# THUNDER PRM LIBRARY
# Copyright 2004 Tenable Network Security
# This library may only be used with the Thunder server and may not
# be used with other products or open source projects
#
# NAME:
# netscreen Firewall
#
# DESCRIPTION:
# This library is used to process logs from a variety of NetScreen firewalls
# which are sent via SYSLOG. The SYSLOG messages must be sent either
# directly to the Thunder server, or to a UNIX server running a Thunder
# client which is 'tailing' a SYSLOG file on that system.
#
# LAST UPDATE: $Date$
#
# Layout: one directive per line (id=, name=, match=, regex=, log=), rules
# separated by a NEXT line. Several match= values are written with a leading
# space (e.g. "match= action=Deny") while others are not ("match=action=Permit");
# keep that spacing as written when editing -- presumably it anchors the
# substring on a word boundary (confirm against the PRM parser).

##############
# DENY RULES #
##############

# 9500: policy deny, TCP (proto=6); logs sensor and full 5-tuple as type:firewall.
id=9500
name=This Netscreen firewall blocked a TCP connection.
match=ion
match= action=Deny
match=ce
match=NetScreen device_id=
match=tem
match=system-notification-
match=ystem
match=ol
match=policy_id=
match=proto=6
regex=device_id=([a-zA-Z0-9_\.-]+).*src=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) dst=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) src_port=([0-9]+) dst_port=([0-9]+)
log=event:Netscreen_Blocked_TCP sensor:$1 proto:6 srcip:$2 dstip:$3 srcport:$4 dstport:$5 type:firewall

NEXT

# 9501: policy deny, UDP (proto=17); same capture layout as 9500.
id=9501
name=This Netscreen firewall blocked a UDP connection.
match=ion
match= action=Deny
match=ce
match=NetScreen device_id=
match=tem
match=system-notification-
match=ystem
match=ol
match=policy_id=
match=proto=17
regex=device_id=([a-zA-Z0-9_\.-]+).*src=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) dst=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) src_port=([0-9]+) dst_port=([0-9]+)
log=event:Netscreen_Blocked_UDP sensor:$1 proto:17 srcip:$2 dstip:$3 srcport:$4 dstport:$5 type:firewall

NEXT

# 9502: policy deny, ICMP (proto=1); no port captures (continues below).
id=9502
name=This Netscreen firewall blocked an ICMP query.
# (continuation of rule 9502: ICMP deny; the !src_port/!dst_port negations
# keep it from overlapping the TCP/UDP deny rules)
match=ion
match= action=Deny
match=ce
match=NetScreen device_id=
match=tem
match=system-notification-
match=ystem
match=ol
match=policy_id=
match=proto=1
match=!src_port
match=!dst_port
regex=device_id=([a-zA-Z0-9_\.-]+).*src=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) dst=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Netscreen_Blocked_ICMP sensor:$1 proto:1 srcip:$2 dstip:$3 type:firewall

################
# ADMIN EVENTS #
################

NEXT

# 9503: system-critical session-table utilization warning; sensor only.
id=9503
name=This Netscreen firewall is experiencing high utilization levels.
match=ce
match=NetScreen device_id=
match=tem
match=system-critical-
match=cal
match=ystem
match=ion
match=ed
match=ss
match=Session utilization has reached
regex=device_id=([a-zA-Z0-9_\.-]+)
log=event:Netscreen-Critical_Event sensor:$1 type:error

NEXT

# 9504: admin login (system-warning); srcip/srcport are the client address.
# proto:6 is hard-coded, not taken from the message.
id=9504
name=This Netscreen firewall had an administrator login.
match=ce
match=NetScreen device_id=
match=tem
match=ar
match=arn
match=ing
match=system-warning-
match=ystem
match=ser
match=netscreen: Admin User
match=lo
match=log
match=ed
match=logged in for
regex=device_id=([a-zA-Z0-9_\.-]+).*from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+)\.
log=event:Netscreen-Admin_User_Login sensor:$1 srcip:$2 srcport:$3 proto:6 type:login

###################
# SECURITY EVENTS #
###################

NEXT

# 9505: system-alert with "protocol TCP"; logged as type:dos with 5-tuple.
id=9505
name=This Netscreen firewall logged several TCP based network attacks.
match=ce
match=NetScreen device_id=
match=tem
match=le
match=system-alert-
match=ystem
match=ol
match=protocol TCP
regex=device_id=([a-zA-Z0-9_\.-]+).*From ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+) to ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+)
log=event:Netscreen-System_Alert_TCP sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 proto:6 type:dos

NEXT

# 9506: system-alert with "protocol UDP" (continues below).
id=9506
name=This Netscreen firewall logged several UDP based network attacks.
# (continuation of rule 9506: UDP system-alert, type:dos)
match=ce
match=NetScreen device_id=
match=tem
match=le
match=system-alert-
match=ystem
match=ol
match=protocol UDP
regex=device_id=([a-zA-Z0-9_\.-]+).*From ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+) to ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+)
log=event:Netscreen-System_Alert_UDP sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 proto:17 type:dos

################
# ACCEPT RULES #
################

NEXT

# 9507: policy permit, TCP. The negated "reason=Close - AGE OUT" keeps
# session-close records out of this rule (they are handled by 29585).
id=9507
name=This Netscreen firewall has allowed a TCP connection.
match=ion
match=action=Permit
match=ce
match=NetScreen device_id=
match=tem
match=system-notification-
match=ystem
match=ol
match=policy_id=
match=proto=6
match=!reason=Close - AGE OUT
regex=device_id=([a-zA-Z0-9_\.-]+).*src=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) dst=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) src_port=([0-9]+) dst_port=([0-9]+)
log=event:Netscreen_Accept_TCP sensor:$1 proto:6 srcip:$2 dstip:$3 srcport:$4 dstport:$5 type:connection

NEXT

# 9508: policy permit, UDP; same shape as 9507.
id=9508
name=This Netscreen firewall has allowed a UDP connection.
match=ion
match=action=Permit
match=ce
match=NetScreen device_id=
match=tem
match=system-notification-
match=ystem
match=ol
match=policy_id=
match=proto=17
match=!reason=Close - AGE OUT
regex=device_id=([a-zA-Z0-9_\.-]+).*src=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) dst=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) src_port=([0-9]+) dst_port=([0-9]+)
log=event:Netscreen_Accept_UDP sensor:$1 proto:17 srcip:$2 dstip:$3 srcport:$4 dstport:$5 type:connection

NEXT

# 9509: policy permit, ICMP (continues below).
id=9509
name=This Netscreen firewall has allowed an ICMP query.
# (continuation of rule 9509: ICMP permit; port negations as in 9502)
match=ion
match=action=Permit
match=ce
match=NetScreen device_id=
match=tem
match=system-notification-
match=ystem
match=ol
match=policy_id=
match=proto=1
match=!src_port
match=!dst_port
match=!reason=Close - AGE OUT
regex=device_id=([a-zA-Z0-9_\.-]+).*src=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) dst=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Netscreen_Accept_ICMP sensor:$1 proto:1 srcip:$2 dstip:$3 type:connection

##############
# MISC RULES #
##############

NEXT

# 9510: answered SNMP poll; dstport:161 and proto:17 are fixed values,
# only the poller's address and port come from the message.
id=9510
name=This Netscreen firewall has responded to an SNMP query.
match=ce
match=NetScreen device_id=
match=tem
match=ystem
match=ed
match=ss
match=SNMP: NetScreen device has responded successfully
match=MP
regex=device_id=([a-zA-Z0-9_\.-]+).*from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+)\.
log=event:Netscreen-SNMP_Poll sensor:$1 proto:17 srcip:$2 srcport:$3 dstport:161 type:connection

NEXT

# 9511: policy added; srcip is the admin host from "from host".
id=9511
name=This Netscreen firewall has had a successful modification of the firewall rules.
match=ce
match=NetScreen device_id=
match=tem
match=ystem
match=ol
match= Policy
match=ed
match= was added
match=rom
match= from host
regex=device_id=([a-zA-Z0-9_\.-]+).*from host ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Netscreen-Rule_Added sensor:$1 srcip:$2 type:system

NEXT

# 9512: policy modified; same capture as 9511, distinct event name.
id=9512
name=This Netscreen firewall has had a successful modification of the firewall rules.
match=tem
match=ystem
match=ce
match=NetScreen device_id=
match=ol
match= Policy
match=ed
match= was modified
match=rom
match= from host
regex=device_id=([a-zA-Z0-9_\.-]+).*from host ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Netscreen-Rule_Change sensor:$1 srcip:$2 type:system

NEXT

# 9513: policy deny, OSPF (proto=89) (continues below).
id=9513
name=This Netscreen firewall has blocked OSPF routing traffic.
# (continuation of rule 9513: OSPF deny, no port captures)
match=ion
match= action=Deny
match=ce
match=NetScreen device_id=
match=tem
match=system-notification-
match=ystem
match=ol
match=policy_id=
match=proto=89
regex=device_id=([a-zA-Z0-9_\.-]+).*src=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) dst=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Netscreen-Blocked_OSPF_Traffic sensor:$1 proto:89 srcip:$2 dstip:$3 type:firewall

NEXT

# 9514: IKE packet received; src/dst with ports from "from A:p to B:q".
id=9514
name=This Netscreen firewall has received an IKE packet which is part of establishing remote VPNs.
match=ack
match=ce
match=ed
match=Received an IKE packet
match=tem
match=ystem
match=NetScreen device_id=
match=ookies
regex=device_id=([a-zA-Z0-9_\.-]+).*from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]+) to ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]+)
log=event:Netscreen-IKE_Packet_Received sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 type:connection

NEXT

# 9515: IKE packet rejected; same capture layout as 9514, type:firewall.
id=9515
name=This Netscreen firewall has rejected an IKE packet which is part of establishing remote VPNs. This could indicate an attack on your VPN or a mis-configured remote VPN node.
match=ack
match=ed
match=Rejected an IKE packet
match=ect
match=tem
match=ystem
match=ce
match=NetScreen device_id=
match=ookies
regex=device_id=([a-zA-Z0-9_\.-]+).*from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]+) to ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]+)
log=event:Netscreen-IKE_Packet_Rejected sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 type:firewall

NEXT

# 9516: IKE retransmission limit; the peer address after "IKE<x>" is logged
# as dstip (the "." in "IKE." matches any single character).
id=9516
name=This Netscreen firewall has reached its retransmission limit which could indicate some sort of network issues with the VPN.
match=tem
match=ystem
match=ion
match=ed
match=ss
match=Retransmission limit has been reached.
match=ce
match=NetScreen device_id=
regex=device_id=([a-zA-Z0-9_\.-]+).*IKE.([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Netscreen-Retransmission_Limit_Reached sensor:$1 dstip:$2 type:error

NEXT

# 9517: IKE aggressive-mode responder start (continues below).
id=9517
name=This Netscreen firewall is establishing a VPN session.
match=sta
match=ion
match=ar
match=Responder starts AGGRESSIVE mode negotiations.
# (continuation of rule 9517)
# NOTE(review): the event name is spelled "Agressive"; it is left as is
# because downstream correlation may key on the exact string.
match=start
match=tem
match=ystem
match=ce
match=NetScreen device_id=
regex=device_id=([a-zA-Z0-9_\.-]+).*IKE.([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Netscreen-Agressive_Mode_Negotiations sensor:$1 dstip:$2 type:connection

NEXT

# 9518: IKE negotiation initiated; matched purely on short fragments plus
# the device_id token, then captures the peer address as dstip.
id=9518
name=This Netscreen firewall is establishing a VPN session.
match=tem
match=ystem
match=ate
match=ion
match=ed
match=ce
match=go
match=io
match=In
match=at
match=on
match=tion
match=te
match=ated
match=got
match=ti
match=it
match=NetScreen device_id=
regex=device_id=([a-zA-Z0-9_\.-]+).*IKE.([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Netscreen-Initiated_Negotiations sensor:$1 dstip:$2 type:connection

NEXT

# 9519: IKE responder replied to the peer's first message.
id=9519
name=This Netscreen firewall is communicating with VPN peers.
match=tem
match=ystem
match=ed
match=ss
match=Responded to the peer's first message.
match=peer
match=ce
match=NetScreen device_id=
regex=device_id=([a-zA-Z0-9_\.-]+).*IKE.([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Netscreen-Responded_To_Peer sensor:$1 dstip:$2 type:system

NEXT

# 19520: IKE notification message received from a peer.
id=19520
name=This Netscreen firewall is communicating with VPN peers.
match=tem
match=ystem
match=ion
match=ce
match=ed
match=ss
match=Received a notification message
match=NetScreen device_id=
regex=device_id=([a-zA-Z0-9_\.-]+).*IKE.([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Netscreen-Received_Notification sensor:$1 dstip:$2 type:system

NEXT

# 19521: IKE negotiations completed with a peer.
id=19521
name=This Netscreen firewall has established a VPN with one or more peers.
match=ion
match=le
match=ed
match=Completed negotiations with
match=tem
match=ystem
match=ce
match=NetScreen device_id=
regex=device_id=([a-zA-Z0-9_\.-]+).*IKE.([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Netscreen-Completed_Negotiations sensor:$1 dstip:$2 type:system

NEXT

# 19522: system-critical ICMP event (continues below).
id=19522
name=This NetScreen firewall has detected a critical ICMP event.
# (continuation of rule 19522: critical ICMP event, type:intrusion)
match=tem
match=system-critical-
match=cal
match=ystem
match=ICMP
match=MP
match= proto 1
match=ce
match=NetScreen device_id=
regex=device_id=([0-9a-zA-Z_\.-]+).* From ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) to ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:intrusion event:Netscreen-System_Critical_ICMP_Event sensor:$1 srcip:$2 dstip:$3 proto:1

NEXT

# 19523: admin login via management interface; client address and port.
id=19523
name=This NetScreen firewall had an Admin user log in.
match=tem
match=ystem
match=ar
match=arn
match=ing
match=system-warning-
match=ser
match= Admin user
match=lo
match=log
match=ed
match=logged in for
match=ce
match=NetScreen device_id=
match=ent
match= management
regex=device_id=([0-9a-zA-Z_\.-]+) .* from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]+)
log=type:login event:Netscreen-Admin_Login sensor:$1 srcip:$2 srcport:$3

NEXT

# 19524: NTP sync failure; sensor only.
id=19524
name=This NetScreen firewall could not adjust time.
match=tem
match=ystem
match=ion
match=system-notification
match=TP
match=NTP
match=ser
match=rom
match=ce
match=le
match=ed
match=pt
match= No acceptable time could be obtained from any NTP server.
match=acc
match=NetScreen device_id=
regex=device_id=([0-9a-zA-Z_\.-]+)
log=type:error event:Netscreen-Could_Not_Obtain_Time sensor:$1

NEXT

# 19525: Untrust-zone address object deleted via NSRP; the two captured
# addresses are the object's "Address" and "IP address" fields.
id=19525
name=This NetScreen address in zone Untrust has been deleted by the admin.
match=tem
match=ystem
match=ion
match=system-notification
match=le
match=ed
match=via NSRP
match= zone Untrust has been deleted by admin
match=ce
match=NetScreen device_id=
regex=device_id=([0-9a-zA-Z_\.-]+) .* Address ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) for IP address ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:system event:Netscreen-NSRP_Peer_Address_Deleted sensor:$1 srcip:$2 dstip:$3

NEXT

# 19526: syslog enabled on the device (continues below).
id=19526
name=This NetScreen syslog has been enabled.
match=tem
match=ystem
match=ion
match=system-notification
match=lo
match=log
match=le
match=ed
match= Syslog has been enabled.
# (continuation of rule 19526)
match=ce
match=NetScreen device_id=
regex=device_id=([0-9a-zA-Z_\.-]+)
log=type:system event:Netscreen-Syslog_Enabled sensor:$1

NEXT

# 19527: PKI CA configuration saved; sensor only.
id=19527
name=This NetScreen has saved a PKI certificate configuration
match=tem
match=ystem
match=ion
match=system-notification
match=ed
match= PKI: Saved CA configuration
match=onfiguration
match=ce
match=NetScreen device_id=
regex=device_id=([0-9a-zA-Z_\.-]+)
log=type:system event:Netscreen-PKI_CA_Configuration_Saved sensor:$1

NEXT

# 19528: environment variable changed; sensor only.
# NOTE(review): event name is spelled "Enviroment_Varaible"; left unchanged
# because downstream correlation may key on the exact string.
id=19528
name=This NetScreen has changed an environmental variable.
match=tem
match=ystem
match=ion
match=system-information
match=ent
match=ar
match=le
match= Environment variable
match=ed
match= changed
match=ce
match=NetScreen device_id=
regex=device_id=([0-9a-zA-Z_\.-]+)
log=type:system event:Netscreen-Enviroment_Varaible_Changed sensor:$1

NEXT

# 19529: NSM server unreachable; the NSM address is logged as srcip.
id=19529
name=This NetScreen cannot connect to the NSM server.
match=tem
match=ion
match=system-information
match=ystem
match=ser
match=Cannot connect to NSM server
match=onnect
match=ect
match=ce
match=NetScreen device_id=
match=ed
match=disconnected by peer
match=peer
regex=device_id=([0-9a-zA-Z_\.-]+) .* Cannot connect to NSM server at ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).
log=type:error event:Netscreen-Cannot_Connect_NSM_Server sensor:$1 srcip:$2

NEXT

# 19530: tunnelled (action=Tunnel) UDP traffic record with full 5-tuple.
id=19530
name=This NetScreen has reported traffic via protocol UDP.
match=tem
match=ion
match=system-notification
match=ystem
match=(traffic):
match=ce
match=NetScreen device_id=
match=action=Tunnel
match=proto=17 src
regex=device_id=([0-9a-zA-Z_\.-]+) .* src=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) dst=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) src_port=([0-9]+) dst_port=([0-9]+)
log=type:connection event:Netscreen-Tunnel_Traffic_UDP sensor:$1 srcip:$2 dstip:$3 srcport:$4 dstport:$5 proto:17

NEXT

# 19531: tunnelled ICMP traffic record (continues below).
id=19531
name=This NetScreen has reported traffic via protocol ICMP.
# (continuation of rule 19531: tunnelled ICMP, no port captures)
match=tem
match=ystem
match=ion
match=system-notification
match=(traffic):
match=ce
match=NetScreen device_id=
match=action=Tunnel
match=proto=1 src
regex=device_id=([0-9a-zA-Z_\.-]+) .* src=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) dst=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:connection event:Netscreen-Tunnel_Traffic_ICMP sensor:$1 srcip:$2 dstip:$3 proto:1

NEXT

# 19532: tunnelled TCP traffic record with full 5-tuple.
id=19532
name=This NetScreen has reported traffic via protocol TCP.
match=tem
match=ion
match=system-notification
match=ystem
match=(traffic):
match=ce
match=NetScreen device_id=
match=action=Tunnel
match=proto=6
regex=device_id=([0-9a-zA-Z_\.-]+) .* src=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) dst=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) src_port=([0-9]+) dst_port=([0-9]+)
log=type:connection event:Netscreen-Tunnel_Traffic_TCP sensor:$1 srcip:$2 dstip:$3 srcport:$4 dstport:$5 proto:6

NEXT

# 19533: IKE negotiation failure; peer address as dstip.
id=19533
name=This Netscreen firewall has failed IKE Phase 2 negotiations.
match=tem
match=ystem
match=ail
match=ion
match=le
match=ed
match=Negotiations have failed.
match=ce
match=NetScreen device_id=
regex=device_id=([a-zA-Z0-9_\.-]+).*IKE.([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Netscreen-IKE_Negotiations_Failed sensor:$1 dstip:$2 type:error

NEXT

# 19534: policy deny, IP protocol 41; no proto field is emitted in log=.
id=19534
name=This Netscreen firewall blocked a proto 41 connection.
match=ion
match= action=Deny
match=ce
match=NetScreen device_id=
match=tem
match=system-notification-
match=ystem
match=ol
match=policy_id=
match=proto=41
regex=device_id=([a-zA-Z0-9_\.-]+).*src=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) dst=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Netscreen_Blocked_Proto_41 sensor:$1 srcip:$2 dstip:$3 type:firewall

NEXT

# 19535: UDP flood alert (continues below).
id=19535
name=This NetScreen firewall has detected a UDP flood.
match=tem
match=system-alert-
match=ystem
match=ce
match=UDP flood!
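# (continuation of rule 19535: UDP flood, 5-tuple, type:intrusion)
match=UDP
match=From
match=to
match=NetScreen device_id=
regex=device_id=([0-9a-zA-Z_\.-]+).*From ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]+) to ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]+)
log=type:intrusion event:Netscreen-System_Alert_UDP_Flood sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 proto:17

NEXT

# 19536: IP spoofing alert with ports. proto:6 is hard-coded; nothing in the
# match= or regex= lines checks the protocol (the port-less variant 19543
# hard-codes proto:1 the same way) -- confirm against real messages.
id=19536
name=This NetScreen firewall has detected IP spoofing.
match=tem
match=system-alert-
match=ystem
match=ce
match=IP spoofing!
match=From
match=to
match=NetScreen device_id=
regex=device_id=([0-9a-zA-Z_\.-]+).*From ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]+) to ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]+)
log=type:intrusion event:Netscreen-System_Alert_IP_Spoofing sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 proto:6

NEXT

# 19537: policy permit, IP protocol 50 (ESP). The rule matches on proto=50,
# so the emitted protocol is 50; it previously said proto:6 (TCP), which
# mislabelled ESP permits as TCP in the event store.
id=19537
name=This Netscreen firewall has allowed a protocol of 50 connection.
match=proto=50
match=ion
match=action=Permit
match=ce
match=NetScreen device_id=
match=tem
match=system-notification-
match=ystem
match=ol
match=policy_id=
regex=device_id=([a-zA-Z0-9_\.-]+).*src=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) dst=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Netscreen_Accept_Proto50 sensor:$1 proto:50 srcip:$2 dstip:$3 type:connection

NEXT

# 19538: system-critical UDP event (" proto 17").
# NOTE(review): "match=MP" looks carried over from the ICMP rule 19522; it
# requires the substring "MP" somewhere in the UDP message -- confirm this
# still fires on real proto 17 events.
id=19538
name=This NetScreen firewall has detected a critical UDP event.
match=tem
match=system-critical-
match=cal
match=ystem
match=MP
match= proto 17
match=ce
match=NetScreen device_id=
regex=device_id=([0-9a-zA-Z_\.-]+).* From ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) to ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:intrusion event:Netscreen-System_Critical_UDP_Event sensor:$1 srcip:$2 dstip:$3 proto:17

NEXT

# 19539: system-critical TCP event (continues below).
id=19539
name=This NetScreen firewall has detected a critical TCP event.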
# (continuation of rule 19539: critical TCP event with ports, type:intrusion)
match=tem
match=system-critical-
match=cal
match=ystem
match= proto TCP
match=ce
match=NetScreen device_id=
regex=device_id=([0-9a-zA-Z_\.-]+).* From ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]+) to ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]+)
log=type:intrusion event:Netscreen-System_Critical_TCP_Event sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 proto:6

NEXT

# 19540: system clock updated from a time server; the server address
# (after "server type") is logged as srcip.
id=19540
name=This NetScreen firewall has detected that the system clock was updated.
match=tem
match=system-notification
match=tion
match=ystem
match=clock
match=was
match=ed
match=update
match=The system clock was updated
match=from
match=NetScreen device_id=
regex=device_id=([0-9a-zA-Z_\.-]+).* server type ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:system event:Netscreen-System_Clock_Updated sensor:$1 srcip:$2

NEXT

# 19541: "route is valid" session notice; src-ip, dst-ip and dst port captured.
id=19541
name=This NetScreen firewall has detected a valid route.
match=tem
match=system-notification
match=tion
match=ystem
match=ss
match=Session
match=route
match=is
match=valid
match= route is valid
match=NetScreen device_id=
regex=device_id=([0-9a-zA-Z_\.-]+).* src-ip ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) dst-ip ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) dst port ([0-9]+)
log=type:system event:Netscreen-Valid_Route sensor:$1 srcip:$2 dstip:$3 dstport:$4

NEXT

# 19542: per-source session limit reached; regex anchors on ", proto UDP"
# so proto:17 is consistent with what is matched. Note "match=NetScreen
# device_id" here lacks the trailing "=" every other rule uses.
id=19542
name=This Netscreen firewall has reached a source IP session limit.
match=tem
match=ystem
match=critical
match=al
match=Src IP session limit
match=IP
match=ss
match=ion
match=NetScreen device_id
regex=device_id=([a-zA-Z0-9_\.-]+).*From ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]+) to ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]+), proto UDP
log=event:Netscreen-Source_Session_Limit_Reached sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 type:error proto:17

NEXT

# 19543: IP spoofing alert without ports (continues below).
id=19543
name=This NetScreen firewall has detected IP spoofing.
match=tem
match=system-alert-
match=ystem
match=ce
match=IP spoofing!
# (continuation of rule 19543; proto:1 is hard-coded, not read from the
# message -- see the note on 19536)
match=From
match=to
match=NetScreen device_id=
regex=device_id=([0-9a-zA-Z_\.-]+).*From ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) to ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:intrusion event:Netscreen-System_Alert_IP_Spoofing sensor:$1 srcip:$2 dstip:$3 proto:1

NEXT

# 19544: successful admin authentication; login name captured as user.
id=19544
name=This NetScreen firewall has detected a user login.
match=tem
match=system-information-
match=ystem
match=admin
match=cc
match=ss
match=successful
match=admin authentication successful for login name
match=NetScreen device_id=
regex=device_id=([0-9a-zA-Z_\.-]+).*login name ([A-Za-z0-9\$\-\_\.]+) \(
log=type:login event:Netscreen-Login sensor:$1 user:$2

NEXT

# 19545: admin logout with user and client address.
id=19545
name=This NetScreen firewall has detected a user loging out.
match=tem
match=system-warning-
match=ystem
match=Admin
match=gg
match=ed
match=logged
match=has logged out
match=NetScreen device_id=
regex=device_id=([0-9a-zA-Z_\.-]+).*user ([A-Za-z0-9\$\-\_\.]+) .*from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:logout event:Netscreen-Logout sensor:$1 user:$2 srcip:$3

NEXT

# 19546: failed admin authentication. The login name is captured ($2) but
# deliberately(?) not emitted -- failed-login names often contain mistyped
# passwords, so keeping them out of the event store is the safer default;
# confirm this was the intent before adding user:$2.
id=19546
name=This NetScreen firewall has detected a invalid login attempt..
match=tem
match=system-warning-
match=ystem
match=admin
match=login
match=name
match=ed
match=failed
match=admin authentication failed for login name
match=NetScreen device_id=
regex=device_id=([0-9a-zA-Z_\.-]+).*login name ([A-Za-z0-9\$\-\_\.]+)\:
log=type:login-failure event:Netscreen-Login_Failed sensor:$1

NEXT

# 19547: admin login over SSH with user and client address.
id=19547
name=This NetScreen firewall has detected a user login.
match=tem
match=system-warning-
match=ystem
match=Admin
match=user
match=er
match=logged
match=gg
match=ed
match=has logged on via SSH from
match=NetScreen device_id=
regex=device_id=([0-9a-zA-Z_\.-]+).*Admin user ([A-Za-z0-9\$\-\_\.]+) .*from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:login event:Netscreen-Login sensor:$1 user:$2 srcip:$3

NEXT

# 19548: password authentication succeeded for admin user (continues below).
id=19548
name=This NetScreen firewall has detected a user login.
# (continuation of rule 19548; user is single-quoted in the message)
match=tem
match=system-warning-
match=ystem
match=dmin
match=user
match=er
match=ss
match=Password
match=successfu
match=cc
match=ss
match=Password authentication successful for admin user
match=NetScreen device_id=
regex=device_id=([0-9a-zA-Z_\.-]+).*admin user \'([A-Za-z0-9\$\-\_\.]+)\' .*host ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\.
log=type:login event:Netscreen-Login sensor:$1 user:$2 srcip:$3

NEXT

# 19549: admin accepted via RADIUS. The captured address follows "server at",
# so srcip here is the RADIUS server, not the admin's client -- keep that in
# mind when correlating with the other Netscreen-Login rules.
id=19549
name=This NetScreen firewall has detected a user login.
match=tem
match=system-warning-
match=ystem
match=dmin
match=user
match=er
match=cc
match=ed
match=accepted
match=server
match=er
match=has been accepted via the Radius server
match=NetScreen device_id=
regex=device_id=([0-9a-zA-Z_\.-]+).*Admin user ([A-Za-z0-9\$\-\_\.]+) .*server at ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\.
log=type:login event:Netscreen-Login sensor:$1 user:$2 srcip:$3

NEXT

# 29550: admin logout; user is double-quoted in the message.
id=29550
name=This NetScreen firewall has detected a user loging out.
match=tem
match=system-warning-
match=ystem
match=Admin
match=gg
match=ed
match=logged
match=logged out
match=NetScreen device_id=
regex=device_id=([0-9a-zA-Z_\.-]+).*user \"([A-Za-z0-9\$\-\_\.]+)\" .*from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:logout event:Netscreen-Logout sensor:$1 user:$2 srcip:$3

NEXT

# 29551: configuration lock released by a task; sensor only.
id=29551
name=This NetScreen firewall has reported a lock cofiguration has ended.
match=tem
match=system-information-
match=ystem
match=Lock
match=tion
match=ed
match=ended
match=by
match=Lock configuration ended by task
match=NetScreen device_id=
regex=device_id=([0-9a-zA-Z_\.-]+)
log=type:system event:Netscreen-Lock_Ended sensor:$1

NEXT

# 29552: protocol 50 (ESP) denied (continues below).
id=29552
name=This NetScreen firewall has reported protocol 50 traffic denied.
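# (continuation of rule 29552: action=Deny, proto=50; no proto field in log=)
match=tem
match=system-notification-
match=ystem
match=action=Deny
match=src
match=dst
match=ff
match=traffic
match=proto=50
match=NetScreen device_id=
regex=device_id=([0-9a-zA-Z_\.-]+) .*src=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) dst=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:firewall event:Netscreen-Blocked_Proto50_Traffic sensor:$1 srcip:$2 dstip:$3

NEXT

# 29553: GRE (proto=47) permitted. This rule matches action=Permit and emits
# Netscreen-Allowed_Proto47_Traffic, so its description now says "allowed";
# it previously read "denied", which contradicted the rule and misled analysts.
id=29553
name=This NetScreen firewall has reported protocol 47 traffic allowed.
match=tem
match=system-notification-
match=ystem
match=action=Permit
match=src
match=dst
match=ff
match=traffic
match=service=gre
match=proto=47
match=NetScreen device_id=
regex=device_id=([0-9a-zA-Z_\.-]+) .*src=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) dst=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:firewall event:Netscreen-Allowed_Proto47_Traffic sensor:$1 srcip:$2 dstip:$3

NEXT

# 29554: admin logout with client address and port.
id=29554
name=This NetScreen firewall has had a user logoff.
match=tem
match=system-warning-
match=ystem
match=Admin
match=user
match=logged
match=ed
match=gg
match=out
match=logged out for
match=NetScreen device_id=
regex=device_id=([0-9a-zA-Z_\.-]+) .*user \"([A-Za-z0-9\$\-\_\.]+)\" .*from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]+)
log=type:logout event:Netscreen-User_Logged_Out sensor:$1 user:$2 srcip:$3 srcport:$4

NEXT

# 29555: port scan alert; "match=TCP" gates the rule, proto:6 is fixed.
id=29555
name=This NetScreen firewall has issued a port scan alert.
match=tem
match=system-alert-
match=ystem
match=Port scan!
match=ort
match=scan
match=From
match=to
match=TCP
match=NetScreen device_id=
regex=device_id=([0-9a-zA-Z_\.-]+) .*From ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]+) to ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]+), proto
log=type:firewall event:Netscreen-Port_Scan sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 proto:6

NEXT

# 29556: log reviewed by admin (continues below).
id=29556
name=This NetScreen firewall has had a log viewed by admin.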
# (continuation of rule 29556; sensor only)
match=tem
match=system-notification-
match=ystem
match=log was reviewed by admin
match=log
match=ed
match=reviewed
match=by
match=admin
match=NetScreen device_id=
regex=device_id=([0-9a-zA-Z_\.-]+) .*log was reviewed by admin
log=type:application event:Netscreen-Log_Viewed_Admin sensor:$1

NEXT

# 29557: admin file transfer. The address captured follows "to host", i.e.
# the transfer destination, yet it is emitted as srcip -- confirm whether
# dstip was intended before relying on it in correlation.
id=29557
name=This NetScreen firewall has had a file transferred by admin user.
match=tem
match=system-notification-
match=ystem
match=transferred file
match=rr
match=ed
match=transferred
match=file
match=Admin
match=user
match=NetScreen device_id=
regex=device_id=([0-9a-zA-Z_\.-]+) .*user \'([A-Za-z0-9\$\-\_\.]+)\' .*to host ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:file-access event:Netscreen-File_Transferred sensor:$1 user:$2 srcip:$3

NEXT

# 29558: management session idle timeout; client address and port.
id=29558
name=This NetScreen firewall has had a session time out.
match=tem
match=system-warning-
match=ystem
match=session
match=ss
match=ion
match=has timed out
match=ed
match=Management
match=admin
match=NetScreen device_id=
regex=device_id=([0-9a-zA-Z_\.-]+) .*from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]+)
log=type:connection event:Netscreen-Session_Timed_Out sensor:$1 srcip:$2 srcport:$3

NEXT

# 29559: SFP transceiver inserted/removed; one event covers both states.
id=29559
name=This Netscreen firewall has reported an SFP transceiver is unplugged or plugged into slot.
match=ce
match=NetScreen device_id=
match=SFP
match=er
match=trans
match=transceiver
match=is
match=gg
match=ed
match=transceiver is
match=plugged in slot
regex=device_id=([a-zA-Z0-9_\.-]+)
log=event:Netscreen-Transceiver_Unplugged_plugged sensor:$1 type:application

NEXT

# 29560: debug switch toggled; sensor only.
id=29560
name=This Netscreen firewall has reported to turn off or on debug switch.
match=ce
match=NetScreen device_id=
match=turn
match=debug
match=switch
match=tion
match=notification
match=debug switch for
regex=device_id=([a-zA-Z0-9_\.-]+)
log=event:Netscreen-Turn_Off_On_Debug_Switch sensor:$1 type:application

NEXT

# 29561: SSH password authentication failure (continues below).
id=29561
name=This Netscreen firewall has reported a login failure.
# (continuation of rule 29561; the user name is captured as $2 but only the
# client host $3 is emitted -- same pattern as 19546, presumably to keep
# mistyped passwords out of the event store; confirm before adding user:$2)
match=ce
match=NetScreen device_id=
match=SSH
match=Password
match=user
match=failed
match=ed
match=tion
match=Password authentication failed for admin user
regex=device_id=([a-zA-Z0-9_\.-]+) .*user \'([a-zA-Z0-9_\.-]+)\' at host ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Netscreen-Login_Failed sensor:$1 srcip:$3 type:login-failure

NEXT

# 29562: system clock set by hand; sensor only.
id=29562
name=This Netscreen firewall has reported the system clock was changed manually.
match=NetScreen device_id=
match=System
match=clock
match=was
match=ed
match=ll
match=from
match=System clock was changed manually
regex=device_id=([a-zA-Z0-9_\.-]+)
log=event:Netscreen-Clock_Changed_Manually sensor:$1 type:detected-change

NEXT

# 29563: clock configuration changed by admin; sensor only.
id=29563
name=This Netscreen firewall has reported the system clock configurations were changed.
match=NetScreen device_id=
match=System
match=clock
match=tion
match=configurations
match=ed
match=by
match=System clock configurations have been changed by admin
regex=device_id=([a-zA-Z0-9_\.-]+)
log=event:Netscreen-Clock_Configurations_Changed sensor:$1 type:detected-change

NEXT

# 29564: RADIUS rejected the user; srcip is the RADIUS server address.
# NOTE(review): in the user class "[a-zA-Z0-9_\.-\\]" the sequence "\.-\\" is
# a range from "." to "\" (it also admits ":;<=>?@[" and more), wider than the
# set "_ . - \" that was evidently intended. Left as is because narrowing it
# to "[a-zA-Z0-9_\.\\-]" would drop matches for names containing e.g. "@";
# decide deliberately. Same construct in 29565, 29567, 29568, 29569, 29578.
id=29564
name=This Netscreen firewall has reported a user has been rejected by the Radius server.
match=NetScreen device_id=
match=user
match=ed
match=rejected
match=Radius
match=er
match=server
match=has been rejected via the Radius server
regex=device_id=([a-zA-Z0-9_\.-]+) .*user ([a-zA-Z0-9_\.-\\]+) .*Radius server at ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Netscreen-Radius_Rejected_User sensor:$1 srcip:$3 type:login-failure

NEXT

# 29565: console login failure; user captured but not emitted (see 29561).
id=29565
name=This Netscreen firewall has reported a user has failed login.
match=NetScreen device_id=
match=console
match=via
match=ed
match=failed
match=tt
match=attempt
match=via the console has failed
regex=device_id=([a-zA-Z0-9_\.-]+) .*admin ([a-zA-Z0-9_\.-\\]+) via the
log=event:Netscreen-Login_Failed sensor:$1 type:login-failure

NEXT

# 29566: repeated login failures for a user (continues below).
id=29566
name=This Netscreen firewall has reported multiple login failures occurred for user.
# (continuation of rule 29566; sensor only)
match=NetScreen device_id=
match=Multiple
match=login
match=failures
match=rr
match=ed
match=user
match=Multiple login failures occurred for user
regex=device_id=([a-zA-Z0-9_\.-]+)
log=event:Netscreen-Multiple_Login_Failures sensor:$1 type:login-failure

NEXT

# 29567: failed web-management login with user, client address and port.
# NOTE(review): emitted as type:web-access although it is a failed login;
# the sibling failure rules use type:login-failure -- confirm which is wanted.
# User class carries the ".-\\" range noted on 29564.
id=29567
name=This Netscreen firewall has reported a user attempted web access but failed.
match=NetScreen device_id=
match=user
match=Admin
match=login
match=attempt
match=Web
match=management
match=failed
match=ed
regex=device_id=([a-zA-Z0-9_\.-]+) .*user \"([a-zA-Z0-9_\.-\\]+)\".* from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]+)
log=event:Netscreen-Web_Login_Failed sensor:$1 user:$2 srcip:$3 srcport:$4 type:web-access

NEXT

# 29568: admin account locked, will auto-unlock; user emitted.
id=29568
name=This Netscreen firewall has reported a user will be unlocked.
match=NetScreen device_id=
match=ed
match=Admin
match=locked
match=will
match=be
match=after
match=is locked and will be unlocked after
regex=device_id=([a-zA-Z0-9_\.-]+) .*Admin ([a-zA-Z0-9_\.-\\]+)
log=event:Netscreen-User_To_Be_Unlocked sensor:$1 user:$2 type:application

NEXT

# 29569: locked admin account re-enabled; user emitted.
id=29569
name=This Netscreen firewall has re-enabled a user who had been locked.
match=NetScreen device_id=
match=ed
match=Admin
match=re-enabled
match=ed
match=locked
match=after
match=after being locked due to excessive failed
regex=device_id=([a-zA-Z0-9_\.-]+) .*Admin ([a-zA-Z0-9_\.-\\]+)
log=event:Netscreen-User_Re-Enabled sensor:$1 user:$2 type:application

NEXT

# 29570: auth server definition modified; sensor only.
id=29570
name=This Netscreen firewall has had a server modified.
match=NetScreen device_id=
match=Auth
match=er
match=server
match=is
match=mod
match=ed
match=is modified.
regex=device_id=([a-zA-Z0-9_\.-]+)
log=event:Netscreen-Server_Modified sensor:$1 type:detected-change

NEXT

# 29571: auth server name set to an address (continues below).
id=29571
name=This Netscreen firewall has had a server name set.
# (continuation of rule 29571; the configured server address is emitted as srcip)
match=NetScreen device_id=
match=Auth
match=er
match=server
match=name
match=is
match=set
match= server name is set to
regex=device_id=([a-zA-Z0-9_\.-]+).* server name is set to ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Netscreen-Server_Name_Set sensor:$1 srcip:$2 type:application

NEXT

# 29572: auth server name cleared; sensor only.
id=29572
name=This Netscreen firewall has had a server name unset.
match=NetScreen device_id=
match=Auth
match=er
match=server
match=name
match=is
match=unset
match=un
match= name is unset
regex=device_id=([a-zA-Z0-9_\.-]+)
log=event:Netscreen-Server_Name_Unset sensor:$1 type:application

NEXT

# 29573: configuration saved through the web UI; admin host plus the
# management address/port it connected to.
id=29573
name=This Netscreen firewall has had its configuration saved via the web.
match=NetScreen device_id=
match=System
match=config
match=tion
match=ed
match=saved
match=web
match=from
match=host
match=System configuration saved
regex=device_id=([a-zA-Z0-9_\.-]+).* from host ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) to ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]+)
log=event:Netscreen-Configuration_Saved sensor:$1 srcip:$2 dstip:$3 dstport:$4 type:web-access

NEXT

# 29574: configuration saved from the CLI; "match=!web" keeps it disjoint
# from 29573. Both emit the same event name, differing only in type.
id=29574
name=This Netscreen firewall has had its configuration saved via ssh command.
match=!web
match=NetScreen device_id=
match=System
match=config
match=tion
match=ed
match=saved
match=from
match=host
match=System configuration saved
regex=device_id=([a-zA-Z0-9_\.-]+).* from host ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Netscreen-Configuration_Saved sensor:$1 srcip:$2 type:application

NEXT

# 29575: remote auth server promoted to primary; sensor only.
id=29575
name=This Netscreen firewall has had its remote authentication server set to primary.
match=Remote
match=NetScreen device_id=
match=tion
match=auth
match=er
match=server
match=set
match=to
match=primary
match=Remote authentication server set to primary
regex=device_id=([a-zA-Z0-9_\.-]+)
log=event:Netscreen-Remote_Server_Now_Primary sensor:$1 type:application

NEXT

# 29576: policy reordered (continues below).
id=29576
name=This Netscreen firewall has had its policy moved.
# (continuation of rule 29576; sensor only)
match=Policy
match=NetScreen device_id=
match=ed
match=moved
match=has
match=been
match= has been moved
regex=device_id=([a-zA-Z0-9_\.-]+)
log=event:Netscreen-Policy_Moved sensor:$1 type:application

NEXT

# 29577: active auth server switchover; sensor only.
id=29577
name=This Netscreen firewall has had its active server switched.
match=tive
match=NetScreen device_id=
match=Active
match=er
match=Server
match=Switchover
match=Active Server Switchover
regex=device_id=([a-zA-Z0-9_\.-]+)
log=event:Netscreen-Active_Server_Switchover sensor:$1 type:application

NEXT

# 29578: admin session forcibly terminated; user and host emitted.
# User class carries the ".-\\" range noted on 29564.
id=29578
name=This Netscreen firewall has had a user forced to log out.
match=user
match=NetScreen device_id=
match=has
match=er
match=been
match=ed
match=forced
match=to
match=log
match=out
match=has been forced to log out
regex=device_id=([a-zA-Z0-9_\.-]+).* user \"([a-zA-Z0-9_\.-\\]+)\".* on host ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Netscreen-Forced_Logout sensor:$1 user:$2 srcip:$3 type:logout

NEXT

# 29579: service object added; admin host emitted as srcip.
id=29579
name=This Netscreen firewall has had a service added.
match=NetScreen device_id=
match=has
match=been
match=ed
match=add
match=added
match=by
match=via
match=Service
match=has been added by
regex=device_id=([a-zA-Z0-9_\.-]+).* from host ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Netscreen-Service_Added sensor:$1 srcip:$2 type:application

NEXT

# 29580: remotely-authenticated root-privileged admins permitted. The
# spelling "permited" is what the device emits (it is a match= value), so
# the event name keeps it deliberately.
id=29580
name=This Netscreen firewall has had remotely authenticated ROOT privileged admins 'permited'.
match=NetScreen device_id=
match=ly
match=Remotely
match=ed
match=authenticated
match=permited
match=privileged
match=privileged admins
regex=device_id=([a-zA-Z0-9_\.-]+)
log=event:Netscreen-Privileged_Admins_Permited sensor:$1 type:application

NEXT

# 29581: policy modified via NSRP peer (continues below).
id=29581
name=This NetScreen address has modified a policy by admin via NSRP Peer.
# (continuation of rule 29581; sensor only)
match=tem
match=ystem
match=ion
match=system-notification
match=le
match=ed
match=via NSRP
match=Policy
match=was modified by admin
match=as
match=mo
match=ad
match=by
match=NetScreen device_id=
regex=device_id=([0-9a-zA-Z_\.-]+)
log=type:system event:Netscreen-NSRP_Peer_Modified_Policy sensor:$1

NEXT

# 29582: Trust-zone address added via NSRP. The regex captures "A/B" after
# "address"; $3 (after the slash) is emitted as dstip even though, by the
# message layout, it is presumably the netmask rather than a peer host --
# treat dstip from this event with care.
id=29582
name=This NetScreen address has added a Trust zone by admin via NSRP Peer.
match=tem
match=ystem
match=ion
match=system-notification
match=le
match=ed
match=via NSRP
match=zone Trust has been added by admin
match=Tr
match=ee
match=dd
match=by
match=ad
match=NetScreen device_id=
regex=device_id=([0-9a-zA-Z_\.-]+).* address ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\/([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:system event:Netscreen-NSRP_Peer_Added_Trust_Zone sensor:$1 srcip:$2 dstip:$3

NEXT

# 29583: service object added via NSRP; sensor only.
id=29583
name=This NetScreen address has added a service by admin via NSRP Peer.
match=tem
match=ystem
match=ion
match=system-notification
match=Service
match=ed
match=via NSRP
match=has been added by admin
match=as
match=ee
match=dd
match=ad
match=ad
match=in
match=NetScreen device_id=
regex=device_id=([0-9a-zA-Z_\.-]+)
log=type:system event:Netscreen-NSRP_Peer_Added_Service sensor:$1

NEXT

# 29584: service attached to a policy via NSRP; sensor only.
id=29584
name=This NetScreen address has added a service to policy by admin via NSRP Peer.
match=tem
match=ystem
match=ion
match=system-notification
match=Service
match=ed
match=via NSRP
match=was added to policy
match=as
match=dd
match=to
match=po
match=li
match=cy
match=NetScreen device_id=
regex=device_id=([0-9a-zA-Z_\.-]+)
log=type:system event:Netscreen-NSRP_Peer_Added_Service_To_Policy sensor:$1

NEXT

# 29585: permitted session closed by age-out (continues below).
id=29585
name=This Netscreen firewall has closed a possible connection due to timeout.
# (continuation of rule 29585: the "reason=Close - AGE OUT" records that
# 9507/9508/9509 exclude; matches message id system-notification-00257 and
# any protocol via the bare "match=proto=". No proto field is emitted.)
match=ion
match=action=Permit
match=ce
match=NetScreen device_id=
match=tem
match=system-notification-00257
match=ystem
match=ol
match=policy_id=
match=proto=
match=reason=Close - AGE OUT
regex=device_id=([a-zA-Z0-9_\.-]+).* src=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) dst=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Netscreen-Connection_Closed_TimedOut sensor:$1 srcip:$2 dstip:$3 type:connection