#
# (LCE)SNORT LIBRARY
# Copyright 2011 Tenable Network Security
# This library may only be used with the LCE server and may not
# be used with other products or open source projects

# $Date: 2013/10/16 23:52:37 n


# Rule 5100: normalizes the Snort "(portscan) UDP Portsweep" alert to the
# event Snort-UDP_Portsweep (type scanning, IP protocol 17).
# Each match= line is a literal substring test; later rules in this file use a
# leading "!" for a substring that must be absent.
# NOTE(review): confirm in the LCE plugin documentation that every match= line
# must hold before the regex is evaluated.
# Regex groups: $1 = source IPv4, $2 = inner repeat group (unused),
# $3 = destination IPv4. The pattern is IPv4-only and does not bound octets to
# 0-255, so an alert carrying IPv6 addresses would presumably not be
# normalized by this rule.
id=5100
name=The Snort IDS sensor detected a UDP portsweep.
match=snort
match=scan
match=an
match=UDP
match= (portscan)
match=) UDP Portsweep
regex=} ([0-9]+(\.[0-9]+){3})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3})
log=srcip:$1 dstip:$3 event:Snort-UDP_Portsweep type:scanning proto:17

NEXT

id=5101
name=The Snort IDS sensor detected a TCP portsweep.
match=snort
match= (portscan)
match=scan
match=an
match=TCP
match=) TCP Portsweep
regex=} ([0-9]+(\.[0-9]+){3})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3})
log=srcip:$1 dstip:$3 event:Snort-TCP_Portsweep type:scanning proto:6

NEXT

id=5102
name=The Snort IDS sensor detected a TCP portscan.
match=snort
match=scan
match=an
match=TCP
match= (portscan)
match=!Decoy
match=!Distributed
match=) TCP Portscan
regex=} ([0-9]+(\.[0-9]+){3})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3})
log=srcip:$1 dstip:$3 event:Snort-TCP_Portscan type:scanning proto:6

NEXT

id=5103
name=The Snort IDS sensor detected a UDP portscan.
match=snort
match= (portscan)
match=scan
match=an
match=UDP
match=!Decoy
match=!Distributed
match=) UDP Portscan
regex=} ([0-9]+(\.[0-9]+){3})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3})
log=srcip:$1 dstip:$3 event:Snort-UDP_Portscan type:scanning proto:17

NEXT

# Rule 5104: normalizes " TCP Distributed Portscan" alerts to
# Snort-Distributed_Portscan. The name reads as protocol-neutral, but the rule
# requires the substring "TCP" and always logs proto:6.
# NOTE(review): rule 5103 (UDP portscan) excludes "Distributed" and "Decoy",
# and no rule visible in this file matches a UDP distributed or decoy portscan
# alert, so those alerts appear to go un-normalized. Confirm whether that gap
# is intended.
# The "!TCP Portscan" / "!UDP Portscan" exclusions keep this rule from also
# matching the plain portscan alerts handled by rules 5102 and 5103.
id=5104
name=The Snort IDS sensor detected a distributed portscan. This means that multiple remote IP addresses assisted the source IP address of this event in scanning the target.
match=snort
match= (portscan)
match=scan
match=an
match=TCP
match=ed
match= TCP Distributed Portscan
match=!TCP Portscan
match=!UDP Portscan
regex=} ([0-9]+(\.[0-9]+){3})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3})
log=srcip:$1 dstip:$3 event:Snort-Distributed_Portscan type:scanning proto:6

NEXT

id=5105
name=The Snort IDS sensor detected an ICMP portsweep.
match=snort
match= (portscan)
match=scan
match=ICMP
match=MP
match=an
match=!Decoy
match=!Distributed
match=) ICMP Sweep
regex=} ([0-9]+(\.[0-9]+){3})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3})
log=srcip:$1 dstip:$3 event:Snort-ICMP_Sweep type:scanning proto:1

NEXT

id=5106
name=The Snort IDS sensor detected a TCP scan that was a decoy attempt.
match=snort
match= (portscan)
match= TCP Decoy Portscan
match=scan
match=an
match=TCP
match=!TCP Portscan
match=!UDP Portscan
regex=} ([0-9]+(\.[0-9]+){3})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3})
log=srcip:$1 dstip:$3 event:Snort-Decoy_Portscan type:scanning proto:6

NEXT

id=5107
name=The Snort IDS sensor detected a portscan.
match=snort
match=scan
match=an
match=(spp_portscan2)
match=pp
match=Portscan detected from
match=!seconds for destination
regex=Portscan detected from ([0-9]+(\.[0-9]+){3})
log=srcip:$1 event:Snort-Portscan type:scanning

NEXT

id=5108
name=The Snort IDS sensor detected a port scan.
match=snort
match=scan
match=an
match=(spp_portscan2)
match=pp
match=ed
match=Portscan detected from
match=seconds for destination
match=ion
regex=Portscan detected from ([0-9]+(\.[0-9]+){3}).* for destination ([0-9]+(\.[0-9]+){3})
log=srcip:$1 dstip:$3 event:Snort-Portscan type:scanning

NEXT

id=5109
name=The Snort IDS sensor detected an issue with a web session.
match=snort
match=TCP
match=(http_inspect)
regex={TCP} ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=srcip:$1 srcport:$3 dstip:$4 dstport:$6 event:Snort-HTTP_Inspect type:intrusion

NEXT

# Rule 5110: first of the classification-based rules. These key on the text of
# Snort's "[Classification: ...]" field rather than on a specific signature.
# The classification text is tested as a plain substring of the whole log
# line, so the same phrase appearing elsewhere in the line (for example in a
# signature message) would presumably satisfy the match as well.
# Regex groups: $1 = source IPv4, $3 = source port, $4 = destination IPv4,
# $6 = destination port ($2 and $5 are the inner repeat groups).
# The regex requires ip:port on both sides of "->", so alerts logged without
# ports (e.g. ICMP) are not normalized by this rule.
# Rule 5111 handles the title-case spelling of the same classification and
# emits the same event name.
id=5110
name=A Snort sensor detected an event classified as access to a potentially vulnerable web application
match=ass
match= [Class
match=access to a potentially vulnerable web application
regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:Snort-Access_To_A_Potentially_Vulnerable_Web_Application type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6

NEXT

id=5111
name=A Snort sensor detected an event classified as Access to a Potentially Vulnerable Web Application
match=ass
match= [Class
match=Access to a Potentially Vulnerable Web Application
regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:Snort-Access_To_A_Potentially_Vulnerable_Web_Application type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6

NEXT

id=5112
name=A Snort sensor detected an event classified as A client was using an unusual port
match=ass
match= [Class
match=A client was using an unusual port
regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:Snort-A_Client_Was_Using_An_Unusual_Port type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6

NEXT

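# Rule 5113: title-case variant of the classification text handled by rule
# 5112. As with the other case-variant pairs in this file (e.g. 5110/5111),
# both spellings must normalize to one event name so that a single query or
# alert covers them.
# The event name is spelled with underscores throughout
# ("An_Unusual_Port"); a hyphenated "An-Unusual_Port" would split this
# classification across two event names. Saved queries or alerts keyed on a
# hyphenated spelling need to be updated.
# Regex groups: $1/$3 = source IPv4/port, $4/$6 = destination IPv4/port.
id=5113
name=A Snort sensor detected an event classified as A Client was Using an Unusual Port
match=ass
match= [Class
match=A Client was Using an Unusual Port
regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:Snort-A_Client_Was_Using_An_Unusual_Port type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6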

NEXT

id=5114
name=A Snort sensor detected an event classified as An attempted login using a suspicious username was detected
match=ass
match= [Class
match=An attempted login using a suspicious username was detected
regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:Snort-An_Attempted_Login_Using_A_Suspicious_Username_Was_Detected type:login-failure srcip:$1 srcport:$3 dstip:$4 dstport:$6

NEXT

id=5115
name=A Snort sensor detected an event classified as An Attempted Login Using a Suspicious Username was Detected
match=ass
match= [Class
match=An Attempted Login Using a Suspicious Username was Detected
regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:Snort-An_Attempted_Login_Using_A_Suspicious_Username_Was_Detected type:login-failure srcip:$1 srcport:$3 dstip:$4 dstport:$6

NEXT

id=5116
name=A Snort sensor detected an event classified as A Network Trojan was detected
match=ass
match= [Class
match=A Network Trojan was detected
regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:Snort-A_Network_Trojan_Was_Detected type:virus srcip:$1 srcport:$3 dstip:$4 dstport:$6

NEXT

id=5117
name=A Snort sensor detected an event classified as A Network Trojan was Detected
match=ass
match= [Class
match=A Network Trojan was Detected
regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:Snort-A_Network_Trojan_Was_Detected type:virus srcip:$1 srcport:$3 dstip:$4 dstport:$6

NEXT

id=5118
name=A Snort sensor detected an event classified as A Suspicious Filename was Detected
match=ass
match= [Class
match=A Suspicious Filename was Detected
regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:Snort-A_Suspicious_Filename_Was_Detected type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6

NEXT

id=5119
name=A Snort sensor detected an event classified as A suspicious filename was detected
match=ass
match= [Class
match=A suspicious filename was detected
regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:Snort-A_Suspicious_Filename_Was_Detected type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6

NEXT

id=5120
name=A Snort sensor detected an event classified as A Suspicious String was Detected
match=ass
match= [Class
match=A Suspicious String was Detected
regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:Snort-A_Suspicious_String_Was_Detected type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6

NEXT

id=5121
name=A Snort sensor detected an event classified as A suspicious string was detected
match=ass
match= [Class
match=A suspicious string was detected
regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:Snort-A_Suspicious_String_Was_Detected type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6

NEXT

id=5122
name=A Snort sensor detected an event classified as A System Call was Detected
match=ass
match= [Class
match=A System Call was Detected
regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:Snort-A_System_Call_Was_Detected type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6

NEXT

id=5123
name=A Snort sensor detected an event classified as A system call was detected
match=ass
match= [Class
match=A system call was detected
regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:Snort-A_System_Call_Was_Detected type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6

NEXT

id=5124
name=A Snort sensor detected an event classified as A TCP connection was detected
match=ass
match= [Class
match=A TCP connection was detected
regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:Snort-A_TCP_Connection_Was_Detected type:network srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6

NEXT

id=5125
name=A Snort sensor detected an event classified as A TCP Connection was Detected
match=ass
match= [Class
match=A TCP Connection was Detected
regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:Snort-A_TCP_Connection_Was_Detected type:network srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6

NEXT

id=5126
name=A Snort sensor detected an event classified as Attempted Administrator Privilege Gain
match=ass
match= [Class
match=Attempted Administrator Privilege Gain
regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:Snort-Attempted_Administrator_Privilege_Gain type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6

NEXT

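# Rule 5127: normalizes alerts classified "Attempted Denial of Service" to
# Snort-Attempted_Denial_Of_Service (type dos).
# The event name must end in "Service"; a misspelled name (e.g. "Servica")
# means filters and correlation rules written against the correct spelling
# silently miss these alerts. Saved queries keyed on a misspelled name need to
# be updated.
# Regex groups: $1/$3 = source IPv4/port, $4/$6 = destination IPv4/port.
id=5127
name=A Snort sensor detected an event classified as Attempted Denial of Service
match=ass
match= [Class
match=Attempted Denial of Service
regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:Snort-Attempted_Denial_Of_Service type:dos srcip:$1 srcport:$3 dstip:$4 dstport:$6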

NEXT

id=5128
name=A Snort sensor detected an event classified as Attempted Information Leak
match=!ET SCAN
match=!ICMP
match=ass
match= [Class
match=Attempted Information Leak
regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:Snort-Attempted_Information_Leak type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6

NEXT

id=5129
name=A Snort sensor detected an event classified as Attempted User Privilege Gain
match=ass
match= [Class
match=Attempted User Privilege Gain
regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:Snort-Attempted_User_Privilege_Gain type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6

NEXT

# Rule 5130: normalizes alerts classified "Attempt to login by a default
# username and password" and assigns them type login-failure.
# NOTE(review): the classification describes an attempt and says nothing about
# the outcome, so the login-failure type should not be read as proof that the
# login failed. A successful default-credential login would be logged under
# the same type; verify the outcome against the target's own authentication
# logs.
# Regex groups: $1/$3 = source IPv4/port, $4/$6 = destination IPv4/port.
id=5130
name=A Snort sensor detected an event classified as Attempt to login by a default username and password
match=ass
match= [Class
match=Attempt to login by a default username and password
regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:Snort-Attempt_To_Login_By_A_Default_Username_And_Password type:login-failure srcip:$1 srcport:$3 dstip:$4 dstport:$6

NEXT

id=5131
name=A Snort sensor detected an event classified as Attempt to Login By a Default Username and Password
match=ass
match= [Class
match=Attempt to Login By a Default Username and Password
regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:Snort-Attempt_To_Login_By_A_Default_Username_And_Password type:login-failure srcip:$1 srcport:$3 dstip:$4 dstport:$6

NEXT

id=5132
name=A Snort sensor detected an event classified as Decode of an RPC Query
match=ass
match= [Class
match=Decode of an RPC Query
regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:Snort-Decode_Of_An_RPC_Query type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6

NEXT

# Rule 5133: normalizes alerts classified "Denial of Service" to
# Snort-Denial_Of_Service (type dos).
# NOTE(review): "Denial of Service" is also a substring of the classification
# texts matched by rule 5127 ("Attempted Denial of Service") and rule 5134
# ("Detection of a Denial of Service Attack"), so this rule's match= lines are
# satisfied by those alerts too. Which event name such an alert receives
# depends on the engine's rule evaluation order; confirm it. Bounding the
# match with the surrounding classification punctuation, as rule 5159 does
# with "Sensitive Data]", would remove the ambiguity.
# Regex groups: $1/$3 = source IPv4/port, $4/$6 = destination IPv4/port.
id=5133
name=A Snort sensor detected an event classified as Denial of Service
match=ass
match= [Class
match=Denial of Service
regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:Snort-Denial_Of_Service type:dos srcip:$1 srcport:$3 dstip:$4 dstport:$6

NEXT

id=5134
name=A Snort sensor detected an event classified as Detection of a Denial of Service Attack
match=ass
match= [Class
match=Detection of a Denial of Service Attack
regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:Snort-Detection_Of_A_Denial_Of_Service_Attack type:dos srcip:$1 srcport:$3 dstip:$4 dstport:$6

NEXT

id=5135
name=A Snort sensor detected an event classified as Detection of a Network Scan
match=ass
match= [Class
match=Detection of a Network Scan
regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:Snort-Detection_Of_A_Network_Scan type:scanning srcip:$1 srcport:$3 dstip:$4 dstport:$6

NEXT

id=5136
name=A Snort sensor detected an event classified as Detection of a non-standard protocol or event
match=ass
match= [Class
match=Detection of a non-standard protocol or event
regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:Snort-Detection_Of_A_NonStandard_Protocol_Or_Event type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6

NEXT

id=5137
name=A Snort sensor detected an event classified as Detection of a Non-Standard Protocol or Event
match=ass
match= [Class
match=Detection of a Non-Standard Protocol or Event
regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:Snort-Detection_Of_A_NonStandard_Protocol_Or_Event type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6

NEXT

id=5138
name=A Snort sensor detected an event classified as Executable Code was Detected
match=ass
match= [Class
match=Executable Code was Detected
regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:Snort-Executable_Code_Was_Detected type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6

NEXT

id=5139
name=A Snort sensor detected an event classified as Executable code was detected
match=ass
match= [Class
match=Executable code was detected
regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:Snort-Executable_Code_Was_Detected type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6

NEXT

id=5140
name=A Snort sensor detected an event classified as Generic ICMP event
match=ass
match= [Class
match=Generic ICMP event
regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:Snort-Generic_ICMP_Event type:network srcip:$1 srcport:$3 dstip:$4 dstport:$6

NEXT

id=5141
name=A Snort sensor detected an event classified as Generic Protocol Command Decode
match=ass
match= [Class
match=Generic Protocol Command Decode
regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:Snort-Generic_Protocol_Command_Decode type:network srcip:$1 srcport:$3 dstip:$4 dstport:$6

NEXT

id=5142
name=A Snort sensor detected an event classified as Inappropriate Content was Detected
match=ass
match= [Class
match=Inappropriate Content was Detected
regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:Snort-Inappropriate_Content_Was_Detected type:compliance srcip:$1 srcport:$3 dstip:$4 dstport:$6

NEXT

# Rule 5143: normalizes alerts classified "Information Leak" to
# Snort-Information_Leak.
# NOTE(review): "Information Leak" is also a substring of "Attempted
# Information Leak" (rule 5128) and "Large Scale Information Leak" (rule
# 5144), so this rule's match= lines are satisfied by those alerts as well.
# Unlike rule 5128, this rule has no "!ET SCAN" or "!ICMP" exclusion. Confirm
# how the engine resolves the overlap, since an attempted leak and a confirmed
# one warrant different triage.
# Regex groups: $1/$3 = source IPv4/port, $4/$6 = destination IPv4/port.
id=5143
name=A Snort sensor detected an event classified as Information Leak
match=ass
match= [Class
match=Information Leak
regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:Snort-Information_Leak type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6

NEXT

id=5144
name=A Snort sensor detected an event classified as Large Scale Information Leak
match=ass
match= [Class
match=Large Scale Information Leak
regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:Snort-Large_Scale_Information_Leak type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6

NEXT

id=5145
name=A Snort sensor detected an event classified as Misc activity
match=!ET SCAN
match=ass
match= [Class
match=Misc activity
regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:Snort-Misc_Activity type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6

NEXT

id=5146
name=A Snort sensor detected an event classified as Misc Attack
match=ass
match= [Class
match=Misc Attack
regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:Snort-Misc_Attack type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6

NEXT

# Rule 5147: normalizes alerts classified "Not Suspicious Traffic" to
# Snort-Not_Suspicious_Traffic.
# NOTE(review): the event is assigned type intrusion even though the
# classification itself marks the traffic as not suspicious. Dashboards or
# thresholds that count by the intrusion type will include these events;
# filter on the event name where that matters.
# Regex groups: $1/$3 = source IPv4/port, $4/$6 = destination IPv4/port.
id=5147
name=A Snort sensor detected an event classified as Not Suspicious Traffic
match=ass
match= [Class
match=Not Suspicious Traffic
regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:Snort-Not_Suspicious_Traffic type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6

NEXT

id=5148
name=A Snort sensor detected an event classified as Potential Corporate Privacy Violation
match=ass
match= [Class
match=Potential Corporate Privacy Violation
regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:Snort-Potential_Corporate_Privacy_Violation type:network srcip:$1 srcport:$3 dstip:$4 dstport:$6

NEXT

id=5149
name=A Snort sensor detected an event classified as Potentially Bad Traffic
match=!ICMP
match=ass
match= [Class
match=Potentially Bad Traffic
regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:Snort-Potentially_Bad_Traffic type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6

NEXT

# Rule 5150: "SCORE! Get the lotion" is the description string of Snort's
# stock kickass-porn classtype in classification.config, so the match text
# must stay exactly as Snort emits it. The rule renames it to the neutral
# event Snort-Adult_Content_Detection with type compliance.
# Sensors whose classification.config has been edited to reword this
# description will not match this rule.
# Regex groups: $1/$3 = source IPv4/port, $4/$6 = destination IPv4/port.
id=5150
name=A Snort sensor detected an event classified as SCORE! Get the lotion
match=ass
match= [Class
match=SCORE! Get the lotion
regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:Snort-Adult_Content_Detection type:compliance srcip:$1 srcport:$3 dstip:$4 dstport:$6

NEXT

id=5151
name=A Snort sensor detected an event classified as Successful Administrator Privilege Gain
match=ass
match= [Class
match=Successful Administrator Privilege Gain
regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:Snort-Successful_Administrator_Privilege_Gain type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6

NEXT

id=5152
name=A Snort sensor detected an event classified as Successful User Privilege Gain
match=ass
match= [Class
match=Successful User Privilege Gain
regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:Snort-Successful_User_Privilege_Gain type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6

NEXT

id=5153
name=A Snort sensor detected an event classified as Unknown Traffic
match=ass
match= [Class
match=Unknown Traffic
regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:Snort-Unknown_Traffic type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6

NEXT

id=5154
name=A Snort sensor detected an event classified as Unsuccessful User Privilege Gain
match=ass
match= [Class
match=Unsuccessful User Privilege Gain
regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:Snort-Unsuccessful_User_Privilege_Gain type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6

NEXT

id=5155
name=A Snort sensor detected an event classified as Web Application Attack
match=ass
match= [Class
match=Web Application Attack
regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:Snort-Web_Application_Attack type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6

NEXT

id=5156
name=A Snort sensor detected an FTP attack. 
match=ftp
match=TCP
match=snort
match=P
match= -
match=tp
match=telnet
match= ->
match=(ftp_telnet)
regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:Snort-FTP_Attack type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6

NEXT

# Rule 5157: portless counterpart of rule 5145 for alerts classified
# "Misc activity"; it emits the same event name, Snort-Misc_Activity.
# The regex allows only non-digits between the source address and "->", so a
# line with ":port" after the address cannot match here; this rule covers
# alerts logged without ports (e.g. ICMP).
# Regex groups: $1 = source IPv4, $3 = destination IPv4. No port fields are
# logged.
# NOTE(review): unlike rule 5145, this rule has no "!ET SCAN" exclusion;
# confirm whether that is intended.
id=5157
name=A Snort sensor detected an event classified as Misc activity
match=ass
match= [Class
match=Misc activity
regex= ([0-9]+(\.[0-9]+){3})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3})
log=event:Snort-Misc_Activity type:intrusion srcip:$1 dstip:$3

NEXT

# Rule 5158: sensor health event, raised when Snort logs that a Dynamic Rule
# "was not initialized properly". There is no regex, so the normalized event
# carries no address fields.
# NOTE(review): a rule that failed to initialize is presumably not inspecting
# traffic, which makes this event a detection-coverage gap on the sensor and
# not just a routine error. Consider alerting on it.
id=5158
name=A Snort sensor Dynamic Rule was not initialized properly.
match=or
match=snort
match=na
match=ul
match=Dynamic Rule
match=al
match=op
match=was not initialized properly.
log=event:Snort-Rule_Not_Initialized_Properly type:error

NEXT

id=5159
name=A Snort sensor detected an event classified as Sensitive Data.
match=ass
match= [Class
match=Sensitive Data]
regex=([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:Snort-Sensitive_Data type:data-leak srcip:$1 srcport:$3 dstip:$4 dstport:$6

NEXT

id=5160
name=A Snort sensor detected a phishing attempt.
match=ing
match=Ph
match=Phishing
match=tt
match=Attempt
match=In
match=Intuit
match=DM-EVM Phishing Attempt Intuit
regex=([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:Snort-Phishing_Attempt type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6

NEXT

id=5161
name=A Snort sensor detected an external DNS lookup.
match=DNS
match=Ex
match=ok
match=up
match=DM-EVM External DNS Lookups
regex=([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:Snort-External_DNS_Lookups type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6

NEXT

id=5162
name=A Snort sensor detected a possible call set-up.
match=Poss
match=all
match=ss
match=up
match=ossible
match=DM-EVM H.323 Possible Call Set-up
regex=([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:Snort-Possible_Call_Setup type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6

NEXT

id=5163
name=A Snort sensor detected executable code.
match=Cl
match=ass
match=ca
match=ti
match=Ex
match=ab
match=de
match=ed
match=Executable code was detected
regex=([0-9]+(\.[0-9]+){3})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3})
log=event:Snort-Executable_Code_Detected type:intrusion srcip:$1 dstip:$3

NEXT

# Rule 5164: matches "Potential Corporate Privacy Violation" alerts whose line
# also contains "IPv6", and emits the same event name as rule 5148.
# There is no regex, so no srcip/dstip fields are extracted: the normalized
# event carries no addresses, and an analyst must read the raw log line to
# find the endpoints. The IPv4-only address patterns used by the other rules
# in this file could not capture IPv6 addresses in any case.
id=5164
name=A Snort sensor detected an IPv6 encapsulation potential corporate privacy violation.
match=IPv6
match=la
match=Cl
match=ass
match=ca
match=ti
match=Potential Corporate Privacy Violation
log=event:Snort-Potential_Corporate_Privacy_Violation type:network

NEXT

id=5165
name=The Snort IDS sensor detected an ICMP Network scan.
match=snort
match=scan
match=an
match=ICMP
match=Network Scan
match=GPL SCAN
match=IP
match=attempt
match=Net
match=work
match=Detection
regex=} ([0-9]+(\.[0-9]+){3})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3})
log=srcip:$1 dstip:$3 event:Snort-ICMP_Network_Scan type:scanning proto:1

NEXT

id=5166
name=The Snort IDS sensor detected an attempted information leak.
match=snort
match=ICMP
match=GPL SCAN
match=ed
match=Info
match=Attempt
match=Attempted Information Leak
match=tion
match=Leak
regex=} ([0-9]+(\.[0-9]+){3})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3})
log=srcip:$1 dstip:$3 event:Snort-Attempted_Information_Leak type:intrusion proto:1

NEXT

id=5167
name=The Snort IDS sensor detected a port scan.
match=ET SCAN
match=la
match=as
match=if
match=io
match=at
match=Cl
match=on
match=tion
match=ass
match=ca
match=ss
match=fi
match=ic
match=cat
match=SCAN
match=ti
match=ion
regex=([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:Snort-Port_Scan type:scanning srcip:$1 srcport:$3 dstip:$4 dstport:$6

NEXT

id=5168
name=A Snort sensor detected an event classified as Potentially Bad Traffic
match=ICMP
match=ass
match= [Class
match=Potentially Bad Traffic
regex= ([0-9]+(\.[0-9]+){3})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3})
log=event:Snort-Potentially_Bad_Traffic type:intrusion srcip:$1 dstip:$3 proto:1

NEXT

id=5169
name=A Snort sensor detected an event classified as Attempted Information Leak
match=!ET SCAN
match=ICMP
match=ass
match= [Class
match=Attempted Information Leak
regex= ([0-9]+(\.[0-9]+){3})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3})
log=event:Snort-Attempted_Information_Leak type:intrusion srcip:$1 dstip:$3 proto:1

NEXT

id=5170
name=The Snort IDS sensor detected a port scan.
match=PSNG_TCP_PORTSCAN
match=la
match=as
match=if
match=io
match=at
match=Cl
match=on
match=tion
match=ass
match=ca
match=ss
match=fi
match=ic
match=cat
match=SCAN
match=ti
match=ion
regex=([0-9]+(\.[0-9]+){3})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3})
log=event:Snort-Port_Scan type:scanning srcip:$1 dstip:$3

NEXT

id=5171
name=The Snort IDS sensor detected a port sweep.
match=PSNG_UDP_PORTSWEEP
match=la
match=as
match=if
match=io
match=at
match=Cl
match=on
match=tion
match=ass
match=ca
match=ss
match=fi
match=ic
match=cat
match=ti
match=ion
regex=([0-9]+(\.[0-9]+){3})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3})
log=event:Snort-Port_Sweep type:scanning srcip:$1 dstip:$3 proto:17

NEXT

id=5172
name=A Snort sensor detected an event classified as SDF_COMBO_ALERT.
match=SDF_COMBO_ALERT
match=ass
match= [Class
match=Sensitive Data]
regex=([0-9]+(\.[0-9]+){3})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3})
log=event:Snort-SDF_Combo_Alert type:data-leak srcip:$1 dstip:$3 

NEXT

id=5173
name=The Snort IDS sensor detected a port sweep.
match=PSNG_TCP_PORTSWEEP
match=la
match=as
match=if
match=io
match=at
match=Cl
match=on
match=tion
match=ass
match=ca
match=ss
match=fi
match=ic
match=cat
match=ti
match=ion
regex=([0-9]+(\.[0-9]+){3})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3})
log=event:Snort-Port_Sweep type:scanning srcip:$1 dstip:$3 proto:6

NEXT

id=5174
name=A Snort sensor detected an event classified as Generic Protocol Command Decode
match=ass
match=la
match=an
match=as
match=if
match=io
match=at
match=ag
match=frag
match=mm
match=Cl
match= [Class
match=Generic Protocol Command Decode
regex= ([0-9]+(\.[0-9]+){3}) -> ([0-9]+(\.[0-9]+){3})
log=event:Snort-Generic_Protocol_Command_Decode type:network srcip:$1 dstip:$3

NEXT

id=5175
name=This is one of the initialization logs produced when snort has been started.
match=io
match=th
match=on
match=eng
match=erv
match=rt
match=in
match=ng
match=er
match=Ser
match=rv
match=snort
match=Max
match=String Length
log=event:Snort-Started type:restart

NEXT

# Rule 5176: normalizes "Potentially Bad Traffic" alerts whose line also
# contains "blacklisted" to Snort-Blacklisted_Potentially_Bad_Traffic.
# The rule requires the substring "UDP" and always logs proto:17.
# NOTE(review): no rule visible in this file covers a blacklisted alert over
# TCP; confirm whether that gap is intended.
# Regex groups: $1/$3 = source IPv4/port, $4/$6 = destination IPv4/port.
# Unlike most rules in this file, the port groups are unbounded ([0-9]+, not
# [0-9]{1,5}) and the separator must be exactly " -> ".
id=5176
name=A Snort sensor detected blacklisted packets which are potentially bad traffic.
match=UDP
match=snort
match=ort
match=lass
match=ll
match=ly
match=Bad
match=ff
match=ic
match=Potentially Bad Traffic
match=Cl
match= [Class
match=ed
match=blacklisted
regex= ([0-9]+(\.[0-9]+){3})\:([0-9]+) -> ([0-9]+(\.[0-9]+){3})\:([0-9]+)
log=event:Snort-Blacklisted_Potentially_Bad_Traffic type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:17

NEXT

id=5177
name=The Snort IDS sensor detected a TCP filtered portscan.
match=snort
match= (portscan)
match=scan
match=an
match=TCP
match=) TCP Filtered
regex=} ([0-9]+(\.[0-9]+){3})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3})
log=srcip:$1 dstip:$3 event:Snort-TCP_Filtered_Portscan type:scanning proto:6

NEXT

id=5178
name=The Snort IDS sensor detected a session has exceeded configured max bytes to queue.
match=snort
match=Session exceeded configured max bytes to queue
match=ss
match=Se
match=ion
match=ee
match=ed
match=ex
match=co
match=fig
match=max
match=by
regex=([0-9]+(\.[0-9]+){3}) ([0-9]+) --> ([0-9]+(\.[0-9]+){3}) ([0-9]+)
log=srcip:$1 srcport:$3 dstip:$4 dstport:$6 event:Snort-Exceeded_Max_Bytes type:application 

NEXT

# Rule 5179: sensor health event, raised when Snort logs that sessions were
# pruned from its cache for memcap. There is no regex, so the normalized event
# carries no address fields.
# NOTE(review): pruning under memory pressure presumably discards tracked
# session state, so inspection of the affected flows may be incomplete.
# A sustained rate of this event is worth treating as a sensor-visibility
# problem (memcap sizing or traffic load), not as application noise.
id=5179
name=The Snort IDS sensor detected sessions have been pruned from cache for memcap.
match=snort
match=Pruned
match=session 
match=from cache
match=sn
match=Pr
match=ed
match=ss
match=se
match=ion
match=fr
match=om
match=ca
match=he
log=event:Snort-Sessions_Pruned_From_Cache type:application