# THUNDER PRM LIBRARY
# Copyright 2006 Tenable Network Security
# This library may only be used with the Thunder server and may not
# be used with other products or open source projects
#
# NAME:
# Arbor NBAD logs
#
# DESCRIPTION:
# This library is used to process logs from a system running Arbor NBAD
# (network behaviour anomaly detection). Every rule below filters on literal
# fragments of the "pfDoS:" message and then extracts addresses with a regex.
#
# LAST UPDATE: $Date$ 

# id 200: pfDoS protocol anomaly where the message names " protocol tcp ".
# Each match= line is a literal fragment the raw log line must contain before
# the regex is tried; the two/three-letter fragments (pf, Do, ol, an, ty, cp)
# are substrings of the longer tokens on the same list and presumably serve
# as cheap pre-filters -- confirm against the PRM engine semantics.
# The regex is unanchored and its leading ".*" is greedy, so on a line that
# carries more than one " src "/" dst " token the last pair wins.  Each
# octet is only [0-9]+, so a value such as 999.1.1.1 is accepted and copied
# into srcip/dstip unvalidated.  The pattern also ends with a space after the
# dst address; if the parser does not trim trailing whitespace, a line that
# ends right after the dst address will not match -- verify.
# NOTE(review): the src of a DoS anomaly is whatever the sensor reported and
# may be spoofed; treat srcip as an attribution hint, not a verified peer.
# proto:6 is hard-coded to agree with the " protocol tcp " match.
id=200
name=The Arbor detection system has found an anomaly in a TCP connection.
match=pf
match= pfDoS: 
match=Do
match=ol
match= anomaly Protocol id 
match=an
match=ty
match= severity 
match=cp
match= protocol tcp 
regex=.* src ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).* dst ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) 
log=event:Arbor-TCP_Protocol_Anomaly srcip:$1 dstip:$2 proto:6 type:intrusion 

NEXT

# id 201: pfDoS protocol anomaly where the message names " protocol udp ".
# Same filter/regex shape as id 200; proto:17 is hard-coded to agree with the
# " protocol udp " match.  Two fragments here (" anomaly Protocol id" and
# " severity") lack the trailing space that id 200 uses -- harmless if the
# parser trims whitespace, otherwise this rule is slightly more permissive
# than id 200 on those tokens.  The IPv4 captures accept any digit run per
# octet and are copied into srcip/dstip unvalidated.
# NOTE(review): as with id 200, the reported src may be spoofed.
id=201
name=The Arbor detection system has found an anomaly in a UDP connection.
match=pf
match= pfDoS: 
match=Do
match=ol
match= anomaly Protocol id
match=an
match=ty
match= severity
match= protocol udp 
regex=.* src ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).* dst ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) 
log=event:Arbor-UDP_Protocol_Anomaly srcip:$1 dstip:$2 proto:17 type:intrusion 

NEXT

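# id 202: pfDoS protocol anomaly for any protocol other than TCP or UDP.
# The "match=!" lines appear to be negative filters (the line must NOT
# contain " protocol udp " / " protocol tcp "), so this rule is the
# catch-all left over after ids 200 and 201 -- confirm the "!" semantics
# against the PRM engine.  No proto: field is emitted because the protocol
# number is not extracted from the message.  Same unanchored greedy regex
# and permissive IPv4 captures as id 200.
# Fix: the description previously read "found arbor anomaly".
id=202
name=The Arbor detection system has found an anomaly in a non-TCP and non-UDP network connection.
match=pf
match= pfDoS: 
match=Do
match=ol
match= anomaly Protocol id 
match=an
match=ty
match= severity
match=! protocol udp 
match=! protocol tcp 
regex=.* src ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).* dst ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) 
log=event:Arbor-Protocol_Anomaly srcip:$1 dstip:$2 type:intrusion 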

NEXT

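# id 203: pfDoS anomaly reported against a router interface.
# The regex captures the IPv4 address that follows the last "router " token
# preceding " interface" (greedy ".*"); octets are unvalidated [0-9]+.
# NOTE(review): srcip and dstip are BOTH set to the router address ($1).
# The message carries no endpoint addresses, so any src/dst correlation on
# this event will point at the router itself.  id 204 records the same kind
# of address as sensor:$1 -- confirm whether that is the intended field here
# and whether srcip/dstip are mandatory for the event schema before changing.
# Fix: the description previously read "found anomaly going through".
id=203
name=The Arbor detection system has found an anomaly going through a specific router.
match=pf
match= pfDoS: 
match=Do
match=ol
match= anomaly Protocol id 
match=an
match= router 
match=ce
match=ace
match= interface 
regex=.*router ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) interface
log=event:Arbor-Router_Anomaly srcip:$1 dstip:$1 type:intrusion 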

NEXT

# id 204: pfDoS per-flow anomaly record (message carries rtrSampleRate,
# dstPort, firstSeen and lastSeen fields).
# The regex requires the fields to appear in exactly this order, single
# spaced: "rtr <ip> ... proto <n> src <ip> dst <ip> dstPort <n>".  A change
# in field order or spacing on the sensor side will silently stop this rule
# matching.  Captures: $1 router -> sensor, $2 protocol number -> proto,
# $3/$4 -> srcip/dstip, $5 -> dstport.  The number captures are unbounded
# digit runs and the IPv4 octets are unvalidated [0-9]+, so out-of-range
# values are passed through as-is.
# NOTE(review): as with id 200, the reported src may be spoofed.
id=204
name=The Arbor detection system has found an anomaly in a specific network flow.
match=pf
match= pfDoS: 
match=Do
match=ate
match=le
match= rtrSampleRate 
match= dstPort 
match= firstSeen 
match= lastSeen 
regex=.* rtr ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .* proto ([0-9]+) src ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) dst ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) dstPort ([0-9]+)
log=event:Arbor-Flow_Anomaly sensor:$1 proto:$2 srcip:$3 dstip:$4 dstport:$5 type:intrusion