# THUNDER PRM LIBRARY
# Copyright 2005 Tenable Network Security
# This library may only be used with the Thunder server and may not
# be used with other products or open source projects
#
# NAME:
# Tenable Network Monitor library
#
# DESCRIPTION:
#
# This .prm library is used to search for events from the Tenable
# Network Monitor agent.
#
# LAST UPDATED: $Date$
#
# Structure of each rule in this file (as used below):
#   id=     numeric rule identifier
#   name=   human-readable description shown for the event
#   match=  literal substrings a log line must contain before the regex is tried;
#           a "match=!" entry (see id 1470) excludes lines containing that substring
#   regex=  pattern whose parenthesised groups are referenced as $1..$n in log=
#   log=    normalized event fields emitted on a hit
#   NEXT    separates one rule from the next (the last rule carries no NEXT)
#
# Capture-group layout shared by every TCP/UDP regex below:
#   $1 = source IP, $2 = last repeated octet group (unused),
#   $3 = source port, $4 = destination IP, $5 = unused, $6 = destination port.
# The ICMP/IGMP regexes capture only the two IPs ($1 and $3).
#
# NOTE(review): the IP pattern [0-9]+(\.[0-9]+){3} and port pattern [0-9]{1,5}
# are deliberately loose (they accept octets > 255 and ports > 65535) and the
# regexes are unanchored. That is acceptable because the input is the TNM
# agent's own output rather than arbitrary user data, but consumers should not
# treat srcip/dstip/srcport/dstport as validated values.
#
# proto:6 and proto:17 are the IANA protocol numbers for TCP and UDP. The
# ICMP/IGMP rules (1454, 1455) emit no proto: field at all.

# Rule 1450: a TCP session has been started; direction is src -> dst as logged by the agent.
id=1450
name=The Tenable Network Monitor has observed a TCP session start.
match=TNM
match=TCP
match=St
match=ion
match=ar
match=ed
match=ss
match= - TNM-TCP_Session_Started:
regex=TNM-TCP_Session_Started:([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) -> ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=type:network event:TNM-TCP_Session_Started srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6
NEXT

# Rule 1451: a TCP session has completed. The bracketed number after the event
# name is consumed but not captured.
id=1451
name=The Tenable Network Monitor has observed a TCP session complete.
match=TNM
match=TCP
match=ion
match=le
match=ed
match=ss
match= - TNM-TCP_Session_Completed[
regex=TNM-TCP_Session_Completed\[[0-9]{1,10}\]:([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) -> ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
# Original note: the "completed" record logged the connection info backwards,
# so the IPs and ports are supposed to be switched here.
# NOTE(review): the log= line below uses exactly the same $1/$3 -> $4/$6 mapping
# as rule 1450, so no swap is actually applied. Either the note above is stale
# (the agent was fixed) or srcip/dstip and srcport/dstport are reversed for this
# event. Confirm against a live TNM "Completed" record before relying on the
# direction of this event in correlation rules.
log=type:network event:TNM-TCP_Session_Completed srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6
NEXT

# Rule 1452: a tracked TCP session timed out without completing.
id=1452
name=The Tenable Network Monitor has observed a TCP session timeout. This means that the session may have never sent any data, was blocked by a proxy/firewall or the TNM did not have enough resources to keep tracking the session.
match=TNM
match=TCP
match=ion
match=ed
match=ss
match= - TNM-TCP_Session_Timedout:
regex=TNM-TCP_Session_Timedout:([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) -> ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=type:network event:TNM-TCP_Session_Timedout srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6
NEXT

# Rule 1453: UDP traffic between two endpoints.
id=1453
name=The Tenable Network Monitor has observed a UDP activity.
match=TNM
match=ty
match= - TNM-UDP_Activity:
match=UDP
regex=TNM-UDP_Activity:([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) -> ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=type:network event:TNM-UDP_Activity srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:17
NEXT

# Rule 1454: ICMP traffic. The agent prints a port-like field after each IP;
# it is matched but not captured, so only the two IPs are logged.
id=1454
name=The Tenable Network Monitor has observed a ICMP activity.
match=TNM
match=ICMP
match=MP
match=ty
match= - TNM-ICMP_Activity:
regex=TNM-ICMP_Activity:([0-9]+(\.[0-9]+){3}):[0-9]{1,5} -> ([0-9]+(\.[0-9]+){3}):[0-9]{1,5}
log=type:network event:TNM-ICMP_Activity srcip:$1 dstip:$3
NEXT

# Rule 1455: IGMP traffic; same capture layout as the ICMP rule.
id=1455
name=The Tenable Network Monitor has observed a IGMP activity.
match=TNM
match=IGMP
match=MP
match=ty
match= - TNM-IGMP_Activity:
regex=TNM-IGMP_Activity:([0-9]+(\.[0-9]+){3}):[0-9]{1,5} -> ([0-9]+(\.[0-9]+){3}):[0-9]{1,5}
log=type:network event:TNM-IGMP_Activity srcip:$1 dstip:$3
NEXT

# Rules 1456-1459: completed TCP sessions bucketed by bytes transferred.
# The bucket is encoded in the event name; the bracketed byte count is matched
# but not captured, so the exact volume is not carried into the log= fields.
id=1456
name=The Tenable Network Monitor has observed a TCP session completed which transferred at least 1MB of data.
match=TNM
match=ol
match=ion
match=le
match=ss
match= - TNM-TCP_Session_Whole_1-10MB[
match=TCP
match=Whole
regex=TNM-TCP_Session_Whole_1-10MB\[[0-9]{1,15}\]:([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) -> ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=type:network event:TNM-TCP_Session_Whole_1-10MB srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6
NEXT

id=1457
name=The Tenable Network Monitor has observed a TCP session completed which transferred at least 10MB of data.
match=TNM
match=TCP
match=ol
match=ion
match=le
match=ss
match= - TNM-TCP_Session_Whole_10-100MB[
regex=TNM-TCP_Session_Whole_10-100MB\[[0-9]{1,15}\]:([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) -> ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
match=Whole
log=type:network event:TNM-TCP_Session_Whole_10-100MB srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6
NEXT

id=1458
name=The Tenable Network Monitor has observed a TCP session completed which transferred at least 100MB of data.
match=TNM
match=TCP
match=ol
match=ion
match=le
match=ss
match= - TNM-TCP_Session_Whole_100-1024MB[
match=Whole
regex=TNM-TCP_Session_Whole_100-1024MB\[[0-9]{1,15}\]:([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) -> ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=type:network event:TNM-TCP_Session_Whole_100-1024MB srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6
NEXT

id=1459
name=The Tenable Network Monitor has observed a TCP session completed which transferred 1GB or more of data.
match=TNM
match=TCP
match=ol
match=le
match=Whole
match=ion
match=ss
match= - TNM-TCP_Session_Whole_1GB[
regex=TNM-TCP_Session_Whole_1GB\[[0-9]{1,15}\]:([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) -> ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=type:network event:TNM-TCP_Session_Whole_1GB srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6
NEXT

# Rules 1462-1469: TCP sessions bucketed by duration. The duration ranges in
# name= do not line up exactly with the bucket label in the event name
# (e.g. 1462 covers 1-15 minutes but is tagged 5_Minutes); the event name is
# what the agent emits, the name= text is the description.
id=1462
name=The Tenable Network Monitor has observed a TCP session of duration 1-15 minutes.
match=TNM
match=TCP
match=Lo
match=Long
match=ion
match=ss
match= - TNM-Long_TCP_Session_5_Minutes[
regex=TNM-Long_TCP_Session_5_Minutes\[[0-9]{1,15}\]:([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) -> ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=type:network event:TNM-Long_TCP_Session_5_Minutes srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6
NEXT

id=1463
name=The Tenable Network Monitor has observed a TCP session of duration 15-25 minutes.
match=TNM
match=TCP
match=Lo
match=Long
match=ion
match=ss
match= - TNM-Long_TCP_Session_15_Minutes
regex=TNM-Long_TCP_Session_15_Minutes\[[0-9]{1,15}\]:([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) -> ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=type:network event:TNM-Long_TCP_Session_15_Minutes srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6
NEXT

id=1464
name=The Tenable Network Monitor has observed a TCP session of duration 25-40 minutes.
match=TNM
match=TCP
match=Lo
match=Long
match=ion
match=ss
match= - TNM-Long_TCP_Session_30_Minutes
regex=TNM-Long_TCP_Session_30_Minutes\[[0-9]{1,15}\]:([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) -> ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=type:network event:TNM-Long_TCP_Session_30_Minutes srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6
NEXT

id=1465
name=The Tenable Network Monitor has observed a TCP session of duration 40-55 minutes.
match=TNM
match=TCP
match=Lo
match=Long
match=ion
match=ss
match= - TNM-Long_TCP_Session_45_Minutes
regex=TNM-Long_TCP_Session_45_Minutes\[[0-9]{1,15}\]:([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) -> ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=type:network event:TNM-Long_TCP_Session_45_Minutes srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6
NEXT

id=1466
name=The Tenable Network Monitor has observed a TCP session of duration 55-100 minutes.
match=TNM
match=TCP
match=Lo
match=Long
match=ion
match=ss
match= - TNM-Long_TCP_Session_60_Minutes
regex=TNM-Long_TCP_Session_60_Minutes\[[0-9]{1,15}\]:([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) -> ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=type:network event:TNM-Long_TCP_Session_60_Minutes srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6
NEXT

id=1467
name=The Tenable Network Monitor has observed a TCP session of duration 100 minutes - 24 hours.
match=TNM
match=TCP
match=Lo
match=Long
match=ion
match=ss
match= - TNM-Long_TCP_Session_Many_Hours
regex=TNM-Long_TCP_Session_Many_Hours\[[0-9]{1,15}\]:([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) -> ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=type:network event:TNM-Long_TCP_Session_Many_Hours srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6
NEXT

id=1468
name=The Tenable Network Monitor has observed a TCP session of duration 24-47 hours.
match=TNM
match=TCP
match=Lo
match=Long
match=ion
match=ss
match= - TNM-Long_TCP_Session_1_Day
regex=TNM-Long_TCP_Session_1_Day\[[0-9]{1,15}\]:([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) -> ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=type:network event:TNM-Long_TCP_Session_1_Day srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6
NEXT

id=1469
name=The Tenable Network Monitor has observed a TCP session of duration longer than 47 hours.
match=TNM
match=TCP
match=Lo
match=Long
match=ion
match=ss
match= - TNM-Long_TCP_Session_Many_Days
regex=TNM-Long_TCP_Session_Many_Days\[[0-9]{1,15}\]:([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) -> ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=type:network event:TNM-Long_TCP_Session_Many_Days srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6
NEXT

# Rule 1470: short TCP sessions (under one minute). The "match=!" line excludes
# records whose byte count is exactly [0]; the regex on its own would also
# accept "[0]", so this exclusion is what lets rule 1471 below tag zero-byte
# sessions separately as TNM-TCP_Session_NoData. Do not remove it without
# also revisiting 1471.
id=1470
name=The Tenable Network Monitor has observed a TCP session shorter than 1 minute in duration.
match=TNM
match=TCP
match=Short
match=ion
match=ss
match= - TNM-TCP_Session_Short[
match=! - TNM-TCP_Session_Short[0]
regex=TNM-TCP_Session_Short\[[0-9]{1,15}\]:([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) -> ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=type:network event:TNM-TCP_Session_Short srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6
NEXT

# Rule 1471: TCP sessions that carried zero bytes. Note the event name emitted
# (TNM-TCP_Session_NoData) differs from the agent's record name
# (TNM-TCP_Session_Short[0]); a zero-byte session is a useful signal for
# scans and blocked/reset connections, so keep the distinct event name.
# This is the last rule in the file and therefore has no trailing NEXT.
id=1471
name=The Tenable Network Monitor has observed a TCP session which transfered zero bytes of data.
match=TNM
match=TCP
match=Short
match=ion
match=ss
match= - TNM-TCP_Session_Short[0]
regex=TNM-TCP_Session_Short\[0\]:([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) -> ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=type:network event:TNM-TCP_Session_NoData srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6