 port 33439 ssh2 41 | 10.0.0.200 sshd[22303]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=113.195.5.231 user=root 42 | 10.0.0.200 sshd[22303]: Failed password for root from 113.195.5.231 port 33685 ssh2 43 | 10.0.0.200 sshd[22757]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=113.195.5.231 user=root 44 | 10.0.0.200 sshd[22757]: Failed password for root from 113.195.5.231 port 33925 ssh2 45 | 10.0.0.200 sshd[23138]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=113.195.5.231 user=root 46 | 10.0.0.200 sshd[23138]: Failed password for root from 113.195.5.231 port 34148 ssh2 47 | 10.0.0.200 sshd[23626]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=113.195.5.231 user=root 48 | 10.0.0.200 sshd[23626]: Failed password for root from 113.195.5.231 port 34380 ssh2 49 | 10.0.0.200 sshd[24160]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=113.195.5.231 user=root 50 | 10.0.0.200 sshd[24160]: Failed password for root from 113.195.5.231 port 34623 ssh2 51 | 10.0.0.200 sshd[24665]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=113.195.5.231 user=root 52 | 10.0.0.200 sshd[24665]: Failed password for root from 113.195.5.231 port 34849 ssh2 53 | 10.0.0.200 sshd[25132]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=113.195.5.231 user=root 54 | 10.0.0.200 sshd[25132]: Failed password for root from 
113.195.5.231 port 35101 ssh2 55 | 10.0.0.200 sshd[25666]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=113.195.5.231 user=root 56 | 10.0.0.200 sshd[25666]: Failed password for root from 113.195.5.231 port 35352 ssh2 57 | 10.0.0.200 sshd[26183]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=113.195.5.231 user=root 58 | 10.0.0.200 sshd[26183]: Failed password for root from 113.195.5.231 port 35604 ssh2 59 | 10.0.0.200 sshd[26612]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=113.195.5.231 user=root 60 | 10.0.0.200 sshd[26612]: Failed password for root from 113.195.5.231 port 35821 ssh2 61 | 10.0.0.200 sshd[27139]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=113.195.5.231 user=root 62 | 10.0.0.200 sshd[27139]: Failed password for root from 113.195.5.231 port 36063 ssh2 63 | 10.0.0.200 sshd[27652]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=113.195.5.231 user=root 64 | 10.0.0.200 sshd[27652]: Failed password for root from 113.195.5.231 port 36298 ssh2 65 | 10.0.0.200 sshd[28153]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=113.195.5.231 user=root 66 | 10.0.0.200 sshd[28153]: Failed password for root from 113.195.5.231 port 36557 ssh2 67 | 10.0.0.200 sshd[28575]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=113.195.5.231 user=root 68 | 10.0.0.200 sshd[28575]: Failed password for root from 113.195.5.231 port 36792 ssh2 69 | 10.0.0.200 sshd[29076]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=113.195.5.231 user=root 70 | 10.0.0.200 sshd[29076]: Failed password for root from 113.195.5.231 port 37050 ssh2 71 | 10.0.0.200 sshd[29579]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= 
rhost=113.195.5.231 user=root 72 | 10.0.0.200 sshd[29579]: Failed password for root from 113.195.5.231 port 37293 ssh2 73 | 10.0.0.200 sshd[30011]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=113.195.5.231 user=root 74 | 10.0.0.200 sshd[30011]: Failed password for root from 113.195.5.231 port 37520 ssh2 75 | 10.0.0.200 sshd[30464]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=113.195.5.231 user=root 76 | 10.0.0.200 sshd[30464]: Failed password for root from 113.195.5.231 port 37728 ssh2 77 | 10.0.0.200 sshd[30968]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=113.195.5.231 user=root 78 | 10.0.0.200 sshd[30968]: Failed password for root from 113.195.5.231 port 37964 ssh2 79 | 10.0.0.200 sshd[31467]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=113.195.5.231 user=root 80 | 10.0.0.200 sshd[31467]: Failed password for root from 113.195.5.231 port 38208 ssh2 81 | 10.0.0.200 sshd[31972]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=113.195.5.231 user=root 82 | 10.0.0.200 sshd[31972]: Failed password for root from 113.195.5.231 port 38456 ssh2 83 | 10.0.0.200 sshd[32484]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=113.195.5.231 user=root 84 | 10.0.0.200 sshd[32484]: Failed password for root from 113.195.5.231 port 38711 ssh2 85 | 10.0.0.200 sshd[498]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=113.195.5.231 user=root 86 | 10.0.0.200 sshd[498]: Failed password for root from 113.195.5.231 port 38922 ssh2 87 | 10.0.0.200 sshd[940]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=113.195.5.231 user=root 88 | 10.0.0.200 sshd[940]: Failed password for root from 113.195.5.231 port 39149 ssh2 89 | 10.0.0.200 sshd[1397]: pam_unix(sshd:auth): 
authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=113.195.5.231 user=root 90 | 10.0.0.200 sshd[1397]: Failed password for root from 113.195.5.231 port 39381 ssh2 91 | 10.0.0.200 sshd[1849]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=113.195.5.231 user=root 92 | 10.0.0.200 sshd[1849]: Failed password for root from 113.195.5.231 port 39584 ssh2 93 | 10.0.0.200 sshd[2293]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=113.195.5.231 user=root 94 | 10.0.0.200 sshd[2293]: Failed password for root from 113.195.5.231 port 39822 ssh2 95 | 10.0.0.200 sshd[2715]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=113.195.5.231 user=root 96 | 10.0.0.200 sshd[2715]: Failed password for root from 113.195.5.231 port 40043 ssh2 97 | 10.0.0.200 sshd[3235]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=113.195.5.231 user=root 98 | 10.0.0.200 sshd[3235]: Failed password for root from 113.195.5.231 port 40295 ssh2 99 | 10.0.0.200 sshd[3681]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=113.195.5.231 user=root 100 | 10.0.0.200 sshd[3681]: Failed password for root from 113.195.5.231 port 40519 ssh2 101 | 10.0.0.200 sshd[4126]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=113.195.5.231 user=root 102 | 10.0.0.200 sshd[4126]: Failed password for root from 113.195.5.231 port 40721 ssh2 103 | 10.0.0.200 sshd[4563]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=113.195.5.231 user=root 104 | 10.0.0.200 sshd[4563]: Failed password for root from 113.195.5.231 port 40968 ssh2 105 | 10.0.0.200 sshd[5000]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=113.195.5.231 user=root 106 | 10.0.0.200 sshd[5000]: Failed password for root from 113.195.5.231 port 
41180 ssh2 107 | 10.0.0.200 sshd[5518]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=113.195.5.231 user=root 108 | 10.0.0.200 sshd[5518]: Failed password for root from 113.195.5.231 port 41430 ssh2 109 | --------------------------------------------------------------------------------