# THUNDER PRM LIBRARY
# Copyright 2006 Tenable Network Security
# This library may only be used with the Log Correlation Engine and may not
# be used with other products or open source projects
#
# NAME:
# Passive Vulnerability Scanner realtime syslog parser
#
# DESCRIPTION:
# The Passive Vulnerability Scanner will detect a majority of
# the systems, applications and vulnerabilities through passive
# protocol analysis. PVS also has the ability to look for events
# indicative of a succsesful attack only on the discovered applications
# it has identified. This library allows the LCE to process those
# events. 
#
# To use this with PVS, the PVS sensor must be configured to send
# SYSLOG messages to the Thunder daemon.

# LAST UPDATED: $Date: 2012/05/09 11:35:34 $

id=4700
name=The Passive Vulnerabiltiy Scanner detected a website hosting malicious content.
match=pvs
match=Malicious Website
match=Ma
match=te
match=al
match=ou
match=ic
match=Web
match=li
match=Mal
match=ici
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-Malicious_Website srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:intrusion

NEXT

id=4701
name=The Passive Vulnerabiltiy Scanner detected DNS tunneling.
match=pvs
match=unnel
match=Detection
match=|DNS Tunneling
match=un
match=on
match=tion
match=te
match=etection
match=ing
match=in
match=ng
match=nn
match=DNS
match=ti
match=ect
match=ion
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-DNS_Tunnel_Activity srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:network

NEXT

id=4702
name=The Passive Vulnerabiltiy Scanner detected XMPP protocol usage. 
match=pvs
match=5687|XMPP client detection
match=on
match=ent
match=te
match=de
match=etection
match=client
match=ien
match=en
match=ti
match=li
match=detection
match=ect
match=MP
match=ion
match=client
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-XMPP_Activity srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:network

NEXT

id=4703
name=The Passive Vulnerabiltiy Scanner detected a SCADA Distributed Network Protocol alert.
match=pvs
match=SCADA
match=etw
match=le
match=te
match=ed
match=ork
match=Dis
match=co
match=or
match=ol
match=Net
match=to
match=er
match=work
match=lert
match=ut
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-SCADA_DNP3_Alert srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:network

NEXT

id=4704
name=The Passive Vulnerabiltiy Scanner detected suspicious SCADA ICCP activity. 
match=pvs
match=In
match=al
match=li
match=SCADA
match=ICCP Invalid
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-SCADA_Invalid_ICCP_Activity srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:network

NEXT

id=4705
name=The Passive Vulnerabiltiy Scanner detected a login to the RealWin Management Server HMI interface. 
match=pvs
match=6305
match=SCADA
match=RealWin Management Server HMI
match=Server
match=Wi
match=ag
match=ea
match=ent
match=nag
match=ver
match=Re
match=al
match=erv
match=en
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-SCADA_RealWin_Login srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:login

NEXT

id=4706
name=The Passive Vulnerabiltiy Scanner detected a Voice Over IP (VoIP) session start.
match=pvs
match=6474
match=VoIP Client Detection
match=Detection
match=Cl
match=on
match=ent
match=tion
match=te
match=etection
match=ien
match=en
match=Client
match=IP
match=ti
match=li
match=ect
match=ion
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-VoIP_Session srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:network

NEXT

id=4707
name=The Passive Vulnerabiltiy Scanner detected BitTorrent file downlaod activity. 
match=pvs
match=lo
match=Detection
match=Fi
match=le
match=File Download Detection
match=To
match=on
match=.torrent
match=own
match=ent
match=te
match=re
match=Download
match=ile
match=File
match=ect
match=ion
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-BitTorrent_Activity srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:network

NEXT

id=4708
name=The Passive Vulnerabiltiy Scanner detected Facebook application activity. 
match=pvs
match=|6|
match=6397|Facebook Application Access
match=oo
match=at
match=cc
match=tion
match=App
match=Access
match=ess
match=ss
match=pp
match=ic
match=Acc
match=ce
match=ti
match=li
match=ok
match=ccess
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|6\|5272\|
log=event:PVS-Facebook_Application_Detection srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:social-networks

NEXT

id=4709
name=The Passive Vulnerabiltiy Scanner detected a potential cleartext command-line Unix or Windows shell. 
match=pvs
match=ss
match=|Successful Shell Attack Detected - 
match=ect
match=ack
match=ed
match=ttack
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-Potential_Shell_Compromise srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:intrusion

NEXT

id=4710
name=The Passive Vulnerabiltiy Scanner detected Rockwell Automation Service protocol activity.
match=pvs
match=Rockwell Automation Service Detection
match=at
match=Detection
match=ice
match=on
match=tion
match=te
match=etection
match=Auto
match=erv
match=ll
match=ti
match=Service
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-SCADA_Rockwell_Activity srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:network

NEXT

id=4711
name=The Passive Vulnerabiltiy Scanner detected MODBUS protocol activity commonly assotiated with SCADA control systems.
match=pvs
match=MOD
match=MODBUS Client '
match=Cl
match=ent
match=ien
match=en
match=Client
match=li
match=SCADA
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-SCADA_MODBUS_Activity srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:network

NEXT

id=4712
name=The Passive Vulnerabiltiy Scanner tracked network activity from a post-attack source IP.
match=pvs
match=ion
match=ss
match=session
match=ack
match=ed
match=|10|tracked-session|
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-Tracked_Session srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:intrusion

NEXT

id=4713
name=The Passive Vulnerabiltiy Scanner detected a YouTube video being played.
match=pvs
match=|6|
match=ion
match=:80|6|5273|youtube usage detection|
match=detection
match=ect
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|6\|5273\|
log=event:PVS-YouTube_Usage_Detection srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:social-networks


NEXT

id=4714
name=The Passive Vulnerabiltiy Scanner detected Twitter usage.
match=pvs
match=|6|
match=etection
match=ion
match=ect
match=:80
match=4814|Twitter Usage Detection|
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|6\|4814\|
log=event:PVS-Twitter_Usage_Detection srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:social-networks

NEXT

id=4715
name=The Passive Vulnerabiltiy Scanner detected evidence of a backdoored host.
match=pvs
match=ack
match=|Trojan/Backdoor 
match=an
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-Backdoor_Activity srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:intrusion

NEXT

id=4716
name=The Passive Vulnerabiltiy Scanner detected client or server botnet activity.
match=pvs
match=|6|
match=|Generic Botnet
match=ion
match=ect
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-Botnet_Detection srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:intrusion

NEXT

id=4717
name=The Passive Vulnerability Scanner detected a DVD or CD .iso image being transmitted over SMB.
match=pvs
match=ent
match=lo
match=le
match=|SMB Client File Download
match=Do
match=rom
match=.iso' from the
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*server on ([0-9]+(\.[0-9]+){3})
log=event:PVS-SMB_Client_ISO_File_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:file-access

NEXT

id=4718
name=The Passive Vulnerabiltiy Scanner detected a generic "Attack" event which look for post-compromise network activity.
match=pvs
match=TP
match=FTP
match=ack
match= Attack -
match=ttack
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-Successful_Attack srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:intrusion

NEXT

id=4719
name=The Passive Vulnerabiltiy Scanner detected a suspicious file (tftp or ftp) transfer from a known server.
match=pvs
match=|17|
match=ent
match=TP
match=rom
match=ate
match=ed
match=|TFTP Client initiated from
match=FTP
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-Suspicious_File_Transfer srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:intrusion

NEXT

id=4720
name=The Passive Vulnerabiltiy Scanner detected a web server which has proxied an email message.
match=pvs
match=|6|
match=TP
match=SMTP
match=ect
match=|6|6231|SMTP Proxy Traffic Detected
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-SMTP_Proxy srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:network

NEXT

id=4721
name=The Passive Vulnerabiltiy Scanner detected an email being sent by a tool known as 'The Bat'. This is likely a source of SPAM email. 
match=pvs
match=|6|
match=ion
match=detection
match=ect
match=ail
match=ss
match=ass
match=le
match=|6|3643|'The Bat' Mass mailer detection
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-SPAM_Mass_Mailing srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:spam

NEXT

id=4722
name=The Passive Vulnerabiltiy Scanner detected a Windows Error message being sent to Microsoft. 
match=pvs
match=|6|
match=rr
match=ing
match=le
match=ss
match=|6|2284|WinErr message leaving the network
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-Windows_Error_Message srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:error

NEXT

id=4723
name=The Passive Vulnerabiltiy Scanner detected a potential SPAM server on your network.
match=|Potential SPAM Server Detection|
match=nti
match=ote
match=SPAM
match=pvs
match=ent
match=|6|
match=etection
match=:25|6|4
match=ect
match=ial
match=ion
match=al
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-Potential_SPAM_Server srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:spam

NEXT

id=4724
name=The Passive Vulnerability Scanner has observed a local system request an ISO file via FTP.
match=pvs
match=|6|
match=ect
match=ion
match=detection
match=ent
match=TP
match=lo
match=le
match=|6|5056|FTP Client file download detection|
match=.iso{0d}{0a}|
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-FTP_File_ISO_Request srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:file-access

NEXT

id=4725
name=The Passive Vulnerability Scanner has observed a local system request a ZIP file via FTP.
match=pvs
match=|6|
match=TP
match=FTP
match=ion
match=detection
match=ect
match=ent
match=lo
match=le
match=|6|5056|FTP Client file download detection|
match=.zip{0d}{0a}|
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-FTP_File_ZIP_Request srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:file-access

NEXT

id=4726
name=The Passive Vulnerability Scanner has observed a local system request an EXE file via FTP.
match=pvs
match=|6|
match=TP
match=FTP
match=ect
match=ent
match=lo
match=ion
match=le
match=|6|5056|FTP Client file download detection|
match=detection
match=.exe{0d}{0a}|
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-FTP_File_EXE_Request srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:file-access

NEXT

id=4727
name=The Passive Vulnerability Scanner has observed a local system request an RPM file via FTP.
match=pvs
match=|6|
match=TP
match=FTP
match=ect
match=ion
match=detection
match=ent
match=lo
match=le
match=|6|5056|FTP Client file download detection|
match=.rpm{0d}{0a}|
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-FTP_File_RPM_Request srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:file-access

NEXT

id=4728
name=The Passive Vulnerabiltiy Scanner detected Facebook or Twitter "Pinterest" Activity 
match=pvs
match=ter
match=Facebook/Twitter Pinterest Activity
match=ace
match=est
match=ty
match=te
match=Act
match=Fa
match=re
match=tt
match=in
match=ti
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-Pinterest_Activity srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:social-networks

################################################################################
### 4730 - 4739
### Specific Policy normalizations
###
################################################################################

NEXT

id=4730
name=The Passive Vulnerabiltiy Scanner detected a Credit Card number in plain text.
match=pvs
match=|6|
match=ect
match=ion
match=detection
match=ar
match=ed
match= Credit Card plaintext detection
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-Credit_Card_Detection srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:data-leak

NEXT

id=4731
name=The Passive Vulnerabiltiy Scanner detected a webserver serving pornographic materials.
match=pvs
match=|6|
match=ser
match=ate
match=ing
match=|Webserver serving pornographic materials
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-Webserver_With_Pornography srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:web-access

NEXT

id=4732
name=The Passive Vulnerabiltiy Scanner detected a Social Security Number in plain text.
match=pvs
match=|6|
match=ect
match=ion
match=detection
match=ecu
match=ty
match= Social Security Number plaintext detection
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-SSN_Detection srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:data-leak

NEXT

id=4733
name=The Passive Vulnerability Scanner has detected a local client connecting to a network socket and immediately receiving a Microsoft executable. This may indicate malicious types of file sharing, but can also indicate some forms of P2P and Torrent sharing of executable programs. 
match=pvs
match=|6|
match=ect
match=ion
match=detection
match=ent
match=ecu
match=le
match=|5706|MS executable detection (client)|
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-Potential_Client_Download_of_Malicious_EXE srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:intrusion 

NEXT

id=4734
name=The Passive Vulnerability Scanner has detected a local server hosting a network socket and immediately sending a Microsoft executable. This may indicate malicious types of file sharing, but can also indicate some forms of P2P and Torrent sharing of executable programs. 
match=pvs
match=|6|
match=ect
match=ion
match=detection
match=ecu
match=le
match=|5701|MS executable detection|
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-Potential_Serving_of_Malicious_EXE srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:intrusion 

NEXT

id=4735
name=The Passive Vulnerability Scanner has detected a new website being hosted on an existing web server. If this website is unauthorized on your network, you should investigate it. If you have a web application assessment program, this website should be targeted for analysis if it holds sensitive data or is Internet facing. 
match=pvs
match=ect
match=ion
match=detection
match=ser
match=TP
match=|7033|HTTP server vhost detection|
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-New_WebSite_Detected srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:detected-change 

NEXT

id=4736
name=The Passive Vulnerability Scanner has observed an email being sent from your network which was blocked by the recipient email server because of an RBL lookup. This means that a remote email server believes that an email system on your network is sending SPAM and has possibly been reported to one or more RBL services. if you encounter large numbers of these errors, you may in fact have an email server that is inadvertently carrying SPAM email, or perhaps have a botnet or malicious piece of software sending large numbers of SPAM emails.  
match=pvs
match=|6|
match=ack
match=ing
match=le
match=ss
match=|5509|Possible RBL/CBL blacklisting message|
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-RBL_Blocked_Spam_Email srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:spam 

#id=4737 reserved
#id=4738 reserved
#id=4739 reserved

################################################################################
### 4740 - 4749
### Specific SCADA normalizations
###
################################################################################

NEXT

id=4740
name=The Passive Vulnerabiltiy Scanner detected SCADA DNPv3 activity.
match=pvs
match=|6|
match=ol
match=ed
match=|Distributed Network Protocol v3 '
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-SCADA_DNPv3_Activity srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:intrusion

NEXT

id=4741
name=The Passive Vulnerabiltiy Scanner detected SCADA MODBUS activity.
match=pvs
match=|6|
match=ent
match=|MODBUS Client '
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-SCADA_MODBUS_Activity srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:intrusion

NEXT

id=4742
name=The Passive Vulnerabiltiy Scanner detected SCADA ICCP activity.
match=pvs
match=|6|
match=|SCADA - ICCP 
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-SCADA_ICCP_Activity srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:intrusion

NEXT

id=4743
name=The PVS has detected SCADA GE D20 TFTP activity
match=|62
match=|17|
match=GE
match=D20
match=TFTP
match=Client
match=FT
match=Access
match=ect
match=Detection
match=|6271|
match=Client Access Detection
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-SCADA_GED20_Activity srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:17 type:intrusion

#id=4744 reserved
#id=4745 reserved
#id=4746 reserved
#id=4747 reserved
#id=4748 reserved
#id=4749 reserved

################################################################################
### 4750 - 4759
### New Hosts, new ports, new browses, .etc
###
################################################################################

NEXT

id=4750
name=The Passive Vulnerabiltiy Scanner detected a new host.
match=pvs
match=host
match=le
match=|13|new-host-alert|
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|
log=event:PVS-New_Host_Alert srcip:$1 srcport:0 dstip:$1 dstport:0 proto:0 type:detected-change

NEXT

id=4751
name=The Passive Vulnerabiltiy Scanner detected a new internet connection.
match=pvs
match=ect
match=ion
match=|3|connection|INFO
match=INFO
match=IN
match=FO
match=onnection
match=onnect
match=0.0.0.0
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-New_Internet_Activity srcip:$1 srcport:$6 dstip:$1 dstport:$6 proto:$7 type:detected-change

NEXT

id=4752
name=The Passive Vulnerabiltiy Scanner detected a new port browsing. This means that a host was observed connecting to the Internet on a previously undetected port. 
match=pvs
match=ect
match=ser
match=ion
match=ce
match=|2|connection-to-service|INFO
match=INFO
match=IN
match=FO
match=onnection
match=onnect
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-New_Port_Browsing srcip:$1 srcport:$6 dstip:$1 dstport:$6 proto:$7 type:detected-change

NEXT

id=4753
name=The Passive Vulnerabiltiy Scanner has detected a new open port. 
match=pvs
match=IN
match=INFO
match=FO
match=|0|new-open-port|INFO
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-New_Open_Port srcip:$1 dstip:$1 srcport:$3 dstport:$3 type:detected-change

NEXT

id=4754
name=The Passive Vulnerabiltiy Scanner has detected a new trust relationship.
match=pvs
match=ion
match=|3|connection|INFO
match=ect
match=INFO
match=IN
match=FO
match=!0.0.0.0
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-New_Trust_Relationship srcip:$1 srcport:$6 dstip:$4 dstport:$6 proto:$7 type:detected-change

#id=4755 reserved
#id=4756 reserved
#id=4747 reserved
#id=4758 reserved
#id=4759 reserved

################################################################################
### 4770 - 4779
### New Vulnerabilities 
###
################################################################################

NEXT

id=4770
name=The Passive Vulnerability Scanner has observed a local FTP server serve a file via FTP. 
match=pvs
match=|6|
match=TP
match=FTP
match=ion
match=detection
match=ect
match=le
match=|6|5055|FTP Server file detection|
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-FTP_File_Served srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:file-access

NEXT

id=4771
name=The Passive Vulnerabiltiy Scanner detected a LOW severity vulnerability.
match=pvs
match=!:0|0|11|portscan-detection|
match=!|13|new-host-alert|
match=!|3|connection|INFO
match=!|2|connection-to-service|INFO
match=!|0|new-open-port|INFO
match=|LOW
match=LO
match=!|6|1329|Local Email Account
match=!110|6|2341|Local POP Account|USER 
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-New_Network_Data srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:network

NEXT

id=4772
name=The Passive Vulnerabiltiy Scanner detected a MEDIUM severity vulnerability.
match=pvs
match=!:0|0|11|portscan-detection|
match=!|13|new-host-alert|
match=!|3|connection|INFO
match=!|2|connection-to-service|INFO
match=!|0|new-open-port|INFO
match=|MEDIUM
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-Medium_Vulnerability srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:vulnerability

NEXT

id=4773
name=The Passive Vulnerabiltiy Scanner detected a HIGH severity vulnerability.
match=pvs
match=!:0|0|11|portscan-detection|
match=!|13|new-host-alert|
match=!|3|connection|INFO
match=!|2|connection-to-service|INFO
match=!|0|new-open-port|INFO
match=|HIGH
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-High_Vulnerability srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:vulnerability

#NEXT
#
#id=4774
#name=The Passive Vulnerabiltiy Scanner detected an informational vulnerability. 
#example=<36>Dec 29 07:34:05 pvs: 161.253.140.121:1440|207.242.93.22:80|6|2287|Mozilla-based web browser multiple vulnerabilities|||NONE
#match=pvs
#match=!:0|0|11|portscan-detection|
#match=!|13|new-host-alert|
#match=!|3|connection|INFO
#match=!|2|connection-to-service|INFO
#match=!|0|new-open-port|INFO
#match=!|6|4082|AOL Instant Messenger user enumeration|
#match=!|6|4081|Yahoo Messenger user enumeration|
#match=!|6|2600|MSN Messenger UserID detection|
#match=!|6|9005|Gmail usage detection|
#match=!|6|9000|myspace usage detection|
#match=!:25|6|1329|Local Email Account|
#match=!:110|6|2341|Local POP Account|USER
#match=!:80|6|5272|Facebook usage detection|
#match=!:80|6|4814|Twitter usage detection|
#match=!:80|6|5273|youtube usage detection|
#match=!:25|6|2609|PGP Email client detection|
#match=!|6|5266|Web clients|GET
#match=!|6|5266|Web clients|POST
#match=!|6|5253|Client .exe download detection|
#match=!|6|5254|Client .exe download detection|
#match=!|6|5056|FTP Client file download detection|
#match=!|6|5055|FTP Server file detection|
#match=!|Potential SPAM server detection|
#match=!|5934|VNC Detected|
#match=|NONE
#regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
#log=event:PVS-New_Network_Data srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:vulnerability

# 4775 and 4776 available

NEXT

id=4777
name=The Passive Vulnerability Scanner detected a Windows .dll file being transmitted over SMB.
match=pvs
match=lo
match=Download
match=Do
match=ent
match=le
match=|SMB Client File Download
match=rom
match=.msi' from the
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*server on ([0-9]+(\.[0-9]+){3})
log=event:PVS-SMB_Client_MSI_File_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:file-access

NEXT

id=4778
name=The Passive Vulnerability Scanner detected a Windows .dll file being transmitted over SMB.
match=pvs
match=lo
match=Download
match=Do
match=ent
match=le
match=|SMB Client File Download
match=rom
match=.dll' from the
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*server on ([0-9]+(\.[0-9]+){3})
log=event:PVS-SMB_Client_DLL_File_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:file-access

NEXT

id=4779
name=The Passive Vulnerability Scanner has observed a local system request a file via FTP. 
match=pvs
match=TP
match=FTP
match=|6|
match=lo
match=download
match=ent
match=ion
match=le
match=|6|5056|FTP Client file download detection|
match=ect
match=!.exe{0d}{0a}|
match=!.iso{0d}{0a}|
match=!.rpm{0d}{0a}|
match=!.zip{0d}{0a}|
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-FTP_File_Request srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:file-access

NEXT

id=4780
name=The Passive Vulnerabiltiy Scanner detected a PGP email identity.
match=pvs
match=|6|
match=ion
match=detection
match=ect
match=!{20}
match=!{0d}
match=!{0a}
match=ent
match=ail
match=:25|6|2609|PGP Email client detection|
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|6\|2609\|
log=event:PVS-PGP_Detection srcip:$1 srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:network

NEXT

id=4781
name=The Passive Vulnerabiltiy Scanner detected Facebook activity.
match=pvs
match=|6|
match=ion
match=detection
match=ect
match=ce
match=ace
match=:80|6|5272|Facebook usage detection|
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|6\|5272\|
log=event:PVS-Facebook_Usage_Detection srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:social-networks

NEXT

id=4782
name=The Passive Vulnerabiltiy Scanner detected a POP login.
match=ER
match=pvs
match=|6|
match=!{20}
match=!{0d}
match=!{0a}
match=Lo
match=:110|6|2341|Local POP Account|USER
match=cal
match=SE
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|6\|2341\|
log=event:PVS-POP_Session_Detection srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:network

NEXT

id=4783
name=The Passive Vulnerabiltiy Scanner detected a user return SMTP email address.
match=pvs
match=|6|
match=!{20}
match=!{0d}
match=!{0a}
match=ail
match=Lo
match=:25|6|1329|Local Email Account|
match=cal
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|6\|1329\|
log=event:PVS-SMTP_Return_Address srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:network

NEXT

id=4784
name=The Passive Vulnerabiltiy Scanner detected a myspace account login.
match=pvs
match=|6|
match=ion
match=detection
match=ect
match=!{20}
match=!{0d}
match=!{0a}
match=ce
match=ace
match=|6|9000|myspace usage detection|
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|6\|9000\|
log=event:PVS-Myspace_Login_Detection srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:social-networks

NEXT

id=4785
name=The Passive Vulnerabiltiy Scanner detected a gmail account login.
match=pvs
match=|6|
match=ion
match=detection
match=ect
match=ion
match=ail
match=|6|5275|Gmail usage detection|
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|6
log=event:PVS-Gmail_Login_Detection srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:web-access

NEXT

id=4786
name=The Passive Vulnerabiltiy Scanner detected an MSN Messenger login.
match=pvs
match=|6|
match=ion
match=detection
match=ect
match=!{20}
match=!{0d}
match=!{0a}
match=ser
match=ss
match=|6|2600|MSN Messenger UserID detection|
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|6\|2600\|
log=event:PVS-MSN_Messenger_Login_Detection srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:network

NEXT

id=4787
name=The Passive Vulnerabiltiy Scanner detected a Yahoo Messenger login.
match=pvs
match=|6|
match=ion
match=enumeration
match=!{20}
match=!{0d}
match=!{0a}
match=ser
match=ss
match=|6|4081|Yahoo Messenger user enumeration|
match=ont
match=Contact: <sip:
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|6\|4081\|
log=event:PVS-Yahoo_Messenger_Login_Detection srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:network

NEXT

id=4788
name=The Passive Vulnerabiltiy Scanner detected an AOL Instant Messenger login.
match=pvs
match=|6|
match=ion
match=enumeration
match=!{20}
match=!{0d}
match=!{0a}
match=sta
match=ser
match=ss
match=|6|4082|AOL Instant Messenger user enumeration|
match=an
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|6\|4082\|
log=event:PVS-AOL_Messenger_Login_Detection srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:network

NEXT 

id=4789
name=The Passive Vulnerabiltiy Scanner could not be shutdown.
match=pvs
match=ail
match=le
match=ed
match=failed
match=pvs shutdown failed
log=event:PVS-Shutdown_Failed type:restart

NEXT 

id=4790
name=The Passive Vulnerabiltiy Scanner proxy was shutdown.
match=pvs
match=ce
match=ed
match=pvs-proxy shutdown succeeded
log=event:PVS-Proxy_Shutdown_Succeeded type:restart

NEXT

id=4791
name=The Passive Vulnerabiltiy Scanner has found found a system which accepts connections.
match=pvs
match=|6|
match=ion
match=onnection
match=onnect
match=ect
match=ce
match=pt
match=0|6|14|accepts-external-connections|
match=acc
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|6\|14\|
log=event:PVS-Accepts_External_Connections srcip:$1 srcport:$2 dstip:$1 dstport:$2 proto:6 type:detected-change

NEXT 

id=4792
name=The Passive Vulnerabiltiy Scanner could not be shutdown.
match=pvs
match=ce
match=ed
match=pvs shutdown succeeded
log=event:PVS-Shutdown_Succeeded type:restart

NEXT

id=4793
name=The Passive Vulnerabiltiy Scanner has observed a POP login event. 
match=pvs
match=|6|
match=Lo
match=Local
match=cal
match={20}
match={0d}
match={0a}
match=:110|6|2341|Local POP Account|USER
match=ER
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|6\|2341\|
log=event:PVS-POP_Session_Detection srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:network

NEXT

id=4794
name=The Passive Vulnerabiltiy Scanner has observed a Yahoo Messenger login event. 
match=pvs
match=|6|
match=ion
match=enumeration
match={20}
match={0d}
match={0a}
#match=Contact:{20}<sip:
match=ser
match=ss
match=|6|4081|Yahoo Messenger user enumeration|
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|6\|4081\|
log=event:PVS-Yahoo_Messenger_Login_Detection srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:network

NEXT

id=4795
name=The Passive Vulnerabiltiy Scanner detected a user return SMTP email address.
match=pvs
match=|6|
match=Lo
match=Local
match=cal
match={20}
match={0d}
match={0a}
match=ail
match=:25|6|1329|Local Email Account|
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|6\|1329\|
log=event:PVS-SMTP_User_Return_Address srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:network

NEXT

id=4796
name=The Passive Vulnerabiltiy Scanner detected an AOL Instant Messenger login.
match=pvs
match=|6|
match=ion
match=enumeration
match={20}
match={0d}
match={0a}
match=sta
match=ser
match=ss
match=|6|4082|AOL Instant Messenger user enumeration|
match=an
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|6\|4082\|
log=event:PVS-AOL_Messenger_Login_Detection srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:network

NEXT

id=4797
name=The Passive Vulnerabiltiy Scanner detected an MSN Messenger login.
match=pvs
match=|6|
match=ion
match=detection
match=ect
match={20}
match={0d}
match={0a}
match=ser
match=ss
match=|6|2600|MSN Messenger UserID detection|
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|6\|2600\|
log=event:PVS-MSN_Messenger_Login_Detection srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:network

NEXT

#############################
#                           #
# Housekeeping Key messages #
#                           #
#############################

id=4798
name=The Passive Vulnerabiltiy Scanner has an invlid key.
match=PVS
match=ERROR
match=ER
match=AL
match= (PVS) [ERROR] !! INVALID KEY !!
match=IN
log=event:PVS-Invalid_Key type:error
 
NEXT

id=4799
name=The Passive Vulnerabiltiy Scanner has a bad time in key file.
match=PVS
match=ERROR
match=ER
match=le
match= (PVS) [ERROR] Bad time in key file
log=event:PVS-Invalid_Time_In_Key type:error

NEXT

id=4800
name=The Passive Vulnerabiltiy Scanner has a keyfile that has expired.
match=PVS
match=ERROR
match=ER
match=ire
match=ing
match=le
match=ed
match= (PVS) [ERROR] main - The keyfile has expired. Exiting.
log=event:PVS-Key_Expired type:error

#
# Back to regular PRMs

NEXT

id=4801
name=The Passive Vulnerability Scanner has detected a system connecting the to the whatismyip.com web site. This web site is commonly used by botnets and malware to determine the IP address of the external gateway router. It is a legitamet service and does not necceasirly mean your system is compromised, however, if you observe port scanning, network anomalies or other suspicious activity, this event could corroborate as evidence of a potential infected system.
match=pvs
match=|6|
match=ion
match=detection
match=ect
match=ent
match=|6|5280|whatismyip.com client detection|
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-WhatIsMyIP_Activity srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:intrusion

NEXT

id=4802
name=The Passive Vulnerability Scanner detected a file being transmitted over SMB.
match=pvs
match=lo
match=Download
match=Do
match=ent
match=le
match=|SMB Client File Download
match=!.csv' from the
match=!.dll' from the
match=!.doc' from the
match=!.docx' from the
match=!.exe' from the
match=!.ini' from the
match=!.iso' from the
match=!.msi' from the
match=!.pdf' from the
match=!.pps' from the
match=!.pst' from the
match=!.ppt' from the
match=!.pptx' from the
match=!.rtf' from the
match=!.sql' from the
match=!.txt' from the
match=!.xls' from the
match=!.xlsx' from the
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*server on ([0-9]+(\.[0-9]+){3})
log=event:PVS-SMB_Client_File_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:file-access

NEXT

id=4803
name=The Passive Vulnerability Scanner detected an executable file being transmitted over SMB.
match=pvs
match=SMB
match=lo
match=Download
match=Do
match=ent
match=le
match=|SMB Client File Download
match=rom
match=.exe' from the
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*server on ([0-9]+(\.[0-9]+){3})
log=event:PVS-SMB_Client_EXE_File_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:file-access

NEXT

id=4804
name=The Passive Vulnerability Scanner detected a Windows .ini file being transmitted over SMB.
match=pvs
match=SMB
match=lo
match=Download
match=Do
match=ent
match=le
match=|SMB Client File Download
match=rom
match=.ini' from the
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*server on ([0-9]+(\.[0-9]+){3})
log=event:PVS-SMB_Client_INI_File_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:file-access

NEXT

id=4805
name=The Passive Vulnerability Scanner has detected a DNS query from a remote client.
match=pvs
match=|70
match=DNS
match=ent
match=|7024|DNS Client Queries|
match=ser
match=ed
match= PVS has observed
match=!This client has requested name resolution for the following
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*server at ([0-9]+(\.[0-9]+){3})
log=event:PVS-DNS_Client_Query srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:dns

NEXT

id=4806
name=The Passive Vulnerability Scanner has detected an internal interactive session.
match=pvs
match=ion
match=ss
match=session
match=|4|internal-interactive-session|
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-Internal_Interactive_Session srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:network

NEXT

id=4807
name=The Passive Vulnerability Scanner has detected an outbound-interactive-session.
match=pvs
match=ion
match=ss
match=session
match=|5|outbound-interactive-session|
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-Outbound_Interactive_Session srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:network

NEXT

id=4808
name=The Passive Vulnerability Scanner has detected an inbound-interactive-session.
match=pvs
match=ion
match=ss
match=session
match=|6|inbound-interactive-session|
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-Inbound_Interactive_Session srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:network

NEXT

id=4809
name=The Passive Vulnerability Scanner has detected an internal-encrypted-session.
match=pvs
match=ion
match=ss
match=session
match=ed
match=pt
match=|7|internal-encrypted-session|
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-Internal_Encrypted_Session srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:network

NEXT

id=4810
name=The Passive Vulnerability Scanner has detected an outbound-encrypted-session.
match=pvs
match=ion
match=ss
match=session
match=ed
match=pt
match=|8|outbound-encrypted-session|
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-Outbound_Encrypted_Session srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:network

NEXT

id=4811
name=The Passive Vulnerability Scanner has detected an inbound-encrypted-session.
match=pvs
match=ion
match=ss
match=session
match=ed
match=pt
match=|9|inbound-encrypted-session|
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-Inbound_Encrypted_Session srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:network

NEXT

id=4812
name=The Passive Vulnerability Scanner has detected hidden ViewState form field.
match=pvs
match=|70
match=St
match=ate
match=ion
match=|7005|ViewState detection and decode|
match=ect
match=an
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*to web server ([0-9]+(\.[0-9]+){3})
log=event:PVS-ViewState_Detection_and_Decode srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:vulnerability

NEXT

id=4813
name=The Passive Vulnerability Scanner has detected a FTP file download.
match=pvs
match=|70
match=TP
match=ion
match=le
match=|7006|FTP file detection|
match=FTP
match=ser
match= remote FTP server
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*remote FTP server at ([0-9]+(\.[0-9]+){3})
log=event:PVS-FTP_File_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:file-access

NEXT

id=4814
name=The Passive Vulnerability Scanner has enumerated an FTP username.
match=pvs
match=|70
match=ser
match=TP
match=ion
match=|7008|FTP UserID enumeration|
match=FTP
match=ent
match=The remote FTP client
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*these credentials to log into ([0-9]+(\.[0-9]+){3})
log=event:PVS-FTP_UserID_Enumeration srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:network

NEXT

id=4815
name=The Passive Vulnerability Scanner has enumerated a POP username.
match=pvs
match=|70
match=ser
match=ion
match=|7010|POP UserID enumeration|
match=The remote POP UserID
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*these credentials to log into ([0-9]+(\.[0-9]+){3})
log=event:PVS-POP_UserID_Enumeration srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:network

NEXT

id=4816
name=The Passive Vulnerability Scanner has enumerated an IMAP username.
match=pvs
match=|70
match=ser
match=ion
match=|7012|IMAP UserID Enumeration|
match=ss
match=ass
match=ate
match=ed
match=associated with the IMAP account
match=acc
match=AP
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*account is: ([A-za-z0-9._-]+) and the user was observed using these credentials to log into ([0-9]+(\.[0-9]+){3})
log=event:PVS-IMAP_UserID_Enumeration srcip:$1 srcport:$3 dstip:$9 dstport:$6 proto:$7 type:network user:$8

NEXT

id=4817
name=The Passive Vulnerability Scanner has enumerated a list of SMTP usernames.
match=pvs
match=|70
match=ser
match=TP
match=ion
match=|7015|SMTP UserID Enumeration|
match=ent
match=ss
match=ass
match=ate
match=ed
match=SMTP UserIDs associated with this client
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*
log=event:PVS-SMTP_UserID_Enumeration srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:network

NEXT

id=4818
name=The Passive Vulnerability Scanner has identified default credentials being used.
match=pvs
match=|70
match=ent
match=ed
match=|7022|Default Credentials check|
match=ser
match=remote server is configured with default credentials.
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*these credentials were used to log into ([0-9]+(\.[0-9]+){3})
log=event:PVS-Default_Credentials_Detected srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:vulnerability

NEXT

id=4819
name=The Passive Vulnerability Scanner has detected a DNS Client Query.
match=pvs
match=|70
match=DNS
match=ent
match=|7024|DNS Client queries|
match=ser
match=lo
match=ed
match=observed this host perform a DNS lookup.
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*to the server at ([0-9]+(\.[0-9]+){3})
log=event:PVS-DNS_Client_Queries srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:dns

NEXT

id=4820
name=The Passive Vulnerability Scanner has reported on a DNS resolution.
match=pvs
match=|70
match=DNS
match=ol
match=ion
match=ing
match=|7026|DNS resolution reporting|
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*DNS server at ([0-9]+(\.[0-9]+){3})
log=event:PVS-DNS_Resolution_Reporting srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:dns

NEXT

id=4821
name=The Passive Vulnerability Scanner has detected a DNS Client Failed Query.
match=pvs
match=|70
match=DNS
match=ent
match=ail
match=le
match=ed
match=|7027|DNS Client Failed Query|
match=lo
match=perform a failed DNS lookup
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*DNS server at ([0-9]+(\.[0-9]+){3})
log=event:PVS-DNS_Client_Failed_Query srcip:$1 srcport:$3 dstip:$8 dstport:53 proto:$7 type:dns

NEXT

id=4822
name=The PVS has detected a Microsoft Group Policy server.
match=|70
match=ser
match=ol
match=ion
match=|7031|Microsoft Group Policy server detection
match=ect
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-Microsoft_Group_Policy_Server_Detection srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:network

NEXT

id=4823
name=The PVS has observed a Microsoft Group Policy client download.
match=|70
match=ent
match=ol
match=lo
match=ion
match=|7032|Microsoft Group Policy client download detection
match=ect
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*from server\(([0-9]+(\.[0-9]+){3})
log=event:PVS-Microsoft_Group_Policy_Client_Download_Detection srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:file-access

# id=4824 available

NEXT

id=4825
name=The PVS has detected a failed MySQL database login.
match=pvs
match=ail
match=le
match=ed
match=ailed
match=lo
match=log
match=ser
match=|5633|MySQL server failed login|
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*.*Access denied for user \'[a-zA-Z]{1,}'@'([0-9]+(\.[0-9]+){3})\'
log=event:PVS-MySQL_Server_Failed_Login srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:login-failure

NEXT

id=1950
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP.
match=pvs
match=|70
match=TP
match=HTTP
match=est
match=ion
match=|7041|HTTP request detection|The
match=ect
match=GET
# note - all of these have spaces at the end of them
match=!.asp;Referer:
match=!.avi;Referer:
match=!.bmp;Referer:
match=!.cgi;Referer:
match=!.dmg;Referer:
match=!.doc;Referer:
match=!.docx;Referer:
match=!.gif;Referer:
match=!.exe;Referer:
match=!.flv;Referer:
match=!gz;Referer:
match=!.htm;Referer:
match=!.html;Referer:
match=!.iso;Referer:
match=!.java;Referer:
match=!.jpeg;Referer:
match=!.jpg;Referer:
match=!.js;Referer:
match=!.mpg;Referer:
match=!.mpeg;Referer:
match=!.mpa;Referer:
match=!.m4a;Referer:
match=!.mp3;Referer:
match=!.mp4;Referer:
match=!.mov;Referer:
match=!.msi;Referer:
match=!.pdf;Referer:
match=!.php;Referer:
match=!.pkg;Referer:
match=!.png;Referer:
match=!.pps;Referer:
match=!.ppt;Referer:
match=!.pptx;Referer:
match=!.ra;Referer:
match=!.ram;Referer:
match=!.rar;Referer:
match=!.rpm;Referer:
match=!.rtf;Referer:
match=!.rm;Referer:
match=!.rss;Referer:
match=!.scr;Referer:
match=!.swf;Referer:
match=!.torrent;Referer:
match=!.txt;Referer:
match=!.vcd;Referer:
match=!.wav;Referer:
match=!.wma;Referer:
match=!.wmv;Referer:
match=!.xap;Referer:
match=!.xls;Referer:
match=!.xml;Referer:
match=!.xlsx;Referer:
match=!.zip;Referer:
match=!;Query: YES;
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

NEXT 

id=1951
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for an XML file.
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.xml;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_File_XML_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

NEXT

id=1952
name=The PVS Proxy has received a connection.
match=onnect
match=onnection
match=rom
match= [
match=from
match= from
match=PVS
match=(PVS Proxy)
match=Connection
match=from
match=ect
match=ion
match=Connection from
regex=Connection from ([0-9]+(\.[0-9]+){3})
log= event:PVS-Proxy_Connection type:connection srcip:$1

NEXT 

id=1953
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a web page rendered by a Microsoft Active Server Pages application.
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.asp;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Content_ASP_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

NEXT

id=1954
name=The PVS Proxy had a connection resulting in a login failure. 
match=failed
match=:
match= client
match=in
match=lo
match= [
match=:
match=(PVS Proxy)
match=ailed
match=le
match=ail
match=PVS
match=, client
match=log
match=ent
match=login
match= failed
match=client
match=ed
match=ogin
match=host
match=client
match=svr_login() failed, client host
regex=client host \: ([0-9]+(\.[0-9]+){3})
log= event:PVS-Proxy_Login_Failure srcip:$1 type:login-failure 

NEXT 

id=1955
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for an AVI video file. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.avi;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Video_AVI_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

NEXT 

id=1956
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for an BMP image file. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.bmp;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Image_BMP_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

NEXT 

id=1957
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a web site rendered by a CGI form. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.cgi;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Content_CGI_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

NEXT 

id=1959
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a DMG file which is likely a Mac OS X application file. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.dmg;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Disk_DMG_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

NEXT 

id=1960
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a Microsoft Word .doc file. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.doc;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Office_DOC_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

NEXT 

id=1961
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a Microsoft Word .docx file. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.docx;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Office_DOCX_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

NEXT

id=1962
name=The Passive Vulnerability Scanner has detected a system's NetBIOS domain name.
match=:
match=|70
match=|7030|
match=ar
match=omain
match=|17|
match= client
match=in
match=running
match=lo
match=an
match=OS
match=IN
match=17
match=ol
match=rem
match=pvs
match=FO
match=run
match=detection
match=ersion
match=ent
match=INFO
match=etection
match=client
match=ect
match=ac
match=ing
match=ion
match=|7030|NetBios domain detection|
regex=pvs: ([0-9]+(\.[0-9]+){3})
log=event:PVS-NetBIOS_Domain_Detected srcip:$1 dstip:$1 proto:17 type:network 

NEXT

id=1963
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a GIF image. 
match=GET
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=.gif;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Image_GIF_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

NEXT

id=1964
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a Windows executable file. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.exe;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Executable_EXE_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

NEXT

id=1965
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a flash video file. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.flv;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Video_FLV_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

NEXT

id=1966
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for file compressed by the Gnu Zip program. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=gz;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_File_GZ_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

NEXT

id=1967
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for an HTML file. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.htm;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Content_HTM_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

NEXT

id=1968
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for an HTML file. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.html;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Content_HTML_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

NEXT

id=1969
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a CD or DVD .iso image. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.iso;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Disk_ISO_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

NEXT

id=1970
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for Java source code. This code may have been executed by the browser. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.java;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Executable_JAVA_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

NEXT

id=1971
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a .jpeg image file. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.jpeg;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Image_JPEG_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

NEXT

id=1972
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a .jpg image file. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.jpg;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Image_JPG_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

NEXT

id=1973
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for javascript code. This code was likely executed on the downloading web browser. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.js;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Executable_JS_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

NEXT

id=1974
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for an MPEG video with a .mpg extension.
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.mpg;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Video_MPG_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

NEXT

id=1975
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for an MPEG video with a .mpeg extension.
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.mpeg;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Video_MPEG_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

NEXT

id=1976
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for an MPEG-2 audio file with a .mpa extension.
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.mpa;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Audio_MPA_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

NEXT

id=1977
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for an MPEG-4 audio file with a .m4a extension.
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.m4a;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Audio_M4A_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

NEXT

id=1978
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for an MPEG-3 audio file with a .mp3 extension.
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.mp3;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Audio_MP3_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

NEXT

id=1979
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for an MPEG-4 media file with a .mp4 extension.
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.mp4;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Media_MP4_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

NEXT

id=1980
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for an Apple Quicktime video file.
match=GET
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=.mov;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Video_MOV_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

NEXT

id=1981
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a Microsoft installer package file. 
match=GET
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=.msi;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Executable_MSI_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

NEXT

id=1982
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for an Adobe PDF or compatible file. 
match=pvs
match=|70
match=TP
match=HTTP
match=ion
match=detection
match=ect
match=est
match=|7041|HTTP request detection|The
match=GET
match=.pdf;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Office_PDF_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

NEXT

id=1983
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for dynamic content generates by a PHP program. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.php;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Content_PHP_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

NEXT

id=1984
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a Unix software package file. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.pkg;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Executable_PKG_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

NEXT

id=1985
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a PNG image file. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.png;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Image_PNG_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

NEXT

id=1986
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a Microsoft .pps PowerPoint presentation file. 
match=pvs
match=|70
match=TP
match=HTTP
match=ion
match=detection
match=ect
match=est
match=|7041|HTTP request detection|The
match=GET
match=.pps;Referer:
match=pp
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Office_PPS_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

NEXT

id=1987
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a Microsoft .ppt PowerPoint presentation file. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=pt
match=.ppt;Referer:
match=pp
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Office_PPT_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

NEXT

id=1988
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a Real Audio .ram sound file. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.ram;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Audio_RAM_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

NEXT

id=1989
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a Real Audio .ra sound file. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.ra;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Audio_RA_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

NEXT

id=1990
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a Roshal Archive .rar file.
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=ar
match=.rar;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_File_RAR_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

NEXT

id=1991
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a Redhat Package Manager .rpm file.
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.rpm;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Executable_RPM_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

NEXT

id=1992
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a Real Media audio or video file. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.rm;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Media_RM_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

NEXT

id=1993
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a Rich Site Summary .rss file. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=ss
match=.rss;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Content_RSS_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

NEXT

id=1994
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a FLASH video file. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.swf;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Media_SWF_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

NEXT

id=1996
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a .torrent file. Torrent files contain information for downloading files via common Torrent applications such as uTorrent and BitTorrent. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=ent
match=rr
match=.torrent;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_File_TORRENT_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

NEXT

id=1999
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a virtual CD image file.
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.vcd
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Disk_VCD_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

# id=1750 available

NEXT

id=1751
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for Microsoft Windows .wav audio file. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.wav;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Audio_WAV_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

NEXT

id=1752
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for Microsoft Windows .wma audio file. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.wma;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Audio_WMA_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

NEXT

id=1753
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for Microsoft Windows .wmv video file. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.wmv;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Video_WMV_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

NEXT

id=1754
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for Microsoft Windows Excel .xls spreadsheet file. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.xlsx;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Office_XLSX_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

NEXT

id=1756
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a ZIP compressed file. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.zip;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_File_ZIP_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

NEXT

id=1757
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a Microsoft .pptx PowerPoint presentation file. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=pt
match=.pptx;Referer:
match=pp
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Office_PPTX_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

NEXT

id=1758
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for an ASCII text file. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.txt;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Office_TXT_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

# id=1759 available

NEXT

id=1760
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a Rich Text Format .rtf file. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.rtf;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Office_RTF_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

NEXT

id=1761
name=The Passive Vulnerability Scanner detected a Word Document file being transmitted over SMB.
match=pvs
match=lo
match=Download
match=Do
match=ent
match=le
match=|SMB Client File Download
match=rom
match=.doc' from the
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*server on ([0-9]+(\.[0-9]+){3})
log=event:PVS-SMB_Client_DOC_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:file-access

NEXT

id=1762
name=The Passive Vulnerability Scanner detected a Word Document file being transmitted over SMB.
match=pvs
match=lo
match=Download
match=Do
match=ent
match=le
match=|SMB Client File Download
match=rom
match=.docx' from the
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*server on ([0-9]+(\.[0-9]+){3})
log=event:PVS-SMB_Client_DOCX_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:file-access

NEXT

id=1763
name=The Passive Vulnerability Scanner detected an Excel spreadsheet being transmitted over SMB.
match=pvs
match=lo
match=Download
match=Do
match=ent
match=le
match=|SMB Client File Download
match=rom
match=.xls' from the
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*server on ([0-9]+(\.[0-9]+){3})
log=event:PVS-SMB_Client_XLS_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:file-access

NEXT

id=1764
name=The Passive Vulnerability Scanner detected an Excel spreadsheet being transmitted over SMB.
match=pvs
match=lo
match=Download
match=Do
match=ent
match=le
match=|SMB Client File Download
match=rom
match=.xlsx' from the
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*server on ([0-9]+(\.[0-9]+){3})
log=event:PVS-SMB_Client_XLSX_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:file-access

NEXT

id=1765
name=The Passive Vulnerability Scanner detected a PowerPoint file being transmitted over SMB.
match=pvs
match=lo
match=Download
match=Do
match=ent
match=le
match=|SMB Client File Download
match=rom
match=pt
match=.ppt' from the
match=pp
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*server on ([0-9]+(\.[0-9]+){3})
log=event:PVS-SMB_Client_PPT_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:file-access

NEXT

id=1766
name=The Passive Vulnerability Scanner detected a PowerPoint file being transmitted over SMB.
match=pvs
match=lo
match=Download
match=Do
match=ent
match=le
match=|SMB Client File Download
match=rom
match=pt
match=.pptx' from the
match=pp
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*server on ([0-9]+(\.[0-9]+){3})
log=event:PVS-SMB_Client_PPTX_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:file-access

NEXT

id=1767
name=The Passive Vulnerability Scanner detected a PowerPoint presentation file being transmitted over SMB.
match=pvs
match=lo
match=Download
match=Do
match=ent
match=le
match=|SMB Client File Download
match=rom
match=.pps' from the
match=pp
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*server on ([0-9]+(\.[0-9]+){3})
log=event:PVS-SMB_Client_PPS_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:file-access

NEXT

id=1768
name=The Passive Vulnerability Scanner detected an ASCII text file being transmitted over SMB.
match=pvs
match=lo
match=Download
match=Do
match=ent
match=le
match=|SMB Client File Download
match=rom
match=.txt' from the
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*server on ([0-9]+(\.[0-9]+){3})
log=event:PVS-SMB_Client_TXT_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:file-access

NEXT

id=1769
name=The Passive Vulnerability Scanner detected a Rich Text Format document file being transmitted over SMB.
match=pvs
match=lo
match=Download
match=Do
match=ent
match=le
match=|SMB Client File Download
match=rom
match=.rtf' from the
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*server on ([0-9]+(\.[0-9]+){3})
log=event:PVS-SMB_Client_RTF_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:file-access

NEXT

id=1770
name=The Passive Vulnerability Scanner detected an Adobe PDF file being transmitted over SMB.
match=pvs
match=lo
match=Download
match=Do
match=ent
match=le
match=|SMB Client File Download
match=rom
match=.pdf' from the
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*server on ([0-9]+(\.[0-9]+){3})
log=event:PVS-SMB_Client_PDF_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:file-access

NEXT

id=1771
name=The Passive Vulnerability Scanner detected an Outlook mailbox file being transmitted over SMB.
match=pvs
match=lo
match=Download
match=Do
match=ent
match=le
match=|SMB Client File Download
match=rom
match=.pst' from the
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*server on ([0-9]+(\.[0-9]+){3})
log=event:PVS-SMB_Client_PST_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:file-access

# id=1772 available
# id=1773 available
# id=1774 available
# id=1775 available
# id=1776 available
# id=1777 available
# id=1778

NEXT

id=1779
name=The Passive Vulnerability Scanner detected a comma seperated variable file being transmitted over SMB.
match=pvs
match=lo
match=Download
match=Do
match=ent
match=le
match=|SMB Client File Download
match=rom
match=.csv' from the
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*server on ([0-9]+(\.[0-9]+){3})
log=event:PVS-SMB_Client_CSV_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:file-access

NEXT

id=1780
name=The Passive Vulnerability Scanner detected a SQL database file being transmitted over SMB.
match=pvs
match=lo
match=Download
match=Do
match=ent
match=le
match=|SMB Client File Download
match=rom
match=.sql' from the
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*server on ([0-9]+(\.[0-9]+){3})
log=event:PVS-SMB_Client_SQL_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:file-access

# id=1781 available
# id=1782 available

NEXT

id=1783
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a Microsoft screensaver or silverlight file with a .scr extension.
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.scr;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Media_SCR_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

# id=1784 available

NEXT

id=1785
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a Silverlight .xap file.
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.xap;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Media_XAP_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

NEXT 

id=1786
name=The Passive Vulnerability Scanner has detected a system performing a web querry. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=;Query: YES;
match=!;Host: www.google.com;
match=!search.yahoo.com;User-Agent:
match=!Host: www.bing.com;
match=!.wikipedia.org;User-Agent:
match=!Host: www.ask.com
match=!.baidu.com;
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Query_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

NEXT 

id=1787
name=The Passive Vulnerability Scanner has detected a system performing a Baiduweb search. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=;Query: YES;
match=.baidu.com;
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Query_Baidu_Search srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access


NEXT 

id=1788
name=The Passive Vulnerability Scanner has detected a system performing a web querry to Google.
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=;Query: YES;
match=le
match=;Host: www.google.com;
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Query_Google_Search srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

NEXT 

id=1789
name=The Passive Vulnerability Scanner has detected a system performing a web search to Yahoo. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=;Query: YES;
match=ent
match=ser
match=ar
match=search.yahoo.com;User-Agent:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Query_Yahoo_Search srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

NEXT 

id=1790
name=The Passive Vulnerability Scanner has detected a system performing a web search to Microsoft Bing. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=;Query: YES;
match=ing
match=Host: www.bing.com;
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Query_Bing_Search srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

NEXT 

id=1791
name=The Passive Vulnerability Scanner has detected a system performing a Wikipedia web search. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=;Query: YES;
match=ent
match=ser
match=ed
match=.wikipedia.org;User-Agent:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Query_Wikipedia_Search srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

NEXT 

id=1792
name=The Passive Vulnerability Scanner has detected a system performing an Ask.com web search. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=;Query: YES;
match=Host: www.ask.com
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Query_Ask.Com_Search srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:$4 type:web-access

NEXT

id=1793
name=The Passive Vulnerability Scanner has detected an email attachment.
match=pvs
match=|70
match=ail
match=Email
match=ect
match=ion
match=detection
match=ent
match=|7042|Email attachment detection
match=!.doc' from the
match=!.docx' from the
match=!.exe' from the
match=!.msi' from the
match=!.pdf' from the
match=!.pps' from the
match=!.pst' from the
match=!.ppt' from the
match=!.pptx' from the
match=!.rtf' from the
match=!.xls' from the
match=!.xlsx' from the
match=!.vcf' from the
match=!.zip' from the
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7042\|.*SMTP server at \(([0-9]+(\.[0-9]+){3})\)
log=event:PVS-Email_Attachment_Detection type:file-access srcip:$1 srcport:$3 dstip:$5 dstport:25 proto:$4

NEXT

id=1794
name=The Passive Vulnerability Scanner has detected Dropbox installed on the remote host.
match=pvs
match=sta
match=|4936|
match=le
match=ed
match=|Dropbox is installed
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|4936|Dropbox is installed
log=event:PVS-Dropbox_Detected type:file-access srcip:$1 srcport:$3 dstip:$5 proto:$4

# Beginning IDs at 4827 due to duplicate issues at 1800

NEXT

id=4827
name=The Passive Vulnerability Scanner detected an executable file being transmitted as an email attachment.
match=pvs
match=|70
match=ail
match=Email
match=ect
match=ion
match=detection
match=ent
match=|7042|Email attachment detection
match=.exe" as an
match=an
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7042\|.*SMTP server at \(([0-9]+(\.[0-9]+){3})\)
log=event:PVS-Email_Attachment_EXE_Detected type:file-access srcip:$1 srcport:$3 dstip:$5 dstport:25 proto:$4


NEXT

id=4829
name=The Passive Vulnerability Scanner detected a Word Document file being transmitted as an email attachment.
match=pvs
match=|70
match=ail
match=Email
match=ect
match=ion
match=detection
match=ent
match=|7042|Email attachment detection
match=.doc" as an
match=an
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7042\|.*SMTP server at \(([0-9]+(\.[0-9]+){3})\)
log=event:PVS-Email_Attachment_DOC_Detected type:file-access srcip:$1 srcport:$3 dstip:$5 dstport:25 proto:$4


NEXT

id=4830
name=The Passive Vulnerability Scanner detected a Word Document file being transmitted as an email attachment.
match=pvs
match=|70
match=ail
match=Email
match=ect
match=ion
match=detection
match=ent
match=|7042|Email attachment detection
match=.docx" as an
match=an
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7042\|.*SMTP server at \(([0-9]+(\.[0-9]+){3})\)
log=event:PVS-Email_Attachment_DOCX_Detected type:file-access srcip:$1 srcport:$3 dstip:$5 dstport:25 proto:$4

NEXT

id=4834
name=The Passive Vulnerability Scanner has detected an FTP server session start.
match=|5972|FTP Server session inititated
match=in
match=TP
match=Server
match=FTP
match=pvs
match=session
match=|6|
match=ed
match=ss
match=ate
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-FTP_Server_Session_Started srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network

NEXT

id=4835
name=The Passive Vulnerability Scanner detected an installable executable file being transmitted as an email attachment.
match=pvs
match=|70
match=ail
match=Email
match=ect
match=ion
match=detection
match=ent
match=|7042|Email attachment detection
match=.msi" as an
match=an
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7042\|.*SMTP server at \(([0-9]+(\.[0-9]+){3})\)
log=event:PVS-Email_Attachment_MSI_Detected type:file-access srcip:$1 srcport:$3 dstip:$5 dstport:25 proto:$4

# id=4836 available

NEXT

id=4837
name=The PVS has observed a node perform an mDNS querry.
match=|7051|
match=|70
match=|17|
match=lo
match=Client
match= PVS has observed
match=17
match=DNS
match=ser
match=ce
match=pvs
match=PVS
match=for
match=ersion
match=ent
match=ed
match=host
match=ion
regex=pvs: ([0-9]+(\.[0-9]+){3})\:.* server at ([0-9]+(\.[0-9]+){3})
log=event:PVS-mDNS_Lookup type:dns srcip:$1 dstip:$3 proto:17

NEXT

id=4838
name=The Passive Vulnerability Scanner detected an PDF file being transmitted as an email attachment.
match=pvs
match=|70
match=ail
match=Email
match=ect
match=ion
match=detection
match=ent
match=|7042|Email attachment detection
match=.pdf" as an
match=an
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7042\|.*SMTP server at \(([0-9]+(\.[0-9]+){3})\)
log=event:PVS-Email_Attachment_PDF_Detected type:file-access srcip:$1 srcport:$3 dstip:$5 dstport:25 proto:$4

NEXT

id=4839
name=The Passive Vulnerability Scanner detected a PPS file being transmitted as an email attachment.
match=pvs
match=|70
match=ail
match=Email
match=ect
match=ion
match=detection
match=ent
match=|7042|Email attachment detection
match=.pps" as an
match=pp
match=an
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7042\|.*SMTP server at \(([0-9]+(\.[0-9]+){3})\)
log=event:PVS-Email_Attachment_PPS_Detected type:file-access srcip:$1 srcport:$3 dstip:$5 dstport:25 proto:$4

NEXT

id=4840
name=The Passive Vulnerability Scanner detected a PST file being transmitted as an email attachment.
match=pvs
match=|70
match=ail
match=Email
match=ect
match=ion
match=detection
match=ent
match=|7042|Email attachment detection
match=.pst" as an
match=an
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7042\|.*SMTP server at \(([0-9]+(\.[0-9]+){3})\)
log=event:PVS-Email_Attachment_PST_Detected type:file-access srcip:$1 srcport:$3 dstip:$5 dstport:25 proto:$4

NEXT

id=4841
name=The Passive Vulnerability Scanner detected a PowerPoint file being transmitted as an email attachment.
match=pvs
match=|70
match=ail
match=Email
match=ect
match=ion
match=detection
match=ent
match=|7042|Email attachment detection
match=pt
match=.ppt" as an
match=pp
match=an
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7042\|.*SMTP server at \(([0-9]+(\.[0-9]+){3})\)
log=event:PVS-Email_Attachment_PPT_Detected type:file-access srcip:$1 srcport:$3 dstip:$5 dstport:25 proto:$4

NEXT

id=4842
name=The Passive Vulnerability Scanner detected a PowerPoint file being transmitted as an email attachment.
match=pvs
match=|70
match=ail
match=Email
match=ect
match=ion
match=detection
match=ent
match=|7042|Email attachment detection
match=pt
match=.pptx" as an
match=pp
match=an
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7042\|.*SMTP server at \(([0-9]+(\.[0-9]+){3})\)
log=event:PVS-Email_Attachment_PPTX_Detected type:file-access srcip:$1 srcport:$3 dstip:$5 dstport:25 proto:$4

NEXT

id=4843
name=The Passive Vulnerability Scanner detected a Rich Text file being transmitted as an email attachment.
match=pvs
match=|70
match=ail
match=Email
match=ect
match=ion
match=detection
match=ent
match=|7042|Email attachment detection
match=.rtf" as an
match=an
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7042\|.*SMTP server at \(([0-9]+(\.[0-9]+){3})\)
log=event:PVS-Email_Attachment_RTF_Detected type:file-access srcip:$1 srcport:$3 dstip:$5 dstport:25 proto:$4

NEXT

id=4844
name=The Passive Vulnerability Scanner detected a Microsoft Excel file being transmitted as an email attachment.
match=pvs
match=|70
match=ail
match=Email
match=ect
match=ion
match=detection
match=ent
match=|7042|Email attachment detection
match=.xls" as an
match=an
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7042\|.*SMTP server at \(([0-9]+(\.[0-9]+){3})\)
log=event:PVS-Email_Attachment_XLS_Detected type:file-access srcip:$1 srcport:$3 dstip:$5 dstport:25 proto:$4

NEXT

id=4845
name=The Passive Vulnerability Scanner detected a Microsoft Excel file being transmitted as an email attachment.
match=pvs
match=|70
match=ail
match=Email
match=ect
match=ion
match=detection
match=ent
match=|7042|Email attachment detection
match=.xlsx" as an
match=an
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7042\|.*SMTP server at \(([0-9]+(\.[0-9]+){3})\)
log=event:PVS-Email_Attachment_XLSX_Detected type:file-access srcip:$1 srcport:$3 dstip:$5 dstport:25 proto:$4

NEXT

id=4846
name=The Passive Vulnerability Scanner detected a VCF file being transmitted as an email attachment.
match=pvs
match=|70
match=ail
match=Email
match=ect
match=ion
match=detection
match=ent
match=|7042|Email attachment detection
match=.vcf" as an
match=an
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7042\|.*SMTP server at \(([0-9]+(\.[0-9]+){3})\)
log=event:PVS-Email_Attachment_VCF_Detected type:file-access srcip:$1 srcport:$3 dstip:$5 dstport:25 proto:$4

NEXT

id=4847
name=The Passive Vulnerability Scanner detected a ZIP file being transmitted as an email attachment.
match=pvs
match=|70
match=ail
match=Email
match=ect
match=ion
match=detection
match=ent
match=|7042|Email attachment detection
match=.zip" as an
match=an
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7042\|.*SMTP server at \(([0-9]+(\.[0-9]+){3})\)
log=event:PVS-Email_Attachment_ZIP_Detected type:file-access srcip:$1 srcport:$3 dstip:$5 dstport:25 proto:$4

NEXT

id=4848
name=The Passive Vulnerability Scanner detected a Credit Card number being leaked.
match=pvs
match=|70
match=|6|
match=|7044
match=ect
match=ion
match=detection
match=Data
match=ent
match=|7044|Client Data Leakage detection|
match=ar
match=ed
match=pp
match=ss
match=Credit Card Number
#regex=Session data\: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}) to ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-Credit_Card_Client_Data_Leakage_Detected srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:data-leak

NEXT

id=4849
name=The Passive Vulnerability Scanner detected a Social Security number being leaked.
match=pvs
match=|70
match=|6|
match=|7044
match=ect
match=ion
match=Client
match=client
match=detection
match=Data
match=ent
match=|7044|Client Data Leakage detection|
match=ecu
match=ty
match=pp
match=ss
match=Social Security Number
#regex=Session data\: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}) to ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-Social_Security_Number_Client_Data_Leakage_Detected srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:data-leak

### 4850 to 4879 taken by Cisco switch PRMs

NEXT

id=4880
name=The Passive Vulnerability Scanner detected a Facebook user ID being transmitted.
match=pvs
match=ser
match=ce
match=ace
match=ion
match=|7045|FaceBook UserID User Enumeration|
match=|70
match=ss
match=ass
match=ate
match=ed
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-Facebook_ID_Detected srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:social-networks

NEXT

id=4881
name=The Passive Vulnerability Scanner detected a Credit Card number being leaked.
match=pvs
match=|6|
match=|70
match=|7044
match=Data
match=ect
match=ion
match=|7044|Server Data Leakage detection|
match=ar
match=ed
match=pp
match=ss
match=Credit Card Number
#regex=Session data\: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}) to ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-Credit_Card_Server_Data_Leakage_Detected srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:data-leak

NEXT

id=4882
name=The Passive Vulnerability Scanner detected a Social Security number being leaked.
match=pvs
match=|6|
match=|70
match=|7044
match=Data
match=ect
match=ent
match=ion
match=|7044|Server Data Leakage detection|
match=ecu
match=ty
match=ed
match=pp
match=Social Security Number
#regex=Session data\: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}) to ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-Social_Security_Number_Server_Data_Leakage_Detected srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:data-leak

NEXT

id=4883
name=The Passive Vulnerability Scanner has detected a Facebook status update.
match=pvs
match=|6|
match=ce
match=ace
match=St
match=ate
match=Facebook Status Update
match=date
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-Facebook_Status_Update_Detected srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:social-networks

NEXT

id=4884
name=The Passive Vulnerability Scanner has detected CPE Data
match=pvs
match=|70
match=|7025|CPE Data|
match=tem
match=ate
match=le
match=ed
match=ss
match= It is possible to enumerate the CPE names that matched on the remote system
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-CPE_Data_Detected srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:network

NEXT

id=4885
name=The Passive Vulnerability Scanner has detected the start of a SSH server session.
match=pvs
match=SSH
match=St
match=ion
match=ar
match=ss
match=|5936|PVS-SSH-Server-Session_Start|
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-SSH_Server_Session_Start srcip:$3 srcport:$4 dstip:$1 dstport:$2 proto:6 type:network

NEXT

id=4886
name=The Passive Vulnerability Scanner has detected the start of a SSH session.
match=pvs
match=SSH
match=St
match=ion
match=ar
match=ss
match=|5937|PVS-SSH-Session_Start|
match=SSH-2.0-OpenSSH
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-SSH_Session_Start srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:network

NEXT

id=4887
name=The Passive Vulnerability Scanner has detected a VNC server session.
match=pvs
match=VNC
match=ect
match=ion
match=|5934|VNC Detection|
regex=pvs:[ ]*([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-VNC_Session_Started srcip:$3 srcport:$4 dstip:$1 dstport:$2 proto:6 type:network

NEXT

id=4888
name=The Passive Vulnerability Scanner has detected a Windows RDP server session.
match=pvs
match=RDP
match=ion
match=indo
match=ce
match=|Windows RDP / Terminal Services Detection
match=ect
match={00}
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-Windows_RDP_Session_Started srcip:$3 srcport:$4 dstip:$1 dstport:$2 proto:6 type:network

NEXT

id=4889
name=The Passive Vulnerability Scanner has detected the start of an SSL session.
match=pvs
match=|70
match=SSL
match=ion
match=ss
match=session
match=sta
match=ar
match=start
match=ing
match=|7046|SSL session starting|
match=ssl session starting
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|.*DIP:([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:PVS-SSL_Session_Starting srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network

NEXT

id=4890
name=The PVS has observed a local network user read their LinkedIn mail.
match=pvs
match=|6|
match=ail
match=ed
match=|5958|LinkedIn read Email|
match=GET{20}/mbox
match=GET
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-LinkedIn_Read_Email type:social-networks srcip:$3 srcport:$4 dstip:$1 dstport:$2 proto:6

NEXT

id=4891
name=The PVS has observed a local network user create a LinkedIn message.
match=pvs
match=|6|
match=Link
match=ate
match=ed
match=ss
match=|5959|LinkedIn create message|
match=TP
match=|HTTP/1.1{20}200{20}OK{0d}
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-LinkedIn_Create_Message type:social-networks srcip:$3 srcport:$4 dstip:$1 dstport:$2 proto:6

NEXT

id=4892
name=The PVS has observed a local network user access the LinkedIn service. 
match=pvs
match=|6|
match=Link
match=ser
match=ed
match=|5960|LinkedIn User Name|
match=rom
match=&fromName
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-LinkedIn_User_Name type:social-networks srcip:$3 srcport:$4 dstip:$1 dstport:$2 proto:6

NEXT

id=4893
name=The PVS has observed a local network user update their LinkedIn status.
match=pvs
match=|6|
match=Link
match=sta
match=ate
match=ed
match=|5955|LinkedIn status update|
match=date
match=ent
match=The remote client updated their LinkedIn status with:
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-LinkedIn_Status_Update type:social-networks srcip:$3 srcport:$4 dstip:$1 dstport:$2 proto:6

NEXT

id=4894
name=The PVS has observed a local network user update their LinkedIn profile.
match=pvs
match=|6|
match=Link
match=ate
match=le
match=ed
match=|5957|LinkedIn profile update|
match=date
match=ent
match=The remote client edited their LinkedIn profile
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-LinkedIn_Profile_Update type:social-networks srcip:$3 srcport:$4 dstip:$1 dstport:$2 proto:6

NEXT

id=4895
name=The PVS has observed a local Xbox log into the Microsoft Xbox Live network, most likley to play online games. 
match=pvs
match=|17|
match=Lo
match=|5961|Xbox Live Login
match=ion
match=Xbox{20}Version=
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-Xbox_Live_Login type:web-access srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:17

NEXT

id=4896
name=The PVS has detected non HTTP traffic over port 80. Many potentially legitimate services, such as some forms of video streaming and desktop sharing, communicate over port 80 but do not use the HTTP protocol. Many forms of back doors and botnet command and control systems also run non-HTTP services over port 80. Any alerts from this rule should be treated with caution and suspicion until the connection can be properly identified. 
match=pvs
match=|70
match=TP
match=|7048|Non-HTTP traffic over port 80|
match=rom
match=ss
match=ass
match=ed
match=Non-HTTP traffic passed over port 80 from
match=rr
match=has occurred
regex=from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) to ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:PVS-Non_HTTP_Traffic_Over_Port_80 type:network srcip:$1 dstip:$2 dstport:80 proto:6

NEXT

id=4897
name=One of your local systems has been compromised through a MetaSploit payload and has downloaded a staging executable from the MetaSploit server. 
match=pvs
match=|6|
match=ion
match=detection
match=ect
match=lo
match=ed
match=|5974|MetaSploit exploited machine detection|
match=ser
match=rom
match=The remote host has been compromised by a MetaSploit server
match=sta
match=ecu
match=ing
match=le
match=staging executable from the server at
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-MetaSploit_Exploited_Machine_Detection type:intrusion srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6

NEXT

id=4898
name=One of your local systems has been compromised through a MetaSploit payload and is communicating back to the MetaSploit server. 
match=pvs
match=|6|
match=ion
match=detection
match=ect
match=lo
match=ed
match=|5975|MetaSploit exploited machine detection|
match=ser
match=rom
match=ing
match=The machine was just observed connecting to the server to register itself as a connection
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-MetaSploit_Exploited_Machine_Detection type:intrusion srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6

NEXT

id=4899
name=One of your local systems has been compromised through a MetaSploit payload and is communicating via HTTP back to the MetaSploit server. 
match=pvs
match=|6|
match=ect
match=ion
match=detection
match=ser
match=lo
match=|5976|MetaSploit server detection|
match=ed
match=an
match=tp
match=reverse http meterpreter
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-MetaSploit_Server_Detection type:intrusion srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6

NEXT

# Skipping IDs 4900-4920 due to use elsewhere

id=4921
name=The PVS has observed a local host steam video from the Hulu online video service. 
match=pvs
match=|6|
match=ion
match=detection
match=ect
match=ss
match=session
match=sta
match=ar
match=|5953|Hulu start video session detection|
match=ent
match=ing
match=ed
match=The remote hulu client just started watching
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-Hulu_Start_Video_Session_Detected type:web-access srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6

NEXT

id=4922
name=XM Radio usage detection. A local host was identified by the PVS streaming music from XM Radio. 
match=pvs
match=|6|
match=ion
match=detection
match=ect
match=|5962|XM Radio usage detection|
match=ent
match=lo
match=log
match=ser
match=ing
match=ed
match=The remote client was observed logging into their XM radio account
match=The user account was logged as
match=acc
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-XM_Radio_Usage_Detected type:web-access srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6

NEXT

id=4923
name=Box.net file share detection. This event indicates that the PVS has observed a computer upload a file to the box.net online service.
match=pvs
match=|6|
match=ion
match=detection
match=ect
match=ar
match=le
match=|5949|Box.net file share detection|
match=ent
match=The remote host is a Box.net client
match=ail
match=ol
match=lo
match=ing
match=The following email recipients were sent a box.net file
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-Box.net_File_Share_Detection type:web-access srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6

NEXT

id=4924
name=Box.net file share detection. This event indicates that the PVS has observed a computer upload a file to the box.net online service.
match=pvs
match=ion
match=detection
match=ect
match=ar
match=le
match=|5950|Box.net file share detection|
match=ent
match=The remote host is a Box.net client
match=ol
match=lo
match=ing
match=ed
match=The following file was just uploaded to box.net
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-Box.net_File_Share_Detection type:web-access srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6

NEXT

id=4925
name=Hotmail User ID detection.  This event indicates that the PVS has detected a Hotmail User ID being transmitted.
match=pvs
match=ion
match=detection
match=ect
match=ser
match=ail
match=|5963|Hotmail UserID detection|
match=Hotmail UserID is
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-Hotmail_User_ID_Detection type:web-access srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6

NEXT

id=4926
name=BitTorrent Protocol Detection.  This event indicates that the PVS has detected a host participating in BitTorrent activity.
match=pvs
match=5947
match=ent
match=rr
match=ol
match=ion
match=|5947|BitTorrent Protocol Detection|
match=ect
match=etection
match=To
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]{1,3})\|
log=event:PVS-BitTorrent_Protocol_Detection type:network srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:$5

NEXT

id=4927
name=The Passive Vulnerability Scanner has detected a DNS query from a remote client.
match=pvs
match=|70
match=DNS
match=ent
match=|7024|DNS Client Queries|
match=ser
match=ed
match= PVS has observed
match=est
match=ol
match=lo
match=ion
match=ing
match=This client has requested name resolution for the following
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*server at ([0-9]+(\.[0-9]+){3})
log=event:PVS-DNS_Top_Level_Domain_Querries srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:$7 type:dns

NEXT

id=4928
name=The Passive Vulnerability Scanner has detected an FTP session start.
match=|5973|FTP Client session
match=in
match=TP
match=Client
match=FTP
match=pvs
match=ent
match=session
match=|6|
match=ed
match=ion
match=ss
match=ate
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-FTP_Client_Session_Started srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network

NEXT

id=4929
name=The Passive Vulnerability Scanner has found a new User-Agent string in the web browser list of a monitored node. 
match=|70
match=|7023
match=Web Agent Enumeration
match= client
match=in
match=lo
match= -
match=ser
match=ol
match=pvs
match=ersion
match=ent
match=|6|
match=client
match=put
match=ing
match=ion
match=client
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-New_Web_Agent srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:detected-change

NEXT

id=4930
name=The Passive Vulnerability Scanner has found a .dll file being downloaded from a remote website.
match=|60
match=|6033
match=dll
match=File Download Detection
match=ect
match= web
match= client
match=lo
match=ded
match=pvs
match=al
match=|6|
match=file
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-DLL_File_Downloaded srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access
 
NEXT

id=4931
name=The Passive Vulnerability Scanner has found a .dll file being downloaded from a remote website.
match=|60
match=|6034
match=dll
match=File Download Detection
match=ect
match= web
match= client
match=lo
match=al
match=ded
match=pvs
match=|6|
match=file
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-DLL_File_Downloaded srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access

NEXT

id=4932
name=The Passive Vulnerability Scanner has found a .dll file being downloaded from a remote website.
match=|60
match=|6035
match=dll
match=File Download Detection
match=ect
match= web
match= client
match=lo
match=al
match=ded
match=pvs
match=|6|
match=file
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-DLL_File_Downloaded srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access

NEXT

id=4933
name=The Passive Vulnerability Scanner has found a .dll file being downloaded from a remote website.
match=|60
match=|6036
match=dll
match=File Download Detection
match=ect
match= web
match= client
match=al
match=lo
match=ded
match=pvs
match=|6|
match=file
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-DLL_File_Downloaded srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access

NEXT

id=4934
name=The Passive Vulnerability Scanner has detected a Facebook profile edit.
match=|5887|Facebook profile edit
match=file
match=:
match=ce
match=ace
match=le
match=pvs
match=:80
match=|6|
match=ac
match=ed
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-Facebook_Profile_Edit srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:social-networks

NEXT

id=4935
name=The Passive Vulnerability Scanner has detected a host running a Tumblr client uploading a photo
match=|60
match=|6048
match=ho
match=photo
match=Tumblr photo upload detection
match=etection
match= network
match= service
match=al
match=erv
match=ice
match=pvs
match=ect
match=run
match=|6|
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-Tumblr_Photo_Uploaded srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access

NEXT

id=4936
name=The Passive Vulnerability Scanner has detected a host running a Tumblr client updating a blog
match=|60
match=|6047
match=blog
match=Tumblr blog edit detection
match=etection
match= network
match= service
match=erv
match=ice
match=pvs
match=ect
match=al
match=run
match=ho
match=|6|
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-Tumblr_Blog_Uploaded srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access

NEXT

id=4937
name=The Passive Vulnerability Scanner has detected a host accessing an iheartradio stream
match=|60
match=|6049
match=radio
match=iheartradio stream detection
match=etection
match= user
match= name
match=sso
match=ss
match=cia
match=pvs
match=ect
match=ho
match=|6|
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*stream is: ([^ ]{1,30})
log=event:PVS-Iheartradio_Stream_Accessed srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access user:$8

NEXT

id=4938
name=The Passive Vulnerability Scanner has detected a host running a Netflix client
match=|60
match=|6040
match=NetFlix
match=NetFlix user detection
match=etection
match=al
match= stream
match= videos
match=vid
match=eos
match=pvs
match=ect
match=ho
match=run
match=|6|
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-NetFlix_Client_Detected srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access

NEXT

id=4939
name=The Passive Vulnerability Scanner has detected a host running a Netflix client
match=|60
match=|6042
match=NetFlix
match=NetFlix user detection
match=etection
match= stream
match= videos
match=al
match=vid
match=eos
match=pvs
match=ect
match=run
match=ho
match=|6|
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-NetFlix_User_Detected srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access

NEXT

id=4940
name=The PVS has detected a user login to the AOL chat service. 
match=User
match=|70
match=|7017|AIM
match= client
match=associated
match=ser
match=pvs
match=cia
match=ent
match=|6|
match=client
match=ass
match=ed
match=ion
match=sso
match=ss
match=ate
regex=pvs: ([0-9]+(\.[0-9]+){3}):.*client is: ([^ ]{1,30})
log=event:PVS-AIM_User_Detected srcip:$1 dstip:$1 proto:6 type:login user:$3

NEXT

id=4941
name=The PVS has detected the presence of a vulnerable ActiveX widget on one of your web servers. 
match= web
match=|70
match=|7020|
match=ar
match=ded
match=in
match=lo
match=an
match=IN
match= PVS has observed
match=associated
match=ser
match=ce
match=ol
match=CL
match= on
match=ecu
match=PVS
match=FO
match=cia
match=ersion
match=ty
match=|6|
match=INFO
match=ass
match=put
match=ing
match=ed
match=st
match=ion
match=sso
match=ss
match=ate
match=al
match=erv
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-Vulnerable_ActiveX_Component_Detected srcip:$1 dstip:$4 proto:6 type:vulnerability 

NEXT

id=4942
name=The PVS has detected a web session which leveraged unencrypted HTTP authentication.
match=in
match=TP
match=nti
match=pvs
match=ent
match=HTTP
match=|6|
match=ass
match=uthentication
match=ion
match=ss
match=|3018|HTTP Plaintext
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-HTTP_Plaintext_Authentication srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access

NEXT

id=4943
name=The Passive Vulnerability Scanner has detected a host running a GoToMyPC client
match=|60
match=|6055
match=GoToMyPC
match=GoToMyPC Detected
match=etected
match= remote
match= administration
match=pvs
match=|6|
match=ho
match=ote
match=rem
match=To
match=ersion
match=ect
match=ed
match=st
match=host
match=ion
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-GoToMyPC_Detected srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access

NEXT

id=4944
name=The Passive Vulnerability Scanner has detected a host running a World of Warcraft/Battle.net client
match=|60
match=|6061
match=World of Warcraft
match=World of Warcraft/Battle.net Detected
match=etected
match= online
match= games
match=pvs
match=|6|
match=nti
match=ote
match=ce
match=le
match= on
match=rem
match= remote
match=for
match=run
match=ire
match=ersion
match=ent
match=ect
match=uthentication
match=ac
match=ed
match=st
match=acc
match=ess
match=host
match=ion
match=client
match=ss
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-World_of_Warcraft_Battle.net_Detected srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access

NEXT 

id=4945
name=The Passive Vulnerability Scanner has detected a host logging into the PS3 Network
match=|60
match=|6063
match=PS3 Login
match=PS3 Login detection
match=etection
match=pvs
match=|6|
match=ote
match=ersion
match=ect
match=etw
match=ork
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-PS3_Network_Login_Detected srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access

NEXT

id=4946
name=The Passive Vulnerability Scanner has detected a remote client initiating a VNC connection
match=|60
match=|6065
match=VNC Client
match=VNC Client Session started
match=arted
match=pvs
match=|6|
match=ated
match=init
match=cli
match=ent
match=ect
match=ion
match=rem
match=ote
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-VNC_Client_Connection_Started srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network


NEXT

id=4947
name=The Passive Vulnerability Scanner has detected a connection to the Andriod Marketplace
match=|60
match=|6066
match=Android Market
match=Android Market detection
match=ccessed
match=pvs
match=|6|
match=dev
match=ice
match=dr
match=oid
match=rem
match=ote
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-Android_Market_Connection_Started srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access

NEXT

id=4948
name=The Passive Vulnerability Scanner has detected a host running PCAnywhere
match=|17|
match=an
match=17
match=608
match=Symantec
match=|60
match=pcAnywhere
match=pcAnywhere Detection
match=er
match=etection
match=ect
match=|6087
match=ion
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-PCAnywhere_Detected srcip:$4 srcport:$6 dstip:$1 dstport:$3 proto:6 type:network

NEXT

id=4949
name=The Passive Vulnerability Scanner has detected an SSH server session start.
match=SSH
match=608
match=time
match=|60
match=er
match=alt
match=|6088
match=|6|
match=etection
match=ver
match=ect
match=SSH Server
match=ion
match=al
match=erv
match=SSH Server Detection
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-SSH_Server_Detected srcip:$4 srcport:$6 dstip:$1 dstport:$3 proto:6 type:network

NEXT

id=4950
name=The Passive Vulnerability Scanner has detected a SSH client login
match=|60
match=|6089
match=SSH
match=SSH Client
match=SSH Client login detected (realtime)
match=log
match=pvs
match=|6|
match=lo
match=in
match=ogin
match=login
match=Client
match=ent
match=etected
match=detected
match=alt
match=ed
match=al
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-SSH_Client_Login_Detected srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network

NEXT

id=4951
name=The Passive Vulnerability Scanner has detected a client uploading a file to Google Music
match=|60
match=|6091
match=Google music
match=Google music client upload detection
match=pvs
match=|6|
match=upl
match=oad
match=mus
match=ic
match=Goo
match=gle
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-Google_Music_Upload_Detected srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access

NEXT

id=4952
name=The Passive Vulnerability Scanner has detected a client starting a Google Music session
match=|60
match=|6092
match=Google music
match=Google music client session initiated
match=pvs
match=|6|
match=str
match=eam
match=mus
match=ic
match=Goo
match=gle
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-Google_Music_Upload_Detected srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access

NEXT

id=4953
name=The Passive Vulnerability Scanner has detected a FTP session where a file was uploaded
match=|61
match=|6103
match=FTP file
match=FTP file upload detection
match=ect
match=file
match=FTP
match=ST
match=etection
match=|6|
match=pvs
match=STOR
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-FTP_File_Upload_Detected srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:file-access

NEXT

id=4954
name=The LCE has summarized detected SSL Certificate organization names from observed SSL sessions by the Passive Vulnerability Scanner. 
match=ar
match=ho
match=in
match=ser
match=ce
match=ol
match=session
match=SSL
match=ver
match=ing
match=st
match=ess
match=host
match=ion
match=ss
match=erv
match=SSL_Cert_Summary
regex=host ([0-9]+(\.[0-9]+){3})
log=event:SSL_Cert_Summary srcip:$1 proto:6 type:network

NEXT

id=4955
name=The PVS has observed a host perform DNS lookups to a new DNS server. Active DNS servers in use should be audited to ensure that internal systems are configured correctly.
match=|70
match=ho
match=|17|
match=in
match=lo
match=Client
match=17
match=DNS
match=ser
match=ol
match=to the following
match=for
match=to
match=er
match=ersion
match=ent
match=ver
match=ing
match=ed
match=st
match=host
match=ion
match=erv
match=|7053|
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-New_DNS_Server_In_Use srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:17 type:dns

NEXT

id=4956
name=The PVS has detected a telnet account. 
match=|62
match=|6|
match=SEL
match=telnet
match=account
match=6
match=cou
match=ect
match=detection
match=|6265|
match=SEL telnet account detection
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-Telnet_Account_Detected srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network

NEXT

id=4957
name=The PVS has observed a user using Hulu.
match=pvs
match=|6|
match=ion
match=detection
match=ect
match=user
match=name
match=username
match=ar
match=|5944|Hulu username detection|
match=ion
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}).*hulu\_uname\=([A-Za-z0-9\$\-\.\_\#\_]{1,25})
log=event:PVS-Hulu_Username_Detected type:web-access srcip:$1 srcport:$2 dstip:$3 dstport:$4 user:$5 proto:6

NEXT

id=4958
name=The PVS has observed Apple iTunes being user.
match=pvs
match=|6|
match=ion
match=etection
match=ect
match=App
match=Apple
match=une
match=iTunes
match=en
match=ar
match=|6051|Apple iTunes Client Detection|
match=ion
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-Apple_iTunes_Detected type:web-access srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6

NEXT

id=4959
name=The PVS has observed LinkedIn user name.
match=pvs
match=|6|
match=ame
match=Name
match=Use
match=User
match=|5960|LinkedIn User Name|
match=Link
match=ked
match=In
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-LinkedIn_User_Name type:social-networks srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6

NEXT

id=4960
name=The PVS has observed LinkedIn message creation.
match=pvs
match=|6|
match=ss
match=mess
match=age
match=message
match=eat
match=create
match=|5959|LinkedIn create message|
match=Link
match=ked
match=In
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-LinkedIn_Message_Created type:social-networks srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6

NEXT

id=4961
name=The PVS has observed a Facebook link.
match=pvs
match=|6|
match=in
match=Link
match=|6396|Facebook Link Detection|
match=ect
match=ion
match=Detection
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-Facebook_Link_Detected type:social-networks srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6

NEXT

id=4962
name=The PVS has detected a NetBios domain.
match=pvs
match=|17|
match=Net
match=Bios
match=NetBios
match=|7030|NetBios domain detection|
match=mai
match=domain
match=ect
match=ion
match=detection
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-NetBios_Domain_Detected type:network srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:17

NEXT

id=4963
name=The PVS has detected a dangerous CLSID embedded within the webserver. This CLSID has been flagged, in the past, as one which may introduce security risk.
match=pvs
match=|6|
match=dan
match=ger
match=dangerous
match=|7020|ActiveX dangerous CLSIDs|
match=Act
match=ive
match=ActiveX
match=CLSIDs
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-ActiveX_Dangerous_CLSIDs type:intrusion srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6

NEXT

id=4964
name=The PVS has detected an outbound Microsoft WinErr message.
match=pvs
match=|6|
match=Out
match=bound
match=Outbound
match=|2284|Outbound Microsoft WinErr Message|
match=Micro
match=soft
match=WinErr
match=Mess
match=age
match=Message
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-WinErr_Outbound_Message type:error srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6

NEXT

id=4965
name=The PVS has detected an OS.
match=pvs
match=|6|
match=|4345|WinErr Messages OS Detection|
match=OS
match=ect
match=ion
match=Detection
match=WinErr
match=Mess
match=age
match=Messages
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-WinErr_Messages_OS_Detected type:error srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6

NEXT

id=4966
name=The PVS has detected a SMTP client return email address.
match=pvs
match=|6|
match=|1329|SMTP Client Return Email Address Detection|
match=SMTP
match=ien
match=Client
match=etu
match=Return
match=ect
match=Detection
match=Email
match=ss
match=Address
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-Email_Address_Detected type:network srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6

NEXT

id=4967
name=The Passive Vulnerability Scanner has detected a host accessing an iheartradio stream
match=ar
match=radio
match=iheartradio stream detection
match=GET
match=str
match=GE
match=ea
match=pvs
match=|6
match=|6342
match=art
match=detection
match=6
match=|6|
match=etection
match=ect
match=st
match=ion
match= stream
match=eam
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-Iheartradio_Stream_Accessed srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access 

NEXT

id=4968
name=The Passive Vulnerability Scanner has detected a successful finger attack.
match=Fi
match=ng
match=tt
match=ack
match=Suc
match=cc
match=ss
match=er
match=pvs
match=Finger Attack -
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-Successful_Finger_Attack  srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:intrusion

NEXT

id=4969
name=The Passive Vulnerability Scanner has detected a Windows command shell running as a service.
match=Wi
match=ndo
match=mm
match=Co
match=ll
match=as
match=er
match=vi
match=pvs
match=Windows Command Shell as Service
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-Windows_Command_Shell_As_Service srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:intrusion

NEXT

id=4970
name=The Passive Vulnerability Scanner has observed a login to eBay.
match=pvs
match=eBay Auction Detected
match=etected
match=ti
match=on
match=tion
match=te
match=ect
match=ed
match=ion
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-eBay_Auction srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access

NEXT

id=4971
name=The Passive Vulnerability Scanner has observed a login to the Orkut social network. 
match=pvs
match=|Orkut Social Application
match=pp
match=etected
match=ic
match=cat
match=at
match=ti
match=li
match=on
match=cia
match=tion
match=te
match=ut
match=ect
match=App
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-Orkut_Activity srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:social-networks