# LOG CORRELATION ENGINE PRM LIBRARY
# Copyright 2007 Tenable Network Security
# This library may only be used with the Thunder server and may not
# be used with other products or open source projects
#
# NAME:
# This is a log parser for the "Port Scan Attack Detector" (psad) available
# at http://www.cipherdyne.org/psad/. Although not a network IDS, it is
# included in the list of "nids" PRMs because it discovers network scans
# by monitoring firewall logs.
#
# DESCRIPTION:
# This library is used to parse events generated by psad.
#
# LAST UPDATE: $Date$

# id=2840 is available

# Rule 454: TCP scan, older psad message layout.
# The match= lines are literal substrings that must all be present before
# the regex is tried; " udp=0 " and " icmp=0 " keep UDP/ICMP-only scans out
# of this rule. The regex captures sensor ($1), srcip ($2), dstip ($3) and
# the bracketed TCP port range after "tcp=" ($4), which becomes dstport.
id=454
name=The PSAD system detected a TCP scan.
match= udp=0 
match= icmp=0 
match=psad
match=le
match= dangerlevel:
match=an
match=scan
match=ed
match= scan detected: 
match=ect
regex=([a-zA-Z0-9.-]+) psad: scan detected: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) -> ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) tcp=\[([0-9-]+)\]
log=type:scanning event:PSAD-Scan_Detected sensor:$1 srcip:$2 dstip:$3 dstport:$4 proto:6

NEXT

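# Rule 455: UDP scan, older psad message layout.
# The " tcp=0 " and " icmp=0 " prefilters keep TCP/ICMP-only scans out of
# this rule. The regex captures only three groups (sensor, srcip, dstip),
# so dstport is fixed at 0 exactly as the ICMP rules do; do not reference
# $4 here, the regex has no fourth group. If the UDP port list is wanted,
# add a fourth group modelled on rule 454's "tcp=\[([0-9-]+)\]" only after
# checking it against a sample line, otherwise the rule stops matching.
id=455
name=The PSAD system detected a UDP scan.
match=cp
match= tcp=0 
match= icmp=0 
match=psad
match=scan
match=an
match=ed
match= scan detected: 
match=ect
match=le
match= dangerlevel: 
regex=([a-zA-Z0-9.-]+) psad: scan detected: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) -> ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) 
log=type:scanning event:PSAD-Scan_Detected sensor:$1 srcip:$2 dstip:$3 dstport:0 proto:17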

NEXT

# Rule 456: ICMP scan, older psad message layout.
# The " tcp=0 " and " udp=0 " prefilters keep TCP/UDP-only scans out of
# this rule. The regex captures sensor ($1), srcip ($2) and dstip ($3)
# only; ICMP has no port, so dstport is reported as 0.
id=456
name=The PSAD system detected an ICMP scan.
match=cp
match= tcp=0 
match= udp=0 
match=psad
match=an
match=scan
match=ed
match= scan detected: 
match=ect
match=le
match= dangerlevel: 
regex=([a-zA-Z0-9.-]+) psad: scan detected: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) -> ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:scanning event:PSAD-Scan_Detected sensor:$1 srcip:$2 dstip:$3 dstport:0 proto:1

NEXT

# Rule 457: psad added an auto-block rule to the local firewall.
# The ".*" in the regex skips whatever text sits between "added" and
# "auto-block against"; the blocked address is captured as srcip ($2).
# Classified as a firewall event rather than a scan.
id=457
name=The PSAD system enabled an auto-block with the local firewall.
match=psad
match=ed
match=psad: added 
match=lo
match= auto-block against
regex=([a-zA-Z0-9.-]+) psad: added .* auto-block against ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:firewall event:PSAD-Block_Added sensor:$1 srcip:$2

NEXT

# Rule 458: psad removed an auto-block rule from the local firewall
# (counterpart of rule 457; same capture layout, sensor $1 and srcip $2).
# Note: the NEXT separator for this rule is the one that follows the
# commented-out rule 459 below.
id=458
name=The PSAD system removed an auto-block with the local firewall.
match=psad
match=ed
match= removed 
match=rem
match=lo
match= auto-block against 
regex=([a-zA-Z0-9.-]+) psad: removed .* auto-block against ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:firewall event:PSAD-Block_Removed sensor:$1 srcip:$2


#NEXT
#
#id=459
#name=The PSAD system detected an IDS signature match.
#example=15:03:29 iptablesfw psad: src: 65.182.197.125 signature match: "MISC Windows popup spam
#match=psad
#match=src:
#match= signature match: 
#regex=([a-zA-Z0-9.-]+) psad: src: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) signature match:
#log=type:intrusion event:PSAD-Signature_Match sensor:$1 srcip:$2

NEXT

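# Rule 460: TCP scan, newer psad message layout ("tcp: [ports]").
# The match= lines are literal substrings that must all be present before
# the regex is tried. The prefilter here is " scan detected: ", as in
# rules 454-456: it is a substring of the regex's own literal text
# "psad: scan detected: ", whereas "psad scan detected: " (no colon) can
# never co-occur with it and would stop this rule from ever firing.
id=460
name=The PSAD system detected a TCP scan.
match=cp
match= tcp: 
match=tcp
match=psad
match=ed
match= scan detected: 
match=ect
match=an
regex=([a-zA-Z0-9.-]+) psad: scan detected: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) -> ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) tcp: \[([0-9-]+)\]
log=type:scanning event:PSAD-Scan_Detected sensor:$1 srcip:$2 dstip:$3 dstport:$4 proto:6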

NEXT

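# Rule 461: UDP scan, newer psad message layout ("udp: [ports]").
# The prefilter is " scan detected: " (as in rules 454-456), a substring
# of the regex's literal "psad: scan detected: "; the colon-less form
# "psad scan detected: " cannot co-occur with the regex and would keep
# this rule from ever firing. $4 is the bracketed UDP port range.
id=461
name=The PSAD system detected a UDP scan.
match= udp: 
match=udp
match=psad
match=ed
match= scan detected: 
match=ect
match=an
regex=([a-zA-Z0-9.-]+) psad: scan detected: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) -> ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) udp: \[([0-9-]+)\]
log=type:scanning event:PSAD-Scan_Detected sensor:$1 srcip:$2 dstip:$3 dstport:$4 proto:17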

NEXT

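# Rule 462: ICMP scan, newer psad message layout (" icmp: " present).
# The prefilter is " scan detected: " (as in rules 454-456), a substring
# of the regex's literal "psad: scan detected: "; the colon-less form
# "psad scan detected: " cannot co-occur with the regex and would keep
# this rule from ever firing. Three capture groups only, so dstport is 0.
id=462
name=The PSAD system detected an ICMP scan.
match= icmp: 
match=icmp
match=pkts:
match=pkt
match=psad
match=ed
match= scan detected: 
match=ect
match=an
regex=([a-zA-Z0-9.-]+) psad: scan detected: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) -> ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:scanning event:PSAD-Scan_Detected sensor:$1 srcip:$2 dstip:$3 dstport:0 proto:1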