# LCE PRM LIBRARY
# Copyright 2006-2014 Tenable Network Security
# This library may only be used with the Log Correlation Engine and may not
# be used with other products or open source projects
#
# NAME:
# Passive Vulnerability Scanner realtime syslog parser
#
# DESCRIPTION:
# The Passive Vulnerability Scanner will detect a majority of
# the systems, applications and vulnerabilities through passive
# protocol analysis. PVS also has the ability to look for events
# indicative of a successful attack only on the discovered applications
# it has identified. This library allows the LCE to process those
# events. 
#
# To use this with PVS, the PVS sensor must be configured to send
# SYSLOG messages to the LCE daemon. The rules below match on message
# text only, so the LCE daemon should accept syslog from the PVS sensor
# address(es) only; otherwise any host able to reach the daemon could
# produce these events.

# LAST UPDATED: $Date$

id=4639
name=The Passive Vulnerability Scanner detected a MAC address addition 
match=17
match=7076
match=pvs
match=MAC address
match=MA
match=ss
match=AC
match=dr
match=es
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-MAC_Addition srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:17 type:network

NEXT

id=4640
name=The Passive Vulnerability Scanner detected a client FTP session to a port other than port 21
match=70
match=78
match=7078|
match=non-standard
match=ct
match=De
match=FTP
match=nt
match=port
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*FTP server \(([0-9\.]+)\) on port ([0-9]+)
log=event:PVS-FTP_NON_STANDARD_PORT srcip:$1 srcport:$3 dstip:$8 dstport:$9 proto:6 type:network

NEXT

id=4641
name=A Citrix client has just initiated a session to a server
# NOTE(review): a stray "E" line (not a key=value entry) was here; commented out.
match=67
match=25
match=6725|
match=Cit
match=Citrix
match=ICA
match=7f
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-CITRIX_Client_Connection srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network 


NEXT

id=4700
name=The Passive Vulnerability Scanner detected a website hosting malicious content.
match=4334
match=6
match=pvs
match=Malicious Website
match=Ma
match=te
match=al
match=ou
match=ic
match=Web
match=li
match=Mal
match=ici
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-Malicious_Website srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:intrusion

NEXT

id=4701
name=The Passive Vulnerability Scanner detected DNS tunneling.
match=pvs
match=unnel
match=Detection
match=|DNS Tunneling
match=un
match=on
match=tion
match=te
match=etection
match=ing
match=in
match=ng
match=nn
match=DNS
match=ti
match=ect
match=ion
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-DNS_Tunnel_Activity srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network

NEXT

id=4702
name=The Passive Vulnerability Scanner detected XMPP protocol usage. 
match=pvs
match=5687|XMPP client detection
match=on
match=ent
match=te
match=de
match=etection
match=ien
match=en
match=ti
match=li
match=detection
match=ect
match=MP
match=ion
match=client
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-XMPP_Activity srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network

NEXT

id=4703
name=The Passive Vulnerability Scanner detected OpenVPN client connection.
match=pvs
match=|17|
match=|3541|
match=VPN
match=sess
match=tu
match=pe
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-OpenVPN_Client_Connection srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:connection

NEXT

id=4704
name=The Passive Vulnerability Scanner detected suspicious SCADA ICCP activity. 
match=pvs
match=In
match=al
match=li
match=SCADA
match=ICCP Invalid
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-SCADA_Invalid_ICCP_Activity srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network

NEXT

id=4705
name=The Passive Vulnerability Scanner detected a login to the RealWin Management Server HMI interface. 
match=pvs
match=6305
match=SCADA
match=RealWin Management Server HMI
match=Server
match=Wi
match=ag
match=ea
match=ent
match=nag
match=Re
match=al
match=erv
match=en
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-SCADA_RealWin_Login srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:login

NEXT

id=4706
name=The Passive Vulnerability Scanner detected a Voice Over IP (VoIP) session start.
match=pvs
match=6474
match=VoIP Client Detection
match=Detection
match=Cl
match=on
match=ent
match=tion
match=te
match=etection
match=ien
match=en
match=Client
match=IP
match=ti
match=li
match=ect
match=ion
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-VoIP_Session srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network

NEXT

id=4707
name=The Passive Vulnerability Scanner detected BitTorrent file download activity. 
match=pvs
match=lo
match=Detection
match=Fi
match=le
match=File Download Detection
match=To
match=on
match=.torrent
match=own
match=ent
match=te
match=re
match=Download
match=ile
match=File
match=ect
match=ion
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-BitTorrent_Activity srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network

NEXT

id=4708
name=The Passive Vulnerability Scanner detected Facebook application activity. 
match=pvs
match=|6|
match=6397|Facebook Application Access
match=oo
match=at
match=cc
match=tion
match=App
match=Access
match=ess
match=ss
match=pp
match=ic
match=Acc
match=ce
match=ti
match=li
match=ok
match=ccess
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|6\|6397\|
log=event:PVS-Facebook_Application_Detection srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:social-networks

NEXT

id=4709
name=The Passive Vulnerability Scanner detected a potential cleartext command-line Unix or Windows shell. 
match=pvs
match=ss
match=|Successful Shell Attack Detected - 
match=ect
match=ack
match=ed
match=ttack
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-Potential_Shell_Compromise srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:intrusion

NEXT

id=4710
name=The Passive Vulnerability Scanner detected Rockwell Automation Service protocol activity.
match=pvs
match=Rockwell Automation Service Detection
match=at
match=Detection
match=ice
match=on
match=tion
match=te
match=etection
match=Auto
match=erv
match=ll
match=ti
match=Service
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-SCADA_Rockwell_Activity srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network

#NEXT

#id=4711
#name=The Passive Vulnerability Scanner detected MODBUS protocol activity commonly associated with SCADA control systems.
#example=<36>May 13 17:47:58 pvs: 192.168.1.102:21|207.35.251.172:2243|6|xxxx|MODBUS Client 'Force Listen Only Mode' Request (SCADA)
#example=<36>May 13 17:47:58 pvs: 192.168.1.102:21|207.35.251.172:2243|6|xxxx|MODBUS Client 'Clear Counters and Diagnostic Registers' Request (SCADA)
#match=pvs
#match=MOD
#match=MODBUS Client '
#match=Cl
#match=ent
#match=ien
#match=en
#match=Client
#match=li
#match=SCADA
#regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
#log=event:PVS-SCADA_MODBUS_Activity srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network

NEXT

id=4712
name=The Passive Vulnerability Scanner tracked network activity from a post-attack source IP.
match=pvs
match=ion
match=ss
match=session
match=ack
match=ed
match=|10|tracked-session|
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-Tracked_Session srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:intrusion

NEXT

id=4713
name=The Passive Vulnerability Scanner detected a YouTube video being played.
match=pvs
match=|6|
match=ion
match=:80|6|5273|YouTube Usage Detection|
match=ect
match=age
match=io
match=Detection
match=ag
match=on
match=tion
match=te
match=etection
match=ou
match=be
match=ti
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|6\|5273\|
log=event:PVS-YouTube_Usage_Detection srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:social-networks


NEXT

id=4714
name=The Passive Vulnerability Scanner detected Twitter usage.
match=pvs
match=|6|
match=etection
match=ion
match=ect
match=:80
match=4814|Twitter Usage Detection|
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|6\|4814\|
log=event:PVS-Twitter_Usage_Detection srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:social-networks

NEXT

id=4715
name=The Passive Vulnerability Scanner detected evidence of a backdoored host.
match=pvs
match=ack
match=|Trojan/Backdoor 
match=an
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-Backdoor_Activity srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:17 type:intrusion

NEXT

id=4716
name=The Passive Vulnerability Scanner detected client or server botnet activity.
match=pvs
match=|6|
match=|Generic Botnet
match=ion
match=ect
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-Botnet_Detection srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:intrusion

NEXT

id=4717
name=The Passive Vulnerability Scanner detected a DVD or CD .iso image being transmitted over SMB.
match=pvs
match=ent
match=lo
match=le
match=|SMB Client File Download
match=Do
match=rom
match=.iso' from the
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*server on ([0-9]+(\.[0-9]+){3})
log=event:PVS-SMB_Client_ISO_File_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:6 type:file-access

NEXT

id=4718
name=The Passive Vulnerability Scanner detected a generic "Attack" event which looks for post-compromise network activity.
match=pvs
match=TP
match=FTP
match=ack
match= Attack -
match=ttack
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-Successful_Attack srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:intrusion

NEXT

id=4719
name=The Passive Vulnerability Scanner detected a suspicious file (tftp or ftp) transfer from a known server.
match=pvs
match=|17|
match=ent
match=TP
match=rom
match=ate
match=ed
match=|TFTP Client initiated from
match=FTP
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-Suspicious_File_Transfer srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:17 type:intrusion

NEXT

id=4720
name=The Passive Vulnerability Scanner detected a web server which has proxied an email message.
match=pvs
match=|6|
match=TP
match=SMTP
match=ect
match=|6|6231|SMTP Proxy Traffic Detected
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-SMTP_Proxy srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network

NEXT

id=4721
name=The Passive Vulnerability Scanner detected an email being sent by a tool known as 'The Bat'. This is likely a source of SPAM email. 
match=pvs
match=|6|
match=ion
match=detection
match=ect
match=ail
match=ss
match=ass
match=le
match=|6|3643|'The Bat' Mass mailer detection
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-SPAM_Mass_Mailing srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:spam

NEXT

id=4722
name=The Passive Vulnerability Scanner detected a Windows Error message being sent to Microsoft. 
match=pvs
match=|6|
match=rr
match=ing
match=le
match=ss
match=|6|2284|WinErr message leaving the network
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-Windows_Error_Message srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:error

NEXT

id=4723
name=The Passive Vulnerability Scanner detected a potential SPAM server on your network.
match=|Potential SPAM Server Detection|
match=nti
match=ote
match=SPAM
match=pvs
match=ent
match=|6|
match=etection
match=:25|6|4
match=ect
match=ial
match=ion
match=al
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-Potential_SPAM_Server srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:spam

NEXT

id=4724
name=The Passive Vulnerability Scanner has observed a local system request an ISO file via FTP.
match=pvs
match=|6|
match=ect
match=ion
match=Detection
match=ent
match=TP
match=lo
match=le
match=|6|5056|FTP Client File Download Detection|
match=.iso{0d}{0a}|
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-FTP_File_ISO_Request srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:file-access

NEXT

id=4725
name=The Passive Vulnerability Scanner has observed a local system request a ZIP file via FTP.
match=pvs
match=|6|
match=TP
match=FTP
match=ion
match=Detection
match=ect
match=ent
match=lo
match=le
match=|6|5056|FTP Client File Download Detection|
match=.zip{0d}{0a}|
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-FTP_File_ZIP_Request srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:file-access

NEXT

id=4726
name=The Passive Vulnerability Scanner has observed a local system request an EXE file via FTP.
match=pvs
match=|6|
match=TP
match=FTP
match=ect
match=ent
match=lo
match=ion
match=le
match=|6|5056|FTP Client File Download Detection|
match=Detection
match=.exe{0d}{0a}|
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-FTP_File_EXE_Request srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:file-access

NEXT

id=4727
name=The Passive Vulnerability Scanner has observed a local system request an RPM file via FTP.
match=pvs
match=|6|
match=TP
match=FTP
match=ect
match=ion
match=Detection
match=ent
match=lo
match=le
match=|6|5056|FTP Client File Download Detection|
match=.rpm{0d}{0a}|
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-FTP_File_RPM_Request srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:file-access

NEXT

id=4728
name=The Passive Vulnerability Scanner detected Facebook or Twitter "Pinterest" Activity 
match=pvs
match=ter
match=Facebook/Twitter Pinterest Activity
match=ace
match=est
match=ty
match=te
match=Act
match=Fa
match=re
match=tt
match=in
match=ti
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-Pinterest_Activity srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:social-networks

NEXT

id=4729
name=The PVS has logged an SSL session initiated from a client to a service and has identified the name of the SSL certificate in use. 
match=!This connection should
match=7062|SSL client session starting
match=sess
match=|70
match=se
match=|6
match=cli
match=art
match=ent
match=|6|
match=sta
match=client 
match=ien
match=ing
match=ess
match=ss
match=nt
match=en
match=rt
match=ar
match= client
match=in
match=ng
match=start
match=ti
match=ses
match=pvs
match=session
match=SSL
match=ion
match=client
match=starting
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.* at destination\: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|
log=event:PVS-SSL_Session srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network

NEXT

id=4730
name=The PVS has detected a Tivoli Endpoint Manager (BigFix) server push a patch or software to an end client for deployment. 
match=pvs:
match=enumeration
match=io
match=at
match=event
match=Fi
match=ent
match=tion
match=nt
match=en
match=me
match=ti
match=pvs
match=er
match=6
match=ve
match=ion
match= event
match=7066|BigFix event enumeration
regex=BigFix Client \(([0-9]+(\.[0-9]+){3})\) is .* server \(([0-9]+(\.[0-9]+){3})\) 
log=event:PVS-BigFix_Client_Patch_Update srcip:$1 srcport:0 dstip:$3 dstport:0 proto:6 type:detected-change

NEXT

id=4731
name=The Passive Vulnerability Scanner detected a webserver serving pornographic materials.
match=pvs
match=|6|
match=ser
match=ate
match=ing
match=|Webserver serving pornographic materials
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-Webserver_With_Pornography srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access

NEXT 

id=4732
name=The Passive Vulnerability Scanner has detected an HTTP session which resulted in a 4xx message. 
match=pvs
match=6843|HTTP 4xx Detection|
match=io
match=Detection
match=|6
match=on
match=tion
match=te
match=etection
match=cti
match=TP
match=De
match=ct
match=ti
match=P
match=6
match=HTTP
match=684
match=ect
match=Detect
match=ion
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-Web_4xx_Error srcip:$4 srcport:$6 dstip:$1 dstport:$3 proto:6 type:web-error 

NEXT

id=4733
name=The Passive Vulnerability Scanner has detected a local client connecting to a network socket and immediately receiving a Microsoft executable. This may indicate malicious types of file sharing, but can also indicate some forms of P2P and Torrent sharing of executable programs. 
match=pvs
match=|6|
match=ect
match=ion
match=Detection
match=ent
match=ecu
match=le
match=|5706|Microsoft Executable in Transit Detection (Client)|
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-Potential_Client_Download_of_Malicious_EXE srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:intrusion 

NEXT

id=4734
name=The Passive Vulnerability Scanner has detected a local server hosting a network socket and immediately sending a Microsoft executable. This may indicate malicious types of file sharing, but can also indicate some forms of P2P and Torrent sharing of executable programs. 
match=pvs
match=|6|
match=ect
match=ion
match=Detection
match=ecu
match=le
match=|5701|Microsoft Executable in Transit Detection|
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-Potential_Serving_of_Malicious_EXE srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:intrusion 

NEXT

id=4735
name=The Passive Vulnerability Scanner has detected a new website being hosted on an existing web server. If this website is unauthorized on your network, you should investigate it. If you have a web application assessment program, this website should be targeted for analysis if it holds sensitive data or is Internet facing. 
match=pvs
match=ect
match=ion
match=detection
match=ser
match=TP
match=|7033|HTTP server vhost detection|
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
# NOTE(review): unlike the neighbouring HTTP rules this log line emits no proto: field
# (4750 and 4753 omit it too, but those are host-level events); confirm this is intended.
log=event:PVS-New_WebSite_Detected srcip:$1 srcport:$3 dstip:$4 dstport:$6 type:detected-change 

NEXT

id=4736
name=The Passive Vulnerability Scanner has observed an email being sent from your network which was blocked by the recipient email server because of an RBL lookup. This means that a remote email server believes that an email system on your network is sending SPAM and has possibly been reported to one or more RBL services. If you encounter large numbers of these errors, you may in fact have an email server that is inadvertently carrying SPAM email, or perhaps have a botnet or malicious piece of software sending large numbers of SPAM emails.
match=|Possible RBL/CBL Blacklisting Message Detected|
match=la
match=age
match=ag
match=le
match=Message
match=Black
match=|6
match=Poss
match=|6|
match=ing
match=ess
match=ack
match=ss
match=in
match=ng
match=is
match=ti
match=lis
match=li
match=P
match=ck
match=pvs
match=ossible
match=ac
match=st
match=list
match=bl
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-RBL_Blocked_Spam_Email srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:spam 

NEXT

id=4737
name=The Passive Vulnerability Scanner has logged the most recent list of user accounts active on an RDP (Windows Remote Desktop) server. 
# NOTE(review): a stray "~" line (not a key=value entry) was here; commented out.
match=pvs
match=7047|RDP 
match=ession
match=|70
match=ess
match=io
match=ss
match=in
match=ti
match=RDP
match=es
match=on
match=ion
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-RDP_User_List srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network 

NEXT

id=4738
name=The Passive Vulnerability Scanner has detected files being hosted on a web server. 
match=pvs
match=|70
match=io
match=file
match=le
match=|6
match=on
match=tion
match=|6|
match=te
match=de
match=etection
match=fi
match=TP
match=il
match=ti
match=ile
match=detection
match=er
match=HTTP
match=ect
match=7039|HTTP file detection
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-HTTP_Hosted_Files srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network 

NEXT

id=4739
name=The PVS has detected a login to a database via SQL. 
match=|70
match=|7035|
match=tem
match=lo
match=an
match=as
match=PVS has observed
match=da
match= user
match=Database command logging
match=se
match=ser
match=at
match=th
match=has
match=he
match=mm
match=PVS
match=|6
match=log
match=attempt
match=login
match=fo
match=pvs
match=ma
match=to
match=command
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*database server.*\(([0-9]+(\.[0-9]+){3})\).*\:
log=event:PVS-Database_Login srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:6 type:login


################################################################################
### 4740 - 4749
### Specific SCADA normalizations
###
################################################################################

NEXT

id=4740
name=The Passive Vulnerability Scanner detected SCADA DNPv3 activity.
match=pvs
match=|6|
match=ol
match=ed
match=|Distributed Network Protocol v3 '
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-SCADA_DNPv3_Activity srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:intrusion

#NEXT

#id=4741
#name=The Passive Vulnerability Scanner detected SCADA MODBUS activity.
#example=<36>Apr 20 17:16:44 pvs: 192.168.20.200:0|192.168.20.9:0|6|309|MODBUS Client 'Restart Communications' request
#match=pvs
#match=|6|
#match=ent
#match=|MODBUS Client '
#regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
#log=event:PVS-SCADA_MODBUS_Activity srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:intrusion

NEXT

id=4742
name=The Passive Vulnerability Scanner detected SCADA ICCP activity.
match=pvs
match=|6|
match=|SCADA - ICCP 
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-SCADA_ICCP_Activity srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:intrusion

NEXT

id=4743
name=The PVS has detected SCADA GE D20 TFTP activity
match=|62
match=|17|
match=GE
match=D20
match=TFTP
match=Client
match=FT
match=Access
match=ect
match=Detection
match=|6271|
match=Client Access Detection
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-SCADA_GED20_Activity srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:17 type:intrusion

NEXT

id=4744
name=The PVS has observed a failed login to a SQL database.
match=wa
match=|70
match=|7037|
match=Database failed login detection
match=tem
match=lo
match=as
match=fa
match=PVS has observed
match=se
match= from
match=at
match=has
match=ail
match=he
match=PVS
match=log
match=login
match=was
match=|6|
match=te
match=de
match=etection
match=ed
match=erv
match=failed
match=server
match=in
match=login 
match=rom
match=from
match=ai
match=ailed
match=error
match=P
match=pvs
match=ile
match=detection
match=has 
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}).*database server at ([0-9]+(\.[0-9]+){3})
log=event:PVS-Database_Login_Failure srcip:$1 srcport:$3 dstip:$4 proto:6 type:login-failure

NEXT 

id=4745
name=The PVS has just observed an ActiveSync connection to an Exchange server, most likely from a mobile device such as an iPhone or Android. 
match=no
match=|70
match=Active Sync detection and decode
match=TYPE
match=ho
match=lo
match=an
match=ive
match=as
match=Use
match=da
match=at
match=has
match=User 
match=Sync
match=he
match=PVS
match=connection
match=cli
match=Active
match=ogged
match=ent
match=The
match=|6|
match=etection
match=connect
match=Act
match=host
match=co
match=en
match=or
match=User
match= client
match=in
match=ng
match=nn
match=for
match=client
match=op
# NOTE(review): $1 is the "DIP:" capture and $3 the "SIP:" capture, so srcip
# receives the destination address and dstip the source. Confirm against a
# sample PVS ActiveSync syslog line that this direction is intended before
# relying on srcip/dstip for this login event.
regex=DIP: ([0-9]+(\.[0-9]+){3}) SIP: ([0-9]+(\.[0-9]+){3})
log=event:PVS-ActiveSync_Login srcip:$1 srcport:0 dstip:$3 dstport:0 proto:6 type:network

#NEXT
#
# This log comes from TASL, not PVS, and duplicates PRM 20095
#id=4746
#name=The PVS has detected a query to a URL known to be part of a botnet. 
#example=PVS-Malicious_Web_Request detected from  192.168.1.24:0 to the following URL: www.nessus.org/foo/ at 4.59.136.200:80 identified as MALWARE
#match=_Request
#match=Ma
#match=detected
#match= from
#match=est
#match=PVS
#match=ent
#match=fo
#match=URL
#match=den
#match=Re
#match=identified as
#match=rom
#match=from
#match=etected
#match=ic
#match=nti
#match=Web
#match=to the following
#match=PVS-Malicious_Web_Request
#match=to
#match=from 
#match=detected from
#match=Mal
#match=ici
#match=_Request 
#regex=from  ([0-9]+(\.[0-9]+){3}).* at ([0-9]+(\.[0-9]+){3}):([0-9]+) 
#log=event:PVS-Malicious_Web_Request srcip:$1 srcport:0 dstip:$3 dstport:$5 proto:6 type:threatlist

NEXT

id=4747
name=The PVS has detected a new server to client pair. 
match=io
match=se
match=ser
match=|6
match=connection
match=on
match=tion
match=|6|
match=ver
match=connect
match=co
match=erv
match=onnect
match=server
match=onnection
match=nn
match=ti
match=pvs
match=er
match=6
match=rv
match=15|server-connection
regex= pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+)\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+)\|6\|
log=event:PVS-New_Server_Trust_Relationship srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:detected-change

NEXT

id=4748
name=The PVS has logged an SSL session initiated from a client to a service and has identified the name of the SSL certificate in use. This particular type of SSL certificate is associated with a cloud file storage service.  
match=This connection should
match=cloud service
match=lo
match=ser
match=ice
match=erv
match=ce
match= service
match=er
match=service
match=7062|SSL client session starting
match=sess
match=|70
match=se
match=|6
match=cli
match=art
match=ent
match=|6|
match=sta
match=client 
match=ien
match=ing
match=ess
match=ss
match=nt
match=ar
match= client
match=in
match=ng
match=start
match=ti
match=ses
match=pvs
match=session
match=SSL
match=ion
match=client
match=starting
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.* at destination\: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\.
log=event:PVS-SSL_Session_Cloud_Data srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network

NEXT

id=4749
name=The PVS has logged an SSL session initiated from a client to a service and has identified the name of the SSL certificate in use. This particular type of SSL certificate is associated with an anonymous proxy service which allows users to access the Internet securely and without trace.
match=This connection should
match=anonymous proxy
match=no
match=an
match=on
match=ou
match=mo
match=nonymous
match=7062|SSL client session starting
match=sess
match=|70
match=io
match=se
match=|6
match=cli
match=art
match=ent
match=|6|
match=sta
match=client 
match=ien
match=ing
match=ess
match=ss
match=nt
match=ar
match= client
match=in
match=ng
match=start
match=ti
match=ses
match=pvs
match=session
match=SSL
match=ion
match=client
match=starting
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.* at destination\: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\.
log=event:PVS-SSL_Session_Anon_Proxy srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network


################################################################################
### 4750 - 4759
### New hosts, new ports, new port browsing, etc.
###
################################################################################

NEXT

id=4750
name=The Passive Vulnerability Scanner detected a new host.
match=pvs
match=host
match=le
# this notmatch statement ignores the IPv6 log
match=!::
match=|13|new-host-alert|
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|
log=event:PVS-New_Host_Alert srcip:$1 srcport:0 dstip:$1 dstport:0 type:detected-change

NEXT

id=4751
name=The Passive Vulnerability Scanner detected a new internet connection.
match=pvs
match=ect
match=ion
match=|3|connection|INFO
match=INFO
match=IN
match=FO
match=onnection
match=onnect
match=0.0.0.0
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-New_Internet_Activity srcip:$1 srcport:$6 dstip:$1 dstport:$6 proto:6 type:detected-change

NEXT

id=4752
name=The Passive Vulnerability Scanner detected a new port browsing. This means that a host was observed connecting to the Internet on a previously undetected port. 
match=pvs
match=ect
match=ser
match=ion
match=ce
match=|2|connection-to-service|INFO
match=INFO
match=IN
match=FO
match=onnection
match=onnect
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-New_Port_Browsing srcip:$1 srcport:$6 dstip:$1 dstport:$6 proto:6 type:detected-change

NEXT

id=4753
name=The Passive Vulnerability Scanner has detected a new open port. 
match=pvs
match=IN
match=INFO
match=FO
match=|0|new-open-port|INFO
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-New_Open_Port srcip:$1 dstip:$1 srcport:$3 dstport:$3 type:detected-change

NEXT

id=4754
name=The Passive Vulnerability Scanner has detected a new trust relationship.
match=pvs
match=ion
match=|3|connection|INFO
match=ect
match=INFO
match=IN
match=FO
match=!0.0.0.0
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-New_Trust_Relationship srcip:$1 srcport:$6 dstip:$4 dstport:$6 proto:6 type:detected-change

NEXT

id=4755
name=The PVS has detected an SSL session which involved access of a social media site such as Facebook or Twitter. 
match=This connection should
match=Social Media server
match=ser
match=ver
match=ed
match=ial
match=al
match=erv
match=server
match=cia
match=er
match=rv
match=7062|SSL client session starting
match=sess
match=|70
match=io
match=se
match=|6
match=cli
match=art
match=ent
match=|6|
match=sta
match=ien
match=ing
match=ess
match=ar
match= client
match=in
match=ng
match=start
match=ses
match=pvs
match=session
match=SSL
match=client
match=starting
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.* at destination\: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\.
log=event:PVS-SSL_Session_Social_Access srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network

NEXT

id=4756
name=The PVS has detected an SSL session which involved access of a media or communications site such as NetFlix or Skype. 
# Same structure as 4755 but keyed on the "media server" classification in
# the 7062 message. Client = leading ip:port field, server = the
# "at destination: ip:port." text in the message body.
match=This connection should
match=media server
match=ser
match=ver
match=ed
match=erv
match=me
match=server
match=er
match=rv
match=ve
match=7062|SSL client session starting
match=sess
match=|70
match=io
match=se
match=|6
match=cli
match=art
match=ent
match=|6|
match=sta
match=ien
match=ing
match=ess
match=ss
match=nt
match=ar
match= client
match=in
match=ng
match=start
match=ti
match=ses
match=pvs
match=session
match=SSL
match=ion
match=client
match=starting
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.* at destination\: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\.
log=event:PVS-SSL_Session_Media_Access srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network

NEXT

id=4758
name=The PVS has detected an Apple device such as an iPhone or iPad connecting to the Apple App Store.
# PVS plugin 6590 ("Accessing iTunes Store on an Apple iOS device").
# Endpoints come straight from the two leading ip:port fields; the device
# is normalized as the source. Useful as a passive inventory signal for
# unmanaged iOS devices.
match=pvs
match=6590|Accessing iTunes Store on an Apple iOS device
match=dev
match=an
match=un
match=le
match= on 
match=ice
match=on
match=cc
match=iTunes
match=de
match=App
match=Access
match=ing
match=ess
match=re
match=ss
match=pp
match=or
match=in
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-Apple_App_Store_Access srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access

NEXT 

id=4759
name=The PVS has logged an SSL session initiated from a client to a web conferencing server.
# Same structure as 4755/4756, keyed on the "web conferencing" text in the
# 7062 "SSL client session starting" message. Client = leading ip:port
# field, server = the "at destination: ip:port." text in the body.
match=This connection should
match=web conferencing
match=lo
match=ser
match=erv
match=7062|SSL client session starting
match=sess
match=|70
match=io
match=se
match=|6
match=cli
match=art
match=ent
match=|6|
match=sta
match=client
match=ien
match=ing
match=ess
match=ss
match=nt
match=ar
match= client
match=in
match=ng
match=start
match=ti
match=ses
match=pvs
match=session
match=SSL
match=ion
match=client
match=starting
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.* at destination\: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\.
log=event:PVS-SSL_Session_Web_Conference srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network

################################################################################
### 4770 - 4779
### New Vulnerabilities 
###
################################################################################

NEXT

id=4770
name=The Passive Vulnerability Scanner has observed a local FTP server serve a file via FTP. 
# PVS plugin 5055 ("FTP Server File Detection"). Endpoints are the two
# leading ip:port fields; the file name in the message body is not
# extracted. Companion client-side rule: 4779 (plugin 5056).
match=pvs
match=|6|
match=TP
match=FTP
match=ion
match=ect
match=le
match=|6|5055|FTP Server File Detection|
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-FTP_File_Served srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:file-access

NEXT

id=4771
name=The Passive Vulnerability Scanner detected a LOW severity vulnerability.
# Catch-all for any PVS message carrying "|LOW" that is not one of the INFO
# housekeeping plugins (portscan, new-host, connection, connection-to-service,
# new-open-port) and not the Local Email / Local POP account plugins, which
# have dedicated rules (4783/4795 and 4782/4793).
# NOTE(review): proto is hard-coded to 17 (UDP) even though the regex
# captures the protocol field as $7 and most PVS vulnerability plugins in
# this file are TCP. Confirm whether "proto:$7" is accepted by the PRM
# syntax; until then the protocol on these events is unreliable.
match=pvs
match=!:0|0|11|portscan-detection|
match=!|13|new-host-alert|
match=!|3|connection|INFO
match=!|2|connection-to-service|INFO
match=!|0|new-open-port|INFO
match=|LOW
match=LO
match=!|6|1329|Local Email Account
match=!110|6|2341|Local POP Account|USER 
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-Low_Vulnerability srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:17 type:vulnerability

NEXT

id=4772
name=The Passive Vulnerability Scanner detected a MEDIUM severity vulnerability.
# Catch-all for "|MEDIUM" PVS messages, excluding the same INFO housekeeping
# plugins as 4771. Unlike 4771 it does not exclude the Local Email / Local
# POP account plugins (presumably those only report at LOW).
# NOTE(review): proto is hard-coded to 17 although $7 holds the protocol
# field of the message; see the note on 4771.
match=pvs
match=!:0|0|11|portscan-detection|
match=!|13|new-host-alert|
match=!|3|connection|INFO
match=!|2|connection-to-service|INFO
match=!|0|new-open-port|INFO
match=|MEDIUM
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-Medium_Vulnerability srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:17 type:vulnerability

NEXT

id=4773
name=The Passive Vulnerability Scanner detected a HIGH severity vulnerability.
# Catch-all for "|HIGH" PVS messages, excluding the same INFO housekeeping
# plugins as 4771/4772. These are the events most worth alerting on from
# this library.
# NOTE(review): proto is hard-coded to 17 although $7 holds the protocol
# field of the message; see the note on 4771.
match=pvs
match=!:0|0|11|portscan-detection|
match=!|13|new-host-alert|
match=!|3|connection|INFO
match=!|2|connection-to-service|INFO
match=!|0|new-open-port|INFO
match=|HIGH
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-High_Vulnerability srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:17 type:vulnerability

NEXT

id=4774
name=The Passive Vulnerability Scanner has detected an HTTP session which resulted in a 5xx web error message. 
# PVS plugin 6844 ("HTTP 500 Detection"), the server-side variant. The
# client-side variant (6853) is handled by 4776.
match=pvs
match=6844|HTTP 500 Detection|
match=io
match=Detection
match=on
match=tion
match=te
match=etection
match=cti
match=TP
match=De
match=ct
match=ti
match=P
match=6
match=HTTP
match=684
match=ect
match=Detect
match=ion
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
# Note: the endpoints are deliberately swapped relative to the other rules.
# For this plugin the second ip:port logged by PVS is the client whose
# request caused the 5xx error, so it is normalized as the source; a burst
# of these from one srcip is a useful fuzzing/scanning indicator.
log=event:PVS-Web_5xx_Error srcip:$4 srcport:$6 dstip:$1 dstport:$3 proto:6 type:web-error 

NEXT

id=4775
name=The PVS has logged an SSL session initiated from a client to a service with an SSL certificate known to be in use by malware.
# PVS plugin 7062 ("SSL client session starting") where the message says the
# server certificate has been identified as associated with malware. Same
# endpoint extraction as 4755: client = leading ip:port field, server = the
# "at destination: ip:port." text. Classified as type:intrusion, so it
# should page, unlike the other 7062-based rules (type:network).
match=This connection should
match=been
match=certificate
match=The
match=ass
match=ing
match=malware
match=identified as
match=7062|SSL client session starting
match=sess
match=|70
match=io
match=se
match=|6
match=cli
match=art
match=ent
match=|6|
match=sta
match=client
match=ien
match=ing
match=ess
match=ss
match=nt
match=ar
match= client
match=in
match=ng
match=start
match=ti
match=ses
match=pvs
match=session
match=SSL
match=ion
match=client
match=starting
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.* at destination\: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\.
log=event:PVS-SSL_Malware_Session srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:intrusion

NEXT

id=4776
name=The Passive Vulnerability Scanner detected a web query which resulted in a 5xx HTTP error code.
# PVS plugin 6853 ("HTTP 500 Detection (Client)"). Unlike the sibling rules
# the regex is not anchored on the "pvs: " prefix; it relies on match=pvs and
# the plugin string for selectivity and takes the first ip:port pair found.
# NOTE(review): 4774 swaps the endpoints for the server-side plugin; confirm
# the client is the first endpoint in 6853 messages so that srcip means the
# same thing in both events.
match=6853|HTTP 500 Detection (Client)|
match=pvs
match=685
match=io
match=Detection
match=|6
match=Cl
match=on
match=ent
match=tion
match=te
match=etection
match=ien
match=nt
match=cti
match=en
match=TP
match=De
match=Client
match=ct
match=ti
match=li
match=6
match=HTTP
match=ect
match=Detect
match=ion
regex=([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-Web_5xx srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-error

NEXT

id=4777
name=The Passive Vulnerability Scanner detected a Windows .msi file being transmitted over SMB.
# "SMB Client File Download" message for a file named *.msi. dstip is taken
# from the "server on <ip>" text ($8) while dstport is the second endpoint's
# port ($6). No proto is set (cf. the FTP rules, which set proto:6).
# Installer packages fetched over SMB are a common lateral-movement
# artifact; correlate with 4803 (.exe) and 4778 (.dll).
match=pvs
match=lo
match=Download
match=Do
match=ent
match=le
match=|SMB Client File Download
match=rom
match=.msi' from the
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*server on ([0-9]+(\.[0-9]+){3})
log=event:PVS-SMB_Client_MSI_File_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 type:file-access

NEXT

id=4778
name=The Passive Vulnerability Scanner detected a Windows .dll file being transmitted over SMB.
# "SMB Client File Download" message for a file named *.dll. Same extraction
# as 4777: dstip from the "server on <ip>" text ($8), dstport from the second
# endpoint ($6), no proto set.
match=pvs
match=lo
match=Download
match=Do
match=ent
match=le
match=|SMB Client File Download
match=rom
match=.dll' from the
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*server on ([0-9]+(\.[0-9]+){3})
log=event:PVS-SMB_Client_DLL_File_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 type:file-access

NEXT

id=4779
name=The Passive Vulnerability Scanner has observed a local system request a file via FTP. 
# PVS plugin 5056 ("FTP Client File Download Detection"). Requests whose
# file name ends in .exe/.iso/.rpm/.zip (the {0d}{0a} hex escapes presumably
# bind the extension to the end of the line) are excluded here; no rule
# covering those extensions is visible in this section, so confirm they are
# handled elsewhere rather than dropped.
match=pvs
match=TP
match=FTP
match=|6|
match=ent
match=ion
match=le
match=wn
match=lo
match=Client
match=io
match=FT
match=il
match=|6|5056|FTP Client File Download Detection|
match=ect
match=!.exe{0d}{0a}|
match=!.iso{0d}{0a}|
match=!.rpm{0d}{0a}|
match=!.zip{0d}{0a}|
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-FTP_File_Request srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:file-access

NEXT

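id=4780
name=The Passive Vulnerability Scanner detected a PGP email identity.
# PVS plugin 2609 ("PGP Email Client Detection") on a port-25 session. The
# regex pins the protocol/plugin fields (|6|2609|) immediately after the
# destination port, so the plugin string cannot match elsewhere in the body.
match=pvs
match=|6|
match=io
match=Email
match=Detection
match=ail
match=Cl
match=on
match=tion
match=te
match=etection
match=nt
match=cti
match=De
match=Client
match=ai
match=il
match=li
match=P
match=ect
match=Detect
match=ion
match=:25|6|2609|PGP Email Client Detection|
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|6\|2609\|
# Fix: "srcip:$1" was emitted twice in the log line; the duplicate key is
# removed so the normalized event has one source address field.
log=event:PVS-PGP_Detection srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:network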

NEXT

id=4781
name=The Passive Vulnerability Scanner detected Facebook activity.
# PVS plugin 5272 ("Facebook Usage Detection") on a port-80 (clear-text)
# session only; Facebook over TLS is presumably reported via the 7062-based
# rule 4755 instead.
match=pvs
match=|6|
match=oo
match=ce
match=ace
match=Detection
match=ok
match=ect
match=ac
match=Fa
match=ion
match=:80|6|5272|Facebook Usage Detection|
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|6\|5272\|
log=event:PVS-Facebook_Usage_Detection srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:social-networks

NEXT

id=4782
name=The Passive Vulnerability Scanner detected a POP login.
# PVS plugin 2341 ("Local POP Account") on a port-110 session, i.e. a
# clear-text POP3 USER command was seen on the wire. The account name in
# the message body is not extracted.
# NOTE(review): the negated {20}/{0d}/{0a} entries appear to reject any
# message containing a space, CR or LF, yet the required string "Local POP
# Account|USER" itself contains spaces. Companion rule 4793 requires those
# same bytes and emits the same event; confirm which of the two actually
# fires, and whether both are still needed.
match=ER
match=pvs
match=|6|
match=!{20}
match=!{0d}
match=!{0a}
match=Lo
match=:110|6|2341|Local POP Account|USER
match=cal
match=SE
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|6\|2341\|
log=event:PVS-POP_Session_Detection srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:network

NEXT

id=4783
name=The Passive Vulnerability Scanner detected a user return SMTP email address.
# PVS plugin 1329 ("Local Email Account") on a port-25 session. The address
# itself is not extracted. Companion rule 4795 matches the same plugin but
# requires the {20}/{0d}/{0a} bytes this rule rejects; see the note on 4782.
match=pvs
match=|6|
match=!{20}
match=!{0d}
match=!{0a}
match=ail
match=Lo
match=:25|6|1329|Local Email Account|
match=cal
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|6\|1329\|
log=event:PVS-SMTP_Return_Address srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:network

NEXT

id=4784
name=The Passive Vulnerability Scanner detected a myspace account login.
# PVS plugin 5271 ("Myspace Usage Detection"). Regex pins |6|5271| directly
# after the destination port; endpoints are the two leading ip:port fields.
match=pvs
match=|6|
match=ion
match=Detection
match=ect
match=ce
match=ace
match=|6|5271|Myspace Usage Detection|
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|6\|5271\|
log=event:PVS-Myspace_Login_Detection srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:social-networks

NEXT

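id=4785
name=The Passive Vulnerability Scanner detected a gmail account login.
# PVS plugin 5275 ("Gmail Usage Detection"). Endpoints are the two leading
# ip:port fields; nothing from the message body is extracted.
match=pvs
match=age
match=io
match=ag
match=ail
match=on
match=tion
match=te
match=etection
match=ai
match=il
match=ti
match=ma
match=|6|
match=Detection
match=ect
match=ion
match=|6|5275|Gmail Usage Detection|
# The regex now pins the protocol and plugin-id fields (|6|5275|) right after
# the destination port, like the sibling rules 4781/4784/4786, instead of
# stopping at "|6" and relying on the match= line alone.
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|6\|5275\|
log=event:PVS-Gmail_Login_Detection srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:web-access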

NEXT

id=4786
name=The Passive Vulnerability Scanner detected an MSN Messenger login.
# PVS plugin 2600 ("MSN Messenger UserID detection"). The user ID in the
# message body is not extracted. Companion rule 4797 matches the same plugin
# but requires the {20}/{0d}/{0a} bytes this rule rejects; see note on 4782.
match=pvs
match=|6|
match=ion
match=detection
match=ect
match=!{20}
match=!{0d}
match=!{0a}
match=ser
match=ss
match=|6|2600|MSN Messenger UserID detection|
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|6\|2600\|
log=event:PVS-MSN_Messenger_Login_Detection srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:network

NEXT

id=4787
name=The Passive Vulnerability Scanner detected a Yahoo Messenger login.
# PVS plugin 4081 ("Yahoo! Messenger User Enumeration"). The enumerated
# user name stays in the raw message; only the endpoints are normalized.
match=ho
match=io
match=Use
match=4081|Yahoo! Messenger User Enumeration|
match=se
match=ser
match=oo
match=at
match=User 
match=on
match=tion
match=sen
match=ess
match= User 
match=ss
match=eng
match=en
match=me
match=User
match=Mess
match=ng
match=ti
match=pvs
match=er
match=ger
match=ion
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|6\|4081\|
log=event:PVS-Yahoo_Messenger_Login_Detection srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:network

NEXT

id=4788
name=The Passive Vulnerability Scanner detected an AOL Instant Messenger login.
# PVS plugin 4082 ("AOL Instant Messenger User Enumeration"). Rule 4796
# handles the same plugin id with a lower-case plugin name and required
# whitespace bytes, and emits the same event.
match=|6|4082|AOL Instant Messenger User Enumeration|
match=an
match=io
match=In
match=Use
match=se
match=ser
match=at
match=User 
match=Inst
match=on
match=tion
match=sta
match=sen
match=ess
match= User 
match=ss
match=eng
match=nt
match=en
match=User
match=Mess
match=ng
match=ti
match=pvs
match=er
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|6\|4082\|
log=event:PVS-AOL_Messenger_Login_Detection srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:network

NEXT 

id=4789
name=The Passive Vulnerability Scanner could not be shutdown.
# Sensor-health message "pvs shutdown failed" (no endpoints to extract).
# Together with 4790/4792/4798-4800 these are the signals that passive
# coverage is about to lapse; they deserve their own alerting.
match=pvs
match=ail
match=le
match=ed
match=failed
match=pvs shutdown failed
log=event:PVS-Shutdown_Failed type:restart

NEXT 

id=4790
name=The Passive Vulnerability Scanner proxy was shutdown.
# Sensor-health message "pvs-proxy shutdown succeeded". An unexpected one
# means the PVS proxy (see 1952/1954) is no longer accepting connections.
match=pvs
match=ce
match=ed
match=pvs-proxy shutdown succeeded
log=event:PVS-Proxy_Shutdown_Succeeded type:restart

NEXT

id=4791
name=The Passive Vulnerability Scanner has found a system which accepts connections.
# PVS plugin 14 ("accepts-external-connections"). srcip and dstip are both
# set to the first endpoint: the event describes a host, not a flow (same
# convention as PVS-New_Open_Port above). A new host accepting external
# connections is an exposure change worth reviewing.
match=pvs
match=|6|
match=ion
match=onnection
match=onnect
match=ect
match=ce
match=pt
match=0|6|14|accepts-external-connections|
match=acc
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|6\|14\|
log=event:PVS-Accepts_External_Connections srcip:$1 srcport:$2 dstip:$1 dstport:$2 proto:6 type:detected-change

NEXT 

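id=4792
# Fix: the description was copied from 4789 ("could not be shutdown") but
# this rule matches "pvs shutdown succeeded" and emits
# PVS-Shutdown_Succeeded, so the name now describes the actual event.
name=The Passive Vulnerability Scanner was shut down.
# Sensor-health message; no endpoints to extract. Pair with 4789 (failed
# shutdown) when alerting on loss of passive coverage.
match=pvs
match=ce
match=ed
match=pvs shutdown succeeded
log=event:PVS-Shutdown_Succeeded type:restart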

NEXT

id=4793
name=The Passive Vulnerability Scanner has observed a POP login event. 
# PVS plugin 2341 ("Local POP Account") on port 110, requiring the
# {20}/{0d}/{0a} bytes that 4782 rejects; both emit
# PVS-POP_Session_Detection. The USER value is not extracted.
match=pvs
match=|6|
match=Lo
match=Local
match=cal
match={20}
match={0d}
match={0a}
match=:110|6|2341|Local POP Account
match=USER
match=ER
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|6\|2341\|
log=event:PVS-POP_Session_Detection srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:network

NEXT

id=4794
name=The Passive Vulnerability Scanner detected a web query which resulted in a 4xx HTTP error code.
# PVS plugin 6852 ("HTTP 4xx Detection (Client)"). Like 4776 the regex is not
# anchored on "pvs: " and takes the first ip:port pair found. A high rate of
# 4xx from one srcip is a cheap directory-brute-force / scanner indicator.
match=pvs
match=6852|HTTP 4xx Detection (Client)|
match=685
match=io
match=Detection
match=|6
match=Cl
match=on
match=ent
match=tion
match=|6|
match=te
match=etection
match=ien
match=nt
match=cti
match=en
match=TP
match=De
match=Client
match=ct
match=ti
match=li
match=6
match=HTTP
match=ect
match=Detect
match=ion
regex=([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-Web_4xx srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-error

NEXT

id=4795
name=The Passive Vulnerability Scanner detected a user return SMTP email address.
# PVS plugin 1329 ("Local Email Account") on port 25, requiring the
# {20}/{0d}/{0a} bytes that 4783 rejects. Note the event name differs from
# 4783 (PVS-SMTP_User_Return_Address vs PVS-SMTP_Return_Address) although
# both describe the same plugin.
match=pvs
match=|6|
match=Lo
match=Local
match=cal
match={20}
match={0d}
match={0a}
match=ail
match=:25|6|1329|Local Email Account|
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|6\|1329\|
log=event:PVS-SMTP_User_Return_Address srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:network

NEXT

id=4796
name=The Passive Vulnerability Scanner detected an AOL Instant Messenger login.
# PVS plugin 4082 with the lower-case "user enumeration" plugin name and
# required {20}/{0d}/{0a} bytes; counterpart of 4788, same event emitted.
match=pvs
match=|6|
match=ion
match=enumeration
match={20}
match={0d}
match={0a}
match=sta
match=ser
match=ss
match=|6|4082|AOL Instant Messenger user enumeration|
match=an
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|6\|4082\|
log=event:PVS-AOL_Messenger_Login_Detection srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:network

NEXT

id=4797
name=The Passive Vulnerability Scanner detected an MSN Messenger login.
# PVS plugin 2600 with required {20}/{0d}/{0a} bytes; counterpart of 4786,
# same event emitted. The user ID is not extracted.
match=pvs
match=|6|
match=ion
match=detection
match=ect
match={20}
match={0d}
match={0a}
match=ser
match=ss
match=|6|2600|MSN Messenger UserID detection|
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|6\|2600\|
log=event:PVS-MSN_Messenger_Login_Detection srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:network

NEXT

#############################
#                           #
# Housekeeping Key messages #
#                           #
#############################

id=4798
name=The Passive Vulnerability Scanner has an invalid key.
# PVS daemon log line "(PVS) [ERROR] !! INVALID KEY !!". With an invalid
# licence key the sensor produces no detections, so this is a coverage-gap
# alert, not just an error.
match=PVS
match=ERROR
match=ER
match=AL
match= (PVS) [ERROR] !! INVALID KEY !!
match=IN
log=event:PVS-Invalid_Key type:error
 
NEXT

id=4799
name=The Passive Vulnerability Scanner has a bad time in key file.
# PVS daemon log line "(PVS) [ERROR] Bad time in key file" - usually a
# clock/licence mismatch; treat like 4798 (sensor not producing data).
match=PVS
match=ERROR
match=ER
match=le
match= (PVS) [ERROR] Bad time in key file
log=event:PVS-Invalid_Time_In_Key type:error

NEXT

id=4800
name=The Passive Vulnerability Scanner has a keyfile that has expired.
# PVS daemon log line "... The keyfile has expired. Exiting." The message
# says the daemon exits, so passive coverage stops at this point.
match=PVS
match=ERROR
match=ER
match=ire
match=ing
match=le
match=ed
match= (PVS) [ERROR] main - The keyfile has expired. Exiting.
log=event:PVS-Key_Expired type:error

#
# Back to regular PRMs

NEXT

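id=4801
# Fix: typos in the description ("connecting the to the", "potential
# infected"); wording otherwise kept.
name=The Passive Vulnerability Scanner has detected a system connecting to the whatismyip.com web site. This web site is commonly used by botnets and malware to determine the IP address of the external gateway router. It is a legitimate service and does not necessarily mean your system is compromised; however, if you observe port scanning, network anomalies or other suspicious activity, this event can serve as corroborating evidence of a potentially infected system.
# PVS plugin 5280 ("whatismyip.com Client Detection"). Endpoints are the two
# leading ip:port fields. The event is classified type:intrusion although
# the description itself notes the service is legitimate - expect false
# positives from ordinary users and use it as a corroborating signal.
match=pvs
match=|6|
match=ion
match=Detection
match=ect
match=ent
match=Cl
match=on
match=tion
match=te
match=etection
match=ien
match=co
match=nt
match=en
match=Client
match=|6|5280|whatismyip.com Client Detection|
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-WhatIsMyIP_Activity srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:intrusion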

NEXT

id=4802
name=The Passive Vulnerability Scanner detected a file being transmitted over SMB.
# Generic "SMB Client File Download" rule. The negated entries exclude
# extensions that have dedicated rules (.msi 4777, .dll 4778, .exe 4803,
# .ini 4804) but also a set of document/data types (.csv, .doc, .pdf, .pst,
# .sql, .xls, ...) for which no rule is visible in this section - confirm
# those are handled elsewhere, otherwise such downloads are never logged.
# Note .doc/.docx and .xls/.xlsx need separate entries because the match is
# on ".ext' from the", so the shorter extension does not cover the longer.
match=pvs
match=lo
match=Download
match=Do
match=ent
match=le
match=|SMB Client File Download
match=!.csv' from the
match=!.dll' from the
match=!.doc' from the
match=!.docx' from the
match=!.exe' from the
match=!.ini' from the
match=!.iso' from the
match=!.msi' from the
match=!.pdf' from the
match=!.pps' from the
match=!.pst' from the
match=!.ppt' from the
match=!.pptx' from the
match=!.rtf' from the
match=!.sql' from the
match=!.txt' from the
match=!.xls' from the
match=!.xlsx' from the
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*server on ([0-9]+(\.[0-9]+){3})
log=event:PVS-SMB_Client_File_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 type:file-access

NEXT

id=4803
name=The Passive Vulnerability Scanner detected an executable file being transmitted over SMB.
# "SMB Client File Download" message for a file named *.exe. dstip is the
# "server on <ip>" text ($8), dstport the second endpoint's port ($6).
# Executables pulled over SMB from an unexpected server are a strong
# lateral-movement / tool-staging indicator; correlate with 4777/4778.
match=pvs
match=SMB
match=lo
match=Download
match=Do
match=ent
match=le
match=|SMB Client File Download
match=rom
match=.exe' from the
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*server on ([0-9]+(\.[0-9]+){3})
log=event:PVS-SMB_Client_EXE_File_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 type:file-access

NEXT

id=4804
name=The Passive Vulnerability Scanner detected a Windows .ini file being transmitted over SMB.
# "SMB Client File Download" message for a file named *.ini. Same extraction
# as 4803 (dstip from "server on <ip>", dstport from the second endpoint).
match=pvs
match=SMB
match=lo
match=Download
match=Do
match=ent
match=le
match=|SMB Client File Download
match=rom
match=.ini' from the
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*server on ([0-9]+(\.[0-9]+){3})
log=event:PVS-SMB_Client_INI_File_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 type:file-access

NEXT

id=4805
name=The Passive Vulnerability Scanner has detected a DNS query from a remote client.
# PVS plugin 7024 ("DNS Client Queries"). dstip is the resolver named in the
# "server at <ip>" text ($8); dstport is the second endpoint's port ($6).
# The variant of the message that lists the queried names ("This client has
# requested name resolution for the following ...") is excluded here.
match=pvs
match=|70
match=DNS
match=ent
match=|7024|DNS Client Queries|
match=ser
match=ed
match=PVS has observed
match=!This client has requested name resolution for the following
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*server at ([0-9]+(\.[0-9]+){3})
log=event:PVS-DNS_Client_Query srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:17 type:dns

NEXT

id=4806
name=The Passive Vulnerability Scanner has detected an internal interactive session.
# PVS plugin 4 ("internal-interactive-session"). Endpoints are the two
# leading ip:port fields; no proto is set. One of six session-class rules
# (4806-4811): internal/outbound/inbound x interactive/encrypted.
match=pvs
match=ion
match=ss
match=session
match=|4|internal-interactive-session|
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-Internal_Interactive_Session srcip:$1 srcport:$3 dstip:$4 dstport:$6 type:network

NEXT

id=4807
name=The Passive Vulnerability Scanner has detected an outbound-interactive-session.
# PVS plugin 5 ("outbound-interactive-session"). An interactive session
# leaving the network is worth baselining - reverse shells and interactive
# C2 show up here.
match=pvs
match=ion
match=ss
match=session
match=|5|outbound-interactive-session|
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-Outbound_Interactive_Session srcip:$1 srcport:$3 dstip:$4 dstport:$6 type:network

NEXT

id=4808
name=The Passive Vulnerability Scanner has detected an inbound-interactive-session.
# PVS plugin 6 ("inbound-interactive-session"). Note the match string
# "|6|inbound-..." is the plugin id, not the protocol field.
match=pvs
match=ion
match=ss
match=session
match=|6|inbound-interactive-session|
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-Inbound_Interactive_Session srcip:$1 srcport:$3 dstip:$4 dstport:$6 type:network

NEXT

id=4809
name=The Passive Vulnerability Scanner has detected an internal-encrypted-session.
# PVS plugin 7 ("internal-encrypted-session"). Endpoints are the two leading
# ip:port fields; no proto is set.
match=pvs
match=ion
match=ss
match=session
match=ed
match=pt
match=|7|internal-encrypted-session|
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-Internal_Encrypted_Session srcip:$1 srcport:$3 dstip:$4 dstport:$6 type:network

NEXT

id=4810
name=The Passive Vulnerability Scanner has detected an outbound-encrypted-session.
# PVS plugin 8 ("outbound-encrypted-session"). Encrypted sessions to
# unexpected external hosts are the usual place to look for covert channels.
match=pvs
match=ion
match=ss
match=session
match=ed
match=pt
match=|8|outbound-encrypted-session|
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-Outbound_Encrypted_Session srcip:$1 srcport:$3 dstip:$4 dstport:$6 type:network

NEXT

id=4811
name=The Passive Vulnerability Scanner has detected an inbound-encrypted-session.
# PVS plugin 9 ("inbound-encrypted-session"). Endpoints are the two leading
# ip:port fields; no proto is set.
match=pvs
match=ion
match=ss
match=session
match=ed
match=pt
match=|9|inbound-encrypted-session|
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-Inbound_Encrypted_Session srcip:$1 srcport:$3 dstip:$4 dstport:$6 type:network

NEXT

id=4812
name=The Passive Vulnerability Scanner has detected hidden ViewState form field.
# PVS plugin 7005 ("ViewState detection and decode"): PVS reports that it
# could decode an ASP.NET ViewState field in transit. dstip is the
# "to web server (<ip>)" text ($8); dstport is the second endpoint's port.
# Classified type:vulnerability since the decoded state is readable on the
# wire.
match=pvs
match=|70
match=St
match=ate
match=ion
match=|7005|ViewState detection and decode|
match=ect
match=an
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*to web server \(([0-9]+(\.[0-9]+){3})\)
log=event:PVS-ViewState_Detection_and_Decode srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:6 type:vulnerability

NEXT

id=4813
name=The Passive Vulnerability Scanner has detected a FTP file download.
# PVS plugin 7006 ("FTP file detection"). dstip is the "remote FTP server
# at <ip>" text ($8); dstport is the second endpoint's port ($6). The file
# name is not extracted.
match=pvs
match=|70
match=TP
match=ion
match=le
match=|7006|FTP file detection|
match=FTP
match=ser
match= remote FTP server
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*remote FTP server at ([0-9]+(\.[0-9]+){3})
log=event:PVS-FTP_File_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:6 type:file-access

NEXT

id=4814
name=The Passive Vulnerability Scanner has enumerated an FTP username.
# PVS plugin 7008 ("FTP UserID enumeration"): a clear-text FTP login was
# seen. dstip is the first ip after "these credentials to log into" (the
# non-greedy .*? stops at the first address); dstport is the second
# endpoint's port. The user name is left in the raw message, not normalized.
match=pvs
match=|70
match=ser
match=TP
match=ion
match=|7008|FTP UserID enumeration|
match=FTP
match=ent
match=The remote FTP client
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*these credentials to log into.*?([0-9]+(\.[0-9]+){3})
log=event:PVS-FTP_UserID_Enumeration srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:6 type:network

NEXT

id=4815
name=The Passive Vulnerability Scanner has enumerated a POP username.
# PVS plugin 7010 ("POP UserID enumeration"): clear-text POP credentials
# seen on the wire. dstip is the ip after "these credentials to log into"
# ($8). The user name is not normalized into the event.
match=pvs
match=|70
match=ser
match=ion
match=|7010|POP UserID enumeration|
match=The remote POP UserID
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*these credentials to log into ([0-9]+(\.[0-9]+){3})
log=event:PVS-POP_UserID_Enumeration srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:6 type:network

NEXT

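id=4816
name=The Passive Vulnerability Scanner has enumerated an IMAP username.
# PVS plugin 7012 ("IMAP UserID Enumeration"): clear-text IMAP credentials
# seen on the wire. Groups: $8 = account name from "account is: <name>",
# $9 = server ip from "log into <ip>", dstport = second endpoint's port.
# Unlike the FTP/POP siblings this rule DOES copy the login name into the
# event (user:$8), so the normalized events contain account identifiers and
# should be access-controlled accordingly.
match=pvs
match=|70
match=ser
match=ion
match=|7012|IMAP UserID Enumeration|
match=ss
match=ass
match=ate
match=ed
match=associated with the IMAP account
match=acc
match=AP
# Fix: the account character class used "A-z", a range that also admits
# "[", "\", "]", "^", "`" and "_" by accident; it is now A-Za-z, which is
# what was intended. proto:6 is added for consistency with 4814/4815.
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*account is: ([A-Za-z0-9._\-\@]+) and the user was observed using these credentials to log into ([0-9]+(\.[0-9]+){3})
log=event:PVS-IMAP_UserID_Enumeration srcip:$1 srcport:$3 dstip:$9 dstport:$6 proto:6 type:network user:$8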

NEXT

id=4817
name=The Passive Vulnerability Scanner has enumerated a list of SMTP usernames.
# PVS plugin 7015 ("SMTP UserID Enumeration"). Only the two leading ip:port
# fields are normalized; the list of user IDs in the message body is not
# extracted (the trailing ".*" in the regex is a no-op).
match=pvs
match=|70
match=ser
match=TP
match=ion
match=|7015|SMTP UserID Enumeration|
match=ent
match=ss
match=ass
match=ate
match=ed
match=SMTP UserIDs associated with this client
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*
log=event:PVS-SMTP_UserID_Enumeration srcip:$1 srcport:$3 dstip:$4 dstport:$6 type:network

NEXT

id=4818
name=The Passive Vulnerability Scanner has identified default credentials being used.
# PVS plugin 7022 ("Default Credentials check"). dstip is the host named in
# "These credentials were used to log into <ip>" ($8). The credential values
# themselves are not copied into the event. A default-credential login is an
# actionable finding: the service is exposed with a vendor password.
match=pvs
match=|70
match=ent
match=ed
match=|7022|Default Credentials check|
match=ser
match=default credentials.
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*These credentials were used to log into ([0-9]+(\.[0-9]+){3})
log=event:PVS-Default_Credentials_Detected srcip:$1 srcport:$3 dstip:$8 dstport:$6 type:vulnerability

NEXT

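id=4819
# Fix: grammar in the description ("a DNS lookups").
name=The Passive Vulnerability Scanner has detected a DNS lookup to a potentially dangerous server.
# Fires when a "DNS Client Queries" message mentions DNSChanger, i.e. the
# client is resolving through a server PVS associates with that malware.
# dstip is the first address in the "to the following servers | -<ip>" list
# ($8); only that first server is captured. Classified type:virus.
# NOTE(review): this rule keys on plugin id 7055 while 4805 keys on 7024 for
# the same plugin name - confirm both ids are current.
match=pvs
match=|70
match=DNS
match=ent
match=|7055|DNS Client Queries|
match=ser
match=lo
match=DNSChanger
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*to the following servers  \|    -([0-9]+(\.[0-9]+){3})
log=event:PVS-DNSChanger_Malware srcip:$1 srcport:$3 dstip:$8 dstport:$6 type:virus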

NEXT

id=4820
name=The Passive Vulnerability Scanner has reported on a DNS resolution.
# PVS plugin 7026 ("DNS resolution reporting"). dstip is the resolver named
# in "DNS server at <ip>" ($8). The resolved name is not extracted.
match=pvs
match=|70
match=DNS
match=ol
match=ion
match=ing
match=|7026|DNS resolution reporting|
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*DNS server at ([0-9]+(\.[0-9]+){3})
log=event:PVS-DNS_Resolution_Reporting srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:17 type:dns

NEXT

id=4821
name=The Passive Vulnerability Scanner has detected a DNS Client Failed Query.
# PVS plugin 7027 ("DNS Client Failed Query"). dstip is the resolver named
# in "DNS server at <ip>" ($8); dstport is fixed at 53 rather than taken
# from the message. Bursts of NXDOMAIN-style failures from one srcip are a
# classic DGA / sinkhole indicator.
match=pvs
match=|70
match=DNS
match=PVS
match=ent
match=ail
match=le
match=ed
match=|7027|DNS Client Failed Query|
match=lo
match=perform a failed DNS lookup
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*DNS server at ([0-9]+(\.[0-9]+){3})
log=event:PVS-DNS_Client_Failed_Query srcip:$1 srcport:$3 dstip:$8 dstport:53 proto:17 type:dns

NEXT

id=4822
name=The PVS has detected a Microsoft Group Policy server.
# PVS plugin 7031 ("Microsoft Group Policy server detection"). There is no
# match=pvs line here; the "pvs: " anchor in the regex provides that check.
match=|70
match=ser
match=ol
match=ion
match=|7031|Microsoft Group Policy server detection
match=ect
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-Microsoft_Group_Policy_Server_Detection srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network

NEXT

id=4823
name=The PVS has observed a Microsoft Group Policy client download.
# PVS plugin 7032 ("Microsoft Group Policy client download detection").
# dstip is the "from server(<ip>" text ($8); dstport is the second
# endpoint's port. A GPO download from a server that is not a known domain
# controller is worth investigating.
match=|70
match=ent
match=ol
match=lo
match=ion
match=|7032|Microsoft Group Policy client download detection
match=ect
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*from server\(([0-9]+(\.[0-9]+){3})
log=event:PVS-Microsoft_Group_Policy_Client_Download_Detection srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:6 type:file-access

# id=4824 available

NEXT

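id=4825
name=The PVS has detected a failed MySQL database login.
# PVS plugin 5633 ("MySQL Server Failed Login"). Endpoints are the two
# leading ip:port fields; the regex requires the trailing "|" after the
# protocol field. Emitted as type:login-failure so it feeds the LCE
# brute-force correlation like other login failures.
# Fix: the "|5633|MySQL Server Failed Login" match line was listed twice;
# the duplicate is removed.
match=|5633|MySQL Server Failed Login
match=Login
match=io
match=Server
match=Detection
match=le
match=ail
match=on
match=|6|
match=etection
match=Failed
match=De
match=ct
match= Failed
match=il
match=ailed 
match=Lo
match=pvs
match=er
match=Ser
match=gi
match=rv
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)\|
log=event:PVS-MySQL_Server_Failed_Login srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:login-failure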

NEXT

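id=1950
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP.
# Catch-all for PVS plugin 7041 ("HTTP request detection"). Every request
# whose file extension has its own rule (1951, 1953, 1955-1961, ...) is
# excluded via the negated ".ext;Referer:" entries, as are requests with
# ";Query: YES;" and messages already carrying PVS-Malicious_Web_Request.
# Regex groups: $1/$3 client ip:port, $4 protocol field, $5/$7 server
# ip:port from the "DIP: ip:port;" text.
match=pvs
match=|70
match=TP
match=HTTP
match=est
match=ion
match=|7041|HTTP request detection|The
match=ect
match=GET
# IMPORTANT: every ".ext;Referer:" entry below ends with a trailing space.
# Editors that strip trailing whitespace will silently change what these
# negated matches exclude - keep the trailing space on each line.
# Fix: the "!.xls;Referer:" entry was listed twice; the duplicate is gone.
match=!.asp;Referer:
match=!.avi;Referer:
match=!.bmp;Referer:
match=!.cgi;Referer:
match=!.dmg;Referer:
match=!.doc;Referer:
match=!.docx;Referer:
match=!.gif;Referer:
match=!.exe;Referer:
match=!.flv;Referer:
match=!gz;Referer:
match=!.htm;Referer:
match=!.html;Referer:
match=!.iso;Referer:
match=!.java;Referer:
match=!.jpeg;Referer:
match=!.jpg;Referer:
match=!.js;Referer:
match=!.mpg;Referer:
match=!.mpeg;Referer:
match=!.mpa;Referer:
match=!.m4a;Referer:
match=!.mp3;Referer:
match=!.mp4;Referer:
match=!.mov;Referer:
match=!.msi;Referer:
match=!.pdf;Referer:
match=!.php;Referer:
match=!.pkg;Referer:
match=!.png;Referer:
match=!.pps;Referer:
match=!.ppt;Referer:
match=!.pptx;Referer:
match=!.ra;Referer:
match=!.ram;Referer:
match=!.rar;Referer:
match=!.rpm;Referer:
match=!.rtf;Referer:
match=!.rm;Referer:
match=!.rss;Referer:
match=!.swf;Referer:
match=!.torrent;Referer:
match=!.txt;Referer:
match=!.vcd;Referer:
match=!.wav;Referer:
match=!.wma;Referer:
match=!.wmv;Referer:
match=!.xap;Referer:
match=!.xls;Referer:
match=!.xml;Referer:
match=!.xlsx;Referer:
match=!.zip;Referer:
match=!;Query: YES;
match=!PVS-Malicious_Web_Request
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access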

NEXT 

id=1951
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for an XML file.
# PVS plugin 7041 ("HTTP request detection") for a GET whose path ends in
# .xml. Server ip:port comes from the "DIP: ip:port;" text ($5/$7).
# The ".xml;Referer:" entry is expected to carry a trailing space (see the
# note on rule 1950); do not let an editor strip it.
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.xml;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_File_XML_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access

NEXT

id=1952
name=The PVS Proxy has received a connection.
# PVS proxy daemon log "(PVS Proxy) ... Connection from <ip>". srcip is the
# connecting client; no port is available in the message. Pair with 1954
# (login failure) to spot brute-forcing of the PVS management interface.
match=onnect
match=onnection
match=rom
match= [
match= from
match=PVS
match=(PVS Proxy)
match=Connection
match=from
match=ect
match=ion
match=Connection from
regex=Connection from ([0-9]+(\.[0-9]+){3})
log=event:PVS-Proxy_Connection type:connection srcip:$1

NEXT 

id=1953
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a web page rendered by a Microsoft Active Server Pages application.
# PVS plugin 7041 for a GET whose path ends in .asp. Same extraction as
# 1951; the ".asp;Referer:" entry is expected to carry a trailing space.
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.asp;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Content_ASP_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access

NEXT

id=1954
name=The PVS Proxy had a connection resulting in a login failure. 
# PVS proxy daemon log "svr_login() failed, client host : <ip>". srcip is
# the client that failed to authenticate to the PVS management proxy.
# Emitted as type:login-failure so repeated failures from one host feed the
# LCE brute-force correlation; this is the sensor's own admin interface, so
# treat sustained failures as an attack on the monitoring infrastructure.
match=failed
match= client
match=in
match=lo
match= [
match=:
match=(PVS Proxy)
match=ailed
match=le
match=ail
match=PVS
match=, client
match=log
match=ent
match=login
match= failed
match=ed
match=ogin
match=host
match=client
match=svr_login() failed, client host
regex=client host \: ([0-9]+(\.[0-9]+){3})
log=event:PVS-Proxy_Login_Failure srcip:$1 type:login-failure 

NEXT 

id=1955
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for an AVI video file. 
# PVS plugin 7041 for a GET whose path ends in .avi. Same extraction as
# 1951; the ".avi;Referer:" entry is expected to carry a trailing space.
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.avi;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Video_AVI_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access

NEXT 

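id=1956
# Fix: article in the description ("an BMP").
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a BMP image file. 
# PVS plugin 7041 for a GET whose path ends in .bmp. Server ip:port comes
# from the "DIP: ip:port;" text ($5/$7). The ".bmp;Referer:" entry is
# expected to carry a trailing space (see the note on rule 1950).
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.bmp;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Image_BMP_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access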

NEXT 

id=1957
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a web site rendered by a CGI form. 
# PVS plugin 7041 for a GET whose path ends in .cgi. Same extraction as
# 1951; the ".cgi;Referer:" entry is expected to carry a trailing space.
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.cgi;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Content_CGI_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access

NEXT 

id=1959
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a DMG file which is likely a Mac OS X application file. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.dmg;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Disk_DMG_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access

NEXT 

id=1960
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a Microsoft Word .doc file. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.doc;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Office_DOC_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access

NEXT 

id=1961
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a Microsoft Word .docx file. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.docx;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Office_DOCX_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access

NEXT

id=1963
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a GIF image. 
match=GET
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=.gif;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Image_GIF_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access

NEXT

id=1964
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a Windows executable file. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.exe;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Executable_EXE_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access

NEXT

id=1965
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a flash video file. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.flv;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Video_FLV_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access

NEXT

id=1966
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for file compressed by the Gnu Zip program. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=gz;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_File_GZ_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access
# NOTE(review): the extension filter is "gz;Referer:" with no leading dot, unlike
# the ".xxx;Referer:" form used by the sibling 7041 rules, so a request path
# ending in ".tgz" (or anything else ending in "gz") also satisfies it. Presumably
# intended to cover .tar.gz/.tgz in one rule; confirm, or use ".gz;Referer:" if
# only .gz is meant.

NEXT

id=1967
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for an HTML file. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.htm;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Content_HTM_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access

NEXT

id=1968
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for an HTML file. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.html;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Content_HTML_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access

NEXT

id=1969
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a CD or DVD .iso image. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.iso;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Disk_ISO_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access

NEXT

id=1970
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for Java source code. This code may have been executed by the browser. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.java;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Executable_JAVA_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access

NEXT

id=1971
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a .jpeg image file. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.jpeg;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Image_JPEG_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access

NEXT

id=1972
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a .jpg image file. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.jpg;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Image_JPG_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access

NEXT

id=1973
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for JavaScript code. This code was likely executed on the downloading web browser.
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.js;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Executable_JS_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access

NEXT

id=1974
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for an MPEG video with a .mpg extension.
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.mpg;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Video_MPG_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access

NEXT

id=1975
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for an MPEG video with a .mpeg extension.
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.mpeg;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Video_MPEG_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access

NEXT

id=1976
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for an MPEG-2 audio file with a .mpa extension.
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.mpa;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Audio_MPA_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access

NEXT

id=1977
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for an MPEG-4 audio file with a .m4a extension.
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.m4a;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Audio_M4A_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access

NEXT

id=1978
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for an MP3 audio file with a .mp3 extension.
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.mp3;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Audio_MP3_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access

NEXT

id=1979
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for an MPEG-4 media file with a .mp4 extension.
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.mp4;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Media_MP4_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access

NEXT

id=1980
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for an Apple Quicktime video file.
match=GET
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=.mov;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Video_MOV_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access

NEXT

id=1981
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a Microsoft installer package file. 
match=GET
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=.msi;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Executable_MSI_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access

NEXT

id=1982
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for an Adobe PDF or compatible file. 
match=pvs
match=|70
match=TP
match=HTTP
match=ion
match=detection
match=ect
match=est
match=|7041|HTTP request detection|The
match=GET
match=.pdf;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Office_PDF_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access

NEXT

id=1983
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for dynamic content generated by a PHP program.
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.php;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Content_PHP_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access

NEXT

id=1984
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a Unix software package file. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.pkg;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Executable_PKG_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access

NEXT

id=1985
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a PNG image file. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.png;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Image_PNG_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access

NEXT

id=1986
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a Microsoft .pps PowerPoint presentation file. 
match=pvs
match=|70
match=TP
match=HTTP
match=ion
match=detection
match=ect
match=est
match=|7041|HTTP request detection|The
match=GET
match=.pps;Referer:
match=pp
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Office_PPS_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access

NEXT

id=1987
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a Microsoft .ppt PowerPoint presentation file. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=pt
match=.ppt;Referer:
match=pp
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Office_PPT_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access

NEXT

id=1988
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a Real Audio .ram sound file. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.ram;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Audio_RAM_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access

NEXT

id=1989
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a Real Audio .ra sound file. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.ra;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Audio_RA_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access

NEXT

id=1990
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a Roshal Archive .rar file.
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=ar
match=.rar;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_File_RAR_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access

NEXT

id=1991
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a Redhat Package Manager .rpm file.
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.rpm;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Executable_RPM_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access

NEXT

id=1992
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a Real Media audio or video file. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.rm;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Media_RM_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access

NEXT

id=1993
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a Rich Site Summary .rss file. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=ss
match=.rss;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Content_RSS_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access

NEXT

id=1994
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a FLASH video file. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.swf;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Media_SWF_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access

NEXT

id=1996
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a .torrent file. Torrent files contain information for downloading files via common Torrent applications such as uTorrent and BitTorrent. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=ent
match=rr
match=.torrent;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_File_TORRENT_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access

NEXT

id=1999
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a virtual CD image file.
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.vcd
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Disk_VCD_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access
# NOTE(review): unlike the sibling 7041 rules, the extension filter here is ".vcd"
# without the ";Referer:" suffix, and the regex does not constrain the extension
# at all, so presumably any 7041 request line containing ".vcd" anywhere (path,
# query string, Host or Referer value) is reported. Confirm this is intended, or
# use ".vcd;Referer:" for consistency with the other file-type rules.

# id=1750 available

NEXT

id=1751
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a Microsoft Windows .wav audio file.
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.wav;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Audio_WAV_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access

NEXT

id=1752
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a Microsoft Windows .wma audio file.
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.wma;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Audio_WMA_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access

NEXT

id=1753
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for Microsoft Windows .wmv video file. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=Re
match=re
match=.wmv
match=er
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Video_WMV_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access
# NOTE(review): the extension filter is ".wmv" plus the loose fragments "Re",
# "re" and "er" rather than the ".wmv;Referer:" form used by the sibling rules,
# so ".wmv" is not required to sit at the end of the request path. Presumably
# deliberate (e.g. so .wmv URLs carrying a query string still match); confirm,
# since the regex itself does not constrain the extension.

NEXT

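id=1754
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a Microsoft Windows Excel .xlsx spreadsheet file.
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.xlsx;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Office_XLSX_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access
# NOTE(review): the description previously said ".xls" while the filter and the
# event name are .xlsx; the description now states what the rule actually
# reports. No rule in this family covers legacy ".xls" requests (id 1755 is
# unassigned), so such requests are currently not reported.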

NEXT

id=1756
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a ZIP compressed file. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.zip;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_File_ZIP_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access

NEXT

id=1757
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a Microsoft .pptx PowerPoint presentation file. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=pt
match=.pptx;Referer:
match=pp
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Office_PPTX_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access

NEXT

id=1758
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for an ASCII text file. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.txt;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Office_TXT_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access

# id=1759 available

NEXT

id=1760
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a Rich Text Format .rtf file. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.rtf;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Office_RTF_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access

NEXT

id=1761
name=The Passive Vulnerability Scanner detected a Word Document file being transmitted over SMB.
match=pvs
match=lo
match=Download
match=Do
match=ent
match=le
match=|SMB Client File Download
match=rom
match=.doc' from the
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*server on ([0-9]+(\.[0-9]+){3})
log=event:PVS-SMB_Client_DOC_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 type:file-access

NEXT

id=1762
name=The Passive Vulnerability Scanner detected a Word Document file being transmitted over SMB.
match=pvs
match=lo
match=Download
match=Do
match=ent
match=le
match=|SMB Client File Download
match=rom
match=.docx' from the
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*server on ([0-9]+(\.[0-9]+){3})
log=event:PVS-SMB_Client_DOCX_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 type:file-access

NEXT

id=1763
name=The Passive Vulnerability Scanner detected an Excel spreadsheet being transmitted over SMB.
match=pvs
match=lo
match=Download
match=Do
match=ent
match=le
match=|SMB Client File Download
match=rom
match=.xls' from the
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*server on ([0-9]+(\.[0-9]+){3})
log=event:PVS-SMB_Client_XLS_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 type:file-access

NEXT

id=1764
name=The Passive Vulnerability Scanner detected an Excel spreadsheet being transmitted over SMB.
match=pvs
match=lo
match=Download
match=Do
match=ent
match=le
match=|SMB Client File Download
match=rom
match=.xlsx' from the
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*server on ([0-9]+(\.[0-9]+){3})
log=event:PVS-SMB_Client_XLSX_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 type:file-access

NEXT

id=1765
name=The Passive Vulnerability Scanner detected a PowerPoint file being transmitted over SMB.
match=pvs
match=lo
match=Download
match=Do
match=ent
match=le
match=|SMB Client File Download
match=rom
match=pt
match=.ppt' from the
match=pp
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*server on ([0-9]+(\.[0-9]+){3})
log=event:PVS-SMB_Client_PPT_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 type:file-access

NEXT

id=1766
name=The Passive Vulnerability Scanner detected a PowerPoint file being transmitted over SMB.
match=pvs
match=lo
match=Download
match=Do
match=ent
match=le
match=|SMB Client File Download
match=rom
match=pt
match=.pptx' from the
match=pp
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*server on ([0-9]+(\.[0-9]+){3})
log=event:PVS-SMB_Client_PPTX_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 type:file-access

NEXT

id=1767
name=The Passive Vulnerability Scanner detected a PowerPoint presentation file being transmitted over SMB.
match=pvs
match=lo
match=Download
match=Do
match=ent
match=le
match=|SMB Client File Download
match=rom
match=.pps' from the
match=pp
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*server on ([0-9]+(\.[0-9]+){3})
log=event:PVS-SMB_Client_PPS_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 type:file-access

NEXT

id=1768
name=The Passive Vulnerability Scanner detected an ASCII text file being transmitted over SMB.
match=pvs
match=lo
match=Download
match=Do
match=ent
match=le
match=|SMB Client File Download
match=rom
match=.txt' from the
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*server on ([0-9]+(\.[0-9]+){3})
log=event:PVS-SMB_Client_TXT_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 type:file-access

NEXT

id=1769
name=The Passive Vulnerability Scanner detected a Rich Text Format document file being transmitted over SMB.
match=pvs
match=lo
match=Download
match=Do
match=ent
match=le
match=|SMB Client File Download
match=rom
match=.rtf' from the
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*server on ([0-9]+(\.[0-9]+){3})
log=event:PVS-SMB_Client_RTF_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 type:file-access

NEXT

id=1770
name=The Passive Vulnerability Scanner detected an Adobe PDF file being transmitted over SMB.
match=pvs
match=lo
match=Download
match=Do
match=ent
match=le
match=|SMB Client File Download
match=rom
match=.pdf' from the
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*server on ([0-9]+(\.[0-9]+){3})
log=event:PVS-SMB_Client_PDF_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 type:file-access

NEXT

id=1771
name=The Passive Vulnerability Scanner detected an Outlook mailbox file being transmitted over SMB.
match=pvs
match=lo
match=Download
match=Do
match=ent
match=le
match=|SMB Client File Download
match=rom
match=.pst' from the
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*server on ([0-9]+(\.[0-9]+){3})
log=event:PVS-SMB_Client_PST_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 type:file-access

# id=1772 available
# id=1773 available
# id=1774 available
# id=1775 available
# id=1776 available
# id=1777 available
# id=1778

NEXT

id=1779
name=The Passive Vulnerability Scanner detected a comma-separated values (CSV) file being transmitted over SMB.
match=pvs
match=lo
match=Download
match=Do
match=ent
match=le
match=|SMB Client File Download
match=rom
match=.csv' from the
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*server on ([0-9]+(\.[0-9]+){3})
log=event:PVS-SMB_Client_CSV_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 type:file-access

NEXT

id=1780
name=The Passive Vulnerability Scanner detected a SQL database file being transmitted over SMB.
match=pvs
match=lo
match=Download
match=Do
match=ent
match=le
match=|SMB Client File Download
match=rom
match=.sql' from the
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*server on ([0-9]+(\.[0-9]+){3})
log=event:PVS-SMB_Client_SQL_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 type:file-access

NEXT

id=1781
name=The Passive Vulnerability Scanner has reported the IP protocols in use on a given server.
match=pvs
match=|7043|Generic Protocol Detection
match=io
match=on
match=tion
match=te
match=De
match=etection
match=co
match=en
match=ic
match=ol
match=ti
match=Detection
match=to
match=er
match=ect
match=ion
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})\|
log=event:PVS-IP_Protocol_Tracking srcip:$1 srcport:$3 dstip:$4 dstport:$6 type:network

NEXT

id=1782
name=The Passive Vulnerability Scanner has reported an expired SSL certificate in use.
match=pvs
match=|7052|SSL Expired Certificate Detection|
match=|70
match=Ex
match=ed
match=Ce
match=te
match=De
match=on
match=6
match=SSL
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})\|
log=event:PVS-SSL_Expired_Certificate_Detection srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network

# id=1783
# id=1784 available

NEXT

id=1785
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a Silverlight .xap file.
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.xap;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Media_XAP_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access

NEXT 

id=1786
name=The Passive Vulnerability Scanner has detected a system performing a web query. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=;Query: YES;
match=!;Host: www.google.com;
match=!search.yahoo.com;User-Agent:
match=!Host: www.bing.com;
match=!.wikipedia.org;User-Agent:
match=!Host: www.ask.com
match=!.baidu.com;
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Query_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access

NEXT 

id=1787
name=The Passive Vulnerability Scanner has detected a system performing a Baidu web search.
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=;Query: YES;
match=.baidu.com;
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Query_Baidu_Search srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access


NEXT 

id=1788
name=The Passive Vulnerability Scanner has detected a system performing a web query to Google.
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=;Query: YES;
match=le
match=;Host: www.google.com;
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Query_Google_Search srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access

NEXT 

id=1789
name=The Passive Vulnerability Scanner has detected a system performing a web search to Yahoo. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=;Query: YES;
match=ent
match=ser
match=ar
match=search.yahoo.com;User-Agent:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Query_Yahoo_Search srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access

NEXT 

id=1790
name=The Passive Vulnerability Scanner has detected a system performing a web search to Microsoft Bing. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=;Query: YES;
match=ing
match=Host: www.bing.com;
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Query_Bing_Search srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access

NEXT 

id=1791
name=The Passive Vulnerability Scanner has detected a system performing a Wikipedia web search. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=;Query: YES;
match=ent
match=ser
match=ed
match=.wikipedia.org;User-Agent:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Query_Wikipedia_Search srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access

NEXT 

id=1792
name=The Passive Vulnerability Scanner has detected a system performing an Ask.com web search. 
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=;Query: YES;
match=Host: www.ask.com
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Query_Ask.Com_Search srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access

NEXT

id=1793
name=The Passive Vulnerability Scanner has detected an email attachment.
# Catch-all for PVS plugin 7042.  The negated matches below are meant to hand the
# listed extensions over to their dedicated rules (id=4827 onward) so that only
# one event is raised per attachment.
# NOTE(review): the dedicated rules key on the form  .exe" as an  (double quote,
# "as an"), whereas these negations key on  .exe' from the  (single quote, "from
# the").  If a live 7042 message only ever uses the former, none of these
# negations fire and this rule raises a second event next to the dedicated one
# — confirm against a real message and align the negation strings.
match=pvs
match=|70
match=ail
match=Email
match=ect
match=ion
match=detection
match=ent
match=|7042|Email attachment detection
match=!.doc' from the
match=!.docx' from the
match=!.exe' from the
match=!.msi' from the
match=!.pdf' from the
match=!.pps' from the
match=!.pst' from the
match=!.ppt' from the
match=!.pptx' from the
match=!.rtf' from the
match=!.xls' from the
match=!.xlsx' from the
match=!.vcf' from the
match=!.zip' from the
# Groups: 1-2 source ip, 3 source port, 4 protocol number, 5-6 the SMTP server
# address quoted in the message text (used as dstip; dstport is fixed at 25).
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7042\|.*SMTP server at \(([0-9]+(\.[0-9]+){3})\)
log=event:PVS-Email_Attachment_Detection type:file-access srcip:$1 srcport:$3 dstip:$5 dstport:25 proto:6

NEXT

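id=1794
name=The Passive Vulnerability Scanner has detected Dropbox installed on the remote host.
match=pvs
match=sta
match=|4936|
match=le
match=ed
match=|Dropbox is installed
# The regex follows the "pvs: src:port|dst:port|proto|plugin|text" layout used by
# the other explicit-field rules in this file (e.g. id=1781, id=4926).  Two
# defects are corrected here: the "|" before "Dropbox" was unescaped, which made
# the pattern an alternation whose second branch matched the plain text and
# captured nothing; and the log line referenced $5, a group the old pattern never
# defined, so srcip/dstip were empty on every event.
# Groups: 1-2 source ip, 3 source port, 4-5 destination ip, 6 destination port,
# 7 protocol number.
# NOTE(review): assumes the second field of a 4936 message is dstip:port like the
# other pvs: rules here — confirm against a live event.
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,3})\|4936\|Dropbox is installed
# proto:17 is kept as the author set it; dstport added for consistency with the
# neighbouring rules.
log=event:PVS-Dropbox_Detected type:file-access srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:17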

# Beginning IDs at 4827 due to duplicate issues at 1800

NEXT

id=4827
name=The Passive Vulnerability Scanner detected an executable file being transmitted as an email attachment.
match=pvs
match=|70
match=ail
match=Email
match=ect
match=ion
match=detection
match=ent
match=|7042|Email attachment detection
match=.exe" as an
match=an
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7042\|.*SMTP server at \(([0-9]+(\.[0-9]+){3})\)
log=event:PVS-Email_Attachment_EXE_Detected type:file-access srcip:$1 srcport:$3 dstip:$5 dstport:25 proto:6


NEXT

id=4829
name=The Passive Vulnerability Scanner detected a Word Document file being transmitted as an email attachment.
match=pvs
match=|70
match=ail
match=Email
match=ect
match=ion
match=detection
match=ent
match=|7042|Email attachment detection
match=.doc" as an
match=an
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7042\|.*SMTP server at \(([0-9]+(\.[0-9]+){3})\)
log=event:PVS-Email_Attachment_DOC_Detected type:file-access srcip:$1 srcport:$3 dstip:$5 dstport:25 proto:6


NEXT

id=4830
name=The Passive Vulnerability Scanner detected a Word Document file being transmitted as an email attachment.
match=pvs
match=|70
match=ail
match=Email
match=ect
match=ion
match=detection
match=ent
match=|7042|Email attachment detection
match=.docx" as an
match=an
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7042\|.*SMTP server at \(([0-9]+(\.[0-9]+){3})\)
log=event:PVS-Email_Attachment_DOCX_Detected type:file-access srcip:$1 srcport:$3 dstip:$5 dstport:25 proto:6

NEXT

id=4834
name=The Passive Vulnerability Scanner has detected an FTP server session start.
match=|5972|FTP Server Session Initiated
match=In
match=TP
match=Server
match=FTP
match=pvs
match=Session
match=|6|
match=ed
match=ss
match=ate
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-FTP_Server_Session_Started srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network

NEXT

id=4835
name=The Passive Vulnerability Scanner detected an installable executable file being transmitted as an email attachment.
match=pvs
match=|70
match=ail
match=Email
match=ect
match=ion
match=detection
match=ent
match=|7042|Email attachment detection
match=.msi" as an
match=an
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7042\|.*SMTP server at \(([0-9]+(\.[0-9]+){3})\)
log=event:PVS-Email_Attachment_MSI_Detected type:file-access srcip:$1 srcport:$3 dstip:$5 dstport:25 proto:6

# id=4836 available

NEXT

id=4837
name=The PVS has observed a node perform an mDNS query.
match=|7051|
match=|70
match=|17|
match=lo
match=Client
match=PVS has observed
match=17
match=DNS
match=ser
match=ce
match=pvs
match=PVS
match=for
match=ent
match=ed
match=host
regex=pvs: ([0-9]+(\.[0-9]+){3})\:.* server at ([0-9]+(\.[0-9]+){3})
log=event:PVS-mDNS_Lookup type:dns srcip:$1 dstip:$3 proto:17

NEXT

id=4838
name=The Passive Vulnerability Scanner detected a PDF file being transmitted as an email attachment.
match=pvs
match=|70
match=ail
match=Email
match=ect
match=ion
match=detection
match=ent
match=|7042|Email attachment detection
match=.pdf" as an
match=an
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7042\|.*SMTP server at \(([0-9]+(\.[0-9]+){3})\)
log=event:PVS-Email_Attachment_PDF_Detected type:file-access srcip:$1 srcport:$3 dstip:$5 dstport:25 proto:6

NEXT

id=4839
name=The Passive Vulnerability Scanner detected a PPS file being transmitted as an email attachment.
match=pvs
match=|70
match=ail
match=Email
match=ect
match=ion
match=detection
match=ent
match=|7042|Email attachment detection
match=.pps" as an
match=pp
match=an
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7042\|.*SMTP server at \(([0-9]+(\.[0-9]+){3})\)
log=event:PVS-Email_Attachment_PPS_Detected type:file-access srcip:$1 srcport:$3 dstip:$5 dstport:25 proto:6

NEXT

id=4840
name=The Passive Vulnerability Scanner detected a PST file being transmitted as an email attachment.
match=pvs
match=|70
match=ail
match=Email
match=ect
match=ion
match=detection
match=ent
match=|7042|Email attachment detection
match=.pst" as an
match=an
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7042\|.*SMTP server at \(([0-9]+(\.[0-9]+){3})\)
log=event:PVS-Email_Attachment_PST_Detected type:file-access srcip:$1 srcport:$3 dstip:$5 dstport:25 proto:6

NEXT

id=4841
name=The Passive Vulnerability Scanner detected a PowerPoint file being transmitted as an email attachment.
match=pvs
match=|70
match=ail
match=Email
match=ect
match=ion
match=detection
match=ent
match=|7042|Email attachment detection
match=pt
match=.ppt" as an
match=pp
match=an
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7042\|.*SMTP server at \(([0-9]+(\.[0-9]+){3})\)
log=event:PVS-Email_Attachment_PPT_Detected type:file-access srcip:$1 srcport:$3 dstip:$5 dstport:25 proto:6

NEXT

id=4842
name=The Passive Vulnerability Scanner detected a PowerPoint file being transmitted as an email attachment.
match=pvs
match=|70
match=ail
match=Email
match=ect
match=ion
match=detection
match=ent
match=|7042|Email attachment detection
match=pt
match=.pptx" as an
match=pp
match=an
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7042\|.*SMTP server at \(([0-9]+(\.[0-9]+){3})\)
log=event:PVS-Email_Attachment_PPTX_Detected type:file-access srcip:$1 srcport:$3 dstip:$5 dstport:25 proto:6

NEXT

id=4843
name=The Passive Vulnerability Scanner detected a Rich Text file being transmitted as an email attachment.
match=pvs
match=|70
match=ail
match=Email
match=ect
match=ion
match=detection
match=ent
match=|7042|Email attachment detection
match=.rtf" as an
match=an
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7042\|.*SMTP server at \(([0-9]+(\.[0-9]+){3})\)
log=event:PVS-Email_Attachment_RTF_Detected type:file-access srcip:$1 srcport:$3 dstip:$5 dstport:25 proto:6

NEXT

id=4844
name=The Passive Vulnerability Scanner detected a Microsoft Excel file being transmitted as an email attachment.
match=pvs
match=|70
match=ail
match=Email
match=ect
match=ion
match=detection
match=ent
match=|7042|Email attachment detection
match=.xls" as an
match=an
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7042\|.*SMTP server at \(([0-9]+(\.[0-9]+){3})\)
log=event:PVS-Email_Attachment_XLS_Detected type:file-access srcip:$1 srcport:$3 dstip:$5 dstport:25 proto:6

NEXT

id=4845
name=The Passive Vulnerability Scanner detected a Microsoft Excel file being transmitted as an email attachment.
match=pvs
match=|70
match=ail
match=Email
match=ect
match=ion
match=detection
match=ent
match=|7042|Email attachment detection
match=.xlsx" as an
match=an
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7042\|.*SMTP server at \(([0-9]+(\.[0-9]+){3})\)
log=event:PVS-Email_Attachment_XLSX_Detected type:file-access srcip:$1 srcport:$3 dstip:$5 dstport:25 proto:6

NEXT

id=4846
name=The Passive Vulnerability Scanner detected a VCF file being transmitted as an email attachment.
match=pvs
match=|70
match=ail
match=Email
match=ect
match=ion
match=detection
match=ent
match=|7042|Email attachment detection
match=.vcf" as an
match=an
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7042\|.*SMTP server at \(([0-9]+(\.[0-9]+){3})\)
log=event:PVS-Email_Attachment_VCF_Detected type:file-access srcip:$1 srcport:$3 dstip:$5 dstport:25 proto:6

NEXT

id=4847
name=The Passive Vulnerability Scanner detected a ZIP file being transmitted as an email attachment.
match=pvs
match=|70
match=ail
match=Email
match=ect
match=ion
match=detection
match=ent
match=|7042|Email attachment detection
match=.zip" as an
match=an
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7042\|.*SMTP server at \(([0-9]+(\.[0-9]+){3})\)
log=event:PVS-Email_Attachment_ZIP_Detected type:file-access srcip:$1 srcport:$3 dstip:$5 dstport:25 proto:6

NEXT

id=4848
name=The Passive Vulnerability Scanner detected a Credit Card number being leaked.
match=pvs
match=|70
match=|6|
match=|7065
match=ect
match=ion
match=detection
match=Data
match=ent
match=|7065|Client Data Leakage detection|
match=ar
match=ed
match=pp
match=ss
match=Credit Card Number
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}).* IP :([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:PVS-Credit_Card_Client_Data_Leakage_Detected srcip:$1 srcport:$2 dstip:$3 proto:6 type:data-leak

NEXT

id=4849
name=The Passive Vulnerability Scanner detected a Social Security number being leaked.
match=pvs
match=|70
match=|6|
match=|7044
match=ect
match=ion
match=Client
match=client
match=detection
match=Data
match=ent
match=|7044|Client Data Leakage detection|
match=ecu
match=ty
match=pp
match=ss
match=Social Security Number
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}).* IP :([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:PVS-Social_Security_Number_Client_Data_Leakage_Detected srcip:$1 srcport:$2 dstip:$3 proto:6 type:data-leak

### 4850 to 4879 taken by Cisco switch PRMs

NEXT

id=4880
name=The Passive Vulnerability Scanner detected a Facebook user ID being transmitted.
match=pvs
match=ser
match=ce
match=ace
match=ion
match=|7045|FaceBook UserID User Enumeration|
match=|70
match=ss
match=ass
match=ate
match=ed
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-Facebook_ID_Detected srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:social-networks

NEXT

id=4881
name=The Passive Vulnerability Scanner detected a Credit Card number being leaked.
match=pvs
match=|6|
match=|70
match=|7065
match=Data
match=ect
match=ion
match=|7065|Server Data Leakage detection|
match=ar
match=ed
match=pp
match=ss
match=Credit Card Number
#regex=Session data\: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}) to ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-Credit_Card_Server_Data_Leakage_Detected srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:data-leak

NEXT

id=4882
name=The Passive Vulnerability Scanner detected a Social Security number being leaked.
match=pvs
match=|6|
match=|70
match=|7044
match=Data
match=ect
match=ion
match=|7044|Server Data Leakage detection|
match=ecu
match=ty
match=ed
match=pp
match=Social Security Number
#regex=Session data\: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}) to ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-Social_Security_Number_Server_Data_Leakage_Detected srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:data-leak

NEXT

id=4883
name=The Passive Vulnerability Scanner has detected a Facebook status update.
match=pvs
match=|6|
match=ce
match=ace
match=St
match=ate
match=Facebook Status Update Detection
match=date
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-Facebook_Status_Update_Detected srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:social-networks

NEXT

id=4884
name=The Passive Vulnerability Scanner has detected CPE Data
match=pvs
match=|70
match=|7025|CPE Data|
match=tem
match=ate
match=le
match=ed
match=ss
match= It is possible to enumerate the CPE names that matched on the remote system
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-CPE_Data_Detected srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:network

NEXT

id=4885
name=The Passive Vulnerability Scanner has detected the start of an SSH server session.
match=pvs
match=SSH
match=St
match=ion
match=ar
match=ss
match=|5936|PVS-SSH-Server-Session_Start|
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-SSH_Server_Session_Start srcip:$3 srcport:$4 dstip:$1 dstport:$2 proto:6 type:network

NEXT

id=4886
name=The Passive Vulnerability Scanner has detected the start of an SSH session.
match=pvs
match=SSH
match=St
match=ion
match=ar
match=ss
match=|5937|PVS-SSH-Session_Start|
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-SSH_Session_Start srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:network

NEXT

id=4887
name=The Passive Vulnerability Scanner has detected a VNC server session.
match=pvs
match=VNC
match=ect
match=ion
match=|5934|VNC Detection|
regex=pvs:[ ]*([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-VNC_Session_Started srcip:$3 srcport:$4 dstip:$1 dstport:$2 proto:6 type:network

NEXT

id=4888
name=The Passive Vulnerability Scanner has detected a Windows RDP server session.
match=pvs
match=RDP
match=ion
match=indo
match=ce
match=|Windows RDP / Terminal Services Detection
match=ect
match={00}
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-Windows_RDP_Session_Started srcip:$3 srcport:$4 dstip:$1 dstport:$2 proto:6 type:network

NEXT

id=4889
name=The Passive Vulnerability Scanner has detected the start of an SSL session.
match=pvs
match=|70
match=SSL
match=ion
match=ss
match=session
match=sta
match=ar
match=start
match=ing
match=|7046|SSL session starting|
match=ssl session starting
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|.*DIP:([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:PVS-SSL_Session_Starting srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network

NEXT

id=4890
name=The PVS has observed a local network user read their LinkedIn mail.
match=pvs
match=|6|
match=ed
match=|5958|LinkedIn Message Inbox Access Detection|
match=GET{20}/mbox
match=GET
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-LinkedIn_Read_Email type:social-networks srcip:$3 srcport:$4 dstip:$1 dstport:$2 proto:6

NEXT

id=4891
name=The PVS has observed a local network user create a LinkedIn message.
match=pvs
match=|6|
match=Link
match=ate
match=ed
match=ss
match=|5959|LinkedIn Message Creation Detection|
match=age
match=io
match=In
match=at
match=Detection
match=ag
match=es
match=etection
match=ed
match=ess
match=re
match=Mess
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-LinkedIn_Create_Message type:social-networks srcip:$3 srcport:$4 dstip:$1 dstport:$2 proto:6

NEXT

id=4892
name=The PVS has observed a local network user access the LinkedIn service. 
match=pvs
match=|6|
match=Link
match=ser
match=ed
match=|5960|LinkedIn User Name Detection|
match=rom
match=&fromName
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-LinkedIn_User_Name type:social-networks srcip:$3 srcport:$4 dstip:$1 dstport:$2 proto:6

NEXT

id=4893
name=The PVS has observed a local network user update their LinkedIn status.
match=pvs
match=|6|
match=Link
match=sta
match=ate
match=ed
match=|5955|LinkedIn Status Update Detection|
match=date
match=ent
match=The remote client updated their LinkedIn status with:
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-LinkedIn_Status_Update type:social-networks srcip:$3 srcport:$4 dstip:$1 dstport:$2 proto:6

NEXT

id=4894
name=The PVS has observed a local network user update their LinkedIn profile.
match=pvs
match=|6|
match=Link
match=ate
match=le
match=ed
match=|5957|LinkedIn Profile Update Detection
match=date
match=ent
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-LinkedIn_Profile_Update type:social-networks srcip:$3 srcport:$4 dstip:$1 dstport:$2 proto:6

NEXT

id=4895
name=The PVS has observed a local Xbox log into the Microsoft Xbox Live network, most likely to play online games. 
match=pvs
match=|17|
match=Lo
match=|5961|Xbox Live Login Detection
match=Login
match=ive
match=io
match=Detection
match=on
match=tion
match=te
match=etection
match=cti
match=in
match=De
match=ct
match=og
match=gi
match=ect
match=Detect
match=ogin
match=in 
match=ion
match=Log
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-Xbox_Live_Login type:web-access srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:17

NEXT

id=4896
name=The PVS has detected non HTTP traffic over port 80. Many potentially legitimate services, such as some forms of video streaming and desktop sharing, communicate over port 80 but do not use the HTTP protocol. Many forms of back doors and botnet command and control systems also run non-HTTP services over port 80. Any alerts from this rule should be treated with caution and suspicion until the connection can be properly identified. 
match=pvs
match=|70
match=TP
match=|7048|Non-HTTP traffic over port 80|
match=rom
match=ss
match=ass
match=ed
match=Non-HTTP traffic passed over port 80
match=rr
match=has occurred
regex=from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) to ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:PVS-Non_HTTP_Traffic_Over_Port_80 type:network srcip:$1 dstip:$2 dstport:80 proto:6

NEXT

id=4897
name=One of your local systems has been compromised through a MetaSploit payload and has downloaded a staging executable from the MetaSploit server. 
match=pvs
match=|6|
match=ion
match=Detection
match=ect
match=lo
match=ed
match=|5974|MetaSploit Exploited Machine Detection|
match=ser
match=rom
match=The remote host has been compromised by a MetaSploit server
match=sta
match=ecu
match=ing
match=le
match=staging executable from the server at
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-MetaSploit_Exploited_Machine_Detection type:intrusion srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6

NEXT

id=4898
name=One of your local systems has been compromised through a MetaSploit payload and is communicating back to the MetaSploit server. 
match=pvs
match=|6|
match=ion
match=Detection
match=ect
match=lo
match=ed
match=|5975|MetaSploit Exploited Machine Detection|
match=ser
match=rom
match=ing
match=The machine was just observed connecting to the server to register itself as a connection
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-MetaSploit_Exploited_Machine_Detection type:intrusion srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6

NEXT

id=4899
name=One of your local systems has been compromised through a MetaSploit payload and is communicating via HTTP back to the MetaSploit server. 
match=pvs
match=|6|
match=ect
match=ion
match=Detection
match=ser
match=lo
match=|5976|MetaSploit Server Detection|
match=ed
match=an
match=tp
match=reverse http meterpreter
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-MetaSploit_Server_Detection type:intrusion srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6

NEXT

# Skipping IDs 4900-4920 due to use elsewhere

id=4921
name=The PVS has observed a local host stream video from the Hulu online video service.
match=pvs
match=|6|
match=ion
match=detection
match=ect
match=ss
match=session
match=sta
match=ar
match=|5953|Hulu start video session detection|
match=ent
match=ing
match=ed
match=The remote hulu client just started watching
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-Hulu_Start_Video_Session_Detected type:web-access srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6

NEXT

id=4922
name=XM Radio usage detection. A local host was identified by the PVS streaming music from XM Radio. 
match=pvs
match=|6|
match=ion
match=Detection
match=ect
match=|5962|XM Radio Usage Detection|
match=ent
match=lo
match=log
match=ser
match=ing
match=ed
match=The remote client was observed logging into their XM radio account
match=The user account was logged as
match=acc
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-XM_Radio_Usage_Detected type:web-access srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6

NEXT

id=4923
name=Box.com file share detection. This event indicates that the PVS has observed a computer upload a file to the box.net online service.
# NOTE(review): the final match line ("The following email recipients were sent a")
# suggests this rule fires when a Box file is shared with email recipients rather
# than on the upload itself (the upload text is what id=4924 keys on).  Both rules
# currently emit the same event name, so the two cases cannot be told apart
# downstream — consider a distinct event or name here; confirm against a live
# 5949 message.
match=pvs
match=|6|
match=ion
match=Detection
match=ect
match=ar
match=le
match=|5949|Box
match=File Share Detection|
match=ent
match=The remote host is a Box
match=ail
match=ol
match=lo
match=ing
match=The following email recipients were sent a
# Groups: 1 source ip, 2 source port, 3 destination ip, 4 destination port.
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-Box_File_Share_Detection type:web-access srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6

NEXT

id=4924
name=Box.com file share detection. This event indicates that the PVS has observed a computer upload a file to the box.net online service.
match=pvs
match=ion
match=Detection
match=ect
match=ar
match=le
match=|5950|Box
match=File Share Detection|
match=ent
match=The remote host is a Box
match=ol
match=lo
match=ing
match=ed
match=The following file was just uploaded to
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-Box_File_Share_Detection type:web-access srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6

NEXT

id=4925
name=Hotmail User ID detection.  This event indicates that the PVS has detected a Hotmail User ID being transmitted.
match=pvs
match=|5963|Hotmail UserID Detection|
match=io
match=Use
match=se
match=ser
match=Detection
match=ail
match=Ho
match=on
match=tion
match=te
match=etection
match=User
match=ai
match=il
match=ti
match=ma
match=er
match=6
match=ect
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-Hotmail_User_ID_Detection type:web-access srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6

NEXT

id=4926
name=BitTorrent Protocol Detection.  This event indicates that the PVS has detected a host participating in BitTorrent activity.
match=pvs
match=ent
match=rr
match=ol
match=ion
match=|5947|BitTorrent Protocol Traffic Detection|
match=ect
match=etection
match=To
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]{1,3})\|
log=event:PVS-BitTorrent_Protocol_Detection type:network srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:17

NEXT

id=4927
name=The Passive Vulnerability Scanner has detected a DNS query from a remote client.
match=pvs
match=|70
match=DNS
match=ent
match=|7024|DNS Client Queries|
match=ser
match=ed
match=PVS has observed
match=est
match=ol
match=lo
match=ing
match=This client has requested name resolution for the following
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*server at ([0-9]+(\.[0-9]+){3})
log=event:PVS-DNS_Top_Level_Domain_Queries srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:17 type:dns

NEXT

id=4928
name=The Passive Vulnerability Scanner has detected an FTP session start.
match=|5973|FTP Client Session
match=In
match=TP
match=Client
match=FTP
match=pvs
match=ent
match=Session
match=|6|
match=ed
match=ion
match=ss
match=ate
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-FTP_Client_Session_Started srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network

NEXT

id=4929
name=The Passive Vulnerability Scanner has found a new User-Agent string in the web browser list of a monitored node. 
match=|70
match=|7023
match=Web Agent Enumeration
match= client
match=in
match=lo
match=ser
match=ol
match=pvs
match=ent
match=|6|
match=put
match=ing
match=ion
match=client
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-New_Web_Agent srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:detected-change

NEXT

id=4930
name=The Passive Vulnerability Scanner has found a .dll file being downloaded from a remote website.
match=|6
match=|60
match=|6033
match=dll
match=File Download Detection
match=io
match=Detection
match=Fi
match=le
match=on
match=own
match=tion
match=te
match=etection
match=.dll
match=ll
match=Do
match=wn
match=il
match=ti
match=dl
match=Download
match=ile
match=oad
match=File
match=ect
match=ion
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-DLL_File_Downloaded srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access
 
NEXT

id=4931
name=The Passive Vulnerability Scanner has found a .dll file being downloaded from a remote website.
match=|60
match=|6034
match=dll
match=File Download Detection
match=ect
match= web
match= client
match=lo
match=al
match=ded
match=pvs
match=|6|
match=file
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-DLL_File_Downloaded srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access

NEXT

id=4932
name=The Passive Vulnerability Scanner has found a .dll file being downloaded from a remote website.
match=|60
match=|6035
match=dll
match=File Download Detection
match=ect
match= web
match= client
match=lo
match=al
match=ded
match=pvs
match=|6|
match=file
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-DLL_File_Downloaded srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access

NEXT

id=4933
name=The Passive Vulnerability Scanner has found a .dll file being downloaded from a remote website.
match=|60
match=dll
match=File Download Detection
match=ect
match= web
match= client
match=al
match=lo
match=ded
match=pvs
match=|6|
match=file
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-DLL_File_Downloaded srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access

NEXT

id=4934
name=The Passive Vulnerability Scanner has detected a Facebook profile edit.
match=|5887|Facebook Profile Edit Detection
match=file
match=:
match=ce
match=ace
match=le
match=pvs
match=:80
match=|6|
match=ac
match=ed
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-Facebook_Profile_Edit srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:social-networks

NEXT

id=4935
name=The Passive Vulnerability Scanner has detected a host running a Tumblr client uploading a photo.
match=ho
match=lo
match=io
match=6048|Tumblr Photo Upload Detection
match=Detection
match=on
match=tion
match=te
match=etection
match=ti
match=P
match=pvs
match=oad
match=to
match=6
match=ect
match=ion
match=bl
match=Ph
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-Tumblr_Photo_Uploaded srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access

NEXT

id=4936
name=The Passive Vulnerability Scanner has detected a host running a Tumblr client updating a blog.
match=lo
match=io
match=6047|Tumblr Blog Edit Detection
match=Detection
match=on
match=log
match=tion
match=te
match=etection
match=ti
match=og
match=pvs
match=6
match=it
match=ect
match=ion
match=bl
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-Tumblr_Blog_Uploaded srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access

NEXT

id=4937
name=The Passive Vulnerability Scanner has detected a host accessing an iheartradio stream
match=|60
match=|6049
match=iheartradio stream detection
match=etection
match= user
match= name
match=sso
match=ss
match=cia
match=pvs
match=ect
match=ho
match=|6|
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*stream is: ([^ ]{1,30})
log=event:PVS-Iheartradio_Stream_Accessed srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access user:$8

NEXT

id=4938
name=The Passive Vulnerability Scanner has detected a host running a Netflix client
match=NetFlix
match=io
match=6040
match=pvs
match=se
match=ser
match=Detection
match=User 
match=NetFlix User Detection
match=on
match=tion
match=te
match=etection
match= User 
match=cti
match=User
match=De
match=ct
match=li
match=Net
match=ect
match=Detect
match=ion
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-NetFlix_Client_Detected srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access

NEXT

id=4939
name=The Passive Vulnerability Scanner has detected a host running a Netflix client
match=|60
match=|6042
match=NetFlix
match=io
match=Use
match=se
match=ser
match=Detection
match=User 
match=NetFlix User Detection
match=on
match=tion
match=te
match=etection
match= User 
match=User
match=ti
match=li
match=Net
match=er
match=6
match=ect
match=ion
match=pvs
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-NetFlix_User_Detected srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access

NEXT

id=4940
name=The PVS has detected a user login to the AOL chat service. 
match=User
match=|70
match=|7017|AIM
match= client
match=associated
match=ser
match=pvs
match=cia
match=ent
match=|6|
match=client
match=ass
match=ed
match=ion
match=sso
match=ss
match=ate
regex=pvs: ([0-9]+(\.[0-9]+){3}):.*client is: ([^ ]{1,30})
log=event:PVS-AIM_User_Detected srcip:$1 dstip:$1 proto:6 type:login user:$3

NEXT

id=4941
name=The PVS has detected the presence of a vulnerable ActiveX widget on one of your web servers. 
match= web
match=|70
match=|7020|
match=ar
match=ded
match=in
match=lo
match=an
match=IN
match=PVS has observed
match=associated
match=ce
match=ol
match=CL
match= on
match=ecu
match=PVS
match=FO
match=cia
match=ty
match=|6|
match=INFO
match=ass
match=put
match=ing
match=ed
match=st
match=sso
match=ss
match=ate
match=al
match=erv
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-Vulnerable_ActiveX_Component_Detected srcip:$1 dstip:$4 proto:6 type:vulnerability 

NEXT

id=4942
name=The PVS has detected a web session which leveraged unencrypted HTTP authentication.
match=in
match=TP
match=nti
match=pvs
match=ent
match=HTTP
match=|6|
match=ass
match=uthentication
match=ion
match=ss
match=|3018|HTTP Plaintext
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-HTTP_Plaintext_Authentication srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access

NEXT

id=4943
name=The Passive Vulnerability Scanner has detected a host running a GoToMyPC client
match=|60
match=|6055
match=GoToMyPC
match=etected
match= remote
match= administration
match=pvs
match=|6|
match=ho
match=ote
match=rem
match=To
match=ect
match=ed
match=st
match=host
match=ion
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-GoToMyPC_Detected srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access

NEXT

id=4944
name=The Passive Vulnerability Scanner has detected a host running a World of Warcraft/Battle.net client
match=|60
match=|6061
match=World of Warcraft
match=World of Warcraft/Battle.net Detected
match=etected
match= online
match= games
match=pvs
match=|6|
match=nti
match=ote
match=ce
match=le
match= on
match=rem
match= remote
match=for
match=run
match=ire
match=ent
match=ect
match=uthentication
match=ac
match=ed
match=st
match=acc
match=ess
match=host
match=ion
match=client
match=ss
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-World_of_Warcraft_Battle.net_Detected srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access

NEXT 

id=4945
name=The Passive Vulnerability Scanner has detected a host logging into the PS3 Network
match=|60
match=|6063
match=PS3 Login
match=PS3 Login detection
match=etection
match=pvs
match=|6|
match=ote
match=ect
match=etw
match=ork
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-PS3_Network_Login_Detected srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access

NEXT

id=4946
name=The Passive Vulnerability Scanner has detected a remote client initiating a VNC connection
match=Se
match=io
match=VNC
match=Cl
match=on
match=art
match=ent
match=te
match=6065|VNC Client Session Started|
match=ien
match=ed
match=ess
match=ss
match=Start
match=nt
match=en
match=rt
match=ar
match=Client
match=Session
match=li
match=pvs
match=6
match=ion
match=VNC Client
match=St
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-VNC_Client_Connection_Started srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network

NEXT

id=4947
name=The Passive Vulnerability Scanner has detected a connection to the Android Marketplace
match=dr
match=Ma
match=io
match=:
match=Detection
match=Android Market
match=on
match=tion
match=te
match=etection
match=ar
match=ti
match=pvs
match=6
match=Android
match=ect
match=Android Market Detection
match=ion
match=oid
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-Android_Market_Connection_Started srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access

NEXT

id=4948
name=The Passive Vulnerability Scanner has detected a host running PCAnywhere
# NOTE(review): match=|17| pins the third pipe-delimited field of the PVS line, which the
# sibling rules that use the same match (ids 4955, 4962, 4993, 4994) log as proto:17;
# this rule logs proto:6 instead. One of the two looks wrong -- confirm against a live
# plugin 6087 message before changing either.
match=|17|
match=an
match=17
match=608
match=Symantec
match=|60
match=pcAnywhere
match=pcAnywhere Detection
match=er
match=etection
match=ect
match=|6087
match=ion
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
# srcip/dstip are taken from the second endpoint ($4/$6) and first endpoint ($1/$3),
# i.e. reversed relative to most rules in this file; presumably deliberate for a
# server-side detection (id 4949 does the same) -- confirm.
log=event:PVS-PCAnywhere_Detected srcip:$4 srcport:$6 dstip:$1 dstport:$3 proto:6 type:network

NEXT

id=4949
name=The Passive Vulnerability Scanner has detected an SSH server session start.
match=SSH
match=608
match=time
match=|60
match=er
match=alt
match=|6088
match=|6|
match=etection
match=ver
match=ect
match=SSH Server
match=ion
match=al
match=erv
match=SSH Server Detection
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-SSH_Server_Detected srcip:$4 srcport:$6 dstip:$1 dstport:$3 proto:6 type:network

NEXT

id=4950
name=The Passive Vulnerability Scanner has detected an SSH client login
match=|60
match=|6089
match=SSH
match=SSH Client
match=SSH Client login detected (realtime)
match=log
match=pvs
match=|6|
match=lo
match=in
match=ogin
match=login
match=Client
match=ent
match=etected
match=detected
match=alt
match=ed
match=al
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-SSH_Client_Login_Detected srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:login

NEXT

id=4951
name=The Passive Vulnerability Scanner has detected a client uploading a file to Google Music
match=|60
match=|6091
match=Google music
match=Google music client upload detection
match=pvs
match=|6|
match=oad
match=mus
match=ic
match=Goo
match=gle
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-Google_Music_Upload_Detected srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access

NEXT

id=4952
name=The Passive Vulnerability Scanner has detected a client starting a Google Music session
match=|60
match=|6092
match=Google music
match=Google music client session initiated
match=pvs
match=|6|
match=str
match=eam
match=mus
match=ic
match=Goo
match=gle
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
# NOTE(review): this rule is keyed to plugin 6092 ("session initiated") but emits the same
# event name as id 4951 (plugin 6091, upload), so session starts and uploads cannot be
# told apart downstream. Looks like a copy/paste carry-over; a distinct session-start
# event name would separate them -- confirm against the event-name registry before renaming.
log=event:PVS-Google_Music_Upload_Detected srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access

NEXT

id=4953
name=The Passive Vulnerability Scanner has detected an FTP session where a file was uploaded
match=|61
match=|6103
match=FTP File
match=FTP File Upload Detection
match=ect
match=FTP
match=ST
match=etection
match=|6|
match=pvs
match=STOR
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-FTP_File_Upload_Detected srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:file-access

NEXT

id=4954
name=The LCE has summarized detected SSL Certificate organization names from observed SSL sessions by the Passive Vulnerability Scanner. 
match=ar
match=ho
match=in
match=ser
match=ce
match=ol
match=session
match=SSL
match=ver
match=ing
match=st
match=ess
match=host
match=ion
match=ss
match=erv
match=SSL_Cert_Summary
regex=host ([0-9]+(\.[0-9]+){3})
log=event:SSL_Cert_Summary srcip:$1 proto:6 type:network

NEXT

id=4955
name=The PVS has observed a host performing DNS lookups against a new DNS server. Active DNS servers in use should be audited to ensure that internal systems are configured correctly.
match=|70
match=ho
match=|17|
match=in
match=lo
match=Client
match=17
match=DNS
match=ser
match=ol
match=to the following
match=for
match=to
match=er
match=ent
match=ing
match=ed
match=st
match=host
match=erv
match=|7053|
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-New_DNS_Server_In_Use srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:17 type:detected-change

NEXT

id=4956
name=The PVS has detected a telnet account. 
match=|62
match=|6|
match=elnet
match=ccount
match=6
match=cou
match=ect
match=etection
match=|6265|
match=SEL
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-Telnet_Account_Detected srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network

NEXT

id=4957
name=The PVS has observed a user using Hulu.
match=pvs
match=|6|
match=Detection
match=ect
match=User
match=name
match=Username
match=|5944|Hulu Username Detection|
match=ion
match=hulu_uname
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}).*hulu\_uname\=([A-Za-z0-9\$\-\.\_\#\_]{1,25})
log=event:PVS-Hulu_Username_Detected type:web-access srcip:$1 srcport:$2 dstip:$3 dstport:$4 user:$5 proto:6

NEXT

id=4958
name=The PVS has observed Apple iTunes being used.
match=pvs
match=|6|
match=etection
match=ect
match=App
match=Apple
match=une
match=iTunes
match=en
match=|6051|Apple iTunes Client Detection|
match=ion
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-Apple_iTunes_Detected type:web-access srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6

NEXT

id=4959
name=The PVS has observed a LinkedIn user name.
match=pvs
match=|6|
match=ame
match=Name
match=Use
match=User
match=|5960|LinkedIn User Name|
match=Link
match=ked
match=In
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-LinkedIn_User_Name type:social-networks srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6

NEXT

id=4960
name=The PVS has observed LinkedIn message creation.
match=pvs
match=|6|
match=ss
match=mess
match=age
match=message
match=at
match=create
match=|5959|LinkedIn create message|
match=Link
match=ked
match=In
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-LinkedIn_Message_Created type:social-networks srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6

NEXT

id=4961
name=The PVS has observed a Facebook link.
match=pvs
match=|6|
match=in
match=Link
match=|6396|Facebook Link Detection|
match=ect
match=ion
match=Detection
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-Facebook_Link_Detected type:social-networks srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6

NEXT

id=4962
name=The PVS has detected a NetBios domain.
match=pvs
match=|17|
match=Net
match=Bios
match=NetBios
match=|7030|NetBios domain detection|
match=domain
match=ect
match=ion
match=detection
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-NetBios_Domain_Detected type:network srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:17

NEXT

id=4963
name=The PVS has detected a dangerous CLSID embedded within the webserver. This CLSID has been flagged, in the past, as one which may introduce security risk.
match=pvs
match=|6|
match=ger
match=dangerous
match=|7020|ActiveX dangerous CLSIDs|
match=Act
match=ive
match=ActiveX
match=CLSIDs
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-ActiveX_Dangerous_CLSIDs type:intrusion srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6

NEXT

id=4964
name=The PVS has detected an outbound Microsoft WinErr message.
match=pvs
match=|6|
match=Out
match=bound
match=Outbound
match=|2284|Outbound Microsoft WinErr Message|
match=Micro
match=WinErr
match=Mess
match=age
match=Message
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-WinErr_Outbound_Message type:error srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6

NEXT

id=4965
name=The PVS has detected an OS.
match=pvs
match=|6|
match=|4345|WinErr Messages OS Detection|
match=OS
match=ect
match=ion
match=Detection
match=WinErr
match=Mess
match=age
match=Messages
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-WinErr_Messages_OS_Detected type:error srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6

NEXT

id=4966
name=The PVS has detected a SMTP client return email address.
match=pvs
match=|6|
match=|1329|SMTP Client Return Email Address Detection|
match=SMTP
match=ien
match=Client
match=Return
match=ect
match=Detection
match=Email
match=ss
match=Address
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-Email_Address_Detected type:network srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6

NEXT

id=4967
name=The Passive Vulnerability Scanner has detected a host accessing an iheartradio stream
match=io
match=6342|iHeartRadio Stream Detection
match=Detection
match=ea
match=on
match=art
match=tion
match=te
match=etection
match=re
match=rt
match=ar
match=ti
match=pvs
match=ect
match=ion
match=eam
match=St
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-Iheartradio_Stream_Accessed srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access 

NEXT

id=4968
name=The Passive Vulnerability Scanner has detected a successful finger attack.
match=Fi
match=ng
match=tt
match=ack
match=cc
match=ss
match=er
match=pvs
match=Finger Attack -
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-Successful_Finger_Attack  srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:intrusion

NEXT

id=4969
name=The Passive Vulnerability Scanner has detected a Windows command shell running as a service.
match=Wi
match=mm
match=Co
match=ll
match=as
match=er
match=vi
match=pvs
match=Windows Command Shell as Service
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-Windows_Command_Shell_As_Service srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:intrusion

NEXT

id=4970
name=The Passive Vulnerability Scanner has observed a login to eBay.
match=pvs
match=eBay Auction Detected
match=etected
match=ti
match=on
match=tion
match=te
match=ect
match=ed
match=ion
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-eBay_Auction srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access

NEXT

id=4971
name=The Passive Vulnerability Scanner has observed a login to the Orkut social network. 
match=pvs
match=|Orkut Social Application
match=pp
match=etected
match=ic
match=cat
match=at
match=ti
match=li
match=on
match=cia
match=tion
match=te
match=ut
match=ect
match=App
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-Orkut_Activity srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:social-networks

NEXT

id=4972
name=The Passive Vulnerability Scanner has observed a DNS Client Flame Infection.
match=pvs
match=|DNS Client Flame Infection
match=In
match=me
match=Client
match=DNS
match=ti
match=li
match=tion
match=ect
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-DNS_Client_Flame_Infection srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:17 type:intrusion

NEXT

id=4973
name=The PVS has detected a web session which leveraged unencrypted HTTP authentication.
match=pvs
match=Se
match=ho
match=as
match=io
match=Server
match=at
match=Detection
match=uth
match=on
match=tion
match=te
match=etection
match=ver
match=erv
match=or
match=TP
match=iz
match=ic
match=ti
match=uthorization
match=er
match=HTTP
match=|5252|HTTP Server Basic Authorization
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-HTTP_Plaintext_Authentication srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access

NEXT

id=4974
name=The PVS has detected a Facebook user watching a Viddy video. The video name is logged in the Referer field. 
match=pvs
match=|6504|Facebook Viddy Application Detection
match=io
match=oo
match=at
match=ace
match=Detection
match=|6
match=on
match=tion
match=Vi
match=etection
match=App
match=Fa
match=pp
match=ic
match=cat
match=ti
match=li
match=6
match=ok
match=ect
match=ion
match=Application
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-Facebook_Viddy_Usage srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:social-networks

NEXT

id=4975
name=The Passive Vulnerability Scanner has detected a download of an Android application from the Android market.
match=Android Mobile Device App Download Detection
match=Device
match=Detection
match=le
match=ice
match=|6
match=on
match=tion
match=|6|
match=te
match=etection
match=App
match=pp
match=Do
match=vi
match=ce
match=ti
match=Download
match=pvs
match=ile
match=oad
match=6
match=Android
match=ect
match=ion
match=oid
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-Android_App_Download srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access

NEXT

id=4976
name=The Passive Vulnerability Scanner detected a new host.
match=pvs
match=host
match=le
match=|13|new-host-alert|
regex=pvs: \[\:\:\].*\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|
log=event:PVS-New_Host_Alert dstip:$1 dstport:0 proto:17 type:detected-change

NEXT

id=4977
name=The Passive Vulnerability Scanner has detected a DNS query from a remote client.
match=pvs
match=|70
match=DNS
match=ent
match=|7051|DNS Client Queries|
match=ser
match=ed
match=PVS has observed
match=!This client has requested name resolution for the following
# NOTE(review): the regex only anchors on two "[fe80:" link-local IPv6 endpoints and has
# no capture groups, so the event below carries no srcip/dstip/ports; presumably
# deliberate because the IPv6 endpoints cannot be placed in the dotted-quad srcip/dstip
# fields every other rule in this file fills -- confirm.
regex=pvs: \[fe80:.*\[fe80:.*server at
log=event:PVS-DNS_Client_Query proto:17 type:dns

NEXT

id=4978
name=The Passive Vulnerability Scanner detected a Credit Card number being leaked. No Luhn validation.
match=!LUHN : TRUE
match=pvs
match=|70
match=|6|
match=ect
match=ion
match=etection
match=Data
match=ent
match=|7064|Client Data Leakage 
match=ar
match=ed
match=pp
match=ss
match=Credit Card Number
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}).* IP :([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:PVS-Credit_Card_Client_Data_Leakage_Detected srcip:$1 srcport:$2 dstip:$3 proto:6 type:data-leak

NEXT

id=4979
name=The Passive Vulnerability Scanner detected a Social Security number being leaked.
match=pvs
match=|70
match=|6|
match=|7061
match=oci
match=ecu
match=detection
match=Data
match=ent
match=|7061|Client Data Leakage detection|
match=ar
match=ed
match=pp
match=ss
match=Social Security Number
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}).* IP :([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:PVS-Social_Security_Number_Client_Data_Leakage_Detected srcip:$1 srcport:$2 dstip:$3 proto:6 type:data-leak

NEXT


id=4980
name=The Passive Vulnerability Scanner detected a Credit Card number being leaked.
match=pvs
match=|6|
match=|70
match=Data
match=ect
match=ion
match=|7064|Server Data Leakage Detection|
match=ar
match=ed
match=pp
match=ss
match=Credit Card Number
#regex=Session data\: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}) to ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-Credit_Card_Server_Data_Leakage_Detected srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:data-leak

NEXT

id=4981
name=The Passive Vulnerability Scanner detected an exe download.
match=pvs
match=ent
match=lo
match=|5254|Client
match=.exe Download Detection|
match=Do
match=tion
match=Download
match=Client
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-Client_Exe_Download_Detection srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:file-access

NEXT

id=4982
name=The Passive Vulnerability Scanner detected a Web Server.
match=pvs
match=1442|Web 
match=Web
match=Server
match=Detection
match=Se
match=tion
match=te
match=ver
match=erv
match=ti
match=er
match=rv
match=ect
match=ion
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-Web_Server_Detection srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network

NEXT

id=4983
name=The Passive Vulnerability Scanner detected an SSL Server Certificate Exchange.
match=pvs
match=5620|SSL
match=SSL
match=Server
match=Certificate
match=Exchange
match=Se
match=cate
match=te
match=ver
match=erv
match=ti
match=er
match=rv
match=ate
match=change
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-SSL_Server_Certificate_Exchange srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network

NEXT

id=4984
name=The Passive Vulnerability Scanner detected a Red Hat client / server event enumeration. The client has subscribed to the Red Hat Satellite server.
match=pvs
match=7072|Red
match=Red Hat client
match=server
match=event
match=ent
match=se
match=te
match=erv
match=ti
match=er
match=rv
match=ate
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-Red_Hat_Server_Subscription srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network

NEXT

id=4985
name=The Passive Vulnerability Scanner detected a Red Hat client / server event enumeration. The client has downloaded a package from the Red Hat Satellite server.
match=pvs
match=7073|Red
match=Red Hat client
match=server
match=event
match=ent
match=se
match=te
match=erv
match=ti
match=er
match=rv
match=ate
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-Red_Hat_Server_Download srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network

NEXT

id=4986
name=The Passive Vulnerability Scanner detected a Red Hat client / server event enumeration. Package(s) were marked for removal. 
match=pvs
match=7070|Red
match=Red Hat client
match=server
match=event
match=ent
match=se
match=te
match=erv
match=ti
match=er
match=rv
match=ate
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-Red_Hat_Packages_Marked_For_Removal srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:detected-change

NEXT

id=4987
name=The Passive Vulnerability Scanner detected a Red Hat client / server event enumeration. Package(s) were marked for installation.
match=pvs
match=7071|Red
match=Red Hat client
match=server
match=event
match=ent
match=se
match=te
match=erv
match=ti
match=er
match=rv
match=ate
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-Red_Hat_Packages_Marked_For_Installation srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:detected-change

NEXT

id=4988
name=The Passive Vulnerability Scanner detected a Red Hat Satellite Client Communication.
match=pvs
match=6660|Red
match=Red Hat Satellite Client
match=Sat
match=lite
match=Client
match=ent
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-Red_Hat_Satellite_Client_Communication srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network

NEXT

id=4989
name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a Microsoft Windows Excel .xls spreadsheet file.
match=pvs
match=|70
match=TP
match=HTTP
match=ect
match=ion
match=detection
match=est
match=|7041|HTTP request detection|The
match=GET
match=.xls;Referer:
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5});
log=event:PVS-Web_Office_XLS_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access

NEXT

id=4990
name=The PVS has detected a command issued from a database client to the database server.
match=!login
match=|7019|
match=as
match=PVS has observed
match=da
match=Database command logging
match=se
match=ser
match=has
match=he
match=mm
match=PVS
match=|6
match=log
match=fo
match=pvs
match=ma
match=command
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*database server \((?:\|)?([0-9]+(\.[0-9]+){3})\).*\:
log=event:PVS-Database_Command_Issued srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:6 type:database

NEXT

id=4991
name=The PVS has detected a command issued from a database client to the database server.
match=!login
match=|7019|
match=as
match=PVS has observed
match=da
match=Database command logging
match=se
match=ser
match=has
match=he
match=mm
match=PVS
match=|6
match=log
match=fo
match=pvs
match=ma
match=to
match=command
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*database server \((?:\|)?\):
log=event:PVS-Database_Command_Issued srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:database

NEXT 

id=4992
name=The PVS has detected an SSL session to a service that is commonly used to maintain sensitive organizational data (e.g., payroll, PII).
match=This connection should
match=ser
match=ed
match=erv
match=al
match=er
match=rv
match=ve
match=7062|SSL client session starting
match=sess
match=|70
match=io
match=se
match=|6
match=cli
match=art
match=ent
match=|6|
match=sta
match=ien
match=ing
match=ess
match=ar
match= client
match=in
match=ng
match=start
match=ses
match=pvs
match=session
match=SSL
match=ion
match=client
match=starting
match=maintain sensitive organizational data
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.* at destination\: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\.
log=event:PVS-SSL_Session_Sensitive_Data srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network

NEXT

id=4993
name=The PVS has detected a RADIUS server failed login.
match=Ser
match=ver
match=ed
match=erv
match=er
match=rv
match=ve
match=1145|RADIUS Server Failed Login Detection|
match=|11
match=|17|
match=io
match=pvs
match=RADIUS
match=Fail
match=ai
match=Login
match=Log
match=in
match=Detect
match=ion
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*RADIUS Server Failed Login Detection
log=event:PVS-Radius_Server_Failed_Login_Detection srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:17 type:login-failure

NEXT

id=4994
name=The PVS has detected an mDNS client response.
match=ed
match=erv
match=er
match=rv
match=ve
match=7074|mDNS Client Response Detection
match=|70
match=|17|
match=io
match=pvs
match=Client
match=Response
match=Detection
match=mDNS
match=ent
match=se
match=Detect
match=ion
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*mDNS Client Response Detection
log=event:PVS-mDNS_Client_Response_Detection srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:17 type:dns


NEXT



id=4995
name=The PVS has detected a Windows update.
match=msd
match=er
match=ve
match=6702|Windows Update Detection
match=|67
match=|6|
match=pvs
match=Windows
match=Update
match=Detection
match=dow
match=nlo
match=pda
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*Windows Update
log=event:PVS-Windows_Client_Software_Download srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:file-access


NEXT

id=4996
name=The PVS has detected a network session which leverages clear text user and password transmission, such as FTP, POP or IMAP. If this event occurs on non-standard ports, it should be investigated. 
match=cti
match=ser
match=er
match=gi
match=6704|Detection of User Login
match=|67
match=|6|
match=pvs
match=Detection
match=User
match=Login
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*Detection of User Login
log=event:PVS-User_Authentication_Detected srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network

NEXT

id=4997
name=The PVS has detected an internal client trust connection. 
match=al
match=in
match=trust
match=tion
match=3|internal-client-trust-connection
match=pvs
match=client
match=nn
match=connection
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*internal-client-trust-connection
log=event:PVS-Internal_Client_Trust_Connection srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:connection

NEXT

id=4998
name=The PVS has detected an internal server trust connection.
match=al
match=in
match=trust
match=tion
match=15|internal-server-trust-connection
match=pvs
match=server
match=nn
match=connection
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*internal-server-trust-connection
log=event:PVS-Internal_Server_Trust_Connection srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:connection

NEXT

id=4999
name=The Passive Vulnerability Scanner detected a Credit Card number being leaked. Passed Luhn validation.
match=TRUE
match=pvs
match=|70
match=|6|
match=ect
match=ion
match=etection
match=Data
match=ent
match=|7064|Client Data Leakage 
match=ar
match=ed
match=pp
match=ss
match=Credit Card Number
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}).* IP :([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:PVS-Credit_Card_Client_Data_Leakage_Detected_Luhn srcip:$1 srcport:$2 dstip:$3 proto:6 type:data-leak

NEXT

id=15000
name=The PVS has detected a Microsoft Executable being served. Possibly the remote server is a file server. The remote server appears to offer Microsoft Windows executables for download.
match=Microsoft
match=Micro
match=able
match=ing
match=|4670|
match=pvs
match=Ser
match=ed
match=erv
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*Microsoft Executable Being Served
log=event:PVS-Microsoft_Executable_Being_Served srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network

NEXT

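id=15001
name=The Passive Vulnerability Scanner has found a system with an outbound external connection.
# The regex captures src ip:port as $1/$2 and dst ip:port as $3/$4. The log
# line must use $3/$4 for the destination; reusing $1/$2 made srcip/dstip and
# srcport/dstport identical in every event and broke correlation on this rule.
match=pvs
match=|6|
match=ion
match=onnection
match=onnect
match=out
match=outbound
match=tion
match=|6|16|outbound-external-connection|
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|6\|16\|
log=event:PVS-Outbound_External_Connections srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:detected-change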

NEXT

id=15002
name=The PVS has observed a user using Hulu.
# note - this is the same as #4957 but the "hulu_uname=" string is not in the post and the user name is not attempted to be extracted
match=pvs
match=|6|
match=Detection
match=ect
match=User
match=name
match=Username
match=|5944|Hulu Username Detection|
match=ion
match=!hulu_uname
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-Hulu_Username_Detected type:web-access srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6

NEXT

id=15003
name=The PVS has observed a user posting an image to Instagram. 
match=pvs
match=|6|
match=Instagram Upload Activity Detected
match=Upload
match=A
match=lo
match=In
match=ag
match=Inst
match=Up
match=|6
match=ty
match=te
match=sta
match=Act
match=ed
match=etected
match=ti
match=oad
match=6
match=it
match=ect
match=ad
match=Detect
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-Instagram_Upload_Detected type:web-access srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6

NEXT

id=15004
name=The Passive Vulnerability Scanner detected a new IPv6 address.
match=pvs
match=host
match=le
match=::
match=|13|new-host-alert|
log=event:PVS-New_IPv6_Host_Alert type:detected-change

NEXT

id=15005
name=The Passive Vulnerability Scanner detected an SSL session which was indicative of a jailbroken iPhone, iPad or iPod.
match=Apple Jailbroken Device Detection via HTTPS
match=conn
match=rem
match=o
match=HT
match=70
match=PS
match=pvs
match=mo
match=ll 
match= destination
match=at
match=6
match=dev
match=7063
match=ja
match=ok
match=ect
match=pp
match=st
match=remote
match=ion
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-Apple_Jailbroken_Device_Detection_via_HTTPS srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network

NEXT

id=15006
name=The Passive Vulnerability Scanner detected a Yahoo search.
match=Yahoo search string
match=pvs
match=|6771|
match=sea
match=rch
match=search
match=ing
match=str
match=string
match=oo
match=hoo
match=Yahoo
match=71|
regex=([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-Yahoo_Search srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access

NEXT

id=15007
name=The Passive Vulnerability Scanner detected a Google search.
match=Google search string
match=pvs
match=|6772|
match=sea
match=rch
match=search
match=ing
match=str
match=string
match=oo
match=Goo
match=Google
match=72|
regex=([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-Google_Search srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access

NEXT

id=15008
name=The Passive Vulnerability Scanner detected a Bing search.
match=Bing search string
match=pvs
match=|6770|
match=sea
match=rch
match=search
match=ing
match=str
match=string
match=Bi
match=Bing
match=70|
regex=([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-Bing_Search srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access

NEXT

id=15009
name=The Passive Vulnerability Scanner detected the Microsoft metadata service. A remote host has requested new metadata.
match=Microsoft metadata service
match=pvs
match=|7080|
match=ice
match=ser
match=service
match=meta
match=data
match=Micro
match=soft
match=80|
regex=([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-Microsoft_Metadata_Service srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access

NEXT

id=15010
name=The Passive Vulnerability Scanner detected an SNMP query list of running processes.
match=pvs
match=|7081|
match=running
match=lo
match=SNMP
match=un
match=cli
match=ent
match=tion
match=te
match=client 
match=re
match=ng
match=ch
match=ine
match=Detection of running processes
regex=([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-SNMP_Client_Processes srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:process

NEXT

id=15011
name=The PVS has logged an SSL session initiated from a client to a service used for processing credit card transactions.
match=sess
match=id
match=|70
match=Se
match=nformation
match=associated
match=comp
match=with
match=form
match=eas
match=ea
match=up
match=le
match=es
match=he
match=for 
match=certificate
match=connection
match=cli
match=ent
match=|6|
match=7062|SSL client session starting
match=is 
match=identified as
match=onnection
match=ng
match=following
match=nn
match=pvs
match= remote
match= destination
match=ssl
match=SSL
match=This connection should
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.* at destination\: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\.
log=event:PVS-SSL_ECom_Session srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network

NEXT

id=15012
name=The PVS has logged a Flickr image view.
match=|69
match=pvs
match=|6971|Flickr Image View Detection
match=ion
match=age
match=ect
match=ew
match=Flickr
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:PVS-Flickr_Image_View_Detection srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:social-networks

NEXT

id=15013
name=The PVS has logged a Flickr search.
match=pvs
match=|69
match=6968|Flickr Search Detection
match=ion
match=rch
match=Search
match=Detect
match=Flickr
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:PVS-Flickr_Search_Detection srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:social-networks

NEXT

id=15014
name=The PVS has logged that Schneider Electric Accutech Manager RF Failed Authentication.
match=pvs
match=|8038
match=Schneider Electric Accutech Manager RF Failed Authentication
match=ion
match=RF
match=age
match=Man
match=ech
match=Fail
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:PVS-Schneider_Electric_Accutech_Failed_Authentication srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:access-denied

NEXT

id=15015
name=The PVS has logged a Schneider Electric Accutech Manager RF successful authentication.
match=pvs
match=|8037
match=Schneider Electric Accutech Manager RF Successful Authentication
match=ion
match=RF
match=age
match=Man
match=ech
match=ss
match=cc
match=ful
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:PVS-Schneider_Electric_Accutech_Successful_Authentication srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:login

NEXT

id=15016
name=The PVS has detected an ISAKMP client.
match=pvs
match=|8042
match=17
match=ISAKMP Client Detection
match=ion
match=Det
match=ct
match=ISAKMP
match=MP
match=ent
match=Cl
match=Client
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:PVS-ISAKMP_Client_Detection srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:17 type:network

NEXT

id=15017
name=The PVS has detected an ISAKMP server.
match=pvs
match=|8043
match=17
match=ISAKMP Server Detection
match=ion
match=Det
match=ct
match=ISAKMP
match=MP
match=er
match=ver
match=Server
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:PVS-ISAKMP_Server_Detection srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:17 type:network

NEXT

id=15018
name=The PVS has detected an encapsulating security payload (ESP) setup.
match=pvs
match=|8041
match=50
match=|Encapsulating Security Payload (ESP) Session Setup
match=ion
match=ing
match=ity
match=Pay
match=ad
match=ss
match=up
match=Session
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:PVS-Encapsulating_Security_Payload_Setup srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:50 type:network

NEXT

id=15019
name=The PVS has detected a Magnet link.
match=pvs
match=|8069
match=69
match=|Magnet Link Detection
match=ion
match=Mag
match=et
match=net
match=Li
match=nk
match=Det
match=ect
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:PVS-Magnet_Link_Detection srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network

NEXT

id=15020
name=The PVS has detected a non-SSL protocol over port 443
match=|7085
match=pvs
match=SSL
match=wa
match=ai
match=mo
match=pr
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:PVS-Non_SSL_Traffic_Over_Port_443 srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network

NEXT

id=15021
name=The PVS has detected a non-SSH protocol over port 22
match=|7086
match=pvs
match=No
match=-SSH
match=ov
match=er
match=po
match=rt
match=22
match=Non-SSH over port 22
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:PVS-Non_SSH_Over_Port_22 srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network

NEXT

id=15022
name=The PVS has detected a non-FTP protocol over port 21
match=|7087
match=pvs
match=No
match=-FTP
match=ov
match=er
match=po
match=rt
match=21
match=Non-FTP over port 21
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:PVS-Non_FTP_Over_Port_21 srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network

NEXT

id=15023
name=The PVS has detected a MSN UserID Enumeration.
match=|7011
match=pvs
match=MSN
match=Us
match=er
match=ID
match=En
match=um
match=|6|
match=ion
match=MSN UserID Enumeration
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:PVS-MSN_UserID_Enumeration srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network

NEXT

id=15024
name=The PVS has detected a DNP3 TCP cold restart command.
match=|7094
match=pvs
match=DNP3
match=TCP
match=Co
match=ld
match=Re
match=st
match=|70
match=rt
match=Cold Restart
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:PVS-DNP3_TCP_Cold_Restart srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network

NEXT

id=15025
name=The PVS has detected a DNP3 TCP disable unsolicited messages command.
match=|7097
match=pvs
match=DNP3
match=TCP
match=Di
match=le
match=Un
match=ed
match=|70
match=ss
match=Me
match=es
match=mm
match=nd
match=Disable Unsolicited Messages
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:PVS-DNP3_TCP_Disable_Unsolicited_Messages srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network

NEXT

id=15026
name=The PVS has detected a DNP3 TCP stop application command.
match=|7096
match=pvs
match=DNP3
match=TCP
match=St
match=op
match=Ap
match=pp
match=|70
match=ca
match=ti
match=on
match=Stop Application
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:PVS-DNP3_TCP_Stop_Application srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network

NEXT

id=15027
name=The PVS has detected a DNP3 TCP warm restart command.
match=|7095
match=pvs
match=DNP3
match=TCP
match=Wa
match=rm
match=Re
match=st
match=|70
match=ar
match=rt
match=Warm Restart
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})
log=event:PVS-DNP3_TCP_Warm_Restart srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network

NEXT

id=15028
name=The Passive Vulnerability Scanner detected MODBUS protocol activity, commonly associated with SCADA control systems, that has returned query data.
match=pvs
match=7099
match=MOD
match=MODBUS/TCP
match=Re
match=tu
match=rn
match=Qu
match=ry
match=Da
match=ta
match=Return Query Data
match=SCADA
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-SCADA_MODBUS_Return_Query_Data srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network

NEXT

id=15029
name=The Passive Vulnerability Scanner detected MODBUS protocol activity, commonly associated with SCADA control systems, that has restarted communications.
match=pvs
match=7100
match=MOD
match=MODBUS/TCP
match=Re
match=st
match=art
match=Co
match=mm
match=un
match=ion
match=Restart Communications
match=SCADA
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-SCADA_MODBUS_Restart_Communications srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network

NEXT

id=15030
name=The Passive Vulnerability Scanner detected MODBUS protocol activity, commonly associated with SCADA control systems, that is in force listen mode.
match=pvs
match=7101
match=MOD
match=MODBUS/TCP
match=Fo
match=ce
match=Li
match=st
match=en
match=Mo
match=de
match=Force Listen Mode
match=SCADA
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-SCADA_MODBUS_Force_Listen_Mode srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network

NEXT

id=15031
name=The Passive Vulnerability Scanner detected MODBUS protocol activity, commonly associated with SCADA control systems, that has cleared counters and diagnostic registers.
match=pvs
match=6259
match=MOD
match=MODBUS Client
match=Cl
match=ar
match=Co
match=ters
match=nd
match=Di
match=tic
match=Reg
match=Clear Counters and Diagnostic Registers
match=SCADA
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-SCADA_MODBUS_Clear_Counters_Diagnostic_Registers srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network

NEXT

id=15032
name=The Passive Vulnerability Scanner detected MODBUS protocol activity, commonly associated with SCADA control systems, that has sent a report server ID request.
match=pvs
match=7103
match=MOD
match=MODBUS/TCP
match=Re
match=po
match=rt
match=Se
match=ver
match=ID
match=Report Server ID
match=SCADA
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-SCADA_MODBUS_Report_Server_ID srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network

NEXT

id=15033
name=The Passive Vulnerability Scanner detected MODBUS protocol activity, commonly associated with SCADA control systems, in the form of a CANopen protocol request.
match=pvs
match=7104
match=MOD
match=MODBUS/TCP
match=CANopen
match=CA
match=AN
match=op
match=en
match=SCADA
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-SCADA_MODBUS_CANopen_Protocol srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network

NEXT

id=15034
name=The Passive Vulnerability Scanner detected MODBUS protocol activity, commonly associated with SCADA control systems, that issued a device identification request.
match=pvs
match=7105
match=MOD
match=MODBUS/TCP
match=De
match=vi
match=ce
match=Id
match=en
match=fi
match=ion
match=SCADA
match=Device Identification
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-SCADA_MODBUS_Device_Identification srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network

NEXT

id=15035
name=The Passive Vulnerability Scanner has detected a DNS query from a remote client
match=pvs
match=7106
match=ve
match=rm
match=ob
match=DNS
match=DNSSEC
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-DNSSEC_Client_Query srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:dns

NEXT

id=15036
name=The Passive Vulnerability Scanner has logged the SSL Certificate information from a session.
match=pvs
match=|70
match=SSL
match=ion
match=iz
match=rv
match=rk
match=client
match=|7046|SSL Certificate information
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-SSL_Certificate_Info srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network

NEXT

id=15037
name=The Passive Vulnerability Scanner has detected a RDP session.
match=pvs
match=7107
match=RDP
match=ut
match=rv
match=yb
match=|RDP session start
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-RDP_Session_Started srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:network

NEXT

id=15038
name=The Passive Vulnerability Scanner has detected an SSL error code: the client has responded with an SSL error message.
match=pvs
match=7117
match=SSL
match=Error
match=rr
match=Co
match=|SSL Error Code|The client has 
match=The
match=cl
match=nt
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-SSL_Error_Code_Client srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:error

NEXT

id=15039
name=The Passive Vulnerability Scanner has detected an SSL error code: the server has responded with an SSL error message.
match=pvs
match=7116
match=SSL
match=Error
match=rr
match=Co
match=|SSL Error Code|The server has
match=The
match=se
match=er
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-SSL_Error_Code_Server srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:error

NEXT

id=15040
name=The Passive Vulnerability Scanner has detected an H.248.1 (Gateway Control Protocol) user.
match=H.248.1
match=User Detection
match=8269
match=H.
match=.248.
match=pvs
match=Us
match=ser
match=Detection
match=User
match=tion
match=etection
match= User
match=De
match=ct
match=Detect
match=ion
match=|17|
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-H248_1_User_Detection srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:17 type:web-access

NEXT

id=15041
name=The Passive Vulnerability Scanner has detected a UserID and password passed in plaintext.
match=7137
match=UserID
match=ID
match=pvs:
match=And
match=Password
match=ss
match=ser
match=Us
match=Pa
match=ed
match=In
match=Pl
match=xt
match=UserID And Password Passed In Plaintext
match=|6|
match=!user=
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*login=([A-Za-z0-9._-]+)
log=event:PVS-UserID_And_Password_Passed_In_Plaintext srcip:$1 srcport:$3 dstip:$4 dstport:$6 user:$8 proto:6 type:login

NEXT

id=15042
name=PVS has observed a TCP session.
# NOTE(review): match=|17| requires the protocol field after dstport to be 17
# (the IP protocol number for UDP), yet the rule is named "TCP session" and
# the log line hard-codes proto:6. The regex already captures that protocol
# field as $7 -- confirm the intended protocol against the PVS message format
# before relying on this event.
match=pvs:
match=|17|
match=TCP
match=end
match=do
match=nd
match=wn
match=up
match=down
match=TCP Session|
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,3})\|
log=event:PVS-TCP_Session srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network

NEXT

id=15043
name=The Passive Vulnerability Scanner has detected a UserID and password passed in plaintext.
match=7137
match=UserID
match=ID
match=pvs:
match=And
match=Password
match=ss
match=ser
match=Us
match=Pa
match=ed
match=In
match=Pl
match=xt
match=UserID And Password Passed In Plaintext
match=|6|
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*user=([A-Za-z0-9._-]+)
log=event:PVS-UserID_And_Password_Passed_In_Plaintext srcip:$1 srcport:$3 dstip:$4 dstport:$6 user:$8 proto:6 type:login

NEXT

id=15044
name=The PVS has detected an ActiveX control.
match=pvs
match=|6|
match=|4669|ActiveX Control Detection
match=Act
match=ive
match=ActiveX
match=Co
match=ol
match=De
match=on
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})
log=event:PVS-ActiveX_Control_Detection type:network srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6

NEXT

id=15045
name=The PVS has detected an NTP client connection.
match=pvs
match=|17|
match=|7171|NTP Client Connection Detection
match=NTP
match=Client
match=Connection
match=Detection
match=Cl
match=Co
match=De
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]{1,5})
log=event:PVS-NTP_Client_Connection_Detection type:connection srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:17

NEXT

id=15046
name=The PVS has detected that the remote host has Apple software installed.
match=pvs
match=|6|
match=|7084|Apple Software Listing
match=Apple
match=Software
match=Li
match=tin
match=ing
match=Ap
match=So
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]{1,5})
log=event:PVS-Apple_Software_Listing type:network srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6

NEXT

id=15047
name=The Passive Vulnerability Scanner has reported non-DNS traffic over port 53; the remote host has sent data over port 53 which does not appear to be valid DNS traffic.
match=pvs
match=|7172|Non-DNS Traffic Over Port 53|
match=|71
match=Non
match=DNS
match=Tr
match=ic
match=Ov
match=er
match=53
match=Po
match=6
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})\|
log=event:PVS-Non_DNS_Traffic_Over_Port_53 srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network

NEXT

id=15048
name=The Passive Vulnerability Scanner has reported a DNS text type record; the remote host has sent a large DNS response which contained a text record.
match=pvs
match=|7173|DNS TEXT Type Record Detection|
match=|71
match=DNS
match=TE
match=Re
match=rd
match=De
match=on
match=17
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})\|
log=event:PVS-DNS_Text_Type_Record_Detection srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:17 type:network

NEXT

id=15049
name=The Passive Vulnerability Scanner has reported a DNS TCP connection detection; the remote host is a DNS client utilizing TCP. This can be an indicator of malicious activity.
match=pvs
match=|7174|DNS TCP Connection Detection|
match=|71
match=DNS
match=TCP
match=Co
match=nn
match=De
match=on
match=6
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})\|
log=event:PVS-DNS_TCP_Connection_Detection srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network