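# THUNDER PRM LIBRARY
# Copyright 2006-2007 Tenable Network Security
# This library may only be used with the Thunder server and may not
# be used with other products or open source projects
#
# NAME:
# Common PRM rules for logs generated by the TASL scripts
#
# DESCRIPTION:
# This library contains all of the PRM rules for the existing
# Tenable TASL scripts. Without this library, the LCE will not know how
# to process log messages generated by the TASL scripts.
#
# Rule layout, as used throughout this file: each rule is a block of
# id=, name=, one or more match= lines, an optional regex=/regexi= line
# (regexi = case-insensitive) and a log= line, terminated by NEXT.
# match= values are literal text fragments, match=! excludes a fragment,
# and regex captures are referenced as $1..$n in log=.
# NOTE(review): the matching semantics assumed by the rules below (every
# match= fragment must be present; first matching rule wins) are inferred
# from how the rules are written - confirm against the PRM documentation.
#
# LAST UPDATE: $Date$

id=20000
name=The Log Correlation Engine has detected a new host that is attempting multiple port scans. This can indicate that a host or laptop has recently become active and may have been infected with a worm on a different network.
match=PVS
match=New
match=scan
match=an
match=host
match=ing
match=PVS-New_Host_Portscanning - host
# $1 = the scanning host; it is recorded as both srcip and dstip.
regex= - host ([0-9]+(\.[0-9]+){3})
log=event:PVS-New_Host_Portscanning srcip:$1 dstip:$1 type:scanning
# id=20001 available
NEXT

id=20002
name=The Log Correlation Engine has detected an SSH user name it has not encountered before.
match=New
match=ser
match=New_SSH_User - The user
log=event:New_SSH_User type:detected-change
NEXT

id=20003
name=The Log Correlation Engine detected an Ethernet address it has not seen before.
match=New
match=MAC
match=ser
match=ed
match=New_MAC - The host
log=event:New_MAC type:detected-change
NEXT

id=20004
name=The Log Correlation Engine has detected a login failure for an account which has been deactivated.
match=host
match=tem
match=lo
match=log
match=pt
# NOTE(review): the matched text spells "logon_attempt" while the emitted
# event is "Logon_Attempt"; left as-is because the TASL output is not
# visible here - confirm the case of the generating script's message.
match=Invalid_Account-logon_attempt host -
log=event:Invalid_Account-Logon_Attempt type:login-failure
NEXT

id=20005
name=The Log Correlation Engine detected a new active user account on a monitored system.
match=New
match=ser
match=User
match=New_User - at
# $1 = the account name (letters, digits and the characters $ - _ @ .).
regex=account ([A-Za-z0-9\$\-\_@\.]+) logged
log=event:New_User user:$1 type:detected-change
NEXT

# id=20006 is not used in this file.
id=20007
name=The Log Correlation Engine encountered a log that indicated that an application had a change.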
# 20007 (continued): application change reported by a change-detection TASL.
match=ent
match=event
match=_Change
match=an
match=ion
match=Application_Change
match=pp
match=Application
log=event:Application_Change type:detected-change
NEXT

id=20008
name=The Log Correlation Engine encountered a log that indicated that a SQL database had a change.
match=ent
match=event
match=_Change
match=an
match=Database_Change
match=Evaluated as event
log=event:Database_Change type:detected-change
NEXT

id=20009
name=The Log Correlation Engine has encountered a log which indicates a user account attribute has changed.
match=_Change
match=ent
match=event
match=an
match=ser
match=User
match=User_Change -
match=Evaluated as event
log=event:User_Change type:detected-change
NEXT

id=20010
name=The Log Correlation Engine has encountered a log which indicates a server attribute has changed.
match=Host:
match=Se
match=an
match=as
match=Server
match=Ev
match=at
match=event
match=Ho
match=ent
match=te
match=ver
match=ed
match=ate
match=_Change
match=Server_Change -
match=al
match=erv
match=en
match=ated
match=ng
match=Evaluated as event
log=event:Server_Change type:detected-change
NEXT

id=20011
name=The Log Correlation Engine has encountered a log which indicates a device attribute has changed.
match=an
match=_Change
match=ce
match=Device_Change -
match=event
match=Evaluated as event
log=event:Device_Change type:detected-change
NEXT

id=20012
name=The Log Correlation Engine has encountered a log which indicates the network has changed.
match=_Change
match=an
match=Network_Change -
log=event:Network_Change type:detected-change
# id=20013
NEXT

# 20014/20015 key off the LCE log daemon's own "(Log Daemon) DEBUG:" lines,
# so client session tracking depends on that daemon output being logged.
id=20014
name=The Log Correlation Engine has detected an LCE client logout.
match=host
match=ent
match=ser
match=Lo
match= (Log Daemon) DEBUG: thunder server: client host
match=mon
match=lo
match=log
match=ed
match= logged out
# $1 = the client address; recorded as both srcip and dstip.
regex=client host ([0-9]+(\.[0-9]+){3}) logged out
log=event:LCE-Client_Logout srcip:$1 dstip:$1 type:lce
NEXT

id=20015
name=The Log Correlation Engine has detected an LCE client login.
# 20015 (continued): an LCE client login is the log daemon's DEBUG line for
# the STATE_AWAITING_CHALLENGE_RESP --> STATE_AUTH_SUCCEEDED transition, so
# this rule only fires when the server emits that debug line (presumably
# only at DEBUG verbosity - confirm).
match=host
match=AL
match=ent
match=ser
match=Lo
match= (Log Daemon) DEBUG: thunder server: client host
match=mon
match=sta
match=AT
match=ate
match=ion
match=EN
match=state transition STATE_AWAITING_CHALLENGE_RESP --> STATE_AUTH_SUCCEEDED
match=an
match=IN
match=ST
# $1 = the client address; recorded as both srcip and dstip.
regex=client host ([0-9]+(\.[0-9]+){3}) fd\: .* state transition
log=event:LCE-Client_Login srcip:$1 dstip:$1 type:lce
NEXT

id=20016
name=The Log Correlation Engine detected a dead LCE client.
match=IP
match=ent
match=LCE-Dead_Client -
match=LCE
log=event:LCE-Dead_Client type:lce
NEXT

id=20017
name=The Log Correlation Engine has detected a host forwarding network connections to another host.
match=host
match=ion
match=est
match=ent
match=client
match=omplete
match=in
match=le
match=session
match=ing
match=ed
match=ss
match=Suspicious_Proxy - host:
log=event:Suspicious_Proxy type:network
NEXT

id=20018
name=The Log Correlation Engine has detected multiple system crash and restart events on the network. Large numbers of unexpected reboots and crashes could indicate a worm, hardware problems and other important issues.
match=ystem
match=ic
match=rr
match=ailed
match=at
match=error
match=event
match=le
match=ail
match=ttack
match=ent
match= failed
match=rror
match= seconds
match=rash
match=fail
match=attack
match=ac
match=ing
match=ed
match=st
match=ack
match=host
match=Multiple_System_Crashes - There have been
log=event:Multiple_System_Crashes type:process
NEXT

# Brute-force indicators (20019-20022) are summary lines produced by the
# login-failure TASLs; the individual failures are not re-parsed here.
id=20019
name=The Log Correlation Engine has detected multiple password login failures. This could indicate brute force password guessing against a single host.
match=ail
match=ailure
match=ss
match=ass
match=ing
match=Password_Guessing - There have been
match=lo
match=log
match= login failures in the
log=event:Password_Guessing type:intrusion
NEXT

id=20020
name=The Log Correlation Engine has detected multiple password login failures from a single host followed by a login. This could indicate a successful password guess.
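# 20020 (continued): no address is extracted; only the event type is set.
match=host
match=ss
match=ass
match=ce
match=Successful_Password_Guess - host
log=event:Successful_Password_Guess type:intrusion
NEXT

id=20021
name=The Log Correlation Engine has observed a Windows process start on a host that has never previously run this program before. This could be a new program being installed and running for the first time, but could also indicate a hacker or system compromise. This should be investigated.
match=host
match=New
match=indo
match=ce
match=ss
match=New_Windows_Process - host
log=event:New_Windows_Process type:detected-change
NEXT

# Description wording fixed ("This could password guessing ...").
id=20022
name=The Log Correlation Engine has detected multiple password login failures from one host to many different hosts. This could indicate password guessing by one host against multiple targets.
match=Lo
match=Network_Login_Sweep - There have been
match=lo
match=log
match=ail
match= login failures in the
match=ailure
log=event:Network_Login_Sweep type:intrusion
NEXT

id=20023
name=The Log Correlation Engine has encountered a log which indicates that software has been installed.
match=Software_Installed -
match=Evaluated as event
match=wa
match=nstall
match=In
match=Software
match=Ev
match=event
match=le
match=Inst
match=all
match=te
match=sta
match=ed
match=re
match=ate
match=al
match=nt
match=ated
match=Software_
match=st
match=ve
match= event
log=event:Software_Installed type:detected-change
NEXT

id=20024
name=The Log Correlation Engine has encountered a log which indicates that software has been un-installed.
match=wa
match=move
match=Software
match=Ev
match=at
match=event
match=moved
match=Ho
match=ent
match=te
match=Re
match=re
match=Removed
match=ate
match=al
match=ar
match=ated
match=mo
match=Software_
match=st
match=ve
match=Evaluated as event
log=event:Software_Removed type:detected-change
NEXT

id=20025
name=The Log Correlation Engine has encountered a log which indicates that a user account has been removed or disabled.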
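# 20025 (continued).
match=ser
match=User
match=ed
match=User_Removed -
match=Evaluated as event
match=al
match=ate
match=ve
log=event:User_Removed type:detected-change
NEXT

# Resource-usage rules (20026-20029) match the "LCE-High_* - the system at"
# summary lines; the threshold lives in the generating TASL, not here.
id=20026
name=The Log Correlation Engine has encountered a server with high memory usage. The script can be configured with a variable threshold to alert for high memory usage. These events are generated when various UNIX and Windows LCE clients send in their systems current CPU, Memory and Disk usage information.
match=LCE-High_
match=tem
match=ystem
match=LCE-High_Memory_Usage - the system at
log=event:LCE-High_Memory_Usage type:error
NEXT

id=20027
name=The Log Correlation Engine has encountered a server with high CPU usage. The script can be configured with a variable threshold to alert for high CPU usage. These events are generated when various UNIX and Windows LCE clients send in their systems current CPU, Memory and Disk usage information.
match=tem
match=ystem
match=LCE-High_
match=LCE-High_CPU_Usage - the system at
log=event:LCE-High_CPU_Usage type:error
NEXT

id=20028
name=The Log Correlation Engine is running the system_monitor.tasl script and has found a server with high disk usage. The script can be configured with a variable threshold to alert for high disk usage. These events are generated when various UNIX and Windows LCE clients send in their systems current CPU, Memory and Disk usage information.
match=tem
match=ystem
match=LCE-High_
match=LCE-High_Disk_Usage - the system at
log=event:LCE-High_Disk_Usage type:error
NEXT

# Description wording fixed ("high process used usage").
id=20029
name=The Log Correlation Engine has encountered a Unix server with high process load. The script can be configured with a variable threshold to alert for high process load. These events are generated when various UNIX and Windows LCE clients send in their systems current CPU, Memory and Disk usage information.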
# 20029 (continued). NOTE(review): logged as type:lce whereas the sibling
# memory/CPU/disk rules 20026-20028 use type:error; left unchanged.
match=tem
match=ystem
match=LCE-High_
match=Lo
match=LCE-High_Load - the system at
log=event:LCE-High_Load type:lce
NEXT

id=20030
name=The LCE has encountered a new Unix or Windows process which has not been seen used before. This could indicate a new valid program or perhaps something used by a malicious user.
match=host
match=New_Command -
match=an
match=ecu
match=ed
match=' has been executed on host
match=ommand
# $1 = the host the command ran on. The lazy [...]*? skips whatever follows
# the address (letters, digits, dots, parentheses, spaces) up to "and this".
regex=on host ([0-9]+(\.[0-9]+){3}) [A-Za-z\.\(\)0-9 ]*?and this
log=event:New_Command type:process srcip:$1 dstip:$1
NEXT

# Periodic summaries (20031-20033): $1 = the summarized host, stored as both
# srcip and dstip.
id=20031
name=The LCE has generated a report of all commands run in the past hour.
match=host
match=ar
match=Hourly_Command_Summary - host
match=ed
match=ss
match= issued these commands in the last hour
match=ommand
match=an
regex=- host ([0-9]+(\.[0-9]+){3})
log=event:Hourly_Command_Summary type:process srcip:$1 dstip:$1
NEXT

id=20032
name=The LCE has generated a report of all commands run in the past day.
match=host
match=ail
match=Daily_
match=ar
match=Daily_Command_Summary - host
match=ed
match=ss
match= issued these commands in the
match=ommand
match=an
regex=- host ([0-9]+(\.[0-9]+){3})
log=event:Daily_Command_Summary type:process srcip:$1 dstip:$1
NEXT

id=20033
name=The LCE has generated a report of all user accounts that have invoked at least one command in the past day.
match=host
match=ail
match=Daily_
match=ser
match=ar
match=Daily_User_Summary - host
match= had these active users in the last day:
regex=- host ([0-9]+(\.[0-9]+){3})
log=event:Daily_User_Summary type:process srcip:$1 dstip:$1
# NOTE: the NEXT directly below is commented out, so rule 20033 is closed by
# the NEXT that follows the disabled 20034 block.
#NEXT -- there is no active TASL that generates this log
#
#id=20034
#name=The Log Correlation Engine has detected a system which had a valid login and then some sort of system change.
#example=Login_Then_Change - host: 192.168.20.16 (kingkong) experienced a SSH-Valid_Login login event and then a New_User change event occurring approximately 15 minutes ago.
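# In addition to process account and configuration auditing, associating logins with change is an excellent way to track authorized changes to systems
#match=host
#match=_Change
#match=an
#match=Lo
#match=Login_Then_Change - host:
#match=ce
#match=ed
#match= experienced a
#log=type:detected-change event:Login_Then_Change
NEXT

id=20035
name=The LCE has detected a change in a firewall.
match=Evaluated as event
match=ent
match=event
match=Host
match=an
match=_Change
match=ire
match=Firewall_Change -
log=event:Firewall_Change type:detected-change
NEXT

id=20036
name=The Log Correlation Engine has encountered a log which indicates a router attribute has changed.
match=Evaluated as event
match=ent
match=event
match=_Change
match=Router_Change -
match=an
log=event:Router_Change type:detected-change
NEXT

id=20037
name=The Log Correlation Engine has encountered a log which indicates a switch attribute has changed.
match=Evaluated as event
match=ent
match=event
match=Switch_Change -
match=_Change
match=an
log=event:Switch_Change type:detected-change
NEXT

# id=20038 to id=20041 are not used in this file.

# PVS "Database command logging" rules (20042-20048 and 20066-20075).
# The PVS line has the shape
#   pvs: <ip>:<port>|<ip>:<port>|<proto> ... database server (<ip>) ... <query>
# and the shared regexi captures $1 = first address, $3 = its port,
# $4 = second address, $6 = its port, $7 = protocol, $8 = the address
# inside "database server (". log= reports $1 as srcip and $8 as dstip.
# Each rule requires the statement keyword to follow ':' or ';' (optional
# whitespace) and excludes PVS's own "Suspicious SQL Query Detected" lines,
# which 20059-20065 handle. "|7019|" is presumably the PVS plugin id for
# this check - confirm.
id=20042
name=A Database SELECT Query has been detected on the network by the Passive Vulnerability Scanner.
match=!Suspicious SQL Query Detected
match=|70
match=|7019|
match=lo
match=log
match=ing
match=Database command logging
match=ommand
match=an
regexi=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*database server \(([0-9]+(\.[0-9]+){3}).*(\:|\;)\s*select
log=event:PVS-Database_SELECT_Command srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:database
NEXT

id=20043
name=A Database CREATE Query has been detected on the network by the Passive Vulnerability Scanner.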
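# 20043 (continued): PVS database command logging, CREATE statement.
# Captures: $1/$3 source address/port, $8/$6 database server address/port
# (from "database server ("), $7 protocol.
match=!Suspicious SQL Query Detected
match=|7019|
match=|70
match=lo
match=log
match=ing
match=Database command logging
match=ommand
match=an
regexi=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*database server \(([0-9]+(\.[0-9]+){3}).*(\:|\;)\s*create
log=event:PVS-Database_CREATE_Command srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:database
NEXT

# "Vulnerabiltiy" typo fixed in the descriptions of 20044-20046.
id=20044
name=A Database INSERT Query has been detected on the network by the Passive Vulnerability Scanner.
match=!Suspicious SQL Query Detected
match=|7019|
match=|70
match=lo
match=log
match=ing
match=Database command logging
match=ommand
match=an
regexi=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*database server \(([0-9]+(\.[0-9]+){3}).*(\:|\;)\s*insert
log=event:PVS-Database_INSERT_Command srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:database
NEXT

id=20045
name=A Database DELETE Query has been detected on the network by the Passive Vulnerability Scanner.
match=!Suspicious SQL Query Detected
match=|7019|
match=|70
match=lo
match=log
match=ing
match=Database command logging
match=ommand
match=an
regexi=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*database server \(([0-9]+(\.[0-9]+){3}).*(\:|\;)\s*delete
log=event:PVS-Database_DELETE_Command srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:database
NEXT

id=20046
name=A Database UPDATE Query has been detected on the network by the Passive Vulnerability Scanner.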
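# 20046 (continued): PVS database command logging, UPDATE statement.
# Captures: $1/$3 source address/port, $8/$6 database server address/port
# (from "database server ("), $7 protocol.
match=!Suspicious SQL Query Detected
match=|7019|
match=|70
match=lo
match=log
match=ing
match=Database command logging
match=ommand
match=an
regexi=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*database server \(([0-9]+(\.[0-9]+){3}).*(\:|\;)\s*update
log=event:PVS-Database_UPDATE_Command srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:database
NEXT

# "Vulnerabiltiy" typo fixed in the descriptions of 20047 and 20048.
id=20047
name=A Database DROP Query has been detected on the network by the Passive Vulnerability Scanner.
match=!Suspicious SQL Query Detected
match=|7019|
match=|70
match=lo
match=log
match=ing
match=Database command logging
match=ommand
match=an
regexi=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*database server \(([0-9]+(\.[0-9]+){3}).*(\:|\;)\s*drop
log=event:PVS-Database_DROP_Command srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:database
NEXT

# Generic GRANT; the privilege-specific variants are 20066-20071.
id=20048
name=A Database GRANT Query has been detected on the network by the Passive Vulnerability Scanner.
match=!Suspicious SQL Query Detected
match=|7019|
match=|70
match=lo
match=log
match=ing
match=Database command logging
match=ommand
match=an
regexi=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*database server \(([0-9]+(\.[0-9]+){3}).*(\:|\;)\s*grant
log=event:PVS-Database_GRANT_Command srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:database
NEXT

# Unix file-integrity rules (20049-20053) classify the LCE client's
# "File /<path> ... checksum changed" lines by directory. The directory
# patterns are plain prefixes with no trailing "/", so "/lib" also covers
# /lib64 and /libexec, and "/usr/lib" covers /usr/lib64; the catch-all rule
# 20053 excludes the same prefixes as substrings. Keep the three lists in
# step when adding a directory, or files will match neither rule.
id=20049
name=The LCE client has detected a Unix binary file modification.
match=MD5
match=le
match=File /
match=ed
match=checksum changed
match=an
regexi=File /(bin|sbin|usr/bin|usr/sbin|usr/libexec)
log=event:LCE-Unix_Executable_File_Modified type:detected-change
NEXT

id=20050
name=The LCE client has detected a Unix configuration file modification.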
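# 20050 (continued): /etc and /System. /etc/prelink.cache is excluded
# (presumably because it is rewritten routinely and would be pure noise).
match=!etc/prelink.cache
match=MD5
match=le
match=File /
match=ed
match=MD5 checksum changed
match=an
regexi=File /(etc|System)
log=event:LCE-Unix_Configuration_File_Modified type:detected-change
NEXT

id=20051
name=The LCE client has detected a Tenable product configuration file modification.
match=MD5
match=le
match=pt
match=File /opt
match=ed
match=MD5 checksum changed
match=an
regexi=File /opt/(lce|nessus|pvs|sc3|sc4)
log=event:LCE-Unix_Tenable_File_Modified type:detected-change
NEXT

# Prefix match: "/lib" also covers /lib64, "/usr/lib" covers /usr/lib64.
id=20052
name=The LCE client has detected a Unix library file modification.
match=MD5
match=le
match=File /
match=ed
match=MD5 checksum changed
match=an
regexi=File /(lib|usr/lib)
log=event:LCE-Unix_Library_File_Modified type:detected-change
NEXT

# Catch-all for Unix paths not claimed by 20049-20052; the exclusions must
# mirror the directory lists of those rules.
id=20053
name=The LCE client has detected a Unix file modification.
match=MD5
match=le
match=File /
match=ed
match=MD5 checksum changed
match=an
match=!File /bin
match=!File /opt
match=!File /sbin
match=!File /usr/bin
match=!File /usr/sbin
match=!File /usr/libexec
match=!File /etc
match=!File /System
match=!File /lib
match=!File /usr/lib
log=event:LCE-Unix_Misc_File_Modified type:detected-change
NEXT

# Windows file-integrity rules (20054-20058) classify the client's
# 'File "<path>" ... MD5 checksum changed' lines by extension.
id=20054
name=The LCE client has detected a Windows executable file modification.
match=MD5
match=le
match=File "
match=File
match=ed
match=MD5 checksum changed
match=an
# Fixed: the previous (.exe|.bat|.cmd|.com|.msi) left the dot unescaped, so
# "." matched any character and paths containing e.g. "Acrobat" (".bat") or
# "incoming" (".com") were reported as executables. The extension is still
# matched anywhere in the quoted path, not only at its end.
regexi=\.(exe|bat|cmd|com|msi)
log=event:LCE-Windows_Executable_File_Modified type:detected-change
NEXT

id=20055
name=The LCE client has detected a Windows library file modification.
match=MD5
match=LCE
match=le
match=File "
match=File
match=ed
match=MD5 checksum changed
match=an
match=.dll
# NOTE(review): the event name does not follow the *_File_Modified pattern
# of its siblings (compare LCE-Unix_Library_File_Modified). Left unchanged
# so anything keyed on the existing event name keeps working.
log=event:LCE-Windows_Executable_Modified type:detected-change
NEXT

id=20056
name=The LCE client has detected a Windows system file modification.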
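# 20056 (continued): Windows system-type extensions.
match=MD5
match=LCE
match=le
match=File "
match=File
match=ed
match=MD5 checksum changed
match=an
# Fixed: dot escaped; the previous (.sys|.bak|...) let "." match any character.
regexi=\.(sys|bak|cpl|lnk|pif|scr)
log=event:LCE-Windows_System_File_Modified type:detected-change
NEXT

id=20057
name=The LCE client has detected a Windows configuration file modification.
match=MD5
match=le
match=File "
match=File
match=ed
match=MD5 checksum changed
match=an
# Fixed: dot escaped. The previous (.inf|.ini|...) form matched the "mini"
# inside e.g. "Administrator", so every file under that profile directory
# was reported as a configuration file.
regexi=\.(inf|ini|ins|isp|reg)
log=event:LCE-Windows_Configuration_File_Modified type:detected-change
NEXT

# Catch-all for Windows paths; the literal exclusions mirror the extension
# lists of 20054-20057 (match= is a substring test, so ".exe" anywhere in
# the path excludes the line).
id=20058
name=The LCE client has detected a file modification.
match=MD5
match=le
match=File "
match=File
match=ed
match=MD5 checksum changed
match=an
match=!.exe
match=!.bat
match=!.cmd
match=!.com
match=!.msi
match=!.dll
match=!.sys
match=!.bak
match=!.cpl
match=!.lnk
match=!.pif
match=!.scr
match=!.inf
match=!.ini
match=!.ins
match=!.isp
match=!.reg
log=event:LCE-Windows_Misc_File_Modified type:detected-change
NEXT

id=20059
name=A suspicious SQL query was detected.
match=Suspicious SQL Query Detected
match=etected
match=ic
match=ect
match=ici
match=ed
match=usp
# Fixed: this rule has no regex=, so the srcip/srcport/dstip/dstport/proto
# fields that log= used to reference as $1/$3/$8/$6/$7 were never bound;
# they are dropped. If these PVS lines carry the same
# "pvs: ip:port|ip:port|proto ... database server (ip)" prefix as the rules
# below (20042 explicitly excludes this text, which suggests they do), the
# regexi from 20060 can be added here to restore the address fields.
log=event:Suspicious_SQL_Query_Detected type:intrusion
NEXT

# Suspicious-query rules (20060-20065) share the PVS database-logging
# prefix regex: $1/$3 source address/port, $8/$6 database server
# address/port (from "database server ("), $7 protocol.
id=20060
name=A suspicious SQL query with a potential SQL injection event was detected.
match=|7019|
match=|70
match=pvs
match=lo
match=ing
match=Database command logging
match=ommand
match=an
# Extended stored procedures that run OS commands or touch the registry/services.
regexi=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*database server \(([0-9]+(\.[0-9]+){3}).*xp_(cmdshell|regread|regwrite|servicecontrol)
log=event:Suspicious_SQL-Command_Execution srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:intrusion
NEXT

id=20061
name=A suspicious SQL query was detected.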
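# 20061 (continued): time-based blind injection via BENCHMARK().
match=|7019|
match=|70
match=pvs
match=lo
match=ing
match=Database command logging
match=ommand
match=an
# Fixed: the previous "BENCHMARK\([0..9]+," used the character class
# [0..9], i.e. only the characters '0', '.' and '9', so a typical
# BENCHMARK(1000000, ...) never matched. Optional whitespace around the
# count is now tolerated.
regexi=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*database server \(([0-9]+(\.[0-9]+){3}).*BENCHMARK\(\s*[0-9]+\s*,
log=event:Suspicious_SQL-Benchmark_Delay srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:intrusion
NEXT

id=20062
name=A suspicious SQL query was detected containing a number sign or double minus signs.
match=|7019|
match=|70
match=pvs
match=lo
match=ing
match=Database command logging
match=ommand
match=an
# NOTE(review): "--" or "#" anywhere after "database server (" fires this
# rule, so comment characters inside string literals or URLs in legitimate
# queries will also match; expect false positives.
regexi=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*database server \(([0-9]+(\.[0-9]+){3}).*(--|#)
log=event:Suspicious_SQL-Meta_Characters_Seen srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:intrusion
NEXT

id=20063
name=A suspicious SQL query was detected which attempted to run the CONCAT command.
match=|7019|
match=|70
match=pvs
match=lo
match=ing
match=Database command logging
match=ommand
match=an
regexi=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*database server \(([0-9]+(\.[0-9]+){3}).*select CONCAT\(
log=event:Suspicious_SQL-CONCAT_Command_Seen srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:intrusion
NEXT

id=20064
name=A suspicious SQL query was detected which attempted to write data to a file.
match=|7019|
match=|70
match=pvs
match=lo
match=ing
match=Database command logging
match=ommand
match=an
# Fixed "to disks" -> "to disk" (MSSQL syntax is BACKUP ... TO DISK = ...,
# so the old text could never match). MySQL's SELECT ... INTO DUMPFILE, the
# raw-write sibling of INTO OUTFILE, is now covered as well.
regexi=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*database server \(([0-9]+(\.[0-9]+){3}).*(into outfile|into dumpfile|BACKUP .* to disk)
log=event:Suspicious_SQL-Write_Output_to_File srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:intrusion
NEXT

id=20065
name=A suspicious SQL query was detected which attempted to dump a list of system users.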
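# 20065 (continued): reads of the user/credential tables.
match=|7019|
match=|70
match=pvs
match=lo
match=ing
match=Database command logging
match=ommand
match=an
# Fixed: the MySQL alternative previously required the exact text
# "select host,user,password from mysql.user" (fixed column order, no
# spaces, unescaped dot); it now matches any SELECT from mysql.user.
regexi=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*database server \(([0-9]+(\.[0-9]+){3}).*(select .* from sysusers|select .* from mysql\.user)
log=event:Suspicious_SQL-User_Database_Dump srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:intrusion
NEXT

# Privilege-specific GRANT rules (20066-20071). Captures as for 20042:
# $1/$3 source address/port, $8/$6 database server address/port, $7 protocol.
id=20066
name=A Database GRANT Query has granted ALL privileges to a user.
match=!Suspicious SQL Query Detected
match=lo
match=log
match=ing
match=Database command logging
match=ommand
match=an
match=|7019|
match=|70
match=pvs
regexi=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*database server \(([0-9]+(\.[0-9]+){3}).*(\:|\;)\s*grant all
log=event:PVS-Database_GRANT_ALL_Privileges srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:database
NEXT

id=20067
name=A Database GRANT Query has granted INSERT privileges to a user.
match=!Suspicious SQL Query Detected
match=|7019|
match=pvs
match=lo
match=log
match=ing
match=Database command logging
match=ommand
match=an
regexi=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*database server \(([0-9]+(\.[0-9]+){3}).*(\:|\;)\s*grant .*insert.* on
log=event:PVS-Database_GRANT_INSERT_Privileges srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:database
NEXT

id=20068
name=A Database GRANT Query has granted SELECT privileges to a user.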
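# 20068 (continued): GRANT ... SELECT ... ON. Captures as for 20042:
# $1/$3 source address/port, $8/$6 database server address/port, $7 protocol.
match=!Suspicious SQL Query Detected
match=|7019|
match=|70
match=lo
match=log
match=ing
match=Database command logging
match=ommand
match=an
match=pvs
regexi=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*database server \(([0-9]+(\.[0-9]+){3}).*(\:|\;)\s*grant .*select.* on
log=event:PVS-Database_GRANT_SELECT_Privileges srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:database
NEXT

id=20069
name=A Database GRANT Query has granted DELETE privileges to a user.
match=!Suspicious SQL Query Detected
match=|7019|
match=|70
match=lo
match=log
match=ing
match=Database command logging
match=ommand
match=an
match=pvs
regexi=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*database server \(([0-9]+(\.[0-9]+){3}).*(\:|\;)\s*grant .*delete.* on
log=event:PVS-Database_GRANT_DELETE_Privileges srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:database
NEXT

id=20070
name=A Database GRANT Query has granted DROP privileges to a user.
match=!Suspicious SQL Query Detected
match=|7019|
match=|70
match=lo
match=log
match=ing
match=Database command logging
match=ommand
match=an
match=pvs
regexi=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*database server \(([0-9]+(\.[0-9]+){3}).*(\:|\;)\s*grant .*drop.* on
# Fixed: this rule previously emitted PVS-Database_GRANT_DELETE_Privileges,
# the same event as 20069, so DROP grants were indistinguishable from
# DELETE grants in the event stream.
log=event:PVS-Database_GRANT_DROP_Privileges srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:database
NEXT

id=20071
name=A Database GRANT Query has granted CREATE privileges to a user.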
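# 20071 (continued): GRANT ... CREATE ... ON. Captures as for 20042:
# $1/$3 source address/port, $8/$6 database server address/port, $7 protocol.
match=!Suspicious SQL Query Detected
match=|7019|
match=|70
match=lo
match=log
match=ing
match=Database command logging
match=ommand
match=an
match=pvs
regexi=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*database server \(([0-9]+(\.[0-9]+){3}).*(\:|\;)\s*grant .*CREATE.* on
log=event:PVS-Database_GRANT_CREATE_Privileges srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:database
NEXT

# id=20072 was an exact duplicate of 20071 (identical name=, match=,
# regexi= and log= lines), so it could never add anything and could only
# double-report CREATE grants. It is disabled rather than deleted to keep
# the id reserved; if a different privilege was intended, restore it with
# a distinct pattern and event name.
#id=20072
#name=A Database GRANT Query has granted CREATE privileges to a user.
#match=!Suspicious SQL Query Detected
#match=|7019|
#match=|70
#match=lo
#match=log
#match=ing
#match=Database command logging
#match=ommand
#match=an
#match=pvs
#regexi=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*database server \(([0-9]+(\.[0-9]+){3}).*(\:|\;)\s*grant .*CREATE.* on
#log=event:PVS-Database_GRANT_CREATE_Privileges srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:database
#NEXT

id=20073
name=A Database user has been created.
match=!Suspicious SQL Query Detected
match=|7019|
match=|70
match=lo
match=log
match=ing
match=Database command logging
match=ommand
match=an
match=pvs
regexi=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*database server \(([0-9]+(\.[0-9]+){3}).*(\:|\;)\s*CREATE USER
log=event:PVS-Database_User_Created srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:database
NEXT

id=20074
name=A Database user has been renamed.
match=!Suspicious SQL Query Detected
match=|7019|
match=|70
match=lo
match=log
match=ing
match=Database command logging
match=ommand
match=an
match=pvs
regexi=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*database server \(([0-9]+(\.[0-9]+){3}).*(\:|\;)\s*RENAME USER
log=event:PVS-Database_User_RENAME srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:database
NEXT

id=20075
name=A Database schema has been changed.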
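# 20075 (continued): ALTER ... TABLE. Captures as for 20042:
# $1/$3 source address/port, $8/$6 database server address/port, $7 protocol.
match=!Suspicious SQL Query Detected
match=|7019|
match=|70
match=lo
match=log
match=ing
match=Database command logging
match=ommand
match=an
match=pvs
regexi=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*database server \(([0-9]+(\.[0-9]+){3}).*(\:|\;)\s*ALTER .* TABLE
log=event:PVS-Database_Schema_Changed srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:database
NEXT

id=20076
name=A unique windows executable has been detected being executed and it has not been previously detected on any other systems. This could be new software, such as a patch update being executed, a legitimate program being used for the first time or a potentially hostile application.
match=host
match=ecu
match=indo
match=le
match=Unique_Windows_Executable - host
log=event:Unique_Windows_Executable type:process
NEXT

id=20077
name=The Log Correlation Engine has generated a DNS summary log for a host based on observed DNS queries and web site references.
match=host
match=ar
match=ce
match=Domain_Summary since
match=Do
match=ed
match=queried these domains:
# $1 = the summarized host, stored as both srcip and dstip.
regex=.* host ([0-9]+(\.[0-9]+){3})
log=event:Domain_Summary srcip:$1 dstip:$1 type:dns
NEXT

# id=20078 is not used in this file.
id=20079
name=Multiple webservers have had errors sourcing from the same IP. This could likely mean that a single IP address is performing web application scans of your infrastructure.
match=ed
match=Web_Servers_Scanned
match=has performed web app scans
match=pp
match=scan
match=an
log=event:Web_Servers_Scanned type:intrusion
NEXT

id=20080
name=Based on the large number of unique types of web errors generated by a visitor to one of your web sites, a hostile web application vulnerability scan or web application attack has likely occurred.
match=Web_Server_Scan
match=ed
match=has performed a web app scan
match=pp
match=scan
match=an
log=event:Web_Server_Scan type:intrusion
NEXT

# The description below was split across two source lines after "time.";
# the full text is restored here.
id=20081
name=A new Windows process has been seen for the first time. This event logs the name of the process of each event seen, and may provide information about processes on the system that should not be running, or are in error.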
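# 20081 (continued). The rest of its description in the source layout was:
# "This event logs the name of the process of each event seen, and may provide information about processes on the system that should not be running, or are in error."
match=indo
match=ce
match=ss
match=New_Windows_Process_Seen
match=New
log=event:New_Windows_Process_Seen type:process
# id=20082 available
NEXT

# Crash/hang summaries (20083-20086): $1 = the summarized host, stored as
# both srcip and dstip.
id=20083
name=The LCE has summarized all crashed and hung processes in the last hour.
match=ar
match=Hourly_Crash_Summary - host
match=rash
match=ed
match=ss
match= issued these commands in the last hour
match=ommand
match=an
match=host
regex=- host ([0-9]+(\.[0-9]+){3})
# NOTE(review): the matched text says "Hourly_Crash_Summary" but the event
# is "Hourly_Crashed_Summary" (same for 20085); left unchanged so consumers
# of the existing event names keep working.
log=event:Hourly_Crashed_Summary type:process srcip:$1 dstip:$1
NEXT

id=20084
name=The LCE has summarized all hung windows processes in the last hour.
match=ar
match=Hourly_Hung_Summary - host
match=ed
match=ss
match= issued these commands in the last hour
match=ommand
match=an
match=host
regex=- host ([0-9]+(\.[0-9]+){3})
log=event:Hourly_Hung_Summary type:process srcip:$1 dstip:$1
NEXT

id=20085
name=The LCE has summarized all crashed processes in the last 24 hours.
match=ail
match=ar
match=Daily_Crash_Summary - host
match=rash
match=ed
match=ss
match=ommand
match=an
match=host
regex=- host ([0-9]+(\.[0-9]+){3})
log=event:Daily_Crashed_Summary type:process srcip:$1 dstip:$1
NEXT

id=20086
name=The LCE has summarized all hung processes in the last 24 hours.
match=ail
match=ar
match=Daily_Hung_Summary - host
match=ed
match=ss
match= issued these commands in the last day
match=ommand
match=an
match=host
regex=- host ([0-9]+(\.[0-9]+){3})
log=event:Daily_Hung_Summary type:process srcip:$1 dstip:$1
NEXT

id=20087
name=The LCE has detected a sequence of intrusion detection events which indicate that a single source IP address has performed multiple different types of attacks against a target server. This could indicate a vulnerability scan of a single host as well as worm propagation.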
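# 20087 (continued): $1 = the attacking/probing source, $3 = the target
# ($2 is the inner octet group of the first address).
match=!Never_Before_Seen
match=ion
match=Intrusion_Host_Scan
match=an
match=ack
match=ed
match=attacked or probed
match=ttack
regex= Intrusion_Host_Scan ([0-9]+(\.[0-9]+){3}).*attacked or probed ([0-9]+(\.[0-9]+){3})
log=event:Intrusion_Host_Scan type:intrusion srcip:$1 dstip:$3
NEXT

# "vulnerabiltiy" typo fixed in the description.
id=20088
name=The LCE has detected a sequence of intrusion detection events which indicate that a single IP address has performed a scan or sweep of multiple targets. This could indicate vulnerability scanning as well as worm propagation.
match=!Never_Before_Seen
match=ion
match=Intrusion_Network_Scan
match=scan
match=an
# $1 = the scanning source; no single target, so it is also stored as dstip.
regex= Intrusion_Network_Scan ([0-9]+(\.[0-9]+){3})
log=event:Intrusion_Network_Scan type:intrusion srcip:$1 dstip:$1
NEXT

id=20089
name=A unique Unix executable has been detected being executed and it has not been previously detected on any other systems. This could be new software, such as a patch update being executed, a legitimate program being used for the first time or a potentially hostile application.
match=host
match=ecu
match=le
match=Unique_Unix_Executable - host
log=event:Unique_Unix_Executable type:process
# id=20090 available
NEXT

id=20091
name=The Log Correlation Engine has encountered a log which indicates that a user account has been added.
match=User_Added -
match=User
match=as
match=Ev
match=at
match=event
match=ent
match=te
match=ed
match=ate
match=al
match=nt
match=en
match=ated
match=ve
match=Evaluated as event
log=event:User_Added type:detected-change
NEXT

id=20092
name=The PVS has detected activity indicative of the Storm/Pecoan.AG worm.
match=St
match=ed
match=Storm/Pecoan.AG Worm Detected
match=ect
match=an
match=pvs
# NOTE(review): this is the only event name in the file containing "/" and
# "."; confirm downstream consumers accept those characters in event names.
log=event:PVS-Storm/Pecoan.AG_Worm_Detected type:intrusion
NEXT

id=20093
name=The PVS has detected Warbot Trojan activity.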
match=ar match=ed match=Warbot Trojan Detected match=ect match=an match=pvs log=event:PVS-Warbot_Trojan_Detected type:intrusion NEXT id=20094 name=The LCE has detected a SQL query containing patterns commonly found with large-scale automated SQL injection attacks. These queries commonly contain long strings of characters, repetitive string concatenation, and other uncommon SQL usage. Examining the query in question, especially against other queries commonly executed against the same database, should show that it stands out, and requires review to see if any malicious commands have been executed. match=lo match=log match=ing match=Database command logging match=ommand match=an match=REPLACE(cast( match=ar match=,cast(char(32)+as+varchar(8)))-- regexi=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*database server \(([0-9]+(\.[0-9]+){3}) log=event:Suspicious_SQL-Injection_Attack_Detected srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:intrusion NEXT id=20095 name=The PVS has detected a request for a URL that has been reported to be hostile and used to propogate botnets. This may indicate that you have a local system that has attempted to access malicious URLs on the Internet such as downloading hostile PDF files. Further investigation of the network activity of this host is suggested. match=est match=PVS match=PVS-Malicious_Web_Request match= from match=from match=rom match=ed match=_Request match=detected from match=etected match=ect match=ent match=ol match=lo match=al match=st match=ing match=in match=nti match=ici match=to the following log=event:PVS-Malicious_Web_Request type:threatlist NEXT id=20096 name=The LCE client has detected a file removal. match=MD5 match=le match=File " match=Its match=File match=ed match=was removed. 
Its last MD5 checksum match=MD5 checksum match=moved match=rem match= remove match= [ log=event:LCE-Windows_File_Removed type:detected-change NEXT id=20097 name=The LCE client has detected a file being removed and then re-added. match=MD5 match=le match=File " match=Its match=File match=ed match= was re-added after removal match=MD5 checksum match=rem log=event:LCE-Windows_File_Readded type:detected-change NEXT id=20098 name=The LCE client has detected a potential worm outbreak. Portscans were reported from a host that was previously port scanned, indicating it may have been compromised. match=ote match=nti match=al match=ho match=st match=Potential_Worm_Outbreak - host match=sca match=ned match=then scanned host log=event:Potential_Worm_Outbreak type:intrusion NEXT id=20099 name=The LCE has detected a system receive an SSH (Secure Shell) connection and then initiate another one within 20 minutes. The system could be an SSH gateway, a bastion host or possibly being used to leapfrog and attack other systems. match=ar match=ho match=tem match=in match=ated match=an match=pf match=SSH match=ystem match=eceived match=ce match=at match= used match=le match=og match=ttack match=system match=to match=ent match=init match=session match=attack match=ac match=Suspicious_SSH_Proxy log=event:Suspicious_SSH_Proxy type:network NEXT id=20100 name=The LCE has detected a system receive a VNC remote desktop connection and then initiate another one within 20 minutes. The system could be a VNC gateway, a bastion host or possibly being used to leapfrog and attack other systems. 
match=ar match=ho match=tem match=in match=ated match=an match=pf match=VNC match=ystem match=eceived match=ce match=at match= used match=le match=og match=ttack match=system match=to match=ent match=init match=session match=attack match=ac match=Suspicious_VNC_Proxy log=event:Suspicious_VNC_Proxy type:network NEXT id=20101 name=The LCE has detected a system receive a Windows remote desktop (RDP) connection and then initiate another one within 20 minutes. The system could be an RDP gateway, a bastion host or possibly being used to leapfrog and attack other systems. match=ar match=ho match=tem match=in match=ated match=an match=pf match=RDP match=ystem match=eceived match=ce match=at match= used match=le match=og match=ttack match=system match=to match=ent match=init match=session match=attack match=ac match=Suspicious_RDP_Proxy log=event:Suspicious_RDP_Proxy type:network NEXT id=20102 name=The Log Correlation Engine detected an Ethernet address it has not seen before. match=New match=MAC match=ser match=ed match=New_Wireless_MAC - The host log=event:New_Wireless_MAC type:detected-change NEXT id=20104 name=The LCE has summarized all Microsoft EXE and MSI files downloaded in the last day. match=Daily_EXE_Download_Summary match=er match=or match=host match=own match=ed match=st regex=- host ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Daily_EXE_Download_Summary type:file-access srcip:$1 dstip:$1 NEXT id=20105 name=The Log Correlation Engine detected an unusual VPN login source for this user. match=Login match=user match=or match=ser match=VPN match=VPN_Login_From_Unusual_Source regex=user ([^ ]+) .* different IP .*: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:VPN_Login_From_Unusual_Source type:login user:$1 srcip:$2 NEXT id=22025 name=The Log Correlation Engine detected a large number of unique local hosts visiting the same remote server. 
match=Crowd_Surge - destination match=ion match=ar match=host log=event:Crowd_Surge type:network NEXT id=22026 name=The Log Correlation Engine generated a list of software installed on a host. match=st match=ar match=re match=Software match=Host_Software_List regex=Host ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:Host_Software_List type:system srcip:$1 NEXT id=22027 name=The Log Correlation Engine generated a list of Microsoft software installed on a host. match=st match=ar match=re match=Software match=Microsoft match=Host_Microsoft_Software_List log=event:Host_Microsoft_Software_List type:system NEXT id=22028 name=The Log Correlation Engine has generated a failed DNS summary log for a host based on observed failed DNS queries. match=host match=ar match=ce match=Domain_Failure_Summary since match=Do match=ed match=these domains: log=event:Domain_Failure_Summary type:dns NEXT id=22029 name=The Log Correlation Engine has detected the first time a host was seen active today. match=host match=ed match=work match=Daily_Host_Alert - regex=- host ([0-9]+(\.[0-9]+){3}) log=event:Daily_Host_Alert type:system srcip:$1 dstip:$1 NEXT id=22030 name=The Log Correlation Engine has summarized malware events observed on a host for the past 24 hours. match=ng match=nts match=st match=ost match=ing match=the match=re match=host match=Malware_Host_Summary - log=event:Malware_Host_Summary type:virus NEXT id=22031 name=The Log Correlation Engine detected a new active user account login source. match=New match=ser match=User match=New_User_Source - at match=ed match=co match=nt match=ew match=gg regex=account ([A-Za-z0-9\$\-\_@\.]+) logged log=event:New_User_Source user:$1 type:detected-change NEXT id=22032 name=The Log Correlation Engine has summarized user accounts from a single host logging into remote hosts. 
match=wi match=count match=nts match=gg match=acc match=ost match=Source match=ve match=remote match=user match=User_Source_Summary log=event:User_Source_Summary type:detected-change NEXT id=22033 name=The LCE has detected a request for a URL that has been reported to be hostile and used to propogate botnets. This may indicate that you have a local system that has attempted to access malicious URLs on the Internet such as downloading hostile PDF files. Further investigation of the network activity of this host is suggested. match=est match=!PVS match=Malicious_Web_Request match= from match=from match=rom match=ed match=_Request match=detected from match=etected match=ect match=ent match=ol match=lo match=al match=st match=ing match=in match=nti match=ici match=to the following log=event:Malicious_Web_Request type:threatlist NEXT id=22034 name=The LCE has summarized all IPs that have logged in to this host for the last 24 hours. match=ddr match= event match=Daily_ match=il match=so match=ce match=in match=login match=Daily_Host_Login_Summary regex=- host ([0-9]+(\.[0-9]+){3}) log=event:Daily_Host_Login_Summary type:login srcip:$1 dstip:$1 NEXT id=22035 name=The Log Correlation Engine detected an Ethernet address it has not seen before. match=New match=MAC match=ser match=ed match=New_Mobile_MAC - The host log=event:New_Mobile_MAC type:detected-change