tum
/
soc


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109
							#!/usr/bin/env bash
set -euo pipefail

SCENARIO="${1:-all}"
COUNT="${2:-1}"
DELAY="${3:-0.3}"

WAZUH_SYSLOG_HOST="${WAZUH_SYSLOG_HOST:-127.0.0.1}"
WAZUH_SYSLOG_PORT="${WAZUH_SYSLOG_PORT:-514}"

CISCO_DEVICE_HOST="${CISCO_DEVICE_HOST:-cisco-asa-01}"
CISCO_SRC_IP="${CISCO_SRC_IP:-198.51.100.25}"
CISCO_DST_IP="${CISCO_DST_IP:-10.10.10.20}"
CISCO_VPN_USER="${CISCO_VPN_USER:-vpn.user}"
CISCO_ADMIN_USER="${CISCO_ADMIN_USER:-admin}"

if ! [[ "${COUNT}" =~ ^[0-9]+$ ]] || [[ "${COUNT}" -lt 1 ]]; then
  echo "error: count must be a positive integer"
  exit 1
fi

emit_syslog() {
  local msg="$1"
  local sent="false"

  if command -v nc >/dev/null 2>&1; then
    if printf "%s\n" "${msg}" | nc -u -w1 "${WAZUH_SYSLOG_HOST}" "${WAZUH_SYSLOG_PORT}"; then
      sent="true"
    fi
  fi

  if [[ "${sent}" != "true" ]]; then
    if printf "%s\n" "${msg}" >"/dev/udp/${WAZUH_SYSLOG_HOST}/${WAZUH_SYSLOG_PORT}" 2>/dev/null; then
      sent="true"
    fi
  fi

  if [[ "${sent}" != "true" ]]; then
    echo "error: failed to send syslog event to ${WAZUH_SYSLOG_HOST}:${WAZUH_SYSLOG_PORT}/udp"
    echo "hint: install netcat or run with bash UDP support (/dev/udp)"
    return 1
  fi

  echo "[$(date -u +'%Y-%m-%dT%H:%M:%SZ')] sent: ${msg}"
}

random_id() {
  printf "%s" "cisco-evt-$(date +%s)-$RANDOM-$RANDOM"
}

send_asa_acl_deny() {
  local eid
  eid="$(random_id)"
  emit_syslog "<166>$(date '+%b %d %H:%M:%S') ${CISCO_DEVICE_HOST} %ASA-4-106023: Deny tcp src outside:${CISCO_SRC_IP}/51515 dst inside:${CISCO_DST_IP}/445 by access-group \"outside_access_in\" [0x0, 0x0] soc_mvp_test=true vendor=cisco product=asa event_id=${eid} event_type=cisco_asa_acl_deny severity=high"
}

send_asa_vpn_auth_fail() {
  local eid
  eid="$(random_id)"
  emit_syslog "<166>$(date '+%b %d %H:%M:%S') ${CISCO_DEVICE_HOST} %ASA-4-113019: Group = RA-VPN, Username = ${CISCO_VPN_USER}, IP = ${CISCO_SRC_IP}, Session disconnected. Session Type: SSL, Duration: 0h:00m:01s, Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested. soc_mvp_test=true vendor=cisco product=asa event_id=${eid} event_type=cisco_vpn_auth_fail severity=medium"
}

send_ios_login_fail() {
  local eid
  eid="$(random_id)"
  emit_syslog "<165>$(date '+%b %d %H:%M:%S') ${CISCO_DEVICE_HOST} %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ${CISCO_ADMIN_USER}] [Source: ${CISCO_SRC_IP}] [localport: 22] [Reason: Login Authentication Failed] at 19:30:00 UTC Tue Feb 17 2026 soc_mvp_test=true vendor=cisco product=ios event_id=${eid} event_type=cisco_ios_login_fail severity=medium"
}

send_ios_config_change() {
  local eid
  eid="$(random_id)"
  emit_syslog "<165>$(date '+%b %d %H:%M:%S') ${CISCO_DEVICE_HOST} %SYS-5-CONFIG_I: Configured from console by ${CISCO_ADMIN_USER} on vty0 ( ${CISCO_SRC_IP} ) soc_mvp_test=true vendor=cisco product=ios event_id=${eid} event_type=cisco_config_change severity=low"
}

send_once() {
  case "${SCENARIO}" in
    asa_acl_deny)
      send_asa_acl_deny
      ;;
    asa_vpn_auth_fail)
      send_asa_vpn_auth_fail
      ;;
    ios_login_fail)
      send_ios_login_fail
      ;;
    ios_config_change)
      send_ios_config_change
      ;;
    all)
      send_asa_acl_deny
      send_asa_vpn_auth_fail
      send_ios_login_fail
      send_ios_config_change
      ;;
    *)
      echo "error: unknown scenario '${SCENARIO}'"
      echo "valid: asa_acl_deny | asa_vpn_auth_fail | ios_login_fail | ios_config_change | all"
      exit 1
      ;;
  esac
}

for ((i=1; i<=COUNT; i++)); do
  send_once
  if [[ "${i}" -lt "${COUNT}" ]]; then
    sleep "${DELAY}"
  fi
done