# # (LCE)SNORT LIBRARY # Copyright 2011 Tenable Network Security # This library may only be used with the LCE server and may not # be used with other products or open source projects # $Date: 2013/10/16 23:52:37 n id=5100 name=The Snort IDS sensor detected a UDP portsweep. match=snort match=scan match=an match=UDP match= (portscan) match=) UDP Portsweep regex=} ([0-9]+(\.[0-9]+){3})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}) log=srcip:$1 dstip:$3 event:Snort-UDP_Portsweep type:scanning proto:17 NEXT id=5101 name=The Snort IDS sensor detected a TCP portsweep. match=snort match= (portscan) match=scan match=an match=TCP match=) TCP Portsweep regex=} ([0-9]+(\.[0-9]+){3})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}) log=srcip:$1 dstip:$3 event:Snort-TCP_Portsweep type:scanning proto:6 NEXT id=5102 name=The Snort IDS sensor detected a TCP portscan. match=snort match=scan match=an match=TCP match= (portscan) match=!Decoy match=!Distributed match=) TCP Portscan regex=} ([0-9]+(\.[0-9]+){3})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}) log=srcip:$1 dstip:$3 event:Snort-TCP_Portscan type:scanning proto:6 NEXT id=5103 name=The Snort IDS sensor detected a UDP portscan. match=snort match= (portscan) match=scan match=an match=UDP match=!Decoy match=!Distributed match=) UDP Portscan regex=} ([0-9]+(\.[0-9]+){3})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}) log=srcip:$1 dstip:$3 event:Snort-UDP_Portscan type:scanning proto:17 NEXT id=5104 name=The Snort IDS sensor detected a distributed portscan. This means that multiple remote IP addresses assisted the source IP address of this event in scanning the target. match=snort match= (portscan) match=scan match=an match=TCP match=ed match= TCP Distributed Portscan match=!TCP Portscan match=!UDP Portscan regex=} ([0-9]+(\.[0-9]+){3})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}) log=srcip:$1 dstip:$3 event:Snort-Distributed_Portscan type:scanning proto:6 NEXT id=5105 name=The Snort IDS sensor detected an ICMP portsweep. 
match=snort match= (portscan) match=scan match=ICMP match=MP match=an match=!Decoy match=!Distributed match=) ICMP Sweep regex=} ([0-9]+(\.[0-9]+){3})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}) log=srcip:$1 dstip:$3 event:Snort-ICMP_Sweep type:scanning proto:1 NEXT id=5106 name=The Snort IDS sensor detected a TCP scan that was a decoy attempt. match=snort match= (portscan) match= TCP Decoy Portscan match=scan match=an match=TCP match=!TCP Portscan match=!UDP Portscan regex=} ([0-9]+(\.[0-9]+){3})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}) log=srcip:$1 dstip:$3 event:Snort-Decoy_Portscan type:scanning proto:6 NEXT id=5107 name=The Snort IDS sensor detected a portscan. match=snort match=scan match=an match=(spp_portscan2) match=pp match=Portscan detected from match=!seconds for destination regex=Portscan detected from ([0-9]+(\.[0-9]+){3}) log=srcip:$1 event:Snort-Portscan type:scanning NEXT id=5108 name=The Snort IDS sensor detected a port scan. match=snort match=scan match=an match=(spp_portscan2) match=pp match=ed match=Portscan detected from match=seconds for destination match=ion regex=Portscan detected from ([0-9]+(\.[0-9]+){3}).* for destination ([0-9]+(\.[0-9]+){3}) log=srcip:$1 dstip:$3 event:Snort-Portscan type:scanning NEXT id=5109 name=The Snort IDS sensor detected an issue with a web session. 
match=snort match=TCP match=(http_inspect) regex={TCP} ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=srcip:$1 srcport:$3 dstip:$4 dstport:$6 event:Snort-HTTP_Inspect type:intrusion NEXT id=5110 name=A Snort sensor detected an event classified as access to a potentially vulnerable web application match=ass match= [Class match=access to a potentially vulnerable web application regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:Snort-Access_To_A_Potentially_Vulnerable_Web_Application type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6 NEXT id=5111 name=A Snort sensor detected an event classified as Access to a Potentially Vulnerable Web Application match=ass match= [Class match=Access to a Potentially Vulnerable Web Application regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:Snort-Access_To_A_Potentially_Vulnerable_Web_Application type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6 NEXT id=5112 name=A Snort sensor detected an event classified as A client was using an unusual port match=ass match= [Class match=A client was using an unusual port regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:Snort-A_Client_Was_Using_An_Unusual_Port type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6 NEXT id=5113 name=A Snort sensor detected an event classified as A Client was Using an Unusual Port match=ass match= [Class match=A Client was Using an Unusual Port regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:Snort-A_Client_Was_Using_An-Unusual_Port type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6 NEXT id=5114 name=A Snort sensor detected an event classified as An attempted login using a suspicious username was detected match=ass match= [Class match=An attempted login using a suspicious username was detected regex= 
([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:Snort-An_Attempted_Login_Using_A_Suspicious_Username_Was_Detected type:login-failure srcip:$1 srcport:$3 dstip:$4 dstport:$6 NEXT id=5115 name=A Snort sensor detected an event classified as An Attempted Login Using a Suspicious Username was Detected match=ass match= [Class match=An Attempted Login Using a Suspicious Username was Detected regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:Snort-An_Attempted_Login_Using_A_Suspicious_Username_Was_Detected type:login-failure srcip:$1 srcport:$3 dstip:$4 dstport:$6 NEXT id=5116 name=A Snort sensor detected an event classified as A Network Trojan was detected match=ass match= [Class match=A Network Trojan was detected regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:Snort-A_Network_Trojan_Was_Detected type:virus srcip:$1 srcport:$3 dstip:$4 dstport:$6 NEXT id=5117 name=A Snort sensor detected an event classified as A Network Trojan was Detected match=ass match= [Class match=A Network Trojan was Detected regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:Snort-A_Network_Trojan_Was_Detected type:virus srcip:$1 srcport:$3 dstip:$4 dstport:$6 NEXT id=5118 name=A Snort sensor detected an event classified as A Suspicious Filename was Detected match=ass match= [Class match=A Suspicious Filename was Detected regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:Snort-A_Suspicious_Filename_Was_Detected type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6 NEXT id=5119 name=A Snort sensor detected an event classified as A suspicious filename was detected match=ass match= [Class match=A suspicious filename was detected regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) 
log=event:Snort-A_Suspicious_Filename_Was_Detected type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6 NEXT id=5120 name=A Snort sensor detected an event classified as A Suspicious String was Detected match=ass match= [Class match=A Suspicious String was Detected regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:Snort-A_Suspicious_String_Was_Detected type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6 NEXT id=5121 name=A Snort sensor detected an event classified as A suspicious string was detected match=ass match= [Class match=A suspicious string was detected regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:Snort-A_Suspicious_String_Was_Detected type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6 NEXT id=5122 name=A Snort sensor detected an event classified as A System Call was Detected match=ass match= [Class match=A System Call was Detected regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:Snort-A_System_Call_Was_Detected type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6 NEXT id=5123 name=A Snort sensor detected an event classified as A system call was detected match=ass match= [Class match=A system call was detected regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:Snort-A_System_Call_Was_Detected type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6 NEXT id=5124 name=A Snort sensor detected an event classified as A TCP connection was detected match=ass match= [Class match=A TCP connection was detected regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:Snort-A_TCP_Connection_Was_Detected type:network srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 NEXT id=5125 name=A Snort sensor detected an event classified as A TCP Connection was Detected match=ass match= [Class match=A TCP Connection was 
Detected regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:Snort-A_TCP_Connection_Was_Detected type:network srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 NEXT id=5126 name=A Snort sensor detected an event classified as Attempted Administrator Privilege Gain match=ass match= [Class match=Attempted Administrator Privilege Gain regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:Snort-Attempted_Administrator_Privilege_Gain type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6 NEXT id=5127 name=A Snort sensor detected an event classified as Attempted Denial of Service match=ass match= [Class match=Attempted Denial of Service regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:Snort-Attempted_Denial_Of_Servica type:dos srcip:$1 srcport:$3 dstip:$4 dstport:$6 NEXT id=5128 name=A Snort sensor detected an event classified as Attempted Information Leak match=!ET SCAN match=!ICMP match=ass match= [Class match=Attempted Information Leak regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:Snort-Attempted_Information_Leak type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6 NEXT id=5129 name=A Snort sensor detected an event classified as Attempted User Privilege Gain match=ass match= [Class match=Attempted User Privilege Gain regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:Snort-Attempted_User_Privilege_Gain type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6 NEXT id=5130 name=A Snort sensor detected an event classified as Attempt to login by a default username and password match=ass match= [Class match=Attempt to login by a default username and password regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:Snort-Attempt_To_Login_By_A_Default_Username_And_Password 
type:login-failure srcip:$1 srcport:$3 dstip:$4 dstport:$6 NEXT id=5131 name=A Snort sensor detected an event classified as Attempt to Login By a Default Username and Password match=ass match= [Class match=Attempt to Login By a Default Username and Password regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:Snort-Attempt_To_Login_By_A_Default_Username_And_Password type:login-failure srcip:$1 srcport:$3 dstip:$4 dstport:$6 NEXT id=5132 name=A Snort sensor detected an event classified as Decode of an RPC Query match=ass match= [Class match=Decode of an RPC Query regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:Snort-Decode_Of_An_RPC_Query type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6 NEXT id=5133 name=A Snort sensor detected an event classified as Denial of Service match=ass match= [Class match=Denial of Service regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:Snort-Denial_Of_Service type:dos srcip:$1 srcport:$3 dstip:$4 dstport:$6 NEXT id=5134 name=A Snort sensor detected an event classified as Detection of a Denial of Service Attack match=ass match= [Class match=Detection of a Denial of Service Attack regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:Snort-Detection_Of_A_Denial_Of_Service_Attack type:dos srcip:$1 srcport:$3 dstip:$4 dstport:$6 NEXT id=5135 name=A Snort sensor detected an event classified as Detection of a Network Scan match=ass match= [Class match=Detection of a Network Scan regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:Snort-Detection_Of_A_Network_Scan type:scanning srcip:$1 srcport:$3 dstip:$4 dstport:$6 NEXT id=5136 name=A Snort sensor detected an event classified as Detection of a non-standard protocol or event match=ass match= [Class match=Detection of a non-standard 
protocol or event regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:Snort-Detection_Of_A_NonStandard_Protocol_Or_Event type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6 NEXT id=5137 name=A Snort sensor detected an event classified as Detection of a Non-Standard Protocol or Event match=ass match= [Class match=Detection of a Non-Standard Protocol or Event regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:Snort-Detection_Of_A_NonStandard_Protocol_Or_Event type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6 NEXT id=5138 name=A Snort sensor detected an event classified as Executable Code was Detected match=ass match= [Class match=Executable Code was Detected regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:Snort-Executable_Code_Was_Detected type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6 NEXT id=5139 name=A Snort sensor detected an event classified as Executable code was detected match=ass match= [Class match=Executable code was detected regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:Snort-Executable_Code_Was_Detected type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6 NEXT id=5140 name=A Snort sensor detected an event classified as Generic ICMP event match=ass match= [Class match=Generic ICMP event regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:Snort-Generic_ICMP_Event type:network srcip:$1 srcport:$3 dstip:$4 dstport:$6 NEXT id=5141 name=A Snort sensor detected an event classified as Generic Protocol Command Decode match=ass match= [Class match=Generic Protocol Command Decode regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:Snort-Generic_Protocol_Command_Decode type:network srcip:$1 srcport:$3 dstip:$4 dstport:$6 NEXT id=5142 name=A 
Snort sensor detected an event classified as Inappropriate Content was Detected match=ass match= [Class match=Inappropriate Content was Detected regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:Snort-Inappropriate_Content_Was_Detected type:compliance srcip:$1 srcport:$3 dstip:$4 dstport:$6 NEXT id=5143 name=A Snort sensor detected an event classified as Information Leak match=ass match= [Class match=Information Leak regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:Snort-Information_Leak type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6 NEXT id=5144 name=A Snort sensor detected an event classified as Large Scale Information Leak match=ass match= [Class match=Large Scale Information Leak regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:Snort-Large_Scale_Information_Leak type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6 NEXT id=5145 name=A Snort sensor detected an event classified as Misc activity match=!ET SCAN match=ass match= [Class match=Misc activity regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:Snort-Misc_Activity type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6 NEXT id=5146 name=A Snort sensor detected an event classified as Misc Attack match=ass match= [Class match=Misc Attack regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:Snort-Misc_Attack type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6 NEXT id=5147 name=A Snort sensor detected an event classified as Not Suspicious Traffic match=ass match= [Class match=Not Suspicious Traffic regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:Snort-Not_Suspicious_Traffic type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6 NEXT id=5148 name=A Snort sensor detected an event classified as 
Potential Corporate Privacy Violation match=ass match= [Class match=Potential Corporate Privacy Violation regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:Snort-Potential_Corporate_Privacy_Violation type:network srcip:$1 srcport:$3 dstip:$4 dstport:$6 NEXT id=5149 name=A Snort sensor detected an event classified as Potentially Bad Traffic match=!ICMP match=ass match= [Class match=Potentially Bad Traffic regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:Snort-Potentially_Bad_Traffic type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6 NEXT id=5150 name=A Snort sensor detected an event classified as SCORE! Get the lotion match=ass match= [Class match=SCORE! Get the lotion regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:Snort-Adult_Content_Detection type:compliance srcip:$1 srcport:$3 dstip:$4 dstport:$6 NEXT id=5151 name=A Snort sensor detected an event classified as Successful Administrator Privilege Gain match=ass match= [Class match=Successful Administrator Privilege Gain regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:Snort-Successful_Administrator_Privilege_Gain type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6 NEXT id=5152 name=A Snort sensor detected an event classified as Successful User Privilege Gain match=ass match= [Class match=Successful User Privilege Gain regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:Snort-Successful_User_Privilege_Gain type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6 NEXT id=5153 name=A Snort sensor detected an event classified as Unknown Traffic match=ass match= [Class match=Unknown Traffic regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:Snort-Unknown_Traffic type:intrusion srcip:$1 srcport:$3 dstip:$4 
dstport:$6 NEXT id=5154 name=A Snort sensor detected an event classified as Unsuccessful User Privilege Gain match=ass match= [Class match=Unsuccessful User Privilege Gain regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:Snort-Unsuccessful_User_Privilege_Gain type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6 NEXT id=5155 name=A Snort sensor detected an event classified as Web Application Attack match=ass match= [Class match=Web Application Attack regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:Snort-Web_Application_Attack type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6 NEXT id=5156 name=A Snort sensor detected an FTP attack. match=ftp match=TCP match=snort match=P match= - match=tp match=telnet match= -> match=(ftp_telnet) regex= ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:Snort-FTP_Attack type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6 NEXT id=5157 name=A Snort sensor detected an event classified as Misc activity match=ass match= [Class match=Misc activity regex= ([0-9]+(\.[0-9]+){3})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}) log=event:Snort-Misc_Activity type:intrusion srcip:$1 dstip:$3 NEXT id=5158 name=A Snort sensor Dynamic Rule was not initialized properly. match=or match=snort match=na match=ul match=Dynamic Rule match=al match=op match=was not initialized properly. log=event:Snort-Rule_Not_Initialized_Properly type:error NEXT id=5159 name=A Snort sensor detected an event classified as Sensitive Data. match=ass match= [Class match=Sensitive Data] regex=([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:Snort-Sensitive_Data type:data-leak srcip:$1 srcport:$3 dstip:$4 dstport:$6 NEXT id=5160 name=A Snort sensor detected a phishing attempt. 
match=ing match=Ph match=Phishing match=tt match=Attempt match=In match=Intuit match=DM-EVM Phishing Attempt Intuit regex=([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:Snort-Phishing_Attempt type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6 NEXT id=5161 name=A Snort sensor detected an external DNS lookup. match=DNS match=Ex match=ok match=up match=DM-EVM External DNS Lookups regex=([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:Snort-External_DNS_Lookups type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6 NEXT id=5162 name=A Snort sensor detected a possible call set-up. match=Poss match=all match=ss match=up match=ossible match=DM-EVM H.323 Possible Call Set-up regex=([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:Snort-Possible_Call_Setup type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6 NEXT id=5163 name=A Snort sensor detected executable code. match=Cl match=ass match=ca match=ti match=Ex match=ab match=de match=ed match=Executable code was detected regex=([0-9]+(\.[0-9]+){3})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}) log=event:Snort-Executable_Code_Detected type:intrusion srcip:$1 dstip:$3 NEXT id=5164 name=A Snort sensor detected an IPv6 encapsulation potential corporate privacy violation. match=IPv6 match=la match=Cl match=ass match=ca match=ti match=Potential Corporate Privacy Violation log=event:Snort-Potential_Corporate_Privacy_Violation type:network NEXT id=5165 name=The Snort IDS sensor detected an ICMP Network scan. match=snort match=scan match=an match=ICMP match=Network Scan match=GPL SCAN match=IP match=attempt match=Net match=work match=Detection regex=} ([0-9]+(\.[0-9]+){3})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}) log=srcip:$1 dstip:$3 event:Snort-ICMP_Network_Scan type:scanning proto:1 NEXT id=5166 name=The Snort IDS sensor detected an attempted information leak. 
match=snort match=ICMP match=GPL SCAN match=ed match=Info match=Attempt match=Attempted Information Leak match=tion match=Leak regex=} ([0-9]+(\.[0-9]+){3})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}) log=srcip:$1 dstip:$3 event:Snort-Attempted_Information_Leak type:intrusion proto:1 NEXT id=5167 name=The Snort IDS sensor detected a port scan. match=ET SCAN match=la match=as match=if match=io match=at match=Cl match=on match=tion match=ass match=ca match=ss match=fi match=ic match=cat match=SCAN match=ti match=ion regex=([0-9]+(\.[0-9]+){3}):([0-9]{1,5})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:Snort-Port_Scan type:scanning srcip:$1 srcport:$3 dstip:$4 dstport:$6 NEXT id=5168 name=A Snort sensor detected an event classified as Potentially Bad Traffic match=ICMP match=ass match= [Class match=Potentially Bad Traffic regex= ([0-9]+(\.[0-9]+){3})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}) log=event:Snort-Potentially_Bad_Traffic type:intrusion srcip:$1 dstip:$3 proto:1 NEXT id=5169 name=A Snort sensor detected an event classified as Attempted Information Leak match=!ET SCAN match=ICMP match=ass match= [Class match=Attempted Information Leak regex= ([0-9]+(\.[0-9]+){3})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}) log=event:Snort-Attempted_Information_Leak type:intrusion srcip:$1 dstip:$3 proto:1 NEXT id=5170 name=The Snort IDS sensor detected a port scan. match=PSNG_TCP_PORTSCAN match=la match=as match=if match=io match=at match=Cl match=on match=tion match=ass match=ca match=ss match=fi match=ic match=cat match=SCAN match=ti match=ion regex=([0-9]+(\.[0-9]+){3})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}) log=event:Snort-Port_Scan type:scanning srcip:$1 dstip:$3 NEXT id=5171 name=The Snort IDS sensor detected a port sweep. 
match=PSNG_UDP_PORTSWEEP match=la match=as match=if match=io match=at match=Cl match=on match=tion match=ass match=ca match=ss match=fi match=ic match=cat match=ti match=ion regex=([0-9]+(\.[0-9]+){3})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}) log=event:Snort-Port_Sweep type:scanning srcip:$1 dstip:$3 proto:17 NEXT id=5172 name=A Snort sensor detected an event classified as SDF_COMBO_ALERT. match=SDF_COMBO_ALERT match=ass match= [Class match=Sensitive Data] regex=([0-9]+(\.[0-9]+){3})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}) log=event:Snort-SDF_Combo_Alert type:data-leak srcip:$1 dstip:$3 NEXT id=5173 name=The Snort IDS sensor detected a port sweep. match=PSNG_TCP_PORTSWEEP match=la match=as match=if match=io match=at match=Cl match=on match=tion match=ass match=ca match=ss match=fi match=ic match=cat match=ti match=ion regex=([0-9]+(\.[0-9]+){3})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}) log=event:Snort-Port_Sweep type:scanning srcip:$1 dstip:$3 proto:6 NEXT id=5174 name=A Snort sensor detected an event classified as Generic Protocol Command Decode match=ass match=la match=an match=as match=if match=io match=at match=ag match=frag match=mm match=Cl match= [Class match=Generic Protocol Command Decode regex= ([0-9]+(\.[0-9]+){3}) -> ([0-9]+(\.[0-9]+){3}) log=event:Snort-Generic_Protocol_Command_Decode type:network srcip:$1 dstip:$3 NEXT id=5175 name=This is one of the initialization logs produced when snort has been started. match=io match=th match=on match=eng match=erv match=rt match=in match=ng match=er match=Ser match=rv match=snort match=Max match=String Length log=event:Snort-Started type:restart NEXT id=5176 name=A Snort sensor detected blacklisted packets which are potentially bad traffic. 
match=UDP match=snort match=ort match=lass match=ll match=ly match=Bad match=ff match=ic match=Potentially Bad Traffic match=Cl match= [Class match=ed match=blacklisted regex= ([0-9]+(\.[0-9]+){3})\:([0-9]+) -> ([0-9]+(\.[0-9]+){3})\:([0-9]+) log=event:Snort-Blacklisted_Potentially_Bad_Traffic type:intrusion srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:17 NEXT id=5177 name=The Snort IDS sensor detected a TCP filtered portscan. match=snort match= (portscan) match=scan match=an match=TCP match=) TCP Filtered regex=} ([0-9]+(\.[0-9]+){3})[^0-9]*->[^0-9]*([0-9]+(\.[0-9]+){3}) log=srcip:$1 dstip:$3 event:Snort-TCP_Filtered_Portscan type:scanning proto:6 NEXT id=5178 name=The Snort IDS sensor detected that a session has exceeded the configured maximum bytes to queue. match=snort match=Session exceeded configured max bytes to queue match=ss match=Se match=ion match=ee match=ed match=ex match=co match=fig match=max match=by regex=([0-9]+(\.[0-9]+){3}) ([0-9]+) --> ([0-9]+(\.[0-9]+){3}) ([0-9]+) log=srcip:$1 srcport:$3 dstip:$4 dstport:$6 event:Snort-Exceeded_Max_Bytes type:application NEXT id=5179 name=The Snort IDS sensor detected that sessions have been pruned from the cache due to the memcap limit. match=snort match=Pruned match=session match=from cache match=sn match=Pr match=ed match=ss match=se match=ion match=fr match=om match=ca match=he log=event:Snort-Sessions_Pruned_From_Cache type:application