###
###	ipfilter ipmon messages
### $Id: ipmon.txt,v 1.3 2002/04/02 21:54:05 emf Exp $
###


# junk
# netbios name resolution attempts
# In an ipmon line the port written directly before "PR" is the destination
# port (see the src,sport -> dst,dport layout captured by the tcp/udp rules
# below), so this drops blocked UDP traffic aimed at port 137 (NetBIOS name
# service).  logsurfer stops at the first matching rule unless it says
# "continue", and none of the rules here does, so a line eaten by this ignore
# rule never reaches the incident rules further down.  The pattern is
# unanchored: any log line containing "ipmon" and ",137 PR udp" qualifies.
'.*ipmon.*,137 PR udp.*' - - - 0 ignore

# webserver lost packets.
# Blocked TCP packets to destination port 80 whose flag field (the text after
# the "-", see the "-(.*)" capture in the tcp rule below) contains an A or an
# R -- presumably ACK/RST stragglers from web connections the server has
# already finished, which are noise rather than probes.  The alternation is
# not anchored inside the flag field, so "-AP", "-R", "-FA" etc. all match.
# Like the rule above it has no "continue", so matched lines are consumed.
'.*ipmon.*,80 PR tcp.* -(A|R).*' - - - 0 ignore

# tcp
# Any remaining blocked ("b") inbound TCP packet.  "^.{15,} " skips the
# syslog date stamp; the submatches, counted left to right, are:
#   $1 syslog host   $2 ipmon timestamp   $3 src addr    $4 src port
#   $5 dst addr      $6 dst port          $7 tcp flags   $8 field before "IN"
# The regex insists on a space-separated field between the flags and "IN";
# presumably that matches the ipmon output on this system -- confirm, since a
# line with nothing between "-S" and "IN" would not match at all.
# "open" collects matching lines into a context keyed on the $4 value (a
# context already open for the same value is reused); the three numbers are,
# per logsurfer's open syntax, the line limit (10000), the absolute timeout
# (600 s) and the relative timeout (60 s since the last line) -- confirm
# against the logsurfer.conf man page of the installed version.  When the
# context closes, the default action pipes it into surfmailer for root.
# NOTE(review): with the src,sport -> dst,dport layout, $4 is the *source
# port*, not the source address, so incidents are grouped and the mail subject
# labelled by port.  If the intent is one report per offending host, $3 looks
# like the intended reference (the "other icmp" rule keys on an address);
# confirm before changing.
# NOTE(review): $4 is text taken from a log line describing an unsolicited
# packet, i.e. network-derived data, and it is interpolated into the report
# command line and its quoted subject.  Check how this logsurfer build starts
# report commands (direct exec vs. a shell) before relying on that quoting.
'^.{15,} (.*) ipmon\[[0-9][0-9]*\]: ([0-9][0-9]:[0-9][0-9]:[0-9][0-9].[0-9][0-9][0-9][0-9][0-9][0-9]).* @.* b (.*),(.*) -> (.*),(.*) PR tcp .* -(.*) (.*) IN' - - - 0 
  open "$4" - 10000 600 60
  report "/usr/local/bin/surfmailer -r root -S \"security incident from $4\"" "$4"

# udp
# Any remaining blocked inbound UDP packet (port-137 noise was already dropped
# above).  Same layout as the tcp rule minus the flag fields:
#   $1 syslog host   $2 ipmon timestamp   $3 src addr   $4 src port
#   $5 dst addr      $6 dst port
# "open" collects lines into a context keyed on $4 (line limit 10000,
# absolute timeout 600 s, relative timeout 60 s, per logsurfer's open syntax
# -- confirm against the installed man page); on close the context is piped
# into surfmailer for root.
# NOTE(review): as in the tcp rule, $4 is the *source port*, so contexts and
# the mail subject are keyed by port rather than by the sending host ($3).
# Confirm which was intended.
# NOTE(review): $4 comes from the log line, i.e. from the network, and is
# interpolated into the report command and its quoted subject; check how
# logsurfer launches report commands here before relying on the quoting.
'^.{15,} (.*) ipmon\[[0-9][0-9]*\]: ([0-9][0-9]:[0-9][0-9]:[0-9][0-9].[0-9][0-9][0-9][0-9][0-9][0-9]).* @.* b (.*),(.*) -> (.*),(.*) PR udp .* IN' - - - 0 
  open "$4" - 10000 600 60
  report "/usr/local/bin/surfmailer -r root -S \"security incident from $4\"" "$4"

# icmp
# unsolicited icmp unreachables.  Possible DDoS action.
# Blocked inbound ICMP type 3 code 1 (destination unreachable / host
# unreachable) that quotes the original packet.  This pattern has no
# timestamp group, so the submatches are:
#   $1 syslog host   $2 src addr   $3 dst addr
#   $4 source of the quoted original packet   $5 its destination
# The context is much larger than for tcp/udp (25000 lines, 10800 s absolute
# / 1800 s relative, per logsurfer's open syntax -- confirm against the
# installed man page), presumably because the backscatter from a spoofing
# flood is expected to be heavy and long-lived.
# NOTE(review): the regex has only five capture groups, so "$6" in the open
# and report actions refers to no submatch.  It looks like a leftover from a
# pattern with the timestamp group the "other icmp" rule below still has.
# Depending on what "spoofed DDoS of" is meant to name, $4 (the address being
# spoofed) or $5 (the host being flooded) is probably intended; confirm.
# NOTE(review): whichever field is used comes from the log line, i.e. from
# the network, and is interpolated into the report command and its quoted
# subject; check how logsurfer launches report commands on this system.
'^.{15,} (.*) ipmon\[[0-9]+\]: .* b (.*) -> (.*) PR icmp len .* icmp 3/1 for (.*),.* - (.*),.* PR .* IN' - - - 0
  open "$6" - 25000 10800 1800
  report "/usr/local/bin/surfmailer -r root -S \"possible spoofed DDoS of $6\"" "$6"

# other icmp
# Catch-all for any other blocked inbound ICMP (3/1 lines that matched the
# rule above were already consumed, since that rule has no "continue").
# Submatches:
#   $1 syslog host   $2 ipmon timestamp   $3 src addr   $4 dst addr
#   $5 icmp type     $6 icmp code
# "open" collects lines into a context keyed on $4 (line limit 10000,
# absolute timeout 600 s, relative timeout 60 s, per logsurfer's open syntax
# -- confirm against the installed man page); on close the context is piped
# into surfmailer for root.
# NOTE(review): here $4 is the *destination* address of the blocked packet,
# i.e. the local host, whereas the tcp/udp rules above key on the source
# port.  The subject "security incident from $4" therefore names the target,
# not the sender; $3 is the sender if that is what was meant.  The three
# incident rules should agree on which field identifies the offending host;
# confirm the intent before changing.
# NOTE(review): $4 is lifted from the log line and interpolated into the
# report command and its quoted subject; check how this logsurfer build
# launches report commands before relying on the quoting.
'^.{15,} (.*) ipmon\[[0-9][0-9]*\]: ([0-9][0-9]:[0-9][0-9]:[0-9][0-9].[0-9][0-9][0-9][0-9][0-9][0-9]).* @.* b (.*) -> (.*) PR icmp .* icmp (.*)/(.*) IN' - - - 0 
  open "$4" - 10000 600 60
  report "/usr/local/bin/surfmailer -r root -S \"security incident from $4\"" "$4"

