filter.list
# list of syslog filters
#
# file format:
# <message id>
# TAB<regex>
# TAB<parameter list>
# TAB<extra parameters as k=v>
# TAB<test syslog>
# TAB<test expected parsed values>
# optional: more test log and value lines...
#
106014
	^Deny inbound (icmp) src (.*):(.*) dst (.*):(.*) \(type (.*), code (.*)\)
	proto;srcintf;srcip;dstintf;dstip;icmptype;icmpcode
	action=deny;type=traffic;subtype=forward
	Deny inbound icmp src outside:2.2.2.2 dst inside:10.10.10.10 (type 8, code 0)
	icmp;outside;2.2.2.2;inside;10.10.10.10;8;0
106023
	^Deny (tcp|udp) src (.*):(.*)/(.*) dst (.*):(.*)/(.*) by access-group ".*" .*
	proto;srcintf;srcip;srcport;dstintf;dstip;dstport
	action=deny;type=traffic;subtype=forward
	Deny udp src inside:10.10.10.10/12345 dst outside:2.2.2.2/80 by access-group "global" [0x0, 0x0]
	udp;inside;10.10.10.10;12345;outside;2.2.2.2;80
106023
	^Deny (icmp) src ([^:]*):(.*) dst ([^:]*):(.*) \(type (.*), code (.*)\) by access-group ".*" .*
	proto;srcintf;srcip;dstintf;dstip;icmptype;icmpcode
	action=deny;type=traffic;subtype=forward
	Deny icmp src inside:10.10.10.10 dst outside:2.2.2.2 (type 8, code 0) by access-group "inside-in" [0x0, 0x0]
	icmp;inside;10.10.10.10;outside;2.2.2.2;8;0
	Deny icmp src inside:2a01:111:222:333::2 dst outside:2a00:111:222:333:444:555:666:777 (type 1, code 3) by access-group "outside-in" [0x0, 0x0]
	icmp;inside;2a01:111:222:333::2;outside;2a00:111:222:333:444:555:666:777;1;3
106023
	^Deny protocol ([^ ]+) src (.*):(.*) dst (.*):(.*) by access-group ".*" .*
	proto;srcintf;srcip;dstintf;dstip
	action=deny;type=traffic;subtype=forward
	Deny protocol 50 src outside:2.2.2.2 dst inside:10.10.10.10 by access-group "outside-in" [0x0, 0x0]
	50;outside;2.2.2.2;inside;10.10.10.10
106006
	^Deny inbound (TCP|UDP) from ([^ ]*)\/([^ ]*) to ([^ ]*)\/([^ ]*) on interface ([^ ]*)
	proto;srcip;srcport;dstip;dstport;srcintf
	action=deny;type=traffic;subtype=forward
	Deny inbound UDP from 10.10.10.10/12345 to 2.2.2.2/80 on interface inside
	UDP;10.10.10.10;12345;2.2.2.2;80;inside
106021
	^Deny ([^ ]*) reverse path check from ([^ ]*) to ([^ ]*) on interface ([^ ]*)
	proto;srcip;dstip;srcintf
	action=deny;type=traffic;subtype=forward
	Deny IPv6-ICMP reverse path check from :: to ff02::16 on interface inside
	IPv6-ICMP;::;ff02::16;inside
106100
	^access-list [^ ]* permitted (tcp|udp|icmp) ([^ ]*)\/([^ ]*)\(([^ ]*)\) -> ([^ ]*)\/([^ ]*)\(([^ ]*)\) hit-cnt .*
	proto;srcintf;srcip;srcport;dstintf;dstip;dstport
	action=allow;type=traffic;subtype=forward
	access-list inside-in permitted tcp inside/10.10.10.10(12345) -> outside/2.2.2.2(80) hit-cnt 1 first hit [0x12345678, 0x00000000]
	tcp;inside;10.10.10.10;12345;outside;2.2.2.2;80
106102
	^access-list .* permitted (udp|tcp) for user '(.*)' (.*)/(.*)\((.*)\) -> (.*)/(.*)\((.*)\) .*
	proto;user;srcintf;srcip;srcport;dstintf;dstip;dstport
	action=allow;type=traffic;subtype=forward
	access-list user-acl permitted tcp for user 'username' outside/2.2.2.2(12345) -> inside/10.10.10.10(80) hit-cnt 1 first hit [0x12345678, 0x0]
	tcp;username;outside;2.2.2.2;12345;inside;10.10.10.10;80
305005
	^No translation group found for (tcp|udp) src (.*):(.*)/(.*) dst (.*):(.*)/(.*)
	proto;srcintf;srcip;srcport;dstintf;dstip;dstport
	action=deny;type=traffic;subtype=forward
	No translation group found for tcp src inside:10.10.10.10/12345 dst outside:2.2.2.2/80
	tcp;inside;10.10.10.10;12345;outside;2.2.2.2;80
305005
	^No translation group found for (icmp) src (.*):(.*) dst (.*):(.*) \(type (.*), code (.*)\)
	proto;srcintf;srcip;dstintf;dstip;icmptype;icmpcode
	action=deny;type=traffic;subtype=forward
	No translation group found for icmp src outside:2.2.2.2 dst inside:10.10.10.10 (type 8, code 0)
	icmp;outside;2.2.2.2;inside;10.10.10.10;8;0
305006
	^regular translation creation failed for (icmp) src ([^:]*):([^ ]*) dst ([^:]*):([^ ]*) \(type (.*), code (.*)\)
	proto;srcintf;srcip;dstintf;dstip;icmptype;icmpcode
	action=deny;type=traffic;subtype=forward
	regular translation creation failed for icmp src inside:10.10.10.10 dst outside:2.2.2.2 (type 3, code 3)
	icmp;inside;10.10.10.10;outside;2.2.2.2;3;3
313005
	^No matching connection for ICMP error message: (icmp) src ([^:]*):([^ ]*) dst ([^:]*):([^ ]*) \(type (.*), code (.*)\) on [^ ]* interface. (.*)
	proto;srcintf;srcip;dstintf;dstip;icmptype;icmpcode;msg
	action=deny;type=traffic;subtype=forward
	No matching connection for ICMP error message: icmp src inside:10.10.10.10 dst outside:2.2.2.2 (type 3, code 3) on inside interface. Original IP payload: udp src 2.2.2.2/80 dst 10.10.10.10/12345.
	icmp;inside;10.10.10.10;outside;2.2.2.2;3;3;Original IP payload: udp src 2.2.2.2/80 dst 10.10.10.10/12345.
313008
	^Denied ([^ ]*) type=(.*), code=(.*) from ([^ ]*) on interface ([^ ]*)
	proto;icmptype;icmpcode;srcip;srcintf
	action=deny;type=traffic;subtype=forward
	Denied IPv6-ICMP type=135, code=0 from 2a01:111:222:333::2 on interface inside
	IPv6-ICMP;135;0;2a01:111:222:333::2;inside
710003
	^(TCP|UDP) access denied by ACL from (.*)/(.*) to (.*):(.*)/(.*)
	proto;srcip;srcport;dstintf;dstip;dstport
	action=deny;type=traffic;subtype=forward
	TCP access denied by ACL from 10.10.10.10/12345 to outside:2.2.2.2/80
	TCP;10.10.10.10;12345;outside;2.2.2.2;80
733100
	^\[ ([^ ]*)\] ([^;]*);.*
	attack;attackcontext
	action=deny;type=ips;subtype=signature
	[ Scanning] drop rate-1 exceeded. Current burst rate is 26 per second, max configured rate is 10; Current average rate is 88 per second, max configured rate is 5; Cumulative total count is 53225
	Scanning;drop rate-1 exceeded. Current burst rate is 26 per second, max configured rate is 10
733100
	^\[[ ]+Port-.* (.*)\] ([^;]*);.*
	dstport;attackcontext
	action=deny;type=ips;subtype=signature;attack=scan port;proto=6
	[ Port-5247 5247] drop rate-1 exceeded. Current burst rate is 40 per second, max configured rate is 40; Current average rate is 19 per second, max configured rate is 20; Cumulative total count is 11950
	5247;drop rate-1 exceeded. Current burst rate is 40 per second, max configured rate is 40
733100
	^\[[ ]+Port-.*\] ([^;]*);.*
	attackcontext
	action=deny;type=ips;subtype=signature;attack=scan portrange;proto=6
	[ Port-8191-65535] drop rate-1 exceeded. Current burst rate is 40 per second, max configured rate is 40; Current average rate is 30 per second, max configured rate is 20; Cumulative total count is 18297
	drop rate-1 exceeded. Current burst rate is 40 per second, max configured rate is 40
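The header of this file documents the record layout (message id, then TAB-prefixed regex, parameter list, extra k=v fields, and test log / expected-value pairs) but not how to load it. The following Python is an added example, not code from this repository: a loader for that layout that also runs the embedded tests, which is the check worth doing before a filter list like this is deployed in front of a SIEM, since a regex that silently stops matching an ASA message means a denied connection never becomes an event. The function names (`parse_filter_list`, `apply_filters`, `self_test`) and the two-record sample are assumptions of the example; the two records themselves are copied from the list above.

```python
import re
from dataclasses import dataclass

# Constructed sample in the documented filter.list layout. Both records are
# copied from the filter list above; the leading TAB on each field line is
# significant, exactly as the file-format comment requires.
SAMPLE = (
    "# list of syslog filters\n"
    "106023\n"
    '\t^Deny (tcp|udp) src (.*):(.*)/(.*) dst (.*):(.*)/(.*) by access-group ".*" .*\n'
    "\tproto;srcintf;srcip;srcport;dstintf;dstip;dstport\n"
    "\taction=deny;type=traffic;subtype=forward\n"
    '\tDeny udp src inside:10.10.10.10/12345 dst outside:2.2.2.2/80 by access-group "global" [0x0, 0x0]\n'
    "\tudp;inside;10.10.10.10;12345;outside;2.2.2.2;80\n"
    "733100\n"
    "\t^\\[[ ]+Port-.* (.*)\\] ([^;]*);.*\n"
    "\tdstport;attackcontext\n"
    "\taction=deny;type=ips;subtype=signature;attack=scan port;proto=6\n"
    "\t[ Port-5247 5247] drop rate-1 exceeded. Current burst rate is 40 per second, "
    "max configured rate is 40; Current average rate is 19 per second, "
    "max configured rate is 20; Cumulative total count is 11950\n"
    "\t5247;drop rate-1 exceeded. Current burst rate is 40 per second, max configured rate is 40\n"
)


@dataclass
class Filter:
    msg_id: str
    regex: re.Pattern
    params: list   # capture-group names, in group order
    extra: dict    # fixed k=v fields attached to every match
    tests: list    # (test syslog line, expected value list) pairs


def _build(msg_id, fields):
    """Turn the TAB-indented field lines of one record into a Filter."""
    # regex + params + extras, then one or more (test, expected) pairs
    if len(fields) < 5 or len(fields) % 2 == 0:
        raise ValueError(f"{msg_id}: expected regex, params, extras and test/expected pairs")
    regex = re.compile(fields[0])
    params = fields[1].split(";")
    extra = dict(kv.split("=", 1) for kv in fields[2].split(";") if kv)
    tests = [(fields[i], fields[i + 1].split(";")) for i in range(3, len(fields), 2)]
    return Filter(msg_id, regex, params, extra, tests)


def parse_filter_list(text):
    """Parse filter.list text: '#' comments, an id line, then TAB-prefixed fields."""
    filters, msg_id, fields = [], None, []
    for raw in text.splitlines():
        if raw.startswith("\t"):
            fields.append(raw[1:])
            continue
        if msg_id is not None:          # any non-TAB line closes the open record
            filters.append(_build(msg_id, fields))
            msg_id, fields = None, []
        line = raw.strip()
        if line and not line.startswith("#"):
            msg_id = line
    if msg_id is not None:
        filters.append(_build(msg_id, fields))
    return filters


def apply_filters(filters, line):
    """Return the parsed fields of the first filter that matches `line`, else None."""
    for f in filters:
        m = f.regex.match(line)
        if m:
            out = {"msg_id": f.msg_id}
            out.update(zip(f.params, m.groups()))
            out.update(f.extra)
            return out
    return None


def self_test(filters):
    """Run every embedded test and flag regex/parameter-count mismatches."""
    failures = []
    for f in filters:
        if f.regex.groups != len(f.params):
            failures.append(f"{f.msg_id}: {f.regex.groups} groups but {len(f.params)} params")
        for log, expected in f.tests:
            m = f.regex.match(log)
            got = list(m.groups()) if m else None
            if got != expected:
                failures.append(f"{f.msg_id}: got {got!r}, expected {expected!r}")
    return failures


if __name__ == "__main__":
    fl = parse_filter_list(SAMPLE)
    print(f"{len(fl)} filters loaded, failures: {self_test(fl)}")
    print(apply_filters(fl, "Deny udp src inside:10.10.10.10/12345 dst outside:2.2.2.2/80 "
                            'by access-group "global" [0x0, 0x0]'))
```

Point `parse_filter_list` at the real file contents and run `self_test` in CI: an empty failure list means every regex still reproduces its expected values, and the group-count check catches the common editing slip of adding a capture group without extending the parameter list. Note that filters are tried in file order, so the first matching record wins; the three 733100 entries above rely on that.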