# THUNDER PRM LIBRARY
# Copyright 2005 Tenable Network Security
# This library may only be used with the Thunder server and may not
# be used with other products or open source projects
#
# NAME:
# Tenable Network Monitor library
#
# DESCRIPTION:
#
# This .prm library is used to search for events from the Tenable
# Network Monitor agent.
#
# LAST UPDATED: $Date$


id=1450
name=The Tenable Network Monitor has observed a TCP session start.
# The match= lines look like literal substring prefilters applied before the
# regex runs; every fragment below is a substring of the full token on the
# last match line (" - TNM-TCP_Session_Started:"). Confirm against the PRM
# parser whether all fragments must be present for the regex to be tried.
match=TNM
match=TCP
match=St
match=ion
match=ar
match=ed
match=ss
match= - TNM-TCP_Session_Started:
# Capture layout: $1 source address, $2 last-octet repeat (unused), $3 source
# port, $4 destination address, $5 repeat (unused), $6 destination port.
# The dotted-quad pattern does not bound octets to 0-255 and the port pattern
# accepts up to 99999, so well-formed values are assumed from the agent rather
# than validated here.
regex=TNM-TCP_Session_Started:([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) -> ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
# proto:6 = TCP (IANA protocol number).
log=type:network event:TNM-TCP_Session_Started srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6

NEXT

id=1451
name=The Tenable Network Monitor has observed a TCP session complete.
match=TNM
match=TCP
match=ion
match=le
match=ed
match=ss
match= - TNM-TCP_Session_Completed[
# NOTE(review): the bracketed value is matched with {1,10} here, while every
# other bracketed TNM rule in this file uses {1,15}. Records whose bracketed
# value has more than 10 digits will not match this rule and are silently
# dropped. Rules 1470/1471 suggest the bracket holds a byte count, in which
# case sessions beyond roughly 9.99 GB would be lost — confirm the field's
# meaning and consider aligning the width with the sibling rules.
regex=TNM-TCP_Session_Completed\[[0-9]{1,10}\]:([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) -> ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
#note: the "completed" actually logged the connection info backwards so we are switching up the IPs and PORTs here
# NOTE(review): the log line below maps $1/$3 -> src and $4/$6 -> dst, exactly
# as rule 1450 does, so no swap is actually applied. Either the note above is
# stale (the agent was fixed) or the log line should read
# "srcip:$4 srcport:$6 dstip:$1 dstport:$3". Verify against a live
# TNM-TCP_Session_Completed record: as written, src/dst on completed sessions
# may be reversed relative to the matching 1450 start event, which would
# mislead any analysis that pairs the two.
log=type:network event:TNM-TCP_Session_Completed srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6

NEXT

id=1452
name=The Tenable Network Monitor has observed a TCP session timeout. This means that the session may have never sent any data, was blocked by a proxy/firewall or the TNM did not have enough resources to keep tracking the session.
match=TNM
match=TCP
match=ion
match=ed
match=ss
match= - TNM-TCP_Session_Timedout:
# Same capture layout as rule 1450: $1/$3 source address/port, $4/$6
# destination address/port; $2 and $5 are the unused octet-repeat groups.
regex=TNM-TCP_Session_Timedout:([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) -> ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
# proto:6 = TCP. Timed-out sessions with no data can indicate filtered or
# half-open connections, so keeping src/dst distinct from 1450/1451 matters.
log=type:network event:TNM-TCP_Session_Timedout srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6

NEXT

id=1453
name=The Tenable Network Monitor has observed a UDP activity.
match=TNM
match=ty
match= - TNM-UDP_Activity:
# "UDP" is listed after the full-token fragment here, unlike the TCP rules,
# which put the protocol fragment second. Presumably the fragment order is
# irrelevant to the parser — confirm.
match=UDP
# Capture layout as in rule 1450: $1/$3 source, $4/$6 destination.
regex=TNM-UDP_Activity:([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) -> ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
# proto:17 = UDP (IANA protocol number).
log=type:network event:TNM-UDP_Activity srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:17

NEXT

id=1454
name=The Tenable Network Monitor has observed a ICMP activity.
match=TNM
match=ICMP
match=MP
match=ty
match= - TNM-ICMP_Activity:
# Only the two addresses are captured: $1 is the source address ($2 its
# unused octet-repeat group) and $3 the destination address ($4 unused).
# The ":[0-9]{1,5}" after each address is consumed but not captured; the
# agent apparently emits a port-shaped field for ICMP, which has no ports.
regex=TNM-ICMP_Activity:([0-9]+(\.[0-9]+){3}):[0-9]{1,5} -> ([0-9]+(\.[0-9]+){3}):[0-9]{1,5}
# NOTE(review): unlike the TCP/UDP rules this event carries no proto: field
# (ICMP is IANA protocol 1), so any downstream filter keyed on proto will not
# see ICMP activity. Consider adding "proto:1" if the log format allows it.
log=type:network event:TNM-ICMP_Activity srcip:$1 dstip:$3

NEXT

id=1455
name=The Tenable Network Monitor has observed a IGMP activity.
match=TNM
match=IGMP
match=MP
match=ty
match= - TNM-IGMP_Activity:
# Mirrors rule 1454: $1 source address, $3 destination address; the
# port-shaped fields after each address are consumed but not captured.
regex=TNM-IGMP_Activity:([0-9]+(\.[0-9]+){3}):[0-9]{1,5} -> ([0-9]+(\.[0-9]+){3}):[0-9]{1,5}
# NOTE(review): no proto: field is emitted (IGMP is IANA protocol 2); see the
# same remark on rule 1454. Also, the NEXT separator following this rule
# carries a trailing space — confirm the parser tolerates it, since a strict
# line comparison would fail to split rules here.
log=type:network event:TNM-IGMP_Activity srcip:$1 dstip:$3

NEXT 

id=1456
name=The Tenable Network Monitor has observed a TCP session completed which transferred at least 1MB of data.
# The raw token names a 1-10MB band; the name above only states the lower
# bound. Rules 1457-1459 cover the higher bands.
match=TNM
match=ol
match=ion
match=le
match=ss
match= - TNM-TCP_Session_Whole_1-10MB[
match=TCP
match=Whole
# Bracketed value matched with {1,15} (contrast rule 1451's {1,10}).
# Capture layout as in rule 1450: $1/$3 source, $4/$6 destination.
regex=TNM-TCP_Session_Whole_1-10MB\[[0-9]{1,15}\]:([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) -> ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
# proto:6 = TCP.
log=type:network event:TNM-TCP_Session_Whole_1-10MB srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6

NEXT

id=1457
name=The Tenable Network Monitor has observed a TCP session completed which transferred at least 10MB of data.
# Raw token names the 10-100MB band; the name states only the lower bound.
match=TNM
match=TCP
match=ol
match=ion
match=le
match=ss
match= - TNM-TCP_Session_Whole_10-100MB[
# Capture layout as in rule 1450: $1/$3 source, $4/$6 destination.
regex=TNM-TCP_Session_Whole_10-100MB\[[0-9]{1,15}\]:([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) -> ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
# NOTE(review): this match= line sits after regex=, whereas the sibling rules
# list all match= lines before regex=. Presumably key order within a rule does
# not matter to the parser — confirm, and move it up for consistency.
match=Whole
# proto:6 = TCP.
log=type:network event:TNM-TCP_Session_Whole_10-100MB srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6

NEXT

id=1458
name=The Tenable Network Monitor has observed a TCP session completed which transferred at least 100MB of data.
# Raw token names the 100-1024MB band; the name states only the lower bound.
match=TNM
match=TCP
match=ol
match=ion
match=le
match=ss
match= - TNM-TCP_Session_Whole_100-1024MB[
match=Whole
# Capture layout as in rule 1450: $1/$3 source, $4/$6 destination.
regex=TNM-TCP_Session_Whole_100-1024MB\[[0-9]{1,15}\]:([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) -> ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
# proto:6 = TCP. Large-transfer bands are the ones worth alerting on for
# bulk data movement; keep the src/dst mapping identical to rule 1450.
log=type:network event:TNM-TCP_Session_Whole_100-1024MB srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6

NEXT

id=1459
name=The Tenable Network Monitor has observed a TCP session completed which transferred 1GB or more of data.
# Top transfer band; no upper bound in the raw token.
match=TNM
match=TCP
match=ol
match=le
match=Whole
match=ion
match=ss
match= - TNM-TCP_Session_Whole_1GB[
# Capture layout as in rule 1450: $1/$3 source, $4/$6 destination.
regex=TNM-TCP_Session_Whole_1GB\[[0-9]{1,15}\]:([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) -> ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
# proto:6 = TCP.
log=type:network event:TNM-TCP_Session_Whole_1GB srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6

NEXT

id=1462
name=The Tenable Network Monitor has observed a TCP session of duration 1-15 minutes. 
# NOTE(review): ids 1460 and 1461 are not used in this file; the name says
# "1-15 minutes" while the raw token is "5_Minutes". Confirm which band the
# agent actually reports under this token before relying on the description.
match=TNM
match=TCP
match=Lo
match=Long
match=ion
match=ss
match= - TNM-Long_TCP_Session_5_Minutes[
# Capture layout as in rule 1450: $1/$3 source, $4/$6 destination.
regex=TNM-Long_TCP_Session_5_Minutes\[[0-9]{1,15}\]:([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) -> ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
# proto:6 = TCP.
log=type:network event:TNM-Long_TCP_Session_5_Minutes srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6

NEXT

id=1463
name=The Tenable Network Monitor has observed a TCP session of duration 15-25 minutes.
match=TNM
match=TCP
match=Lo
match=Long
match=ion
match=ss
# This full-token fragment (and those in rules 1464-1469) omits the trailing
# "[" that rules 1450-1462 include. The regex below still requires the "[",
# so matching is unaffected; it is only a consistency nit.
match= - TNM-Long_TCP_Session_15_Minutes
# Capture layout as in rule 1450: $1/$3 source, $4/$6 destination.
regex=TNM-Long_TCP_Session_15_Minutes\[[0-9]{1,15}\]:([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) -> ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
# proto:6 = TCP.
log=type:network event:TNM-Long_TCP_Session_15_Minutes srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6

NEXT

id=1464
name=The Tenable Network Monitor has observed a TCP session of duration 25-40 minutes.
match=TNM
match=TCP
match=Lo
match=Long
match=ion
match=ss
match= - TNM-Long_TCP_Session_30_Minutes
# Capture layout as in rule 1450: $1/$3 source, $4/$6 destination.
regex=TNM-Long_TCP_Session_30_Minutes\[[0-9]{1,15}\]:([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) -> ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
# proto:6 = TCP.
log=type:network event:TNM-Long_TCP_Session_30_Minutes srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6

NEXT

id=1465
name=The Tenable Network Monitor has observed a TCP session of duration 40-55 minutes.
match=TNM
match=TCP
match=Lo
match=Long
match=ion
match=ss
match= - TNM-Long_TCP_Session_45_Minutes
# Capture layout as in rule 1450: $1/$3 source, $4/$6 destination.
regex=TNM-Long_TCP_Session_45_Minutes\[[0-9]{1,15}\]:([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) -> ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
# proto:6 = TCP.
log=type:network event:TNM-Long_TCP_Session_45_Minutes srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6

NEXT

id=1466
name=The Tenable Network Monitor has observed a TCP session of duration 55-100 minutes.
match=TNM
match=TCP
match=Lo
match=Long
match=ion
match=ss
match= - TNM-Long_TCP_Session_60_Minutes
# Capture layout as in rule 1450: $1/$3 source, $4/$6 destination.
regex=TNM-Long_TCP_Session_60_Minutes\[[0-9]{1,15}\]:([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) -> ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
# proto:6 = TCP.
log=type:network event:TNM-Long_TCP_Session_60_Minutes srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6

NEXT

id=1467
name=The Tenable Network Monitor has observed a TCP session of duration 100 minutes - 24 hours.
match=TNM
match=TCP
match=Lo
match=Long
match=ion
match=ss
match= - TNM-Long_TCP_Session_Many_Hours
# Capture layout as in rule 1450: $1/$3 source, $4/$6 destination.
regex=TNM-Long_TCP_Session_Many_Hours\[[0-9]{1,15}\]:([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) -> ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
# proto:6 = TCP. Multi-hour sessions are a common indicator of persistent
# tunnels or long-lived command channels, so this band is worth reviewing.
log=type:network event:TNM-Long_TCP_Session_Many_Hours srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6

NEXT

id=1468
name=The Tenable Network Monitor has observed a TCP session of duration 24-47 hours.
match=TNM
match=TCP
match=Lo
match=Long
match=ion
match=ss
match= - TNM-Long_TCP_Session_1_Day
# Capture layout as in rule 1450: $1/$3 source, $4/$6 destination.
regex=TNM-Long_TCP_Session_1_Day\[[0-9]{1,15}\]:([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) -> ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
# proto:6 = TCP.
log=type:network event:TNM-Long_TCP_Session_1_Day srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6

NEXT

id=1469
name=The Tenable Network Monitor has observed a TCP session of duration longer than 47 hours.
# Top duration band; no upper bound in the raw token.
match=TNM
match=TCP
match=Lo
match=Long
match=ion
match=ss
match= - TNM-Long_TCP_Session_Many_Days
# Capture layout as in rule 1450: $1/$3 source, $4/$6 destination.
regex=TNM-Long_TCP_Session_Many_Days\[[0-9]{1,15}\]:([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) -> ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
# proto:6 = TCP.
log=type:network event:TNM-Long_TCP_Session_Many_Days srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6

NEXT

id=1470
name=The Tenable Network Monitor has observed a TCP session shorter than 1 minute in duration.
match=TNM
match=TCP
match=Short
match=ion
match=ss
match= - TNM-TCP_Session_Short[
# "match=!" appears to be a negated prefilter: records whose bracketed value is
# exactly 0 are excluded here so they fall through to rule 1471 instead. This
# is needed because the regex below ([0-9]{1,15}) would otherwise also accept
# "Short[0]". Confirm the negation semantics against the PRM parser.
match=! - TNM-TCP_Session_Short[0]
# Capture layout as in rule 1450: $1/$3 source, $4/$6 destination.
regex=TNM-TCP_Session_Short\[[0-9]{1,15}\]:([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) -> ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
# proto:6 = TCP.
log=type:network event:TNM-TCP_Session_Short srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6

NEXT

id=1471
name=The Tenable Network Monitor has observed a TCP session which transfered zero bytes of data.
match=TNM
match=TCP
match=Short
match=ion
match=ss
# Only the "[0]" variant of the Short token is accepted here; rule 1470
# excludes it explicitly so the two rules partition the Short records.
match= - TNM-TCP_Session_Short[0]
# The bracket is pinned to a literal 0 rather than a digit range.
# Capture layout as in rule 1450: $1/$3 source, $4/$6 destination.
regex=TNM-TCP_Session_Short\[0\]:([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) -> ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
# The emitted event name (TNM-TCP_Session_NoData) deliberately differs from
# the raw token (TNM-TCP_Session_Short) so zero-byte sessions — often scans or
# filtered connection attempts — are distinguishable from short-but-nonempty
# ones reported by rule 1470. proto:6 = TCP.
log=type:network event:TNM-TCP_Session_NoData srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6