Hi,
I am trying to create an EEM "Port-knocking" script which should act upon an ordered sequence of SYSLOG messages. The SYSLOG messages are generated by some "deny tcp any any XXX log STRING" ACLs, applied to the outside interface.
Here is what I have already tried:
! <------- BEGIN ------->
!
ip access-list extended INTERNET
 deny tcp any any eq 1234 log OPEN_SEQUENCE_A
 deny tcp any any eq 1235 log OPEN_SEQUENCE_B
 deny tcp any any eq 1236 log OPEN_SEQUENCE_C
!
!
!
event manager environment 1ST_MATCH 0
event manager environment 2ND_MATCH 0
!
event manager applet ONE
 event syslog pattern "OPEN_SEQUENCE_A"
 action 1 set 1ST_MATCH "1"
 action 2 syslog msg "DETECTED SEQUENCE A!"
!
event manager applet TWO
 event syslog pattern "OPEN_SEQUENCE_B"
 action 1 if $1ST_MATCH eq 1
 action 2  set 2ND_MATCH "1"
 action 3  syslog msg "DETECTED SEQUENCE B!"
 action 4 end
!
event manager applet THREE
 event syslog pattern "OPEN_SEQUENCE_C"
 action 1 if $1ST_MATCH eq 1
 action 2  if $2ND_MATCH eq 1
 action 3   syslog msg "DETECTED SEQUENCE C!"
 action 4   syslog msg "PORT KNOCK SUCCESSFUL! UNLOCKING!..."
 action 5  end
 action 6 end
!
!
!
! <------- END ------->
In the above I am somehow trying to "chain" the syslog events, yet I do not seem to be able to pass any information between the applets.
Any comments are highly appreciated.
Cheers,
David
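As an added illustration, not David's configuration and not Cisco code: a small Python model of the ordered-knock detection that the three applets are meant to express, run over constructed syslog lines of the shape the "log OPEN_SEQUENCE_x" ACL entries produce. It keeps the sequence state per source address, restarts on an out-of-order knock and expires stale state after a window; the placement of the log tag in the message and the 10-second window are assumptions marked in the code.

```python
import re

KNOCK_ORDER = ("OPEN_SEQUENCE_A", "OPEN_SEQUENCE_B", "OPEN_SEQUENCE_C")
KNOCK_WINDOW = 10  # seconds allowed between consecutive knocks (assumption)

# Loosely matches an IOS IPACCESSLOGP message; the log-tag position is assumed.
LINE_RE = re.compile(
    r"denied tcp (?P<src>[\d.]+)\(\d+\) -> [\d.]+\(\d+\).*?(?P<tag>OPEN_SEQUENCE_[ABC])"
)


def knock_line(src, sport, dport, tag):
    """Constructed sample line in the shape of an IOS ACL log message."""
    return (f"%SEC-6-IPACCESSLOGP: list INTERNET denied tcp {src}({sport}) -> "
            f"198.51.100.1({dport}), 1 packet {tag}")


# Constructed events: (seconds since start, syslog line).
SAMPLE_EVENTS = [
    (0, knock_line("203.0.113.5", 40001, 1234, "OPEN_SEQUENCE_A")),
    (2, knock_line("203.0.113.5", 40002, 1235, "OPEN_SEQUENCE_B")),
    (4, knock_line("203.0.113.5", 40003, 1236, "OPEN_SEQUENCE_C")),  # complete A->B->C
    (5, knock_line("203.0.113.9", 50001, 1236, "OPEN_SEQUENCE_C")),  # C alone: ignored
    (6, knock_line("203.0.113.9", 50002, 1234, "OPEN_SEQUENCE_A")),
    (30, knock_line("203.0.113.9", 50003, 1235, "OPEN_SEQUENCE_B")),  # 24 s later: stale
    (31, knock_line("203.0.113.9", 50004, 1236, "OPEN_SEQUENCE_C")),  # no unlock
]


def detect_knocks(events):
    """Return [(timestamp, src_ip)] for every completed A->B->C sequence."""
    progress = {}  # src_ip -> (index of next expected knock, time of last knock)
    unlocked = []
    for ts, line in events:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a knock message
        src, tag = m.group("src"), m.group("tag")
        idx, last = progress.get(src, (0, None))
        if last is not None and ts - last > KNOCK_WINDOW:
            idx = 0  # too much time since the previous knock: start over
        if tag == KNOCK_ORDER[idx]:
            idx += 1  # expected knock: advance
        else:
            # wrong knock resets the chain; a fresh knock A starts a new attempt
            idx = 1 if tag == KNOCK_ORDER[0] else 0
        if idx == len(KNOCK_ORDER):
            unlocked.append((ts, src))  # this is where "UNLOCKING" would happen
            idx = 0
        progress[src] = (idx, ts)
    return unlocked
```

Only the host that sends A, B and C in order within the window is reported; the posted applets, by contrast, never reset their flags, so the model also shows the reset behaviour a real implementation needs.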