sagan-rules 1:20160923-0.1 / etc / sagan-rules / normalization.rulebase

# Sagan arp-normalize.rulebase
# Copyright (c) 2009-2016, Quadrant Information Security <www.quadrantsec.com>
# All rights reserved.
#
# This file is used in conjunction with liblognorm.
#
# Please submit any custom rules or ideas to sagan-submit@quadrantsec.com or the sagan-sigs mailing list
#
#*************************************************************
#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
#  following conditions are met:
#
#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
#    disclaimer.
#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
#    following disclaimer in the documentation and/or other materials provided with the distribution.
#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
#    from this software without specific prior written permission.
#
#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#*************************************************************

prefix=

#*****************************************************************************
# arpalert 
#*****************************************************************************

# arpalert
# seq=277, mac=00:01:d7:35:55:06, ip=172.22.1.53, reference=172.22.2.69, type=ip_change, dev=eth0, vendor="F5 Networks, Inc."

rule=: seq=%-:word%, mac=%-:word%, ip=%src-ip:ipv4%, reference=%dst-ip:ipv4%, %-:rest%

#*****************************************************************************
# Bro
#*****************************************************************************

# This is a "custom" bro output Sagan uses for file hashes from Bro.

rule=: files: %-:word% %-:word% %src-ip:ipv4% %dst-ip:ipv4% %-:word% %-:word% %-:number% %-:word% %mime-type:word% %-:word% %-:word% %-:word% %-:word% %-:number% %-:number% %-:number% %-:number% %-:word% %-:word% %filehash-md5:word% %filehash-sha1:word% %filehash-sha256:word% %-:rest%

#*****************************************************************************
# Cisco 
#*****************************************************************************

#  1w3d: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 192.168.0.1

rule=: %uptime:word% %authfail:word% Authentication failure for SNMP req from host %src-ip:ipv4%

#  Dec 26 19:59:26: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.1.128.27

rule=: %month:word% %day:word% %hour:word% %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host %src-ip:ipv4%

# Access denied URL http://www.example.com/somethings.txt SRC 192.168.0.1 DEST 10.10.10.10 on interface inside

rule=: Access denied URL %url:word% SRC %src-ip:ipv4% DEST %dst-ip:ipv4% %-:rest%

# Caused by WebVPN or IPSec
# AAA user authentication Successful : server =  10.10.10.10 : user = domain\bob

rule=: AAA user authentication Successful : server =  %ip-src:ipv4% : user = %username:word%
rule=: AAA user authentication Rejected : reason = AAA failure : server = %src-ip:ipv4% : user = %username:word%

# User authentication failed: Uname: timothy

rule=: User authentication failed: Uname: %username:word% 

# Space at the end of this line! 
# %ASA-6-315011: SSH session from 192.168.0.1  on interface Outside2 for user "test" disconnected by SSH server, reason: "Internal error" (0x00)
#                SSH session from 10.20.10.200 on interface Outside2 for user "root" disconnected by SSH server, reason: "Internal error" (0x00)

rule=: SSH session from %src-ip:ipv4% on interface %-:word% for user %username:quoted-string% disconnected by SSH server, %-:rest%
rule=: SSH session from %src-ip:ipv4%  on interface %-:word% for user %username:quoted-string% disconnected by SSH server, %-:rest%

rule=: Configured from console by %-:word% (%src-ip:ipv4%)
rule=: Authentication failure for %proto:word% req from host %src-ip:ipv4%
rule=: Attempted to connect to %username:word% from %src-ip:ipv4%

# 02:19:47.007 UTC: %SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host 10.10.10.10
#
rule=: %-:word% %-:word% %-:word% %-:word% %%SNMP-3-AUTHFAIL: Authentication failure for SNMP req from host %src-ip:ipv4%

# Deny TCP (no connection) from perforce/139 to 192.168.73.1/2048 flags RST ACK  on interface INSIDE
#
rule=: Deny %proto:word% (no connection) from %src-ip:ipv4%/%src-port:number% to %dst-ip:ipv4%/%dst-port:number% flags %-:rest%

# Mar 31 02:30:42.815 UTC: %SYS-5-CONFIG_I: Configured from console by sachen on vty0 (10.32.23.63)
#
rule=: %-:word% %-:word% %-:word% %-:word% %%SYS-5-CONFIG_I: Configured from console by %username:word% on %-:word% (%src-ip:ipv4%)

# Deny inbound UDP from 46.161.166.49/63905 to 214.20.10.211/65257 on interface OUTSIDE
#
rule=: Deny inbound UDP from %src-ip:ipv4%/%src-port:number% to %dst-ip:ipv4%/%dst-port:number% %-:rest%

# Denied ICMP type=8, code=0 from 159.101.118.111 on interface INSIDE
#
rule=: Denied ICMP type=%-:number%, code=%-:number% from %src-ip:ipv4% %-:rest%

# These cover a lot of WebVPN, etc rules. 
#
# Group <GroupPolicy1> User <Bob> IP <10.10.10.10> WebVPN session terminated: User Requested.
# Group <GroupPolicy1> User <Bob> IP <10.10.10.10> WebVPN session terminated: Idle Timeout.
# Group <Mobile VPN Group Policy> User <Bob> IP <10.10.10.10> SVC closing connection: Transport closing.
# Group <Mobile VPN Group Policy> User <BobR> IP <10.10.10.10> SVC Message: 17/ERROR: Reconnecting to recover from error..
#
rule=: Group <%-:char-to:\x3e%> User <%username:char-to:\x3e%> IP <%src-ip:char-to:\x3e%> %-:rest%

# Teardown UDP connection 31929471 for inside:10.10.10.10/1111 to dmz:239.254.0.4/12224 duration 0:00:00 bytes 0
# Teardown TCP connection 1829067148 for outside:10.10.10.10/443 to inside:192.168.1.1/10830 duration 0:03:04 bytes 8699 TCP FINs"

rule=: Teardown %proto:word% connection %connection:number% for %-:char-to:\x3a%:%src-ip:ipv4%/%src-port:number% to %-:char-to:\x3a%:%dst-ip:ipv4%/%dst-port:number% %-:rest%

# Teardown ICMP connection for faddr 10.10.10.10/0 gaddr 192.168.1.1/10000 laddr 192.168.1.1/100001

rule=: Teardown %proto:word% connection for %-:word% %src-ip:ipv4%/%src-port:number% %-:word% %dst-ip:ipv4%/28694 %-:rest%

# access-list inside_egress permitted tcp inside/10.10.10.1(10000) -> outside/192.186.1.1(80) hit-cnt 1 first hit [0xf83f456b, 0x0]

rule=: access-list %-:word% permitted %proto:word% %-:char-to:\x2f%/%src-ip:ipv4%(%src-port:number%) -> %-:char-to:\x2f%/%dst-ip:ipv4%(%dst-port:number%) %-:rest%

# Built inbound TCP connection 3171137 for outside:10.10.10.10/10000 (10.10.10.10/10000)(DOMAIN\Bob) to inside:192.168.1.10/80 (192.168.1.1/80) (Bob)

rule=: Built %-:word% %proto:word% connection %-:number% for %-:char-to:\x3a%:%src-ip:ipv4%/%src-port:number% (%-:ipv4%/58521)(%domain:char-to:\x5c%\%username:char-to:\x29%) to %-:char-to:\x3a%:%dst-ip:ipv4%/%dst-port:number% %-:rest%

# Built inbound TCP connection 1834111354 for outside:10.10.10.10/28490 (10.10.10.10/28490) to dmz:192.168.1.1/80 (192.168.1.1/80)

rule=: Built %-:word% %proto:word% connection %-:number% for %-:char-to:\x3a%:%src-ip:ipv4%/%src-port:number% %-:word% to %-:char-to:\x3a%:%dst-ip:ipv4%/%dst-port:number% %-:rest%

#  Group = Employee, Username = bob, IP = 10.10.10.10, Error processing payload: Payload ID: 14

rule=: Group = %-:word%, Username = %username:word%, IP = %src-ip:ipv4%, %-:rest%
rule=: Group = %-:char-to:\x2c%, Username = %username:char-to:\x2c%, IP = %src-ip:ipv4%, %-:rest%

# FTP connection from inside:10.10.1.1/3789 to outside:12.12.12.12/21, user bob Retrieved file somefile.txt

rule=: FTP connection from %-:char-to:\x3a%:%src-ip:ipv4%/%src-port:number% to %-:char-to:\x3a%:%dst-ip:ipv4%/%dst-port:number%, user %username:word% %-:rest%

# TCP access denied by ACL from 10.10.10.10/28490 to inside:192.168.1.1/80

rule =: TCP access denied by ACL from %src-ip:ipv4%/%src-port:number% to %-:char-to:\x3a%:%dst-ip:ipv4%/%dst-port:number%

# Teardown TCP connection 361112504 for outside:10.10.1.100/61160(LOCAL\Bob) to inside:12.159.2.124/443 duration 0:00:13 bytes 3216 TCP FINs (Bob)

rule=: Teardown %proto:word% connection %-:number% for outside:%src-ip:ipv4%/%src-port:number%%-:word% to inside:%dst-ip:ipv4%/%dst-port:number% %-:rest%

# Cisco ACS normalization 

rule=: %-:word% %-:number% %-:number% %-:word% %-:word% %-:word% %-:word% %-:word% NOTICE Failed-Attempt: Authentication failed, ACSVersion=%-:word% ConfigVersionId=%-:word% Device IP Address=%src-ip:char-to:\x2c%, Device Port=%src-port:char-to:\x2c%, UserName=%username:char-to:\x2c%, Protocol=%-:word% RequestLatency=%-:word% NetworkDeviceName=%-:word% Type=Authentication, Action=Login, Privilege-Level=%-:word% Authen-Type=%-:word% Service=Login, User=%-:word% Port=%-:word% Remote-Address=%dst-ip:char-to:\x2c%, %-:rest%

#*****************************************************************************
# DNS (bind, etc)
#*****************************************************************************

rule=: client %src-ip:ipv4%#%src-port:number%: update '%-:char-to:\x27%' denied
rule=: client %src-ip:ipv4%#%src-port:number%: query (cache) '%-:char-to:\x27%' denied
rule=: unexpected RCODE %-:word% resolving '%-:char-to:\x27%': %src-ip:ipv4%#%src-port:number%
rule=: error (unexpected RCODE %-:word% resolving '%-:char-to:\x27%': %src-ip:ipv4%#%src-port:number%

#*****************************************************************************
# Fortinet/Fortigate
#*****************************************************************************

rule=: time=%-:word% devname=%-:word% devid=%-:word% logid=%-:word% type=%-:word% subtype=%-:word% level=%-:word% vd=%-:word% srcip=%src-ip:ipv4% srcport=%src-port:number% srcintf=%-:word% dstip=%dst-ip:ipv4% dstport=%dst-port:number% dstintf=%-:word% %-:rest% 

#*****************************************************************************
# IMAP
#*****************************************************************************

rule=: Logout user=%username:word% host=%-:word% [%src-ip:ipv4%]
rule=: Login excessive login failures user=%username:word% auth=%-:word% host=%-t:word% [%src-ip:ipv4]]
rule=: Login failed user=%username:word% auth=%-:word% host=%-:word% [%src-ip:ipv4%]
rule=: authentication failure; logname= uid=%-:word% euid=%-:word% tty=%-:word% ruser=%-:word% rhost=%src-ip:ipv4% user=%username:word%

#*****************************************************************************
# Imperva
#*****************************************************************************

rule=: act=Block dst=%dst-ip:ipv4% dpt=%src-port:number% duser=%username:word% src=%src-ip:ipv4% spt=%src-port:number% proto=%proto:word% %all:rest%

#*****************************************************************************
# Linux kernel
#*****************************************************************************

# Rulebase notes: 
#
# iptables TCP : iptables flags "--state NEW,INVALID -j LOG"  (NOTE: no --prefix!)
#
#
# [6251572.861709] IN=fire OUT=fire PHYSIN=eth0 PHYSOUT=eth1 SRC=X.X.X.X DST=X.X.X.X LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9133 DF PROTO=TCP SPT=50661 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0

rule=: %-:word% IN=%-:word% OUT=%-:word% PHYSIN=%-:word% PHYSOUT=%-:word% SRC=%src-ip:ipv4% DST=%dst-ip:ipv4% LEN=%-:number% TOS=%-:word% PREC=%-:word% TTL=%-:number% ID=%-:number% %-:word% PROTO=%proto:word% SPT=%src-port:number% DPT=%dst-port:number% %-:rest%

# iptables UDP : iptables flags "--state NEW,INVALID -j LOG"  (NOTE: no --prefix!)
#
# [6252395.294134] IN=fire OUT=fire PHYSIN=eth1 PHYSOUT=eth0 SRC=X.X.X.X DST=X.X.X.X LEN=78 TOS=0x00 PREC=0x00 TTL=50 ID=8658 DF PROTO=UDP SPT=137 DPT=137 LEN=52
# [6255730.106539] IN=fire OUT=fire PHYSIN=eth0 SRC=X.X.X.X DST=X.X.X.X LEN=76 TOS=0x00 PREC=0xC0 TTL=63 ID=34162 PROTO=UDP SPT=123 DPT=123 LEN=56 
# [6256275.991117] IN=fire OUT=fire PHYSIN=eth0 PHYSOUT=eth1 SRC=X.X.X.X DST=X.X.X.X LEN=241 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=221 

rule=: %-:word% IN=%-:word% OUT=%-:word% PHYSIN=%-:word% PHYSOUT=%-:word% SRC=%src-ip:ipv4% DST=%dst-ip:ipv4% LEN=%-:number% TOS=%-:word% PREC=%-:word% TTL=%-:word% ID=%-:number% PROTO=%-:word% SPT=%src-port:number% DPT=%dst-port:number% %-:rest%

rule=: %-:word% IN=%-:word% OUT=%-:word% PHYSIN=%-:word% SRC=%src-ip:ipv4% DST=%dst-ip:ipv4% LEN=%-:number% TOS=%-:word% PREC=%-:word% TTL=%-:number% ID=%-:number% PROTO=%proto:word% SPT=%src-port:number% DPT=%dst-port:number% %-:rest%

#*****************************************************************************
# nfcap / nfdump 
#*****************************************************************************

# source_ip: 10.1.1.1/54630, destination_ip: 12.159.2.100/13620, protocol: TCP, duration: 0.204, flags: |.A..S.|, tos: 0, packets: 2, bytes: 92, last_time: 2015-06-04 18:29:58, reported by 10.5.1.1

rule=: source_ip: %src-ip:ipv4%/%src-port:number%, destination_ip: %dst-ip:ipv4%/%dst-port:number%, protocol: %proto:char-to:\x2c%, %-:rest%

#*****************************************************************************
# OpenSSH
#*****************************************************************************

rule=: Failed %-:word% for invalid user %username:word% from %src-ip:ipv4% port %src-port:number% ssh2
rule=: Accepted %-:word% for %username:word% from %src-ip:ipv4% port %src-port:number% ssh2
rule=: Accepted keyboard-interactive/pam for %username:word% from %src-ip:ipv4% port %src-port:number% ssh2
rule=: Accepted password for %username:word% from %src-ip:ipv4% port %src-port:number% ssh2
rule=: error: PAM: Authentication failure for %username:word% from %src-ip:ipv4%
rule=: error: PAM: Authentication failure for %username:word% from %src-host:word%
rule=: pam_unix(sshd:auth): authentication failure; logname= uid=%uid:number% euid=%-:number% tty=ssh ruser= rhost=%src-ip:ipv4%  user=%username:word%
rule=: pam_unix(sshd:auth): authentication failure; logname= uid=%uid:number% euid=%-:number% tty=ssh ruser= rhost=%src-ip:ipv4% 
rule=: PAM %number:number% more authentication failure; logname= uid=%uid:number% euid=%-:number% tty=ssh ruser= rhost=%src-ip:ipv4% 
rule=: Accepted publickey for %username:word% from %src-ip:ipv4% port %src-port:number% ssh2 
rule=: error: PAM: Authentication failure for illegal user %username:word% from %src-ip:ipv4%
rule=: Failed password for %username:word% from %src-ip:ipv4% port %src-port:number% ssh2
rule=: Accepted gssapi-with-mic for %username:word% from %src-ip:ipv4% port %src-port:number% ssh2
rule=: Postponed keyboard-interactive for invalid user %username:word% from %src-ip:ipv4% port %src-port:number% ssh2 [preauth]
rule=: Failed keyboard-interactive/pam for invalid user %username:word% from %src-ip:ipv4% port %src-port:number% ssh2
rule=: input_userauth_request: invalid user %username:word% [preauth]
rule=: Invalid user %username:word% from %src-ip:ipv4%
rule=: Disconnecting: Too many authentication failures for %username:word% from %src-ip:ipv4% port %src-port:number% ssh2 [preauth]

#*****************************************************************************
# Palo-Alto
#
# These likely need to be retested! 
#
#*****************************************************************************

rule=: %time:time-24hr%,%devserial:char-sep:\x2C%,url-log,pattern4:THREAT,url,%dtm:char-sep:\x2C%,%genyear:number%/%genmonth:number%/%genday:number% %gentime:time-24hr%,%src-ip:ipv4%,%dst-ip:ipv4%,%natsrcip:ipv4%,%natdstip:ipv4%,%policy:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%app:char-sep:\x2C%,%vsys:char-sep:\x2C%,%srczone:char-sep:\x2C%,%dstzone:char-sep:\x2C%,%srcintf:char-sep:\x2C%,%dstintf:char-sep:\x2C%,%logprofile:char-sep:\x2C%,%year:number%/%month:number%/%day:number% %time:time-24hr%,%session:number%,%count:number%,%src-port:number%,%dst-port:number%,%nat-src-port:number%,%nat-dst-port:number%,%flags:char-sep:\x2C%,tcp,%action:char-sep:\x2C%,%url:char-sep:\x2C%,(9999),%url-catagory:char-sep:\x2C%,%severity:char-sep:\x2C%,%direction:char-sep:\x2C%,%sequence_number:number%,%actionflags:char-sep:\x2C%,%geo_source:char-sep:\x2C%,%geo_dest:char-sep:\x2C%,%therest:rest%


rule=: %time:time-24hr%,%devserial:char-sep:\x2C%,url-log,pattern1:THREAT,url,%dtm:char-sep:\x2C%,%genyear:number%/%genmonth:number%/%genday:number% %gentime:time-24hr%,%src-ip:ipv4%,%dst-ip:ipv4%,%natsrcip:char-sep:\x2C%,%natdstip:char-sep:\x2C%,%policy:char-sep:\x2C%,%source_user:char-sep:\x2C%,%destination_user:char-sep:\x2C%,%app:char-sep:\x2C%,%vsys:char-sep:\x2C%,%srczone:char-sep:\x2C%,%dstzone:char-sep:\x2C%,%srcintf:char-sep:\x2C%,%dstintf:char-sep:\x2C%,%logprofile:char-sep:\x2C%,%year:number%/%month:number%/%day:number% %time:time-24hr%,%session_id:number%,%count:number%,%src-port:number%,%dst-port:number%,%nat-src-port:char-sep:\x2C%,%nat-dst-port:char-sep:\x2C%,%flags:char-sep:\x2C%,tcp,%action:char-sep:\x2C%,%url:quoted-string%,(%threatid:char-sep:\x2C%),%url-catagory:char-sep:\x2C%,%severity:char-sep:\x2C%,%direction:char-sep:\x2C%,%sequence_number:number%,%actionflags:char-sep:\x2C%,%geo_source:char-sep:\x2C%,%geo_dest:char-sep:\x2C%,%therest:rest%

rule=: %time:time-24hr%,%devserial:char-sep:\x2C%,url-log,pattern2:THREAT,url,%dtm:char-sep:\x2C%,%genyear:number%/%genmonth:number%/%genday:number% %gentime:time-24hr%,%src-ip:ipv4%,%dst-ip:ipv4%,%natsrcip:ipv4%,%natdstip:ipv4%,%policy:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%app:char-sep:\x2C%,%vsys:char-sep:\x2C%,%srczone:char-sep:\x2C%,%dstzone:char-sep:\x2C%,%srcintf:char-sep:\x2C%,%dstintf:char-sep:\x2C%,%logprofile:char-sep:\x2C%,%year:number%/%month:number%/%day:number% %time:time-24hr%,%session:number%,%count:number%,%src-port:number%,%dst-port:number%,%nat-src-port:number%,%nat-dst-port:number%,%flags:char-sep:\x2C%,tcp,%action:char-sep:\x2C%,%url:char-sep:\x28%,%ips-threat-id:char-sep:\x2C%,%url-catagory:char-sep:\x2C%,%severity:char-sep:\x2C%,%direction:char-sep:\x2C%,%sequence_number:number%,%actionflags:char-sep:\x2C%,%geo_source:char-sep:\x2C%,%geo_dest:char-sep:\x2C%,%therest:rest%

rule=: %time:time-24hr%,%devserial:char-sep:\x2C%,url-log,pattern3:THREAT,url,%-:char-sep:\x2C%,%genyear:number%/%genmonth:number%/%genday:number% %gentime:time-24hr%,%src-ip:ipv4%,%dst-ip:ipv4%,%natsrcip:ipv4%,%natdstip:ipv4%,%policy:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%app:char-sep:\x2C%,%vsys:char-sep:\x2C%,%srczone:char-sep:\x2C%,%dstzone:char-sep:\x2C%,%srcintf:char-sep:\x2C%,%dstintf:char-sep:\x2C%,%logprofile:char-sep:\x2C%,%year:number%/%month:number%/%day:number% %time:time-24hr%,%session:number%,%count:number%,%src-port:number%,%dst-port:number%,%nat-src-port:number%,%nat-dst-port:number%,%flags:char-sep:\x2C%,tcp,%action:char-sep:\x2C%,%url:char-sep:\x22\x2C\x28%,(%ips-threat-id:char-sep:\x28%,%url-catagory:char-sep:\x2C%,%severity:char-sep:\x2C%,%direction:char-sep:\x2C%,%sequence_number:number%,%actionflags:char-sep:\x2C%,%geo_source:char-sep:\x2C%,%geo_dest:char-sep:\x2C%,%unusedfield:char-sep:\x2C%,%content-type:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%therest:rest%

rule=: %time:time-24hr%,%devserial:char-sep:\x2C%,url-log,pattern5:THREAT,url,%dtm:char-sep:\x2C%,%genyear:number%/%genmonth:number%/%genday:number% %gentime:time-24hr%,%src-ip:ipv4%,%dst-ip:ipv4%,%natsrcip:ipv4%,%natdstip:ipv4%,%policy:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%app:char-sep:\x2C%,%vsys:char-sep:\x2C%,%srczone:char-sep:\x2C%,%dstzone:char-sep:\x2C%,%srcintf:char-sep:\x2C%,%dstintf:char-sep:\x2C%,%logprofile:char-sep:\x2C%,%year:number%/%month:number%/%day:number% %time:time-24hr%,%session:number%,%count:number%,%src-port:number%,%dst-port:number%,%nat-src-port:number%,%nat-dst-port:number%,%flags:char-sep:\x2C%,tcp,%action:char-sep:\x2C%,%url:quoted-string%,(9999),%url-catagory:char-sep:\x2C%,%severity:char-sep:\x2C%,%direction:char-sep:\x2C%,%sequence_number:number%,%actionflags:char-sep:\x2C%,%geo_source:char-sep:\x2C%,%geo_dest:char-sep:\x2C%,%therest:rest%

rule=: %time:time-24hr%,%devserial:char-sep:\x2C%,url-log,pattern6:THREAT,url,%dtm:char-sep:\x2C%,%genyear:number%/%genmonth:number%/%genday:number% %gentime:time-24hr%,%src-ip:ipv4%,%dst-ip:ipv4%,%natsrcip:ipv4%,%natdstip:ipv4%,%policy:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%app:char-sep:\x2C%,%vsys:char-sep:\x2C%,%srczone:char-sep:\x2C%,%dstzone:char-sep:\x2C%,%srcintf:char-sep:\x2C%,%dstintf:char-sep:\x2C%,%logprofile:char-sep:\x2C%,%year:number%/%month:number%/%day:number% %time:time-24hr%,%session:number%,%count:number%,%src-port:number%,%dst-port:number%,%nat-src-port:number%,%nat-dst-port:number%,%flags:char-sep:\x2C%,tcp,%action:char-sep:\x2C%,%url:quoted-string%,%ips-threat-id:char-sep:\x2C%,%url-catagory:char-sep:\x2C%,%severity:char-sep:\x2C%,%direction:char-sep:\x2C%,%sequence_number:number%,%actionflags:char-sep:\x2C%,%geo_source:char-sep:\x2C%,%geo_dest:char-sep:\x2C%,%therest:rest%

rule=: %time:time-24hr%,%devserial:char-sep:\x2C%,url-log,pattern7:THREAT,url,%-:char-sep:\x2C%,%genyear:number%/%genmonth:number%/%genday:number% %gentime:time-24hr%,%src-ip:ipv4%,%dst-ip:ipv4%,%natsrcip:ipv4%,%natdstip:ipv4%,%policy:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%app:char-sep:\x2C%,%vsys:char-sep:\x2C%,%srczone:char-sep:\x2C%,%dstzone:char-sep:\x2C%,%srcintf:char-sep:\x2C%,%dstintf:char-sep:\x2C%,%logprofile:char-sep:\x2C%,%year:number%/%month:number%/%day:number% %time:time-24hr%,%session:number%,%count:number%,%src-port:number%,%dst-port:number%,%nat-src-port:number%,%nat-dst-port:number%,%flags:char-sep:\x2C%,tcp,%action:char-sep:\x2C%,\"%url:char-sep:\x22\x2C\",(%ips-threat-id:char-sep:\x28%,%url-catagory:char-sep:\x2C%,%severity:char-sep:\x2C%,%direction:char-sep:\x2C%,%sequence_number:number%,%actionflags:char-sep:\x2C%,%geo_source:char-sep:\x2C%,%geo_dest:char-sep:\x2C%,%unusedfield:char-sep:\x2C%,%content-type:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%therest:rest%
#####VIRUS

###SAMPLE##### 23:27:06,00099999999,THREAT,virus,0,2014/03/10 23:27:00,198.63.231.38,192.168.192.49,198.63.231.38,99.98.97.206,Users Out,,,ftp,vsys1,Untrust,Trust,ethernet1/1,ethernet1/16,logzprof,2014/03/10 23:27:06,144015,1,39874,56238,39874,60251,0x400000,tcp,deny,"Files.exe",Trojan/Win32.agent.dipyh(2203092),any,medium,server-to-client,172814842,0x0,United States,192.168.0.0-192.168.255.255,0,

rule=: %time:time-24hr%,%devserial:char-sep:\x2C%,virus,pattern1:THREAT,virus,%dtm:char-sep:\x2C%,%genyear:number%/%genmonth:number%/%genday:number% %gentime:time-24hr%,%src-ip:ipv4%,%dst-ip:ipv4%,%natsrcip:ipv4%,%natdstip:ipv4%,%policy:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%app:char-sep:\x2C%,%vsys:char-sep:\x2C%,%srczone:char-sep:\x2C%,%dstzone:char-sep:\x2C%,%srcintf:char-sep:\x2C%,%dstintf:char-sep:\x2C%,%logprofile:char-sep:\x2C%,%year:number%/%month:number%/%day:number% %time:time-24hr%,%session:number%,%count:number%,%src-port:number%,%dst-port:number%,%nat-src-port:number%,%nat-dst-port:number%,0x%flags:char-sep:\x2C%,%proto:char-sep:\x2C%,%action:char-sep:\x2C%,%virusinfo:quoted-string%,%virusname:char-sep:(%(%threat:number%),%url-catagory:char-sep:\x2C%,%severity:char-sep:\x2C%,%direction:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%geo_source:char-sep:\x2C%,%geo_dest:char-sep:\x2C%,%therest:rest%

#####VULNERABILITY

###SAMPLE WITH NAT##### 09:35:32,00099999999,THREAT,vulnerability,0,2014/03/15 09:35:27,217.162.12.99,99.98.97.7,217.162.12.99,192.168.100.3,SOMEPOLICY,,,web-browsing,vsys1,Untrust,DMZ,ethernet1/1,ethernet1/3,logzprof,2014/03/15 09:35:31,136093,1,40549,80,40549,80,0x400000,tcp,drop-all-packets,"php4",PHP CGI Query String Parameter Handling Information Disclosure and DoS Vulnerability(34804),any,medium,client-to-server,174087202,0x0,Switzerland,United States,0,

rule=: %time:time-24hr%,%devserial:char-sep:\x2C%,vulnerability,pattern1:THREAT,vulnerability,%dtm:char-sep:\x2C%,%genyear:number%/%genmonth:number%/%genday:number% %gentime:time-24hr%,%src-ip:ipv4%,%dst-ip:ipv4%,%natsrcip:ipv4%,%natdstip:ipv4%,%policy:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%app:char-sep:\x2C%,%vsys:char-sep:\x2C%,%srczone:char-sep:\x2C%,%dstzone:char-sep:\x2C%,%srcintf:char-sep:\x2C%,%dstintf:char-sep:\x2C%,%logprofile:char-sep:\x2C%,%year:number%/%month:number%/%day:number% %time:time-24hr%,%session:number%,%count:number%,%src-port:number%,%dst-port:number%,%nat-src-port:number%,%nat-dst-port:number%,%flags:char-sep:\x2C%,%proto:char-sep:\x2C%,%action:char-sep:\x2C%,%vulname:quoted-string%,%vulnmsg:char-sep:(%(%threat:number%),%url-catagory:char-sep:\x2C%,%severity:char-sep:\x2C%,%direction:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%geo_source:char-sep:\x2C%,%geo_dest:char-sep:\x2C%,%therest:rest%

###SAMPLE WITHOUT NAT#### 18:26:58,00099999999,THREAT,vulnerability,0,2014/05/15.18:26:53,192.168.1.132,192.168.100.3,,,TRUST-DMZ,,,smtp,vsys1,Trust,DMZ,ethernet1/16,ethernet1/3,logzprof,2014/05/15.18:26:58,241073,1,49977,25,0,0,0x0,tcp,drop-all-packets,"image8.emf",Adobe.Reader.Heap.Buffer.Overflow.Vulnerability(36458),any,critical,client-to-server,187015108,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,

rule=: %time:time-24hr%,%devserial:char-sep:\x2C%,vulnerability,pattern2:THREAT,vulnerability,%dtm:char-sep:\x2C%,%genyear:number%/%genmonth:number%/%genday:number% %gentime:time-24hr%,%src-ip:ipv4%,%dst-ip:ipv4%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%policy:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%app:char-sep:\x2C%,%vsys:char-sep:\x2C%,%srczone:char-sep:\x2C%,%dstzone:char-sep:\x2C%,%srcintf:char-sep:\x2C%,%dstintf:char-sep:\x2C%,%logprofile:char-sep:\x2C%,%year:number%/%month:number%/%day:number% %time:time-24hr%,%session:number%,%count:number%,%src-port:number%,%dst-port:number%,%nat-src-port:number%,%nat-dst-port:number%,%flags:char-sep:\x2C%,%proto:char-sep:\x2C%,%action:char-sep:\x2C%,%vulname:quoted-string%,%vulnmsg:char-sep:(%(%threat:number%),%url-catagory:char-sep:\x2C%,%severity:char-sep:\x2C%,%direction:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%geo_source:char-sep:\x2C%,%geo_dest:char-sep:\x2C%,%therest:rest%

#####FILE

####SAMPLE### 01:13:03,00099999999,THREAT,file,1,2014/03/22 01:12:57,65.55.227.140,192.168.1.135,65.55.227.140,32.33.34.5,Users Out,,,sharepoint-base,vsys1,outside,inside,ethernet1/1,ethernet1/16,logzprof,2014/03/22 01:13:02,63889,1,80,57055,80,28843,0x404000,tcp,alert,"AF101807649.wat",Microsoft PE File(52060),any,low,server-to-client,718288,0x0,United States,192.168.0.0-192.168.255.255,0,

rule=: %time:time-24hr%,%devserial:char-sep:\x2C%,file-detection,pattern1:THREAT,file,%dtm:char-sep:\x2C%,%genyear:number%/%genmonth:number%/%genday:number% %gentime:time-24hr%,%src-ip:ipv4%,%dst-ip:ipv4%,%natsrcip:ipv4%,%natdstip:ipv4%,%policy:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%app:char-sep:\x2C%,%vsys:char-sep:\x2C%,%srczone:char-sep:\x2C%,%dstzone:char-sep:\x2C%,%srcintf:char-sep:\x2C%,%dstintf:char-sep:\x2C%,%logprofile:char-sep:\x2C%,%year:number%/%month:number%/%day:number% %time:time-24hr%,%session:number%,%count:number%,%src-port:number%,%dst-port:number%,%nat-src-port:number%,%nat-dst-port:number%,%flags:char-sep:\x2C%,%proto:char-sep:\x2C%,%action:char-sep:\x2C%,%filename:quoted-string%,%filetype:char-sep:\x2C%,%url-catagory:char-sep:\x2C%,%severity:char-sep:\x2C%,%direction:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%geo_source:char-sep:\x2C%,%geo_dest:char-sep:\x2C%,%therest:rest%

####SPYWARE 

##SAMPLE### 01:13:03,00099999999,THREAT,spyware,1,2014/03/22 03:50:55,162.213.31.66,32.33.34.114,162.213.31.66,192.168.168.39,rule 77,,,sip,vsys1,outside,inside,ethernet1/1,ethernet1/16,logzprof,2014/03/22 03:51:00,196169,1,5061,5060,5061,5060,0x404000,udp,drop-packet,"",Sipvicious.Gen User-Agent Traffic(13272),any,low,client-to-server,718302,0x0,United States,United States,0,

rule=: %time:time-24hr%,%devserial:char-sep:\x2C%,spyware,pattern1:THREAT,spyware,%-:char-sep:\x2C%,%genyear:number%/%genmonth:number%/%genday:number% %gentime:time-24hr%,%src-ip:ipv4%,%dst-ip:ipv4%,%natsrcip:ipv4%,%natdstip:ipv4%,%policy:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%app:char-sep:\x2C%,%vsys:char-sep:\x2C%,%srczone:char-sep:\x2C%,%dstzone:char-sep:\x2C%,%srcintf:char-sep:\x2C%,%dstintf:char-sep:\x2C%,%logprofile:char-sep:\x2C%,%year:number%/%month:number%/%day:number% %time:time-24hr%,%session:number%,%count:number%,%src-port:number%,%dst-port:number%,%nat-src-port:number%,%nat-dst-port:number%,%flags:char-sep:\x2C%,%proto:char-sep:\x2C%,%action:char-sep:\x2C%,%vulname:char-sep:\x2C%,%vulnmsg:char-sep:\x2C%,%url-catagory:char-sep:\x2C%,%severity:char-sep:\x2C%,%direction:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%geo_source:char-sep:\x2C%,%geo_dest:char-sep:\x2C%,%therest:rest%

##SAMPLE### 15:48:07,00099999999,THREAT,spyware,1,2014/12/22 15:48:07,192.168.0.8,199.2.252.10,28.16.19.5,199.2.252.10,DNS_SERVERS_OUT,,,dns,vsys1,inside,outside,ethernet1/16,ethernet1/1,logzprof,2014/12/22 15:48:07,103238,1,49398,53,36378,53,0x404000,udp,drop-all-packets,\"\",Suspicious DNS Query (generic:ib.spotsmagic.com)(4083979),any,medium,client-to-server,78603388,0x0,192.168.0.0-192.168.255.255,US,0,,0,, 

rule=: %time:time-24hr%,%devserial:char-sep:\x2C%,spyware-dns,pattern1:THREAT,spyware,%-:char-sep:\x2C%,%genyear:number%/%genmonth:number%/%genday:number% %gentime:time-24hr%,%src-ip:ipv4%,%dst-ip:ipv4%,%natsrcip:ipv4%,%natdstip:ipv4%,%policy:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%app:char-sep:\x2C%,%vsys:char-sep:\x2C%,%srczone:char-sep:\x2C%,%dstzone:char-sep:\x2C%,%srcintf:char-sep:\x2C%,%dstintf:char-sep:\x2C%,%logprofile:char-sep:\x2C%,%year:number%/%month:number%/%day:number% %time:time-24hr%,%session:number%,%count:number%,%src-port:number%,%dst-port:number%,%nat-src-port:number%,%nat-dst-port:number%,%flags:char-sep:\x2C%,%proto:char-sep:\x2C%,%action:char-sep:\x2C%,%vulname:quoted-string%,%vulnmsg:char-sep:\x2C%,%url-catagory:char-sep:\x2C%,%severity:char-sep:\x2C%,%direction:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%geo_source:char-sep:\x2C%,%geo_dest:char-sep:\x2C%,%therest:rest%

#####TRAFFIC
# Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Source IP,
#Destination IP, NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User, Application,
#Virtual System, Source Zone, Destination Zone, Ingress Interface, Egress Interface, Log Forwarding Profile,
#FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, NAT Source Port, NAT Destination
#Port, Flags, Protocol, Action, Bytes, Bytes Sent, Bytes Received, Packets, Start Time, Elapsed Time, Category,
#FUTURE_USE, Sequence Number, Action Flags, Source Location, Destination Location, FUTURE_USE, Packets
#Sent, Packets Received.

##SAMPLE WITH NAT## 
# 20:34:24,00099999999,TRAFFIC,start,0,2014/06/11 20:34:23,10.11.12.13,64.46.69.96,9.8.20.207,64.46.69.96,Policyname,,,ssl,vsys1,Trust,Untrust,ethernet1/16,ethernet1/1,logzprof,2014/06/11 20:34:23,99660,1,1950,443,56427,443,0x400000,tcp,allow,340,278,62,4,2014/06/11 20:34:24,0,any,0,683837684,0x0,10.0.0.0-10.255.255.255,United States,0,3,1

rule=: %time:time-24hr%,%devserial:char-sep:\x2C%,traffic,pattern1:TRAFFIC,%subtype:char-sep:\x2C%,%dtm:char-sep:\x2C%,%genyear:number%/%genmonth:number%/%genday:number% %gentime:time-24hr%,%src-ip:ipv4%,%dst-ip:ipv4%,%natsrcip:ipv4%,%natdstip:ipv4%,%policy:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%app:char-sep:\x2C%,%vsys:char-sep:\x2C%,%srczone:char-sep:\x2C%,%dstzone:char-sep:\x2C%,%srcintf:char-sep:\x2C%,%dstintf:char-sep:\x2C%,%logprofile:char-sep:\x2C%,%year:number%/%month:number%/%day:number% %time:time-24hr%,%session:number%,%count:number%,%src-port:number%,%dst-port:number%,%nat-src-port:number%,%nat-dst-port:number%,%flags:char-sep:\x2C%,%proto:char-sep:\x2C%,%action:char-sep:\x2C%,%bytes:number%,%bytes_sent:number%,%bytes_received:number%,%packets:number%,%start_time:char-sep:\x2C%,%elapsed_time:number%,%url_category:char-sep:\x2C%,%-:char-sep:\x2C%,%sequence_number:number%,%panorama_flags:char-sep:\x2C%,%geo_source:char-sep:\x2C%,%geo_dest:char-sep:\x2C%,%-:char-sep:\x2C%,%packets_sent:number%,%packets_received:number%%therest:rest%

rule=: %time:time-24hr%,%devserial:char-sep:\x2C%,traffic,pattern2:TRAFFIC,%subtype:char-sep:\x2C%,%dtm:char-sep:\x2C%,%genyear:number%/%genmonth:number%/%genday:number% %gentime:time-24hr%,%src-ip:ipv4%,%dst-ip:ipv4%,%natsrcip:ipv4%,%natdstip:ipv4%,%policy:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%app:char-sep:\x2C%,%vsys:char-sep:\x2C%,%srczone:char-sep:\x2C%,%dstzone:char-sep:\x2C%,%srcintf:char-sep:\x2C%,%dstintf:char-sep:\x2C%,%logprofile:char-sep:\x2C%,%year:number%/%month:number%/%day:number% %time:time-24hr%,%session:number%,%count:number%,%src-port:number%,%dst-port:number%,%nat-src-port:number%,%nat-dst-port:number%,%flags:char-sep:\x2C%,%proto:char-sep:\x2C%,%action:char-sep:\x2C%,%bytes:number%,%bytes_sent:number%,%bytes_received:number%,%packets:number%,%start_time:char-sep:\x2C%,%elapsed_time:number%,%url_category:char-sep:\x2C%,%-:char-sep:\x2C%,%sequence_number:number%,%panorama_flags:char-sep:\x2C%,%geo_source:char-sep:\x2C%,%geo_dest:char-sep:\x2C%,%-:char-sep:\x2C%,%packets_sent:number%,%packets_received:number%

###SAMPLE WITHOUT NAT 
#Dec 10 04:27:05 fwname,2014/12/10 04:27:05,00099999999,TRAFFIC,drop,1,2014/12/10 04:26:59,17.27.18.13,5.23.16.2,,,Inbound Block Evil,,,icmp,vsys1,Untrust,Trust,ethernet1/1,,logzprof,2014/12/10 04:27:04,0,1,0,0,0,0,0x0,icmp,deny,106,106,0,1,2014/12/10 04:27:00,0,any,0,315118370,0x0,Morocco,United States,0,1,0
#Dec  9 22:50:27 fwname,2014/12/09 22:50:27,00099999999,TRAFFIC,drop,1,2014/12/09 22:50:26,41.141.224.222,5.23.16.1,,,Inbound Block Evil,,,not-applicable,vsys1,Untrust,Trust,ethernet1/1,,logzprof,2014/12/09 22:50:26,0,1,51762,80,0,0,0x0,tcp,deny,62,62,0,1,2014/12/09 22:50:27,0,any,0,314787233,0x0,Morocco,United States,0,1,0

rule=: %time:time-24hr%,%devserial:char-sep:\x2C%,traffic,pattern3:TRAFFIC,%subtype:char-sep:\x2C%,%dtm:char-sep:\x2C%,%genyear:number%/%genmonth:number%/%genday:number% %gentime:time-24hr%,%src-ip:ipv4%,%dst-ip:ipv4%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%policy:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%app:char-sep:\x2C%,%vsys:char-sep:\x2C%,%srczone:char-sep:\x2C%,%dstzone:char-sep:\x2C%,%srcintf:char-sep:\x2C%,%dstintf:char-sep:\x2C%,%logprofile:char-sep:\x2C%,%year:number%/%month:number%/%day:number% %time:time-24hr%,%session:number%,%count:number%,%src-port:number%,%dst-port:number%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%flags:char-sep:\x2C%,%proto:char-sep:\x2C%,%action:char-sep:\x2C%,%bytes:number%,%bytes_sent:number%,%bytes_received:number%,%packets:number%,%start_time:char-sep:\x2C%,%elapsed_time:number%,%url_category:char-sep:\x2C%,%-:char-sep:\x2C%,%sequence_number:number%,%panorama_flags:char-sep:\x2C%,%geo_source:char-sep:\x2C%,%geo_dest:char-sep:\x2C%,%-:char-sep:\x2C%,%packets_sent:number%,%packets_received:number%%therest:rest%

rule=: %time:time-24hr%,%devserial:char-sep:\x2C%,traffic,pattern4:TRAFFIC,%subtype:char-sep:\x2C%,%dtm:char-sep:\x2C%,%genyear:number%/%genmonth:number%/%genday:number% %gentime:time-24hr%,%src-ip:ipv4%,%dst-ip:ipv4%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%policy:char-sep:\x2C%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%app:char-sep:\x2C%,%vsys:char-sep:\x2C%,%srczone:char-sep:\x2C%,%dstzone:char-sep:\x2C%,%srcintf:char-sep:\x2C%,%dstintf:char-sep:\x2C%,%logprofile:char-sep:\x2C%,%year:number%/%month:number%/%day:number% %time:time-24hr%,%session:number%,%count:number%,%src-port:number%,%dst-port:number%,%-:char-sep:\x2C%,%-:char-sep:\x2C%,%flags:char-sep:\x2C%,%proto:char-sep:\x2C%,%action:char-sep:\x2C%,%bytes:number%,%bytes_sent:number%,%bytes_received:number%,%packets:number%,%start_time:char-sep:\x2C%,%elapsed_time:number%,%url_category:char-sep:\x2C%,%-:char-sep:\x2C%,%sequence_number:number%,%panorama_flags:char-sep:\x2C%,%geo_source:char-sep:\x2C%,%geo_dest:char-sep:\x2C%,%-:char-sep:\x2C%,%packets_sent:number%,%packets_received:number%

#*****************************************************************************
# HP Procurve
#*****************************************************************************

#FFI: port 14 - Security Violation
rule=:  port %-:number% - Security Violation

#*****************************************************************************
# SMTP 
#*****************************************************************************

rule=: %-:word% %-:word% [%src-ip:ipv4%]: expn %username:word%

# p0IGs29E022795: ruleset=check_rcpt, arg1=<bob@example.com>, relay=mailhost.example.com [192.168.0.1], reject=553 5.1.8 <frank@example.com>... Domain of sender address bogus@example.com does not exist

rule=: %-:word% ruleset=check_rcpt, %-:word% relay=%y:word% [%src-ip:ipv4%] (may be forged), reject=%-:number% %-:rest%

# p0I3FCpA013475: [192.168.0.1]: Possible SMTP RCPT flood, throttling.

rule=: %-:word%: [%src-ip:ipv4%]: Possible SMTP RCPT flood, throttling.

#*****************************************************************************
# Snort
#*****************************************************************************

# Jun  2 00:41:47 demo snort: [1:19559:5] INDICATOR-SCAN SSH brute force login attempt [Classification: Misc activity] [Priority: 3] {TCP} 43.255.188.148:35236 -> 10.5.1.3:22

rule=: [%generator_id:number%:%sig_id:number%:%rev:number%] %sig_name:char-to:\x5b%[Classification: %classtype:char-to:\x5d%] [Priority: %pri:number%] {%proto:char-to:\x7d%} %dst-ip:ipv4%:%dst-port:number% -> %src-ip:ipv4%:%src-port:number%

#*****************************************************************************
# Sonicwall
#*****************************************************************************

# Remember the space at the end of the rule..  Also " counts as part of a %thing:word%

rule=: id=%firewall:word% sn=%serial:word% time="%date:date-iso% %time:time-24hr%" fw=%fire-ip:ipv4% pri=%pri:number% c=%c:number% m=%m:number% msg="Possible port scan detected" n=%n:number% src=%src-ip:ipv4%:%src-port:number%:%interface:word% dst=%dst-ip:ipv4%:%dst-port:number%:%interface:word% note=%ports-scanned:quoted-string% 

#rule=:  msg="%alert:char-to:\x22%" sid=%sid:number% ipscat=%proto:word% ipspri=%ipspri:number% n=%n:number% src=%src-ip:ipv4%:%src-port:number%:%interface:word% dst=%dst-ip:ipv4%:%dst-port:number%:%interface:word% 

rule=: id=%firewall:word% sn=%serial:word% time="%date:date-iso% %time:time-24hr%" fw=%fire-ip:ipv4% pri=%pri:number% c=%c:number% m=%m:number% msg=%alert:quoted-string% sid=%sid:number% ipscat=%proto:word% ipspri=%ipspri:number% n=%n:number% src=%src-ip:ipv4%:%src-port:number%:%interface:word% dst=%dst-ip:ipv4%:%dst-port:number%:%interface:word% 

#*****************************************************************************
# su/sudo
#*****************************************************************************
 
rule=: Successful su for %-:word% by %username:word%
rule=: pam_unix(sudo:auth): authentication failure; logname= uid=%uid:number% euid=%-:number% %-:word% ruser= rhost=  user=%username:word%

#*****************************************************************************
# VMWare (ESXi, etc)
#*****************************************************************************

rule=: Accepted password for %username:word% from %src-ip:ipv4%

#*****************************************************************************
# Microsoft Windows (via Evt2sys or NXLog
#*****************************************************************************

# Note the space at the end!
#
#rule=: 529: NT AUTHORITY\\SYSTEM: Logon Failure: Reason: Unknown user name or bad password User Name: %username:word% Domain: %-:word% Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: %-:word% Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: %src-ip:ipv4% Source Port: %src-port:number% 

#rule=: 529: S-1-5-18: Logon Failure: Reason: Unknown user name or bad password User Name: %username:word% Domain: %-:word% Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: %-:word% Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: %src-ip:ipv4% Source Port: %src-port:number% 

#*****************************************************************************
# Citrix
#*****************************************************************************

#  16:04:31 GMT server1 PPE-1 : AAA LOGIN_FAILED 71011157 :  User bob - Client_ip 12.12.12.12 - Failure_reason "External authentication server denied access"

rule=: %-:word% %-:word% %-:word% %-:word% : AAA LOGIN_FAILED %-:word% :  User %username:word% - Client_ip %src-ip:ipv4% - Failure_reason %-:rest%

#  16:23:29 GMT server1 PPE-0 : SSLVPN LOGIN 75181906 : Context bob@12.12.12.12 - SessionId: 11147- User bob - Client_ip 12.12.12.12 - Nat_ip "Mapped Ip" - Vserver 192.168.1.1:443 - Browser_type "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)" - SSLVPN_client_type Clientless - Group(s) "N/A"

rule=: %-:word% %-:word% %-:word% %-:word% : SSLVPN LOGIN %-:number% : Context %-:word% - SessionId: %-:word% User %username:word% - Client_ip %src-ip:ipv4% %-:rest%
rule=: %-:word% %-:word% %-:word% %-:word% : SSLVPN LOGOUT %-:number% : Context %-:word% - SessionId: %-:word% User %username:word% - Client_ip %src-ip:ipv4% %-:rest%