-
Notifications
You must be signed in to change notification settings - Fork 0
/
Ubiquiti-USG-FirewallDeny-Event-Pattern
23 lines (23 loc) · 1.59 KB
/
Ubiquiti-USG-FirewallDeny-Event-Pattern
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
<ruleset name="ubiquiti">
<pattern>kernel</pattern>
<rules>
<rule provider="ELSA" class='2' id='2'>
<patterns>
<pattern>[@ESTRING:s2:-D]@IN=@ESTRING:s1: @OUT=@ESTRING:s0: @@ESTRING:: SRC=@@IPv4:i1:@ DST=@IPv4:i3:@ @ESTRING::PROTO=@@ESTRING:i0: @SPT=@ESTRING:i2: @DPT=@ESTRING:i4: @@ANYSTRING@</pattern>
</patterns>
<examples>
<example>
<test_message program="kernel">[LAN_IN-2003-D]IN=eth1 OUT=pppoe0 MAC=80:2a:a8:cd:af:e0:40:8d:5c:4c:04:58:08:00 SRC=192.168.1.5 DST=209.222.18.218 LEN=70 TOS=0x00 PREC=0x00 TTL=127 ID=13532 PROTO=UDP SPT=41743 DPT=53 LEN=50</test_message>
<test_value name="s0">pppoe0</test_value>
<test_value name="s1">eth1</test_value>
<test_value name="s2">LAN_IN-2003</test_value>
<test_value name="i0">UDP</test_value>
<test_value name="i1">192.168.1.5</test_value>
<test_value name="i2">41743</test_value>
<test_value name="i3">209.222.18.218</test_value>
<test_value name="i4">53</test_value>
</example>
</examples>
</rule>
</rules>
</ruleset>