# Sagan cisco-ios.rules
# Copyright (c) 2009-2013, Quadrant Information Security <www.quadrantsec.com>
# All rights reserved.
#
# Please submit any custom rules or ideas to [email protected] or the sagan-sigs mailing list
#
#*************************************************************
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************
# Transport-keyed rules: these two select on the Sagan protocol/port fields ($SNMP_PORT, 514) rather than on the
# syslog facility, so $SNMP_PORT is presumably defined next to $HOME_NET/$EXTERNAL_NET in the Sagan configuration.
# SNMP authentication failures, capped at 5 alerts per source per 300 s; parse_src_ip: 1 takes the source address
# from the message text rather than from the syslog sender.
alert udp $EXTERNAL_NET any -> $HOME_NET $SNMP_PORT (msg: "[CISCO-IOS] SNMP Authentication Failure"; content: "SNMP-3-AUTHFAIL"; classtype: attempted-recon; parse_src_ip: 1; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5000051; sid: 5000051; rev:5;)
# rsh connection attempts reported by the device (TCP/514 in the rule header).
alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg: "[CISCO-IOS] Attempted RSHELL connection"; content: "RCMD-4-RSHPORTATTEMPT"; classtype: unsuccessful-user; reference: url,wiki.quadrantsec.com/bin/view/Main/5000052; sid: 5000052; rev:2;)
# Interface/line-protocol transitions are shipped disabled (noisy on a normal network).
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Line protocol changed state up/down"; content: "LINK-3-UPDOWN"; classtype: network-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000053; sid: 5000053; rev:2;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Line protocol changed state up/down"; content: "LINEPROTO-5-UPDOWN"; classtype: network-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5000054; sid: 5000054; rev:2;)
# Configuration activity.
# NOTE(review): the content "SYS-5-CONFIG" of 5000111 is a substring of "SYS-5-CONFIG_I", so a console configuration
# fires both 5000055 and 5000111. If that overlap is not intended, narrow 5000111 with an additional content/pcre.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Configuration from console"; content: "SYS-5-CONFIG_I"; parse_src_ip: 1; classtype: configuration-change; reference: url,wiki.quadrantsec.com/bin/view/Main/5000055; sid: 5000055; rev:4;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] IOS configuration changed"; content: "SYS-5-CONFIG"; classtype: configuration-change; reference: url,wiki.quadrantsec.com/bin/view/Main/5000111; sid:5000111; rev:4;)
# Per-event login rules are disabled; the successful-login case is covered again by 5001952 at the end of the file.
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Successful login"; content: "SEC_LOGIN-5-LOGIN_SUCCESS"; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5000112; sid:5000112; rev:2;)
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Failed login"; content: "SEC_LOGIN-4-LOGIN_FAILED"; classtype: unsuccessful-admin; normalize: cisco; reference: url,wiki.quadrantsec.com/bin/view/Main/5001520; sid:5001520; rev:1;)
# Brute-force handling: "after" holds the alert until 5 failures from one source within 300 s, the threshold then
# caps repeats at 5 per 300 s, and fwsam requests a 1-day block of that source. The action is drop, not alert.
# NOTE(review): the address handed to fwsam comes from the log text (presumably the source field produced by
# normalize: cisco), not from the syslog sender, so a forged or replayed syslog message can cause an arbitrary
# address to be blocked. Exclude management hosts from blocking in the fwsam/SnortSam configuration and prefer an
# authenticated syslog transport. 5001686 later in this file matches the same event with the same counters and also
# calls fwsam, so a real brute force fires both rules.
drop syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Failed login - Brute Force"; content: "SEC_LOGIN-4-LOGIN_FAILED"; classtype: unsuccessful-admin; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; normalize: cisco; reference: url,wiki.quadrantsec.com/bin/view/Main/5000113; sid:5000113; rev:5;)
# Environmental/hardware events; the two fan rules are capped at 5 alerts per source per 300 s.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Fan failure - Fan not rotating"; content: "ENVMON-3-FAN_FAILED"; classtype: hardware-event; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5000388; sid:5000388; rev:3;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Fans had a rotation error reported"; content: "%FAN-3-FAN_FAILED"; classtype: hardware-event; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001198; sid:5001198; rev:2;)
# NOTE(review): the reference url ends in 5001190 while the sid is 5001199 — one of the two looks like a typo.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Power Controller reports power Imax error detected"; content: "%ILPOWER-3-CONTROLLER_PORT_ERR"; classtype: hardware-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001190; sid:5001199; rev:1;)
# Rules submitted by Sniffty Dugen (July 31, 2012)
# Switch hardware/ASIC diagnostics (sids 5001476-5001519). Every rule below references a section of the same Cisco
# tech note; almost all are classtype hardware-event or network-event and match a single facility-severity-mnemonic
# string. The ones that carry a threshold (5001482, 5001493, 5001496, 5001497, 5001500, 5001501) cap alerts at 3-5
# per source per 300 s, presumably because those messages repeat while the fault persists.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Unsupported Hardware Module"; content: "C6KPWR-SP-4-UNSUPPORTED"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob1ab; sid: 5001476; rev:1;)
# NOTE(review): the msg text has typos ("recieved to short"); it is left unchanged here so any existing alert
# correlation on the msg string is not disturbed.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] IP Packet recieved to short"; content: "EARL_L3_ASIC-SP-4-INTR_THROTTLE: Throttling"; classtype: network-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob1abb; sid: 5001477; rev:2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] IP Packet with probable bad checksum Dropped"; content: "EARL_L3_ASIC-SP-3-INTR_WARN"; classtype: network-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#EARL; sid: 5001478; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] NetFlow addressable memory almost full"; content: "EARL_NETFLOW-SP-4-TCAM_THRLD"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob1a; sid: 5001479; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] IOS Keepalive Loop Detected"; content: "ETHCNTR-3-LOOP_BACK_DETECTED"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob1b; sid: 5001480; rev:1;)
# Matches free text ("loadprog: error") rather than a %FACILITY-SEV-MNEMONIC string.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Possible IOS System Crash"; content: "loadprog: error"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob1bc; sid: 5001481; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Error in Layer 3 Forwarding ASIC"; content: "L3_ASIC-DFC3-4-ERR_INTRPT"; threshold: type limit, track by_src, count 5, seconds 300; classtype: network-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#ASIC; sid: 5001482; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] MAC/IP length inconsistencies"; content: "MLS_STAT-SP-4-IP_LEN_ERR"; classtype: network-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob1; sid: 5001483; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Invalid IP Checksum detected"; content: "MLS_STAT-SP-4-IP_CSUM_ERR"; classtype: network-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob2; sid: 5001484; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Excessive Multicast Traffic to IGMP reserved address"; content: "MCAST-SP-6-ADDRESS_ALIASING_FALLBACK"; classtype: network-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob3; sid: 5001485; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] PIM Hold Time Out of range"; content: "MROUTE-3-TWHEEL_DELAY_ERR"; classtype: network-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob5; sid: 5001486; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Maximum Number of L2 Multicast Group Entries Created"; content: "MCAST-SP-6-GC_LIMIT_EXCEEDED"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob6; sid: 5001487; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Internal Table Manager Parity Error"; content: "MISTRAL-SP-3-ERROR"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob7; sid: 5001488; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Short IP Packets Detected"; content: "MLS_STAT-4-IP_TOO_SHRT"; classtype: network-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob8; sid: 5001489; rev:1;)
# Two generic substrings with no mnemonic anchor; both must be present in the message.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Creating Session to module/slot failed"; content: "Processor"; content: "cannot service session requests"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#Processor; sid: 5001490; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Module Firmware error detected"; content: "PM_SCP-1-LCP_FW_ERR"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob9; sid: 5001491; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Module Error Condition"; content: "PM_SCP-2-LCP_FW_ERR_INFORM"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob-error; sid: 5001492; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Switch Port Error Detected"; content: "PM_SCP-SP-2-LCP_FW_ERR_INFORM"; threshold: type limit, track by_src, count 3, seconds 300; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#mod-issue; sid: 5001493; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Unsupported SFP GBIC Detected"; content: "PM_SCP-SP-3-TRANSCEIVER_BAD_EEPROM"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#badkey; sid: 5001494; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] TCAM Resource Exhaustion Detected"; content: "QM-4-TCAM_ENTRY"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#TCAM; sid: 5001495; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Supervisor Engine Parity Errors"; content: "SYSTEM_CONTROLLER-SP-3-ERROR"; threshold: type limit, track by_src, count 3, seconds 300; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#tmparity; sid: 5001496; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Memory Parity Error"; content: "SYSTEM_CONTROLLER-SW2_SPSTBY-3-ERROR"; threshold: type limit, track by_src, count 3, seconds 300; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob-controller; sid: 5001497; rev:1;)
# Matches a literal channel number ("Channel 14"); the same fault on another channel will not match.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Linecard Endpoint Lost Sync"; content: "SP: Linecard endpoint of Channel 14 lost Sync"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#sp141; sid: 5001498; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Misconfigured Boot Variables"; content: "SYSTEM-1-INITFAIL: Network boot is not supported"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#nwboot; sid: 5001499; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] CPU Monitor Message Time Outs"; content: "CPU_MONITOR-3-TIMED_OUT"; threshold: type limit, track by_src, count 3, seconds 300; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#monitor; sid: 5001500; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] CPU Monitor Message Not Heard"; content: "CPU_MONITOR-6-NOT_HEARD"; threshold: type limit, track by_src, count 3, seconds 300; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#monitor; sid: 5001501; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Invalid IDPROM Image"; content: "Invalid IDPROM image for"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#idprom; sid: 5001502; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Switch Module Powered Off"; content: "C6KPWR-4-DISABLED"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#pwrdis; sid: 5001503; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] ASIC Failed to Synchronize"; content: "ONLINE-SP-6-INITFAIL"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#onlinefail; sid: 5001504; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Flow Mask Request Failed"; content: "FM_EARL7-4-FLOW_FEAT_FLOWMASK_REQ_FAIL"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#flowmask; sid: 5001505; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] IGMP join packet Flood"; content: "MCAST-2-IGMP_SNOOP_DISABLE"; classtype: network-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#igmpsnoop; sid: 5001506; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] ASIC/Pinnacle Unrecoverable resources"; content: "C6KERRDETECT-2-FIFOCRITLEVEL"; classtype: network-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#dr; sid: 5001507; rev:1;)
# Stall / recovered pair for the switching bus; both point at the same tech-note section.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Switching Bus Stalled"; content: "C6KERRDETECT-SP-4-SWBUSSTALL"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob-3sec; sid: 5001508; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Switching Bus Recovered"; content: "C6KERRDETECT-SP-4-SWBUSSTALL_RECOVERED"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob-3sec; sid: 5001509; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] SP-RP ping test failed, High Traffic"; content: "SP-RP Ping Test[7]"; classtype: network-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#srp; sid: 5001510; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Sub-interface Limit Reached"; content: "SW_VLAN-4-MAX_SUB_INT"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#subint; sid: 5001511; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Hash Bucket Collision"; content: "MCAST-6-L2_HASH_BUCKET_COLLISION"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#l2hash; sid: 5001512; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] QoS Hardware Resources Exceeded"; content: "QM-4-AGG_POL_EXCEEDED"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#qm_agg; sid: 5001513; rev:1;)
# 5001514/5001515 share the CANNOT_BUNDLE2 content and differ only in the second substring ("MTU" vs "flow control").
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Port Channel MTU Mismatch"; content: "EC-SP-5-CANNOT_BUNDLE2"; content: "MTU"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#prob-bundle; sid: 5001514; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Port Channel Flow Control Mismatch"; content: "EC-SP-5-CANNOT_BUNDLE2"; content: "flow control"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#port; sid: 5001515; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Route entries about to reach FIB capacity"; content: "CFIB-7-CFIB_EXCEPTION"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#tcamexception; sid: 5001516; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Switch Port Data Path Error"; content: "CONST_DIAG-SP-3-HM_PORT_ERR"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#disablingport; sid: 5001517; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Bad CRC on ASIC Line Card"; content: "CONST_DIAG-SP-4-ERROR_COUNTER_WARNING"; classtype: hardware-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#module; sid: 5001518; rev:2;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Switch Detected Unknown Protocol"; content: "SYS-3-PORT_RX_BADCODE"; classtype: network-event; reference: url,www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a00801b42bf.shtml#badcode; sid: 5001519; rev:1;)
# Login failures and remote-access authentication.
# The per-failure alert 5001625 is disabled; the active form is the brute-force rule 5001686, which uses the same
# "after"/threshold counters (5 in 300 s per source) and the same 1-day fwsam block as 5000113 earlier in this file,
# so a real brute force from one source fires both rules.
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Login Failed"; content: "SEC_LOGIN-4-LOGIN_FAILED"; classtype: unsuccessful-user; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001625; sid: 5001625; rev:1;)
# NOTE(review): the address handed to fwsam is taken from the message text by parse_src_ip, not from the syslog
# sender, so forged syslog input can name an arbitrary host to block. Exclude management addresses from blocking in
# the fwsam/SnortSam configuration and review automatic blocks before relying on them.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Login Failed - Brute Force"; content: "SEC_LOGIN-4-LOGIN_FAILED"; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; classtype: unsuccessful-user; parse_src_ip: 1; reference: url,wiki.quadrantsec.com/bin/view/Main/5001686; sid: 5001686; rev:1;)
# Matches the literal text "HIGH CPU DETECTED"; no mnemonic anchor and no rate limiting.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] High CPU usage detected"; content: "HIGH CPU DETECTED"; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001626; sid: 5001626; rev:1;)
# Example of the sshd message 5001668/5001670 are written for:
# %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user cisco from 10.10.10.10 - sshd[27924]
#alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg: "[CISCO-IOS] Authentication Failure SSH"; content: "%AUTHPRIV-3-SYSTEM_MSG:"; content: "sshd["; classtype: unsuccessful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5001668; sid: 5001668; rev:2;)
# NOTE(review): the only contents are "%AUTHPRIV-3-SYSTEM_MSG:" and "sshd[" — nothing requires the "Authentication
# failed" text shown in the example — so every AUTHPRIV-3 sshd message from a source counts toward the 5-in-300 s
# block. There is also no parse_src_ip/normalize on this rule, so confirm which address fwsam ends up blocking.
alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg: "[CISCO-IOS] Authentication Failure SSH - Brute force"; content: "%AUTHPRIV-3-SYSTEM_MSG:"; content: "sshd["; classtype: unsuccessful-admin; after: track by_src, count 5, seconds 300; threshold: type limit, track by_src, count 5, seconds 300; fwsam: src, 1 day; reference: url,wiki.quadrantsec.com/bin/view/Main/5001670; sid: 5001670; rev:2;)
# Example for 5001669:
# %DAEMON-3-SYSTEM_MSG: error: PAM: Authentication failure for illegal user cisco from 10.10.10.10 - sshd[27926]
# Same matching width as 5001670: keys only on the facility/severity prefix and "sshd[".
alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORT (msg: "[CISCO-IOS] Illegal User SSH"; content: "%DAEMON-3-SYSTEM_MSG:"; content: "sshd["; classtype: unsuccessful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5001669; sid: 5001669; rev:2;)
# Example for 5001671 (all three substrings must be present):
# %USER-3-SYSTEM_MSG: FATAL: bad tty - login (no program)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] FATAL: bad tty - login (no program)"; content: "%USER-3-SYSTEM_MSG:"; content: "FATAL: bad tty"; content: "no program"; classtype: system-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001671; sid: 5001671; rev:1;)
# Failed privilege-15 (enable) authentication; parse_src_ip: 1 extracts the source from the message text.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Auth to privilege 15 failed"; content: "%SYS-5-PRIV_AUTH_FAIL"; parse_src_ip: 1; classtype: unsuccessful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5001672; sid: 5001672; rev:2;)
# Storm-control and ARP-inspection events; classed as network-event, no rate limiting.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Multicast storm detected"; content: "%STORM_CONTROL-3-FILTERED"; classtype: network-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001673; sid: 5001673; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Invalid ARP"; content: "%SW_DAI-4-INVALID_ARP"; classtype: network-event; reference: url,wiki.quadrantsec.com/bin/view/Main/5001674; sid: 5001674; rev:1;)
# Fan RPM warning, capped at 2 alerts per source per 300 s.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Low FAN RPM - Service recommended"; content: "%ENVMON-4-FAN_LOW_RPM"; classtype: hardware-event; threshold: type limit, track by_src, count 2, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001688; sid: 5001688; rev:2;)
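# Submitted by Robert Nunley ([email protected]) - 08/14/2013
# EIGRP neighbor adjacency changes (%DUAL-5-NBRCHANGE), split on the "is up" / "is down" text. Both are capped at
# 5 alerts per source per 300 s so a flapping neighbor does not flood the console, and parse_src_ip: 1 takes the
# source address from the message text.
# rev 5 of 5001707: the option was misspelled "parse_src_ipl 1" in rev 4, which Sagan cannot recognise as
# parse_src_ip; corrected to the same form 5001708 already uses.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] EIGRP Adjacency Change - Neighbor Up"; content: "%DUAL-5-NBRCHANGE"; content: "EIGRP"; content: "is up"; classtype: system-event; parse_src_ip: 1; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001707; sid: 5001707; rev:5;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] EIGRP Adjacency Change - Neighbor Down"; content: "%DUAL-5-NBRCHANGE"; content: "EIGRP"; content: "is down"; classtype: system-event; parse_src_ip: 1; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001708; sid: 5001708; rev:5;)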
# Submitted by Robert Nunley ([email protected]) - 11/18/2013
# BGP adjacency changes, capped at 5 alerts per source per 300 s. The "Up" / "Down" / "topology" contents carry no
# nocase, so the match is case-sensitive and depends on the exact capitalisation the device emits.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] BGP Adjacency Change - Neighbor Up"; content: "%BGP-5-ADJCHANGE"; content: "neighbor"; content: "Up"; classtype: system-event; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001718; sid: 5001718; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] BGP Adjacency Change - Neighbor Down"; content: "%BGP-5-ADJCHANGE"; content: "neighbor"; content: "Down"; classtype: system-event; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001719; sid: 5001719; rev:1;)
# Separate mnemonic (%BGP_SESSION-5-ADJCHANGE) for a neighbor leaving the topology.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] BGP Neighbor Removed From Topology"; content: "%BGP_SESSION-5-ADJCHANGE"; content: "neighbor"; content: "topology"; classtype: system-event; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001720; sid: 5001720; rev:1;)
# Submitted by Adam Hall ([email protected]) - 11/18/2013
# HSRP events, capped at 5 alerts per source per 300 s.
# NOTE(review): 5001721 matches only the substrings "Grp" and "Coup" with no facility/mnemonic anchor, so any
# message containing both fires it; anchoring on the STANDBY/HSRP mnemonic as the two rules below do would narrow it.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] HSRP Requesting Active State"; content: "Grp"; content: "Coup"; classtype: system-event; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001721; sid: 5001721; rev:1;)
# Two mnemonic variants (%STANDBY-6 / %HSRP-5) of the same state-change event; both carry the same msg text.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] HSRP State Change"; content: "%STANDBY-6-STATECHANGE"; content: "state"; classtype: system-event; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001722; sid: 5001722; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] HSRP State Change"; content: "%HSRP-5-STATECHANGE"; content: "state"; classtype: system-event; threshold: type limit, track by_src, count 5, seconds 300; reference: url,wiki.quadrantsec.com/bin/view/Main/5001723; sid: 5001723; rev:1;)
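# %PARSER-5-CFGLOG_LOGGEDCMD: User:bob logged command:!exec: enable
# Command logging. The generic per-command alert 5001871 is disabled; 5001872 keeps only logged commands whose text
# contains both "exec" and "enable" (case-insensitive via nocase), which the example line above satisfies. Any other
# logged command that happens to contain both substrings also matches.
#alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Command logged"; content: "%PARSER-5-CFGLOG_LOGGEDCMD"; classtype: misc-activity; reference: url,wiki.quadrantsec.com/bin/view/Main/5001871; sid: 5001871; rev:1;)
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Enable command executed"; content: "%PARSER-5-CFGLOG_LOGGEDCMD"; content: "exec"; nocase; content: "enable"; nocase; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5001872; sid: 5001872; rev:1;)
# Jan 22 16:03:51: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: bob] [Source: 10.10.0.1] [localport: 22] at 16:03:51 UTC Wed Jan 22 2014
# Successful login (the example line above). rev 2: the content was a copy of 5001872's "%PARSER-5-CFGLOG_LOGGEDCMD",
# which raised "Login Success" for every logged command and never for an actual login; it now keys on the SEC_LOGIN
# success mnemonic. parse_src_ip: 1 takes the source address from the message text; parse_port presumably picks up
# the "[localport: 22]" field — confirm against Sagan's parse_port behaviour.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "[CISCO-IOS] Login Success"; content: "%SEC_LOGIN-5-LOGIN_SUCCESS"; classtype: successful-admin; parse_src_ip: 1; parse_port; reference: url,wiki.quadrantsec.com/bin/view/Main/5001952; sid: 5001952; rev:2;)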