# THUNDER PRM LIBRARY
# Copyright 2006-2007 Tenable Network Security
# This library may only be used with the Thunder server and may not
# be used with other products or open source projects
#
# NAME:
# Common PRM rules for logs generated by the TASL scripts
#
# DESCRIPTION:
# This library contains all of the PRM rules for the existing
# Tenable TASL scripts. Without this library, the LCE will not know how
# to process log messages generated by the TASL scripts.
#
# LAST UPDATE: $Date$

# PVS-New_Host_Portscanning: a host that PVS has not seen before is port
# scanning. $1 is the IPv4 address after "- host"; the TASL log names only
# that one address, so it is recorded as both srcip and dstip.
id=20000
name=The Log Correlation Engine has detected a new host that is attempting multiple port scans. This can indicate that a host or laptop has recently become active and may have been infected with a worm on a different network.
match=PVS
match=New
match=scan
match=an
match=host
match=ing
match=PVS-New_Host_Portscanning - host
regex= - host ([0-9]+(\.[0-9]+){3})
log=event:PVS-New_Host_Portscanning srcip:$1 dstip:$1 type:scanning

# id=20001 available

NEXT

# New_SSH_User: first sighting of an SSH user name. There is no regex=, so
# the user name itself is not extracted; only the event name/type is logged.
id=20002
name=The Log Correlation Engine has detected an SSH user name it has not encountered before. 
match=New
match=ser
match=New_SSH_User - The user 
log=event:New_SSH_User type:detected-change 

NEXT

# New_MAC: first sighting of an Ethernet (MAC) address. No fields are
# extracted from the log text.
id=20003
name=The Log Correlation Engine detected an Ethernet address it has not seen before.
match=New
match=MAC
match=ser
match=ed
match=New_MAC - The host
log=event:New_MAC type:detected-change 

NEXT

# Invalid_Account-logon_attempt: logon attempt against a deactivated account,
# classified as a login failure. Note the TASL marker is spelled
# "logon_attempt" while the emitted event is "Logon_Attempt".
id=20004
name=The Log Correlation Engine has detected a login failure for an account which has been deactivated.
match=host
match=tem
match=lo
match=log
match=pt
match=Invalid_Account-logon_attempt host - 
log=event:Invalid_Account-Logon_Attempt type:login-failure

NEXT

# New_User: a previously unseen account became active. $1 is the account
# name from "account <name> logged"; the class permits letters, digits and
# the characters $ - _ @ . (so DOMAIN\user style names will not capture).
id=20005
name=The Log Correlation Engine detected a new active user account on a monitored system. 
match=New
match=ser
match=User
match=New_User - at 
regex=account ([A-Za-z0-9\$\-\_@\.]+) logged
log=event:New_User user:$1 type:detected-change

NEXT

# Application_Change: generic application change reported by a TASL.
# No fields are extracted.
id=20007
name=The Log Correlation Engine encountered a log that indicated that an application had a change.
match=ent
match=event
match=_Change
match=an
match=ion
match=Application_Change 
match=pp
match=Application
log=event:Application_Change type:detected-change

NEXT

# Database_Change: a change on a SQL database, as summarised by a TASL
# ("Evaluated as event" is part of that TASL's wording). No fields extracted.
id=20008
name=The Log Correlation Engine encountered a log that indicated that a SQL database had a change.
match=ent
match=event
match=_Change
match=an
match=Database_Change 
match=Evaluated as event
log=event:Database_Change type:detected-change

NEXT

# User_Change: a user account attribute changed. No fields extracted.
id=20009
name=The Log Correlation Engine has encountered a log which indicates a user account attribute has changed. 
match=_Change
match=ent
match=event
match=an
match=ser
match=User
match=User_Change - 
match=Evaluated as event
log=event:User_Change type:detected-change

NEXT

# Server_Change: a server attribute changed. Apart from "Host:", every short
# match= fragment below is a substring of "Server_Change -" or "Evaluated as
# event", so the two phrase lines plus "Host:" are what actually decide a hit.
id=20010
name=The Log Correlation Engine has encountered a log which indicates a server attribute has changed. 
match=Host:
match=Se
match=an
match=as
match=Server
match=Ev
match=at
match=event
match=Ho
match=ent
match=te
match=ver
match=ed
match=ate
match=_Change
match=Server_Change -
match=al
match=erv
match=en
match=ated
match=ng
match=Evaluated as event
log=event:Server_Change type:detected-change

NEXT

# Device_Change: a device attribute changed. No fields extracted.
id=20011
name=The Log Correlation Engine has encountered a log which indicates a device attribute has changed. 
match=an
match=_Change
match=ce
match=Device_Change - 
match=event
match=Evaluated as event
log=event:Device_Change type:detected-change

NEXT

# Network_Change: a network-level change. Unlike the sibling *_Change rules
# this one does not require "Evaluated as event". No fields extracted.
id=20012
name=The Log Correlation Engine has encountered a log which indicates the network has changed.
match=_Change
match=an
match=Network_Change - 
log=event:Network_Change type:detected-change

# id=20013

NEXT

# LCE-Client_Logout: Log Daemon debug line "thunder server: client host <ip>
# ... logged out". $1 is the client IPv4 address (srcip and dstip).
id=20014
name=The Log Correlation Engine has detected an LCE client logout.
match=host
match=ent
match=ser
match=Lo
match= (Log Daemon) DEBUG: thunder server: client host
match=mon
match=lo
match=log
match=ed
match= logged out
regex=client host ([0-9]+(\.[0-9]+){3}) logged out
log=event:LCE-Client_Logout srcip:$1 dstip:$1 type:lce

NEXT

# LCE-Client_Login: Log Daemon debug line for a client whose connection moved
# from STATE_AWAITING_CHALLENGE_RESP to STATE_AUTH_SUCCEEDED. $1 is the client
# IPv4 address; the "fd: ..." text between address and transition is skipped.
id=20015
name=The Log Correlation Engine has detected an LCE client login.
match=host
match=AL
match=ent
match=ser
match=Lo
match= (Log Daemon) DEBUG: thunder server: client host
match=mon
match=sta
match=AT
match=ate
match=ion
match=EN
match=state transition STATE_AWAITING_CHALLENGE_RESP --> STATE_AUTH_SUCCEEDED
match=an
match=IN
match=ST
regex=client host ([0-9]+(\.[0-9]+){3}) fd\: .* state transition
log=event:LCE-Client_Login srcip:$1 dstip:$1 type:lce

NEXT

# LCE-Dead_Client: an LCE client stopped reporting. No fields extracted.
id=20016
name=The Log Correlation Engine detected a dead LCE client. 
match=IP
match=ent
match=LCE-Dead_Client -
match=LCE
log=event:LCE-Dead_Client type:lce

NEXT

# Suspicious_Proxy: a host relaying sessions to another host. The match
# lines require the words "client", "session" and "omplete" (complete/
# incomplete) to appear in the TASL text. No fields extracted.
id=20017
name=The Log Correlation Engine has detected a host forwarding network connections to another host.
match=host
match=ion
match=est
match=ent
match=client
match=omplete
match=in
match=le
match=session
match=ing
match=ed
match=ss
match=Suspicious_Proxy - host: 
log=event:Suspicious_Proxy type:network

NEXT

# Multiple_System_Crashes: several crash/restart events seen. Besides the
# TASL marker this rule insists on "attack", "error", " failed", "crash" and
# " seconds" all being present in the text; if the TASL wording changes the
# rule silently stops matching. No fields extracted.
id=20018
name=The Log Correlation Engine has detected multiple system crash and restart events on the network. Large numbers of unexpected reboots and crashes could indicate a worm, hardware problems and other important issues.
match=ystem
match=ic
match=rr
match=ailed
match=at
match=error
match=event
match=le
match=ail
match=ttack
match=ent
match= failed
match=rror
match= seconds
match=rash
match=fail
match=attack
match=ac
match=ing
match=ed
match=st
match=ack
match=host
match=Multiple_System_Crashes - There have been 
log=event:Multiple_System_Crashes type:process

NEXT

# Password_Guessing: many login failures against one host. No fields are
# extracted, so the target host is only available in the raw log text.
id=20019
name=The Log Correlation Engine has detected multiple password login failures. This could indicate brute force password guessing against a single host. 
match=ail
match=ailure
match=ss
match=ass
match=ing
match=Password_Guessing - There have been 
match=lo
match=log
match= login failures in the 
log=event:Password_Guessing type:intrusion

NEXT

# Successful_Password_Guess: login failures followed by a successful login
# from the same host. No fields extracted.
id=20020
name=The Log Correlation Engine has detected multiple password login failures from a single host followed by a login. This could indicate a successful password guess. 
match=host
match=ss
match=ass
match=ce
match=Successful_Password_Guess - host 
log=event:Successful_Password_Guess type:intrusion

NEXT

# New_Windows_Process: a Windows process started on a host that never ran it
# before. No fields extracted (compare id=20081 for first sighting anywhere).
id=20021
name=The Log Correlation Engine has observed a Windows process start on a host that has never previously run this program before. This could be a new program being installed and running for the first time, but could also indicate a hacker or system compromise. This should be investigated.
match=host
match=New
match=indo
match=ce
match=ss
match=New_Windows_Process - host 
log=event:New_Windows_Process type:detected-change

NEXT

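# Network_Login_Sweep: login failures from one source against many targets.
# The description previously read "This could password guessing of one host
# against multiple targets" (missing verb); wording corrected, matching
# unchanged. No fields extracted.
id=20022
name=The Log Correlation Engine has detected multiple password login failures from one host to many different hosts. This could indicate password guessing from one host against multiple targets.
match=Lo
match=Network_Login_Sweep - There have been 
match=lo
match=log
match=ail
match= login failures in the 
match=ailure
log=event:Network_Login_Sweep type:intrusion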

NEXT

# Software_Installed: software installation reported by a TASL. The many
# short fragments are substrings of "Software_Installed -" and "Evaluated as
# event"; those two phrase lines decide the match. No fields extracted.
id=20023
name=The Log Correlation Engine has encountered a log which indicates that software has been installed.
match=Software_Installed -
match=Evaluated as event
match=wa
match=nstall
match=In
match=Software
match=Ev
match=event
match=le
match=Inst
match=all
match=te
match=sta
match=ed
match=re
match=ate
match=al
match=nt
match=ated
match=Software_
match=st
match=ve
match= event
log=event:Software_Installed type:detected-change

NEXT

# Software_Removed: software uninstallation. Note there is no
# "Software_Removed -" phrase line; the hit is decided by "Software_",
# "Removed", "Ho" and "Evaluated as event" together. No fields extracted.
id=20024
name=The Log Correlation Engine has encountered a log which indicates that software has been un-installed.
match=wa
match=move
match=Software
match=Ev
match=at
match=event
match=moved
match=Ho
match=ent
match=te
match=Re
match=re
match=Removed
match=ate
match=al
match=ar
match=ated
match=mo
match=Software_
match=st
match=ve
match=Evaluated as event
log=event:Software_Removed type:detected-change

NEXT

# User_Removed: a user account was removed or disabled. No fields extracted.
id=20025
name=The Log Correlation Engine has encountered a log which indicates that a user account has been removed or disabled. 
match=ser
match=User
match=ed
match=User_Removed - 
match=Evaluated as event
match=al
match=ate
match=ve
log=event:User_Removed type:detected-change

NEXT

# LCE-High_Memory_Usage: system-monitor threshold exceeded for memory.
# Logged as type:error like the CPU and disk rules (id=20029, load, uses
# type:lce instead). No fields extracted.
id=20026
name=The Log Correlation Engine has encountered a server with high memory usage. The script can be configured with a variable threshold to alert for high memory usage. These events are generated when various UNIX and Windows LCE clients send in their systems current CPU, Memory and Disk usage information.
match=LCE-High_
match=tem
match=ystem
match=LCE-High_Memory_Usage - the system at
log=event:LCE-High_Memory_Usage type:error

NEXT

# LCE-High_CPU_Usage: system-monitor threshold exceeded for CPU.
# No fields extracted.
id=20027
name=The Log Correlation Engine has encountered a server with high CPU usage. The script can be configured with a variable threshold to alert for high CPU usage. These events are generated when various UNIX and Windows LCE clients send in their systems current CPU, Memory and Disk usage information.
match=tem
match=ystem
match=LCE-High_
match=LCE-High_CPU_Usage - the system at
log=event:LCE-High_CPU_Usage type:error

NEXT

# LCE-High_Disk_Usage: system-monitor threshold exceeded for disk.
# No fields extracted.
id=20028
name=The Log Correlation Engine is running the system_monitor.tasl script and has found a server with high disk usage. The script can be configured with a variable threshold to alert for high disk usage. These events are generated when various UNIX and Windows LCE clients send in their systems current CPU, Memory and Disk usage information.
match=tem
match=ystem
match=LCE-High_
match=LCE-High_Disk_Usage - the system at
log=event:LCE-High_Disk_Usage type:error

NEXT

# LCE-High_Load: system-monitor threshold exceeded for Unix load average.
# NOTE(review): this is type:lce whereas the memory/CPU/disk siblings are
# type:error -- confirm whether the difference is intentional before
# building dashboards on the type field. No fields extracted.
id=20029
name=The Log Correlation Engine has encountered a Unix server with high process load. The script can be configured with a variable threshold to alert for high process used usage. These events are generated when various UNIX and Windows LCE clients send in their systems current CPU, Memory and Disk usage information.
match=tem
match=ystem
match=LCE-High_
match=Lo
match=LCE-High_Load - the system at
log=event:LCE-High_Load type:lce

NEXT

# New_Command: a command executed for the first time. $1 is the host IPv4
# address after "on host"; the non-greedy [...]*? skips the optional host
# name text up to "and this".
id=20030
name=The LCE has encountered a new Unix or Windows process which has not been seen used before. This could indicate a new valid program or perhaps something used by a malicious user.  
match=host
match=New_Command - 
match=an
match=ecu
match=ed
match=' has been executed on host 
match=ommand
regex=on host ([0-9]+(\.[0-9]+){3}) [A-Za-z\.\(\)0-9 ]*?and this
log=event:New_Command type:process srcip:$1 dstip:$1 

NEXT

# Hourly_Command_Summary: per-host list of commands run in the last hour.
# $1 is the host IPv4 address after "- host".
id=20031
name=The LCE has generated a report of all commands run in the past hour.
match=host
match=ar
match=Hourly_Command_Summary - host 
match=ed
match=ss
match= issued these commands in the last hour
match=ommand
match=an
regex=- host ([0-9]+(\.[0-9]+){3}) 
log=event:Hourly_Command_Summary type:process srcip:$1 dstip:$1 

NEXT

# Daily_Command_Summary: per-host list of commands run in the last day.
# $1 is the host IPv4 address after "- host".
id=20032
name=The LCE has generated a report of all commands run in the past day.
match=host
match=ail
match=Daily_
match=ar
match=Daily_Command_Summary - host 
match=ed
match=ss
match= issued these commands in the 
match=ommand
match=an
regex=- host ([0-9]+(\.[0-9]+){3}) 
log=event:Daily_Command_Summary type:process srcip:$1 dstip:$1 

NEXT

# Daily_User_Summary: per-host list of accounts that ran a command in the
# last day. $1 is the host IPv4 address after "- host".
id=20033
name=The LCE has generated a report of all user accounts that have invoked at least one command in the past day.
match=host
match=ail
match=Daily_
match=ser
match=ar
match=Daily_User_Summary - host 
match= had these active users in the last day:
regex=- host ([0-9]+(\.[0-9]+){3}) 
log=event:Daily_User_Summary type:process srcip:$1 dstip:$1 

#NEXT -- there is no active TASL that generates this log
#
#id=20034
#name=The Log Correlation Engine has detected a system which had a valid login and then some sort of system change.
#example=Login_Then_Change - host: 192.168.20.16 (kingkong) experienced a SSH-Valid_Login login event and then a New_User change event occurring approximately 15 minutes ago. In addition to process account and configuration auditing, associating logins with change is an excellent way to track authorized changes to systems
#match=host
#match=_Change
#match=an
#match=Lo
#match=Login_Then_Change - host:
#match=ce
#match=ed
#match= experienced a 
#log=type:detected-change event:Login_Then_Change 

NEXT

# Firewall_Change: firewall configuration change. No fields extracted.
id=20035
name=The LCE has detected a change in a firewall.
match=Evaluated as event
match=ent
match=event
match=Host
match=an
match=_Change
match=ire
match=Firewall_Change -
log=event:Firewall_Change type:detected-change

NEXT

# Router_Change: router attribute change. No fields extracted.
id=20036
name=The Log Correlation Engine has encountered a log which indicates a router attribute has changed.
match=Evaluated as event
match=ent
match=event
match=_Change
match=Router_Change -
match=an
log=event:Router_Change type:detected-change

NEXT

# Switch_Change: switch attribute change. No fields extracted.
id=20037
name=The Log Correlation Engine has encountered a log which indicates a switch attribute has changed.
match=Evaluated as event
match=ent
match=event
match=Switch_Change -
match=_Change
match=an
log=event:Switch_Change type:detected-change

NEXT

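# PVS-Database_SELECT_Command: PVS "Database command logging" record
# (the |7019| field, presumably the PVS plugin id) whose SQL text starts
# with SELECT after a ':' or ';'. regexi is case-insensitive. Captures from
# the "pvs: src:port|dst:port|proto" prefix: $1 source IP, $3 source port,
# $6 destination port, $7 protocol; $8 is the address inside "database
# server (...)" and is what dstip is set to. Records also flagged
# "Suspicious SQL Query Detected" are excluded here and left to id=20059.
# Fix: "Vulnerabiltiy" typo in the user-visible description.
id=20042
name=A Database SELECT Query has been detected on the network by the Passive Vulnerability Scanner.
match=!Suspicious SQL Query Detected
match=|70
match=|7019|
match=lo
match=log
match=ing
match=Database command logging
match=ommand
match=an
regexi=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*database server \(([0-9]+(\.[0-9]+){3}).*(\:|\;)\s*select
log=event:PVS-Database_SELECT_Command srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:database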

NEXT

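# PVS-Database_CREATE_Command: PVS database command log whose SQL text
# starts with CREATE after ':' or ';'. Captures as in id=20042 ($1/$3 source
# IP/port, $6 destination port, $7 protocol, $8 database server address used
# as dstip). Fix: "Vulnerabiltiy" typo in the description.
id=20043
name=A Database CREATE Query has been detected on the network by the Passive Vulnerability Scanner.
match=!Suspicious SQL Query Detected
match=|7019|
match=|70
match=lo
match=log
match=ing
match=Database command logging
match=ommand
match=an
regexi=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*database server \(([0-9]+(\.[0-9]+){3}).*(\:|\;)\s*create
log=event:PVS-Database_CREATE_Command srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:database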

NEXT

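# PVS-Database_INSERT_Command: PVS database command log whose SQL text
# starts with INSERT after ':' or ';'. Captures as in id=20042.
# Fix: "Vulnerabiltiy" typo in the description.
id=20044
name=A Database INSERT Query has been detected on the network by the Passive Vulnerability Scanner.
match=!Suspicious SQL Query Detected
match=|7019|
match=|70
match=lo
match=log
match=ing
match=Database command logging
match=ommand
match=an
regexi=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*database server \(([0-9]+(\.[0-9]+){3}).*(\:|\;)\s*insert
log=event:PVS-Database_INSERT_Command srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:database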

NEXT

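# PVS-Database_DELETE_Command: PVS database command log whose SQL text
# starts with DELETE after ':' or ';'. Captures as in id=20042.
# Fix: "Vulnerabiltiy" typo in the description.
id=20045
name=A Database DELETE Query has been detected on the network by the Passive Vulnerability Scanner.
match=!Suspicious SQL Query Detected
match=|7019|
match=|70
match=lo
match=log
match=ing
match=Database command logging
match=ommand
match=an
regexi=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*database server \(([0-9]+(\.[0-9]+){3}).*(\:|\;)\s*delete
log=event:PVS-Database_DELETE_Command srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:database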

NEXT

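# PVS-Database_UPDATE_Command: PVS database command log whose SQL text
# starts with UPDATE after ':' or ';'. Captures as in id=20042.
# Fix: "Vulnerabiltiy" typo in the description.
id=20046
name=A Database UPDATE Query has been detected on the network by the Passive Vulnerability Scanner.
match=!Suspicious SQL Query Detected
match=|7019|
match=|70
match=lo
match=log
match=ing
match=Database command logging
match=ommand
match=an
regexi=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*database server \(([0-9]+(\.[0-9]+){3}).*(\:|\;)\s*update
log=event:PVS-Database_UPDATE_Command srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:database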

NEXT

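# PVS-Database_DROP_Command: PVS database command log whose SQL text
# starts with DROP after ':' or ';'. Captures as in id=20042.
# Fix: "Vulnerabiltiy" typo in the description.
id=20047
name=A Database DROP Query has been detected on the network by the Passive Vulnerability Scanner.
match=!Suspicious SQL Query Detected
match=|7019|
match=|70
match=lo
match=log
match=ing
match=Database command logging
match=ommand
match=an
regexi=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*database server \(([0-9]+(\.[0-9]+){3}).*(\:|\;)\s*drop
log=event:PVS-Database_DROP_Command srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:database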

NEXT

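# PVS-Database_GRANT_Command: PVS database command log whose SQL text
# starts with GRANT after ':' or ';'. Captures as in id=20042. The more
# specific GRANT rules (id=20066..20071) match the same records; which
# event(s) result depends on how the engine orders overlapping rules.
# Fix: "Vulnerabiltiy" typo in the description.
id=20048
name=A Database GRANT Query has been detected on the network by the Passive Vulnerability Scanner.
match=!Suspicious SQL Query Detected
match=|7019|
match=|70
match=lo
match=log
match=ing
match=Database command logging
match=ommand
match=an
regexi=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*database server \(([0-9]+(\.[0-9]+){3}).*(\:|\;)\s*grant
log=event:PVS-Database_GRANT_Command srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:database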

NEXT

# LCE-Unix_Executable_File_Modified: LCE client MD5 change report for a
# file under /bin, /sbin, /usr/bin, /usr/sbin or /usr/libexec. The regex is
# a prefix match ("File /bin" also matches "/binaries/..."); no trailing
# slash is required. No fields extracted.
id=20049
name=The LCE client has detected a Unix binary file modification.
match=MD5
match=le
match=File /
match=ed
match=checksum changed
match=an
regexi=File /(bin|sbin|usr/bin|usr/sbin|usr/libexec)
log=event:LCE-Unix_Executable_File_Modified type:detected-change

NEXT

# LCE-Unix_Configuration_File_Modified: MD5 change for a file under /etc or
# /System. /etc/prelink.cache is excluded (it is rewritten by prelink and
# would otherwise fire continuously). No fields extracted.
id=20050
name=The LCE client has detected a Unix configuration file modification.
match=!etc/prelink.cache
match=MD5
match=le
match=File /
match=ed
match=MD5 checksum changed
match=an
regexi=File /(etc|System)
log=event:LCE-Unix_Configuration_File_Modified type:detected-change

NEXT

# LCE-Unix_Tenable_File_Modified: MD5 change for a file under
# /opt/{lce,nessus,pvs,sc3,sc4}. No fields extracted.
id=20051
name=The LCE client has detected a Tenable product configuration file modification.
match=MD5
match=le
match=pt
match=File /opt
match=ed
match=MD5 checksum changed
match=an
regexi=File /opt/(lce|nessus|pvs|sc3|sc4)
log=event:LCE-Unix_Tenable_File_Modified type:detected-change

NEXT

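# LCE-Unix_Library_File_Modified: MD5 change for a file under /lib or
# /usr/lib (prefix match, so /lib64 and /usr/lib64 are covered too).
# Fix: "File /usr/lib" is also a prefix of "File /usr/libexec", which
# id=20049 already classifies as an executable directory and id=20053
# already excludes; exclude it here so a libexec change is not additionally
# (or instead) reported as a library change. No fields extracted.
id=20052
name=The LCE client has detected a Unix library file modification.
match=MD5
match=le
match=File /
match=ed
match=MD5 checksum changed
match=an
match=!File /usr/libexec
regexi=File /(lib|usr/lib)
log=event:LCE-Unix_Library_File_Modified type:detected-change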

NEXT

# LCE-Unix_Misc_File_Modified: catch-all for MD5 changes under any Unix path
# not claimed by id=20049..20052. The "!File /..." exclusions are literal
# prefixes, so e.g. "/binaries" is excluded here as well as not matched by
# id=20049. No fields extracted.
id=20053
name=The LCE client has detected a Unix file modification.
match=MD5
match=le
match=File /
match=ed
match=MD5 checksum changed
match=an
match=!File /bin
match=!File /opt
match=!File /sbin
match=!File /usr/bin
match=!File /usr/sbin
match=!File /usr/libexec
match=!File /etc
match=!File /System
match=!File /lib
match=!File /usr/lib
log=event:LCE-Unix_Misc_File_Modified type:detected-change

NEXT

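# LCE-Windows_Executable_File_Modified: MD5 change for a Windows file whose
# extension is exe, bat, cmd, com or msi.
# Fix: the original regexi (.exe|.bat|.cmd|.com|.msi) left the dots
# unescaped, so "." matched any character and, case-insensitively, "\Com"
# in "C:\Program Files\Common Files\..." satisfied ".com" regardless of the
# real extension. The dot is now literal and the extension must be followed
# by a non-identifier character (the closing quote) or end of line.
# No fields extracted.
id=20054
name=The LCE client has detected a Windows executable file modification.
match=MD5
match=le
match=File "
match=File
match=ed
match=MD5 checksum changed
match=an
regexi=\.(exe|bat|cmd|com|msi)([^A-Za-z0-9_]|$)
log=event:LCE-Windows_Executable_File_Modified type:detected-change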

NEXT

# Windows DLL modification: literal substring ".dll" anywhere in the log.
# NOTE(review): the event is named LCE-Windows_Executable_Modified although
# the description says "library"; the Unix sibling is
# LCE-Unix_Library_File_Modified. Left unchanged because downstream filters
# may already key on this name -- confirm before renaming. No fields extracted.
id=20055
name=The LCE client has detected a Windows library file modification.
match=MD5
match=LCE
match=le
match=File "
match=File
match=ed
match=MD5 checksum changed
match=an
match=.dll
log=event:LCE-Windows_Executable_Modified type:detected-change

NEXT

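# LCE-Windows_System_File_Modified: MD5 change for a Windows file whose
# extension is sys, bak, cpl, lnk, pif or scr.
# Fix: with the dots unescaped in the original (.sys|.bak|...), ".sys"
# matched "\system32\" and ".scr" matched "\Scripts\" in any path, so every
# file under those directories was reported as a system file whatever its
# extension. The dot is now literal and the extension must end the token.
# No fields extracted.
id=20056
name=The LCE client has detected a Windows system file modification.
match=MD5
match=LCE
match=le
match=File "
match=File
match=ed
match=MD5 checksum changed
match=an
regexi=\.(sys|bak|cpl|lnk|pif|scr)([^A-Za-z0-9_]|$)
log=event:LCE-Windows_System_File_Modified type:detected-change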

NEXT

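# LCE-Windows_Configuration_File_Modified: MD5 change for a Windows file
# whose extension is inf, ini, ins, isp or reg.
# Fix: the original (.inf|.ini|.ins|.isp|.reg) left the dots unescaped, so
# ".ins" matched "\Installer\" and ".reg" matched "\Regional..." in any path.
# The dot is now literal and the extension must end the token.
# No fields extracted.
id=20057
name=The LCE client has detected a Windows configuration file modification. 
match=MD5
match=le
match=File "
match=File
match=ed
match=MD5 checksum changed
match=an
regexi=\.(inf|ini|ins|isp|reg)([^A-Za-z0-9_]|$)
log=event:LCE-Windows_Configuration_File_Modified type:detected-change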

NEXT

# LCE-Windows_Misc_File_Modified: catch-all for Windows MD5 changes not
# claimed by id=20054..20057. The "!.ext" lines are literal substring
# exclusions, so a path merely containing ".com" or ".bak" (e.g.
# "report.bak.txt") is excluded here even though it is not a real match for
# the specific rules. No fields extracted.
id=20058
name=The LCE client has detected a file modification. 
match=MD5
match=le
match=File "
match=File
match=ed
match=MD5 checksum changed
match=an
match=!.exe
match=!.bat
match=!.cmd
match=!.com
match=!.msi
match=!.dll
match=!.sys
match=!.bak
match=!.cpl
match=!.lnk
match=!.pif
match=!.scr
match=!.inf
match=!.ini
match=!.ins
match=!.isp
match=!.reg
log=event:LCE-Windows_Misc_File_Modified type:detected-change

NEXT

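# Suspicious_SQL_Query_Detected: PVS record carrying the plugin name
# "Suspicious SQL Query Detected" (the records the PVS-Database_* rules
# exclude).
# Fix: the original had no regex= yet its log= line referenced $1/$3/$6/$7/
# $8, so those fields were never populated. A regexi over the standard
# "pvs: src:port|dst:port|proto" prefix now supplies them: $1 source IP,
# $3 source port, $4 destination IP, $6 destination port, $7 protocol.
# dstip uses the PVS destination ($4) rather than a "database server (...)"
# address because this record is not known to carry that text.
id=20059
name=A suspicious SQL query was detected.
match=Suspicious SQL Query Detected
match=etected
match=ic
match=ect
match=ici
match=ed
match=usp
regexi=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:Suspicious_SQL_Query_Detected srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:intrusion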

NEXT

# Suspicious_SQL-Command_Execution: PVS database command log containing an
# xp_cmdshell / xp_regread / xp_regwrite / xp_servicecontrol call (MSSQL
# extended stored procedures). Captures as in id=20042; the xp_ group is $10
# and is not logged.
id=20060
name=A suspicious SQL query with a potential SQL injection event was detected.
match=|7019|
match=|70
match=pvs
match=lo
match=ing
match=Database command logging
match=ommand
match=an
regexi=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*database server \(([0-9]+(\.[0-9]+){3}).*xp_(cmdshell|regread|regwrite|servicecontrol)
log=event:Suspicious_SQL-Command_Execution srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:intrusion

NEXT

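# Suspicious_SQL-Benchmark_Delay: PVS database command log containing a
# MySQL BENCHMARK(<n>, ...) call, typical of time-based blind injection.
# Fix: the original character class was "[0..9]+", which is the set
# {'0', '.', '9'} and therefore only matched counts written with those
# characters (e.g. BENCHMARK(99, ...)) -- a real 5000000 never matched.
# Corrected to [0-9]+. Captures as in id=20042.
id=20061
name=A suspicious SQL query was detected.
match=|7019|
match=|70
match=pvs
match=lo
match=ing
match=Database command logging
match=ommand
match=an
regexi=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*database server \(([0-9]+(\.[0-9]+){3}).*BENCHMARK\([0-9]+,
log=event:Suspicious_SQL-Benchmark_Delay srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:intrusion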

NEXT

# Suspicious_SQL-Meta_Characters_Seen: PVS database command log containing
# "--" or "#" anywhere after the server address. Both are SQL comment
# introducers used to truncate injected statements, but they also occur in
# legitimate commented SQL, so expect benign hits. Captures as in id=20042.
id=20062
name=A suspicious SQL query was detected containing a number sign or double minus signs. 
match=|7019|
match=|70
match=pvs
match=lo
match=ing
match=Database command logging
match=ommand
match=an
regexi=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*database server \(([0-9]+(\.[0-9]+){3}).*(--|#)
log=event:Suspicious_SQL-Meta_Characters_Seen srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:intrusion

NEXT

# Suspicious_SQL-CONCAT_Command_Seen: PVS database command log containing
# "select CONCAT(" (case-insensitive; exactly one space between the two
# words). Captures as in id=20042.
id=20063
name=A suspicious SQL query was detected which attempted to run the CONCAT command. 
match=|7019|
match=|70
match=pvs
match=lo
match=ing
match=Database command logging
match=ommand
match=an
regexi=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*database server \(([0-9]+(\.[0-9]+){3}).*select CONCAT\(
log=event:Suspicious_SQL-CONCAT_Command_Seen srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:intrusion

NEXT

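# Suspicious_SQL-Write_Output_to_File: PVS database command log containing
# MySQL "INTO OUTFILE" or T-SQL "BACKUP ... TO DISK", both of which write
# query output to the server's filesystem.
# Fix: the original alternative was "BACKUP .* to disks"; the T-SQL clause
# is "TO DISK = '...'" (no trailing s), so that branch effectively never
# matched. "to disk" is a prefix of the old text, so nothing that matched
# before stops matching. Captures as in id=20042.
id=20064
name=A suspicious SQL query was detected which attempted to write data to a file. 
match=|7019|
match=|70
match=pvs
match=lo
match=ing
match=Database command logging
match=ommand
match=an
regexi=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*database server \(([0-9]+(\.[0-9]+){3}).*(into outfile|BACKUP .* to disk)
log=event:Suspicious_SQL-Write_Output_to_File srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:intrusion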

NEXT

# Suspicious_SQL-User_Database_Dump: PVS database command log selecting from
# sysusers (MSSQL) or host,user,password from mysql.user (MySQL). The "." in
# "mysql.user" is unescaped and so matches any character; harmless here.
# Captures as in id=20042.
id=20065
name=A suspicious SQL query was detected which attempted to dump a list of system users. 
match=|7019|
match=|70
match=pvs
match=lo
match=ing
match=Database command logging
match=ommand
match=an
regexi=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*database server \(([0-9]+(\.[0-9]+){3}).*(select .* from sysusers|select host,user,password from mysql.user)
log=event:Suspicious_SQL-User_Database_Dump srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:intrusion

NEXT

# PVS-Database_GRANT_ALL_Privileges: PVS database command log whose SQL
# text starts with "grant all" after ':' or ';'. Captures as in id=20042.
id=20066
name=A Database GRANT Query has granted ALL privileges to a user. 
match=!Suspicious SQL Query Detected
match=lo
match=log
match=ing
match=Database command logging
match=ommand
match=an
match=|7019|
match=|70
match=pvs
regexi=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*database server \(([0-9]+(\.[0-9]+){3}).*(\:|\;)\s*grant all
log=event:PVS-Database_GRANT_ALL_Privileges srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:database

NEXT

# PVS-Database_GRANT_INSERT_Privileges: "grant ... insert ... on" statement.
# Because ".*insert.*" is unanchored inside the GRANT, a grant on a table
# or user whose name contains "insert" also matches. Captures as in
# id=20042.
id=20067
name=A Database GRANT Query has granted INSERT privileges to a user. 
match=!Suspicious SQL Query Detected
match=|7019|
match=pvs
match=lo
match=log
match=ing
match=Database command logging
match=ommand
match=an
regexi=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*database server \(([0-9]+(\.[0-9]+){3}).*(\:|\;)\s*grant .*insert.* on
log=event:PVS-Database_GRANT_INSERT_Privileges srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:database

NEXT

# PVS-Database_GRANT_SELECT_Privileges: "grant ... select ... on" statement.
# Captures as in id=20042.
id=20068
name=A Database GRANT Query has granted SELECT privileges to a user.
match=!Suspicious SQL Query Detected
match=|7019|
match=|70
match=lo
match=log
match=ing
match=Database command logging
match=ommand
match=an
match=pvs
regexi=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*database server \(([0-9]+(\.[0-9]+){3}).*(\:|\;)\s*grant .*select.* on
log=event:PVS-Database_GRANT_SELECT_Privileges srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:database

NEXT

# PVS-Database_GRANT_DELETE_Privileges: "grant ... delete ... on" statement.
# Captures as in id=20042.
id=20069
name=A Database GRANT Query has granted DELETE privileges to a user.
match=!Suspicious SQL Query Detected
match=|7019|
match=|70
match=lo
match=log
match=ing
match=Database command logging
match=ommand
match=an
match=pvs
regexi=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*database server \(([0-9]+(\.[0-9]+){3}).*(\:|\;)\s*grant .*delete.* on
log=event:PVS-Database_GRANT_DELETE_Privileges srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:database

NEXT

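# PVS-Database_GRANT_DROP_Privileges: "grant ... drop ... on" statement.
# Fix: the log= line emitted PVS-Database_GRANT_DELETE_Privileges (copied
# from id=20069), so DROP grants were indistinguishable from DELETE grants.
# The event name now follows the pattern of its siblings. Captures as in
# id=20042.
id=20070
name=A Database GRANT Query has granted DROP privileges to a user.
match=!Suspicious SQL Query Detected
match=|7019|
match=|70
match=lo
match=log
match=ing
match=Database command logging
match=ommand
match=an
match=pvs
regexi=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*database server \(([0-9]+(\.[0-9]+){3}).*(\:|\;)\s*grant .*drop.* on
log=event:PVS-Database_GRANT_DROP_Privileges srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:database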

NEXT

# PVS-Database_GRANT_CREATE_Privileges: "grant ... create ... on" statement
# (CREATE is written upper-case here but regexi is case-insensitive, as the
# lower-case keywords in the sibling rules rely on). Captures as in
# id=20042.
id=20071
name=A Database GRANT Query has granted CREATE privileges to a user.
match=!Suspicious SQL Query Detected
match=|7019|
match=|70
match=lo
match=log
match=ing
match=Database command logging
match=ommand
match=an
match=pvs
regexi=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*database server \(([0-9]+(\.[0-9]+){3}).*(\:|\;)\s*grant .*CREATE.* on
log=event:PVS-Database_GRANT_CREATE_Privileges srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:database

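#NEXT -- id=20072 disabled: it was a byte-for-byte duplicate of id=20071
# (same "grant .*CREATE.* on" regex, same PVS-Database_GRANT_CREATE_Privileges
# event). Depending on how the engine treats overlapping rules it either
# produced a second identical event or was dead. The id is free for reuse;
# note that there is currently no rule for GRANT ... UPDATE.
#
#id=20072
#name=A Database GRANT Query has granted CREATE privileges to a user.
#match=!Suspicious SQL Query Detected
#match=|7019|
#match=|70
#match=lo
#match=log
#match=ing
#match=Database command logging
#match=ommand
#match=an
#match=pvs
#regexi=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*database server \(([0-9]+(\.[0-9]+){3}).*(\:|\;)\s*grant .*CREATE.* on
#log=event:PVS-Database_GRANT_CREATE_Privileges srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:database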

NEXT

# PVS-Database_User_Created: SQL text starting with "CREATE USER" after
# ':' or ';'. Captures as in id=20042.
id=20073
name=A Database user has been created.
match=!Suspicious SQL Query Detected
match=|7019|
match=|70
match=lo
match=log
match=ing
match=Database command logging
match=ommand
match=an
match=pvs
regexi=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*database server \(([0-9]+(\.[0-9]+){3}).*(\:|\;)\s*CREATE USER
log=event:PVS-Database_User_Created srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:database

NEXT

# PVS-Database_User_RENAME: SQL text starting with "RENAME USER" after
# ':' or ';'. NOTE(review): the event name breaks the *_Created/_Changed
# pattern used by its neighbours; left as-is because consumers may already
# filter on it. Captures as in id=20042.
id=20074
name=A Database user has been renamed.
match=!Suspicious SQL Query Detected
match=|7019|
match=|70
match=lo
match=log
match=ing
match=Database command logging
match=ommand
match=an
match=pvs
regexi=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*database server \(([0-9]+(\.[0-9]+){3}).*(\:|\;)\s*RENAME USER
log=event:PVS-Database_User_RENAME srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:database

NEXT

# PVS-Database_Schema_Changed: SQL text starting with "ALTER ... TABLE"
# after ':' or ';'. Captures as in id=20042.
id=20075
name=A Database schema has been changed.
match=!Suspicious SQL Query Detected
match=|7019|
match=|70
match=lo
match=log
match=ing
match=Database command logging
match=ommand
match=an
match=pvs
regexi=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*database server \(([0-9]+(\.[0-9]+){3}).*(\:|\;)\s*ALTER .* TABLE
log=event:PVS-Database_Schema_Changed srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:database


NEXT

# Unique_Windows_Executable: a Windows executable run that has not been
# seen on any other monitored system. No fields extracted.
id=20076
name=A unique windows executable has been detected being executed and it has not been previously detected on any other systems. This could be new software, such as a patch update being executed, a legitimate program being used for the first time or a potentially hostile application. 
match=host
match=ecu
match=indo
match=le
match=Unique_Windows_Executable - host
log=event:Unique_Windows_Executable type:process

NEXT

# Domain_Summary: per-host list of DNS domains queried. $1 is the IPv4
# address after the last " host " (the leading ".*" is greedy).
id=20077
name=The Log Correlation Engine has generated a DNS summary log for a host based on observed DNS queries and web site references. 
match=host
match=ar
match=ce
match=Domain_Summary since 
match=Do
match=ed
match=queried these domains:
regex=.* host ([0-9]+(\.[0-9]+){3}) 
log=event:Domain_Summary srcip:$1 dstip:$1 type:dns

NEXT

# Web_Servers_Scanned: one source caused errors on several web servers.
# No fields extracted.
id=20079
name=Multiple webservers have had errors sourcing from the same IP. This could likely mean that a single IP address is performing web application scans of your infrastructure.
match=ed
match=Web_Servers_Scanned
match=has performed web app scans
match=pp
match=scan
match=an
log=event:Web_Servers_Scanned type:intrusion

NEXT

# Web_Server_Scan: one visitor produced many distinct web error types on a
# single server. No fields extracted.
id=20080
name=Based on the large number of unique types of web errors generated by a visitor to one of your web sites, a hostile web application vulnerability scan or web application attack has likely occurred. 
match=Web_Server_Scan
match=ed
match=has performed a web app scan
match=pp
match=scan
match=an
log=event:Web_Server_Scan type:intrusion

NEXT

# New_Windows_Process_Seen: first sighting of a Windows process name
# anywhere (compare id=20021, first sighting on a given host).
# No fields extracted.
id=20081
name=A new Windows process has been seen for the first time.  This event logs the name of the process of each event seen, and may provide information about processes on the system that should not be running, or are in error.
match=indo
match=ce
match=ss
match=New_Windows_Process_Seen
match=New
log=event:New_Windows_Process_Seen type:process

# id=20082 available

NEXT

# Hourly_Crashed_Summary: per-host crash/hang summary for the last hour.
# The TASL marker is "Hourly_Crash_Summary" while the emitted event is
# "Hourly_Crashed_Summary"; also note the rule requires the phrase "issued
# these commands in the last hour", which reads as copied from id=20031 --
# verify against the TASL's actual wording. $1 is the host IPv4 address.
id=20083
name=The LCE has summarized all crashed and hung processes in the last hour.
match=ar
match=Hourly_Crash_Summary - host
match=rash
match=ed
match=ss
match= issued these commands in the last hour
match=ommand
match=an
match=host
regex=- host ([0-9]+(\.[0-9]+){3})
log=event:Hourly_Crashed_Summary type:process srcip:$1 dstip:$1

NEXT

# Hourly_Hung_Summary: per-host hung-process summary for the last hour.
# Same "issued these commands" caveat as id=20083. $1 is the host IPv4
# address.
id=20084
name=The LCE has summarized all hung windows processes in the last hour.
match=ar
match=Hourly_Hung_Summary - host
match=ed
match=ss
match= issued these commands in the last hour
match=ommand
match=an
match=host
regex=- host ([0-9]+(\.[0-9]+){3})
log=event:Hourly_Hung_Summary type:process srcip:$1 dstip:$1

NEXT

# Daily_Crashed_Summary: per-host crash summary for the last 24 hours.
# Unlike id=20086 this rule does not require an "issued these commands"
# phrase. $1 is the host IPv4 address.
id=20085
name=The LCE has summarized all crashed processes in the last 24 hours.
match=ail
match=ar
match=Daily_Crash_Summary - host
match=rash
match=ed
match=ss
match=ommand
match=an
match=host
regex=- host ([0-9]+(\.[0-9]+){3})
log=event:Daily_Crashed_Summary type:process srcip:$1 dstip:$1

NEXT

# Daily_Hung_Summary: per-host hung-process summary for the last 24 hours.
# $1 is the host IPv4 address.
id=20086
name=The LCE has summarized all hung processes in the last 24 hours.
match=ail
match=ar
match=Daily_Hung_Summary - host
match=ed
match=ss
match= issued these commands in the last day
match=ommand
match=an
match=host
regex=- host ([0-9]+(\.[0-9]+){3})
log=event:Daily_Hung_Summary type:process srcip:$1 dstip:$1

NEXT

# Intrusion_Host_Scan: one source triggered several different IDS event
# types against one target. $1 is the attacking IPv4 address, $3 the target
# (after "attacked or probed"); $2 and $4 are the inner octet groups.
# Logs tagged Never_Before_Seen are excluded.
id=20087
name=The LCE has detected a sequence of intrusion detection events which indicate that a single source IP address has performed multiple different types of attacks against a target server. This could indicate a vulnerability scan of a single host as well as worm propagation. 
match=!Never_Before_Seen
match=ion
match=Intrusion_Host_Scan
match=an
match=ack
match=ed
match=attacked or probed
match=ttack
regex= Intrusion_Host_Scan ([0-9]+(\.[0-9]+){3}).*attacked or probed ([0-9]+(\.[0-9]+){3})
log=event:Intrusion_Host_Scan type:intrusion srcip:$1 dstip:$3

NEXT

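# Intrusion_Network_Scan: one source triggered IDS events against many
# targets. $1 is the scanning IPv4 address and is used for both srcip and
# dstip since the TASL names only one address. Logs tagged
# Never_Before_Seen are excluded.
# Fix: "vulnerabiltiy" typo in the description.
id=20088
name=The LCE has detected a sequence of intrusion detection events which indicate that a single IP address has performed a scan or sweep of multiple targets. This could indicate vulnerability scanning as well as worm propagation. 
match=!Never_Before_Seen
match=ion
match=Intrusion_Network_Scan 
match=scan
match=an
regex= Intrusion_Network_Scan ([0-9]+(\.[0-9]+){3})
log=event:Intrusion_Network_Scan type:intrusion srcip:$1 dstip:$1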

NEXT

# Unique_Unix_Executable: a Unix executable run that has not been seen on
# any other monitored system. No fields extracted.
id=20089
name=A unique Unix executable has been detected being executed and it has not been previously detected on any other systems. This could be new software, such as a patch update being executed, a legitimate program being used for the first time or a potentially hostile application.
match=host
match=ecu
match=le
match=Unique_Unix_Executable - host
log=event:Unique_Unix_Executable type:process

# id=20090  available 

NEXT

# 20091 -- User_Added: an account was created (type:detected-change).
# Most of the short match= values are fragments of "Evaluated as event" and
# "User_Added - "; the trailing space on "match=User_Added - " is part of the
# value. No regex, so the new account name is not extracted -- TODO consider a
# user:$1 capture if the log format is stable.
id=20091
name=The Log Correlation Engine has encountered a log which indicates that a user account has been added. 
match=User_Added - 
match=User
match=as
match=Ev
match=at
match=event
match=ent
match=te
match=ed
match=ate
match=al
match=nt
match=en
match=ated
match=ve
match=Evaluated as event
log=event:User_Added type:detected-change

NEXT

# 20092 -- PVS-Storm/Pecoan.AG_Worm_Detected: PVS signature hit for the Storm
# worm, surfaced as type:intrusion.
# "match=pvs" is lower-case while name= says "PVS"; whether match= is
# case-sensitive is not stated in this file -- confirm before relying on it.
id=20092
name=The PVS has detected activity indicative of the Storm/Pecoan.AG worm.
match=St
match=ed
match=Storm/Pecoan.AG Worm Detected
match=ect
match=an
match=pvs
log=event:PVS-Storm/Pecoan.AG_Worm_Detected type:intrusion

NEXT

# 20093 -- PVS-Warbot_Trojan_Detected: PVS signature hit for the Warbot trojan,
# surfaced as type:intrusion. Same shape as rule 20092; "match=pvs" is
# lower-case, so the match= case-sensitivity question applies here too.
id=20093
name=The PVS has detected Warbot Trojan activity.
match=ar
match=ed
match=Warbot Trojan Detected
match=ect
match=an
match=pvs
log=event:PVS-Warbot_Trojan_Detected type:intrusion

NEXT

# 20094 -- Suspicious_SQL-Injection_Attack_Detected: a PVS "Database command
# logging" entry whose SQL carries the two literal REPLACE/cast fragments typical
# of mass automated injection tooling.
# regexi (presumably a case-insensitive regex) groups, left to right:
#   $1 first IP   ($2 helper)   $3 its port
#   $4 second IP  ($5 helper)   $6 its port
#   $7 protocol number
#   $8 IP after "database server (" ($9 helper)
# log= maps srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 -- dstip is taken
# from the "database server" clause, not $4; confirm the two can differ in the
# PVS log, otherwise $4 is the simpler choice.
# The literal SQL fragments are a narrow prefilter: encoding variants of the same
# technique will not match, so a miss here is not evidence of absence.
id=20094
name=The LCE has detected a SQL query containing patterns commonly found with large-scale automated SQL injection attacks.  These queries commonly contain long strings of characters, repetitive string concatenation, and other uncommon SQL usage.  Examining the query in question, especially against other queries commonly executed against the same database, should show that it stands out, and requires review to see if any malicious commands have been executed.
match=lo
match=log
match=ing
match=Database command logging
match=ommand
match=an
match=REPLACE(cast(
match=ar
match=,cast(char(32)+as+varchar(8)))--
regexi=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*database server \(([0-9]+(\.[0-9]+){3})
log=event:Suspicious_SQL-Injection_Attack_Detected srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:intrusion

NEXT

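# 20095 -- PVS-Malicious_Web_Request: PVS saw a request to a URL on its
# hostile/botnet list (type:threatlist). "match= from" carries a leading space
# that is part of the value.
# No regex: the requesting host named after "detected from" is not extracted.
# TODO(review): add a srcip capture once the log layout is confirmed.
# Rule 22033 is the LCE-sourced variant of this same event.
# Fixed the analyst-facing name= text ("propogate" -> "propagate").
id=20095
name=The PVS has detected a request for a URL that has been reported to be hostile and used to propagate botnets. This may indicate that you have a local system that has attempted to access malicious URLs on the Internet such as downloading hostile PDF files. Further investigation of the network activity of this host is suggested. 
match=est
match=PVS
match=PVS-Malicious_Web_Request
match= from
match=from
match=rom
match=ed
match=_Request
match=detected from
match=etected
match=ect
match=ent
match=ol
match=lo
match=al
match=st
match=ing
match=in
match=nti
match=ici
match=to the following
log=event:PVS-Malicious_Web_Request type:threatlist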

NEXT

# 20096 -- LCE-Windows_File_Removed: the client reports a file deleted and quotes
# its last known MD5 (type:detected-change). "match= remove" and "match= [" keep
# their leading space. Neither the path nor the hash is captured by a regex.
id=20096
name=The LCE client has detected a file removal.
match=MD5
match=le
match=File "
match=Its
match=File
match=ed
match=was removed. Its last MD5 checksum
match=MD5 checksum
match=moved
match=rem
match= remove
match= [
log=event:LCE-Windows_File_Removed type:detected-change

NEXT

# 20097 -- LCE-Windows_File_Readded: a previously removed file reappeared
# (type:detected-change). "match= was re-added after removal" keeps its leading
# space. Neither the path nor the MD5 is captured by a regex, so a changed hash
# on re-add is not surfaced as a field.
id=20097
name=The LCE client has detected a file being removed and then re-added.
match=MD5
match=le
match=File "
match=Its
match=File
match=ed
match= was re-added after removal
match=MD5 checksum
match=rem
log=event:LCE-Windows_File_Readded type:detected-change

NEXT

# 20098 -- Potential_Worm_Outbreak: a host that was port-scanned earlier is now
# scanning others ("then scanned host"), suggesting it was compromised. No regex,
# so neither the pivoting host nor its targets are extracted as fields.
id=20098
name=The LCE client has detected a potential worm outbreak. Portscans were reported from a host that was previously port scanned, indicating it may have been compromised.
match=ote
match=nti
match=al
match=ho
match=st
match=Potential_Worm_Outbreak - host
match=sca
match=ned
match=then scanned host
log=event:Potential_Worm_Outbreak type:intrusion

NEXT

# 20099 -- Suspicious_SSH_Proxy: a host accepted an SSH session and opened a new
# one within 20 minutes (gateway/bastion, or lateral movement). Rules 20100 (VNC)
# and 20101 (RDP) are identical apart from the protocol token and event name --
# change all three together. "match= used" keeps its leading space.
id=20099
name=The LCE has detected a system receive an SSH (Secure Shell) connection and then initiate another one within 20 minutes. The system could be an SSH gateway, a bastion host or possibly being used to leapfrog and attack other systems. 
match=ar
match=ho
match=tem
match=in
match=ated
match=an
match=pf
match=SSH
match=ystem
match=eceived
match=ce
match=at
match= used
match=le
match=og
match=ttack
match=system
match=to
match=ent
match=init
match=session
match=attack
match=ac
match=Suspicious_SSH_Proxy
log=event:Suspicious_SSH_Proxy type:network

NEXT

# 20100 -- Suspicious_VNC_Proxy: a host accepted a VNC session and opened a new
# one within 20 minutes (gateway/bastion, or lateral movement). Same match set
# as 20099 (SSH) and 20101 (RDP) except for the protocol token and event name --
# keep the three in step. "match= used" keeps its leading space.
id=20100
name=The LCE has detected a system receive a VNC remote desktop connection and then initiate another one within 20 minutes. The system could be a VNC gateway, a bastion host or possibly being used to leapfrog and attack other systems. 
match=ar
match=ho
match=tem
match=in
match=ated
match=an
match=pf
match=VNC
match=ystem
match=eceived
match=ce
match=at
match= used
match=le
match=og
match=ttack
match=system
match=to
match=ent
match=init
match=session
match=attack
match=ac
match=Suspicious_VNC_Proxy
log=event:Suspicious_VNC_Proxy type:network

NEXT

# 20101 -- Suspicious_RDP_Proxy: a host accepted an RDP session and opened a new
# one within 20 minutes (gateway/bastion, or lateral movement). Same match set
# as 20099 (SSH) and 20100 (VNC) except for the protocol token and event name --
# keep the three in step. "match= used" keeps its leading space.
id=20101
name=The LCE has detected a system receive a Windows remote desktop (RDP) connection and then initiate another one within 20 minutes. The system could be an RDP gateway, a bastion host or possibly being used to leapfrog and attack other systems.
match=ar
match=ho
match=tem
match=in
match=ated
match=an
match=pf
match=RDP
match=ystem
match=eceived
match=ce
match=at
match= used
match=le
match=og
match=ttack
match=system
match=to
match=ent
match=init
match=session
match=attack
match=ac
match=Suspicious_RDP_Proxy
log=event:Suspicious_RDP_Proxy type:network

NEXT

# 20102 -- New_Wireless_MAC: first sighting of a MAC address (type:detected-
# change). The event name suggests a wireless-specific feed, but name= reuses
# the generic New_MAC wording; the distinguishing token is the
# "New_Wireless_MAC - The host" match. The address itself is not captured.
id=20102
name=The Log Correlation Engine detected an Ethernet address it has not seen before.
match=New
match=MAC
match=ser
match=ed
match=New_Wireless_MAC - The host
log=event:New_Wireless_MAC type:detected-change 

NEXT

# 20104 -- Daily_EXE_Download_Summary: daily roll-up of EXE/MSI downloads per
# host (type:file-access). The IP regex is spelled out octet by octet here where
# sibling rules use "([0-9]+(\.[0-9]+){3})"; both capture the same text, but this
# form has a single group, so $1 is the whole address and there is no unused $2.
id=20104
name=The LCE has summarized all Microsoft EXE and MSI files downloaded in the last day.
match=Daily_EXE_Download_Summary
match=er
match=or
match=host
match=own
match=ed
match=st
regex=- host ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Daily_EXE_Download_Summary type:file-access srcip:$1 dstip:$1

NEXT

# 20105 -- VPN_Login_From_Unusual_Source: a user logged in over VPN from an IP
# not previously associated with that account (type:login). $1 is the user token
# (everything up to the next space), $2 the IP following "different IP ...: ".
# Both ".*" are greedy, so $2 is the last ": <ip>" on the line -- fine as long as
# the log ends with that address.
id=20105
name=The Log Correlation Engine detected an unusual VPN login source for this user.
match=Login
match=user
match=or
match=ser
match=VPN
match=VPN_Login_From_Unusual_Source
regex=user ([^ ]+) .* different IP .*: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:VPN_Login_From_Unusual_Source type:login user:$1 srcip:$2

NEXT

# 22025 -- Crowd_Surge: many distinct local hosts contacted the same remote
# server (type:network). No regex, so the destination named after
# "Crowd_Surge - destination" is not extracted -- TODO consider a dstip capture.
id=22025
name=The Log Correlation Engine detected a large number of unique local hosts visiting the same remote server.
match=Crowd_Surge - destination
match=ion
match=ar
match=host
log=event:Crowd_Surge type:network

NEXT

# 22026 -- Host_Software_List: inventory of software installed on a host
# (type:system). $1 is the IP after "Host "; the regex ends in a space, so the
# address must be followed by one in the log.
id=22026
name=The Log Correlation Engine generated a list of software installed on a host.
match=st
match=ar
match=re
match=Software
match=Host_Software_List
regex=Host ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) 
log=event:Host_Software_List type:system srcip:$1

NEXT

# 22027 -- Host_Microsoft_Software_List: inventory of Microsoft software on a
# host (type:system). Unlike 22026 there is no regex, so srcip is not set --
# TODO add the same "Host (ip)" capture if the log shares 22026's layout.
id=22027
name=The Log Correlation Engine generated a list of Microsoft software installed on a host.
match=st
match=ar
match=re
match=Software
match=Microsoft
match=Host_Microsoft_Software_List
log=event:Host_Microsoft_Software_List type:system

NEXT

# 22028 -- Domain_Failure_Summary: per-host summary of failed DNS lookups
# (type:dns); repeated NXDOMAIN-style failures are one signal of DGA/C2 beaconing.
# "match=Domain_Failure_Summary since " keeps its trailing space. No regex, so
# the host is not extracted.
id=22028
name=The Log Correlation Engine has generated a failed DNS summary log for a host based on observed failed DNS queries.
match=host
match=ar
match=ce
match=Domain_Failure_Summary since 
match=Do
match=ed
match=these domains:
log=event:Domain_Failure_Summary type:dns

NEXT

# 22029 -- Daily_Host_Alert: first time a host was seen active today
# (type:system). $1 is the IP after "- host"; $2 is the unused octet helper
# group. The regex ends in a space, so the address must be followed by one.
id=22029
name=The Log Correlation Engine has detected the first time a host was seen active today.
match=host
match=ed
match=work
match=Daily_Host_Alert -
regex=- host ([0-9]+(\.[0-9]+){3}) 
log=event:Daily_Host_Alert type:system srcip:$1 dstip:$1

NEXT

# 22030 -- Malware_Host_Summary: 24-hour roll-up of malware events for one host
# (type:virus). "match=Malware_Host_Summary - " keeps its trailing space. No
# regex, so the host is not extracted -- TODO add a "- host" capture if the log
# follows the other daily summaries.
id=22030
name=The Log Correlation Engine has summarized malware events observed on a host for the past 24 hours.
match=ng
match=nts
match=st
match=ost
match=ing
match=the
match=re
match=host
match=Malware_Host_Summary - 
log=event:Malware_Host_Summary type:virus

NEXT

# 22031 -- New_User_Source: an account logged in from a source not seen for it
# before (type:detected-change). Same account regex as rule 20005: the character
# class admits "$" (machine accounts), "-", "_", "@" and ".", so UPN-style names
# are captured whole as $1.
id=22031
name=The Log Correlation Engine detected a new active user account login source.
match=New
match=ser
match=User
match=New_User_Source - at
match=ed
match=co
match=nt
match=ew
match=gg
regex=account ([A-Za-z0-9\$\-\_@\.]+) logged
log=event:New_User_Source user:$1 type:detected-change

NEXT

# 22032 -- User_Source_Summary: accounts from one host logging into remote hosts
# (type:detected-change). No regex, so neither the source host nor the account
# list is extracted as fields.
id=22032
name=The Log Correlation Engine has summarized user accounts from a single host logging into remote hosts.
match=wi
match=count
match=nts
match=gg
match=acc
match=ost
match=Source
match=ve
match=remote
match=user
match=User_Source_Summary
log=event:User_Source_Summary type:detected-change

NEXT

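# 22033 -- Malicious_Web_Request: LCE-sourced request to a URL on the
# hostile/botnet list (type:threatlist). "match=!PVS" presumably excludes the
# PVS-tagged log so that only one of 20095/22033 fires per log -- confirm the
# negation semantics with the parser. "match= from" keeps its leading space.
# No regex: the requesting host after "detected from" is not extracted --
# TODO(review): add a srcip capture once the log layout is confirmed.
# Fixed the analyst-facing name= text ("propogate" -> "propagate").
id=22033
name=The LCE has detected a request for a URL that has been reported to be hostile and used to propagate botnets. This may indicate that you have a local system that has attempted to access malicious URLs on the Internet such as downloading hostile PDF files. Further investigation of the network activity of this host is suggested. 
match=est
match=!PVS
match=Malicious_Web_Request
match= from
match=from
match=rom
match=ed
match=_Request
match=detected from
match=etected
match=ect
match=ent
match=ol
match=lo
match=al
match=st
match=ing
match=in
match=nti
match=ici
match=to the following
log=event:Malicious_Web_Request type:threatlist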

NEXT

# 22034 -- Daily_Host_Login_Summary: all source IPs that logged in to one host
# over the last 24 hours (type:login). $1 is the summarized host after "- host";
# $2 is the unused octet helper group. The regex ends in a space. "match= event"
# keeps its leading space.
id=22034
name=The LCE has summarized all IPs that have logged in to this host for the last 24 hours.
match=ddr
match= event
match=Daily_
match=il
match=so
match=ce
match=in
match=login
match=Daily_Host_Login_Summary
regex=- host ([0-9]+(\.[0-9]+){3}) 
log=event:Daily_Host_Login_Summary type:login srcip:$1 dstip:$1

NEXT

# 22035 -- New_Mobile_MAC: first sighting of a MAC address (type:detected-
# change). As with 20102, name= reuses the generic New_MAC wording and the
# distinguishing token is the "New_Mobile_MAC - The host" match. The address
# itself is not captured.
id=22035
name=The Log Correlation Engine detected an Ethernet address it has not seen before.
match=New
match=MAC
match=ser
match=ed
match=New_Mobile_MAC - The host
log=event:New_Mobile_MAC type:detected-change