# LCE PRM LIBRARY # Copyright 2006-2014 Tenable Network Security # This library may only be used with the Log Correlation Engine and may not # be used with other products or open source projects # # NAME: # Passive Vulnerability Scanner realtime syslog parser # # DESCRIPTION: # The Passive Vulnerability Scanner will detect a majority of # the systems, applications and vulnerabilities through passive # protocol analysis. PVS also has the ability to look for events # indicative of a successful attack only on the discovered applications # it has identified. This library allows the LCE to process those # events. # # To use this with PVS, the PVS sensor must be configured to send # SYSLOG messages to the LCE daemon. # LAST UPDATED: $Date$ id=4639 name=The Passive Vulnerability Scanner detected a MAC address addition match=17 match=7076 match=pvs match=MAC address match=MA match=ss match=AC match=dr match=es regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-MAC_Addition srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:17 type:network NEXT id=4640 name=The Passive Vulnerability Scanner detected a client FTP session to a port other than port 21 match=70 match=78 match=7078| match=non-standard match=ct match=De match=FTP match=nt match=port regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*FTP server \(([0-9\.]+)\) on port ([0-9]+) log=event:PVS-FTP_NON_STANDARD_PORT srcip:$1 srcport:$3 dstip:$8 dstport:$9 proto:6 type:network NEXT id=4641 name=A Citrix client has just initiated a session to a server E match=67 match=25 match=6725| match=Cit match=Citrix match=ICA match=7f regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-CITRIX_Client_Connection srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network NEXT id=4700 name=The Passive Vulnerability Scanner detected a website hosting malicious content. 
match=4334 match=6 match=pvs match=Malicious Website match=Ma match=te match=al match=ou match=ic match=Web match=li match=Mal match=ici regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-Malicious_Website srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:intrusion NEXT id=4701 name=The Passive Vulnerability Scanner detected DNS tunneling. match=pvs match=unnel match=Detection match=|DNS Tunneling match=un match=on match=tion match=te match=etection match=ing match=in match=ng match=nn match=DNS match=ti match=ect match=ion regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-DNS_Tunnel_Activity srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network NEXT id=4702 name=The Passive Vulnerability Scanner detected XMPP protocol usage. match=pvs match=5687|XMPP client detection match=on match=ent match=te match=de match=etection match=ien match=en match=ti match=li match=detection match=ect match=MP match=ion match=client regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-XMPP_Activity srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network NEXT id=4703 name=The Passive Vulnerability Scanner detected OpenVPN client connection. match=pvs match=|17| match=|3541| match=VPN match=sess match=tu match=pe regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-OpenVPN_Client_Connection srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:connection NEXT id=4704 name=The Passive Vulnerability Scanner detected suspicious SCADA ICCP activity. 
match=pvs match=In match=al match=li match=SCADA match=ICCP Invalid regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-SCADA_Invalid_ICCP_Activity srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network NEXT id=4705 name=The Passive Vulnerability Scanner detected a login to the RealWin Management Server HMI interface. match=pvs match=6305 match=SCADA match=RealWin Management Server HMI match=Server match=Wi match=ag match=ea match=ent match=nag match=Re match=al match=erv match=en regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-SCADA_RealWin_Login srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:login NEXT id=4706 name=The Passive Vulnerability Scanner detected a Voice Over IP (VoIP) session start. match=pvs match=6474 match=VoIP Client Detection match=Detection match=Cl match=on match=ent match=tion match=te match=etection match=ien match=en match=Client match=IP match=ti match=li match=ect match=ion regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-VoIP_Session srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network NEXT id=4707 name=The Passive Vulnerability Scanner detected BitTorrent file download activity. match=pvs match=lo match=Detection match=Fi match=le match=File Download Detection match=To match=on match=.torrent match=own match=ent match=te match=re match=Download match=ile match=File match=ect match=ion regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-BitTorrent_Activity srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network NEXT id=4708 name=The Passive Vulnerability Scanner detected Facebook application activity. 
match=pvs match=|6| match=6397|Facebook Application Access match=oo match=at match=cc match=tion match=App match=Access match=ess match=ss match=pp match=ic match=Acc match=ce match=ti match=li match=ok match=ccess regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|6\|6397\| log=event:PVS-Facebook_Application_Detection srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:social-networks NEXT id=4709 name=The Passive Vulnerability Scanner detected a potential cleartext command-line Unix or Windows shell. match=pvs match=ss match=|Successful Shell Attack Detected - match=ect match=ack match=ed match=ttack regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-Potential_Shell_Compromise srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:intrusion NEXT id=4710 name=The Passive Vulnerability Scanner detected Rockwell Automation Service protocol activity. match=pvs match=Rockwell Automation Service Detection match=at match=Detection match=ice match=on match=tion match=te match=etection match=Auto match=erv match=ll match=ti match=Service regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-SCADA_Rockwell_Activity srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network #NEXT #id=4711 #name=The Passive Vulnerability Scanner detected MODBUS protocol activity commonly associated with SCADA control systems. 
#example=<36>May 13 17:47:58 pvs: 192.168.1.102:21|207.35.251.172:2243|6|xxxx|MODBUS Client 'Force Listen Only Mode' Request (SCADA) #example=<36>May 13 17:47:58 pvs: 192.168.1.102:21|207.35.251.172:2243|6|xxxx|MODBUS Client 'Clear Counters and Diagnostic Registers' Request (SCADA) #match=pvs #match=MOD #match=MODBUS Client ' #match=Cl #match=ent #match=ien #match=en #match=Client #match=li #match=SCADA #regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) #log=event:PVS-SCADA_MODBUS_Activity srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network NEXT id=4712 name=The Passive Vulnerability Scanner tracked network activity from a post-attack source IP. match=pvs match=ion match=ss match=session match=ack match=ed match=|10|tracked-session| regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-Tracked_Session srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:intrusion NEXT id=4713 name=The Passive Vulnerability Scanner detected a YouTube video being played. match=pvs match=|6| match=ion match=:80|6|5273|YouTube Usage Detection| match=ect match=age match=io match=Detection match=ag match=on match=tion match=te match=etection match=ou match=be match=ti regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|6\|5273\| log=event:PVS-YouTube_Usage_Detection srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:social-networks NEXT id=4714 name=The Passive Vulnerability Scanner detected Twitter usage. match=pvs match=|6| match=etection match=ion match=ect match=:80 match=4814|Twitter Usage Detection| regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|6\|4814\| log=event:PVS-Twitter_Usage_Detection srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:social-networks NEXT id=4715 name=The Passive Vulnerability Scanner detected evidence of a backdoored host. 
match=pvs match=ack match=|Trojan/Backdoor match=an regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-Backdoor_Activity srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:17 type:intrusion NEXT id=4716 name=The Passive Vulnerability Scanner detected client or server botnet activity. match=pvs match=|6| match=|Generic Botnet match=ion match=ect regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-Botnet_Detection srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:intrusion NEXT id=4717 name=The Passive Vulnerability Scanner detected a DVD or CD .iso image being transmitted over SMB. match=pvs match=ent match=lo match=le match=|SMB Client File Download match=Do match=rom match=.iso' from the regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*server on ([0-9]+(\.[0-9]+){3}) log=event:PVS-SMB_Client_ISO_File_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:6 type:file-access NEXT id=4718 name=The Passive Vulnerability Scanner detected a generic "Attack" event which looks for post-compromise network activity. match=pvs match=TP match=FTP match=ack match= Attack - match=ttack regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-Successful_Attack srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:intrusion NEXT id=4719 name=The Passive Vulnerability Scanner detected a suspicious file (tftp or ftp) transfer from a known server. match=pvs match=|17| match=ent match=TP match=rom match=ate match=ed match=|TFTP Client initiated from match=FTP regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-Suspicious_File_Transfer srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:17 type:intrusion NEXT id=4720 name=The Passive Vulnerability Scanner detected a web server which has proxied an email message. 
match=pvs match=|6| match=TP match=SMTP match=ect match=|6|6231|SMTP Proxy Traffic Detected regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-SMTP_Proxy srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network NEXT id=4721 name=The Passive Vulnerability Scanner detected an email being sent by a tool known as 'The Bat'. This is likely a source of SPAM email. match=pvs match=|6| match=ion match=detection match=ect match=ail match=ss match=ass match=le match=|6|3643|'The Bat' Mass mailer detection regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-SPAM_Mass_Mailing srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:spam NEXT id=4722 name=The Passive Vulnerability Scanner detected a Windows Error message being sent to Microsoft. match=pvs match=|6| match=rr match=ing match=le match=ss match=|6|2284|WinErr message leaving the network regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-Windows_Error_Message srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:error NEXT id=4723 name=The Passive Vulnerability Scanner detected a potential SPAM server on your network. match=|Potential SPAM Server Detection| match=nti match=ote match=SPAM match=pvs match=ent match=|6| match=etection match=:25|6|4 match=ect match=ial match=ion match=al regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-Potential_SPAM_Server srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:spam NEXT id=4724 name=The Passive Vulnerability Scanner has observed a local system request an ISO file via FTP. 
match=pvs match=|6| match=ect match=ion match=Detection match=ent match=TP match=lo match=le match=|6|5056|FTP Client File Download Detection| match=.iso{0d}{0a}| regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+) log=event:PVS-FTP_File_ISO_Request srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:file-access NEXT id=4725 name=The Passive Vulnerability Scanner has observed a local system request a ZIP file via FTP. match=pvs match=|6| match=TP match=FTP match=ion match=Detection match=ect match=ent match=lo match=le match=|6|5056|FTP Client File Download Detection| match=.zip{0d}{0a}| regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+) log=event:PVS-FTP_File_ZIP_Request srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:file-access NEXT id=4726 name=The Passive Vulnerability Scanner has observed a local system request an EXE file via FTP. match=pvs match=|6| match=TP match=FTP match=ect match=ent match=lo match=ion match=le match=|6|5056|FTP Client File Download Detection| match=Detection match=.exe{0d}{0a}| regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+) log=event:PVS-FTP_File_EXE_Request srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:file-access NEXT id=4727 name=The Passive Vulnerability Scanner has observed a local system request an RPM file via FTP. 
match=pvs match=|6| match=TP match=FTP match=ect match=ion match=Detection match=ent match=lo match=le match=|6|5056|FTP Client File Download Detection| match=.rpm{0d}{0a}| regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+) log=event:PVS-FTP_File_RPM_Request srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:file-access NEXT id=4728 name=The Passive Vulnerability Scanner detected Facebook or Twitter "Pinterest" Activity match=pvs match=ter match=Facebook/Twitter Pinterest Activity match=ace match=est match=ty match=te match=Act match=Fa match=re match=tt match=in match=ti regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-Pinterest_Activity srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:social-networks NEXT id=4729 name=The PVS has logged an SSL session initiated from a client to a service and has identified the name of the SSL certificate in use. match=!This connection should match=7062|SSL client session starting match=sess match=|70 match=se match=|6 match=cli match=art match=ent match=|6| match=sta match=client match=ien match=ing match=ess match=ss match=nt match=en match=rt match=ar match= client match=in match=ng match=start match=ti match=ses match=pvs match=session match=SSL match=ion match=client match=starting regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.* at destination\: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\| log=event:PVS-SSL_Session srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network NEXT id=4730 name=The PVS has detected a Tivoli Endpoint Manager (BigFix) server push a patch or software to an end client for deployment. 
match=pvs: match=enumeration match=io match=at match=event match=Fi match=ent match=tion match=nt match=en match=me match=ti match=pvs match=er match=6 match=ve match=ion match= event match=7066|BigFix event enumeration regex=BigFix Client \(([0-9]+(\.[0-9]+){3})\) is .* server \(([0-9]+(\.[0-9]+){3})\) log=event:PVS-BigFix_Client_Patch_Update srcip:$1 srcport:0 dstip:$3 dstport:0 proto:6 type:detected-change NEXT id=4731 name=The Passive Vulnerability Scanner detected a webserver serving pornographic materials. match=pvs match=|6| match=ser match=ate match=ing match=|Webserver serving pornographic materials regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-Webserver_With_Pornography srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access NEXT id=4732 name=The Passive Vulnerability Scanner has detected an HTTP session which resulted in a 4xx message. match=pvs match=6843|HTTP 4xx Detection| match=io match=Detection match=|6 match=on match=tion match=te match=etection match=cti match=TP match=De match=ct match=ti match=P match=6 match=HTTP match=684 match=ect match=Detect match=ion regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-Web_4xx_Error srcip:$4 srcport:$6 dstip:$1 dstport:$3 proto:6 type:web-error NEXT id=4733 name=The Passive Vulnerability Scanner has detected a local client connecting to a network socket and immediately receiving a Microsoft executable. This may indicate malicious types of file sharing, but can also indicate some forms of P2P and Torrent sharing of executable programs. 
match=pvs match=|6| match=ect match=ion match=Detection match=ent match=ecu match=le match=|5706|Microsoft Executable in Transit Detection (Client)| regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-Potential_Client_Download_of_Malicious_EXE srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:intrusion NEXT id=4734 name=The Passive Vulnerability Scanner has detected a local server hosting a network socket and immediately sending a Microsoft executable. This may indicate malicious types of file sharing, but can also indicate some forms of P2P and Torrent sharing of executable programs. match=pvs match=|6| match=ect match=ion match=Detection match=ecu match=le match=|5701|Microsoft Executable in Transit Detection| regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-Potential_Serving_of_Malicious_EXE srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:intrusion NEXT id=4735 name=The Passive Vulnerability Scanner has detected a new website being hosted on an existing web server. If this website is unauthorized on your network, you should investigate it. If you have a web application assessment program, this website should be targeted for analysis if it holds sensitive data or is Internet facing. match=pvs match=ect match=ion match=detection match=ser match=TP match=|7033|HTTP server vhost detection| regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-New_WebSite_Detected srcip:$1 srcport:$3 dstip:$4 dstport:$6 type:detected-change NEXT id=4736 name=The Passive Vulnerability Scanner has observed an email being sent from your network which was blocked by the recipient email server because of an RBL lookup. This means that a remote email server believes that an email system on your network is sending SPAM and has possibly been reported to one or more RBL services. 
If you encounter large numbers of these errors, you may in fact have an email server that is inadvertently relaying SPAM email, or perhaps a botnet or malicious piece of software sending large numbers of SPAM emails. match=|Possible RBL/CBL Blacklisting Message Detected| match=la match=age match=ag match=le match=Message match=Black match=|6 match=Poss match=|6| match=ing match=ess match=ack match=ss match=in match=ng match=is match=ti match=lis match=li match=P match=ck match=pvs match=ossible match=ac match=st match=list match=bl regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-RBL_Blocked_Spam_Email srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:spam NEXT id=4737 name=The Passive Vulnerability Scanner has logged the most recent list of user accounts active on an RDP (Windows Remote Desktop) server. match=pvs match=7047|RDP match=ession match=|70 match=ess match=io match=ss match=in match=ti match=RDP match=es match=on match=ion regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-RDP_User_List srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network NEXT id=4738 name=The Passive Vulnerability Scanner has detected files being hosted on a web server. match=pvs match=|70 match=io match=file match=le match=|6 match=on match=tion match=|6| match=te match=de match=etection match=fi match=TP match=il match=ti match=ile match=detection match=er match=HTTP match=ect match=7039|HTTP file detection regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-HTTP_Hosted_Files srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network NEXT id=4739 name=The PVS has detected a login to a database via SQL. 
match=|70 match=|7035| match=tem match=lo match=an match=as match=PVS has observed match=da match= user match=Database command logging match=se match=ser match=at match=th match=has match=he match=mm match=PVS match=|6 match=log match=attempt match=login match=fo match=pvs match=ma match=to match=command regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*database server.*\(([0-9]+(\.[0-9]+){3})\).*\: log=event:PVS-Database_Login srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:6 type:login ################################################################################ ### 4740 - 4749 ### Specific SCADA normalizations ### ################################################################################ NEXT id=4740 name=The Passive Vulnerability Scanner detected SCADA DNPv3 activity. match=pvs match=|6| match=ol match=ed match=|Distributed Network Protocol v3 ' regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-SCADA_DNPv3_Activity srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:intrusion #NEXT #id=4741 #name=The Passive Vulnerability Scanner detected SCADA MODBUS activity. #example=<36>Apr 20 17:16:44 pvs: 192.168.20.200:0|192.168.20.9:0|6|309|MODBUS Client 'Restart Communications' request #match=pvs #match=|6| #match=ent #match=|MODBUS Client ' #regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) #log=event:PVS-SCADA_MODBUS_Activity srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:intrusion NEXT id=4742 name=The Passive Vulnerability Scanner detected SCADA ICCP activity. 
match=pvs match=|6| match=|SCADA - ICCP regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-SCADA_ICCP_Activity srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:intrusion NEXT id=4743 name=The PVS has detected SCADA GE D20 TFTP activity match=|62 match=|17| match=GE match=D20 match=TFTP match=Client match=FT match=Access match=ect match=Detection match=|6271| match=Client Access Detection regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+) log=event:PVS-SCADA_GED20_Activity srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:17 type:intrusion NEXT id=4744 name=The PVS has observed a failed login to a SQL database. match=wa match=|70 match=|7037| match=Database failed login detection match=tem match=lo match=as match=fa match=PVS has observed match=se match= from match=at match=has match=ail match=he match=PVS match=log match=login match=was match=|6| match=te match=de match=etection match=ed match=erv match=failed match=server match=in match=login match=rom match=from match=ai match=ailed match=error match=P match=pvs match=ile match=detection match=has regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}).*database server at ([0-9]+(\.[0-9]+){3}) log=event:PVS-Database_Login_Failure srcip:$1 srcport:$3 dstip:$4 proto:6 type:login-failure NEXT id=4745 name=The PVS has just observed an ActiveSync connection to an Exchange server, most likely from a mobile device such as an iPhone or Android. 
match=no match=|70 match=Active Sync detection and decode match=TYPE match=ho match=lo match=an match=ive match=as match=Use match=da match=at match=has match=User match=Sync match=he match=PVS match=connection match=cli match=Active match=ogged match=ent match=The match=|6| match=etection match=connect match=Act match=host match=co match=en match=or match=User match= client match=in match=ng match=nn match=for match=client match=op regex=DIP: ([0-9]+(\.[0-9]+){3}) SIP: ([0-9]+(\.[0-9]+){3}) log=event:PVS-ActiveSync_Login srcip:$1 srcport:0 dstip:$3 dstport:0 proto:6 type:network #NEXT # # This log is from tasl not pvs and duplicates prm 20095 #id=4746 #name=The PVS has detected a query to a URL known to be part of a botnet. #example=PVS-Malicious_Web_Request detected from 192.168.1.24:0 to the following URL: www.nessus.org/foo/ at 4.59.136.200:80 identified as MALWARE #match=_Request #match=Ma #match=detected #match= from #match=est #match=PVS #match=ent #match=fo #match=URL #match=den #match=Re #match=identified as #match=rom #match=from #match=etected #match=ic #match=nti #match=Web #match=to the following #match=PVS-Malicious_Web_Request #match=to #match=from #match=detected from #match=Mal #match=ici #match=_Request #regex=from ([0-9]+(\.[0-9]+){3}).* at ([0-9]+(\.[0-9]+){3}):([0-9]+) #log=event:PVS-Malicious_Web_Request srcip:$1 srcport:0 dstip:$3 dstport:$5 proto:6 type:threatlist NEXT id=4747 name=The PVS has detected a new server to client pair. 
match=io match=se match=ser match=|6 match=connection match=on match=tion match=|6| match=ver match=connect match=co match=erv match=onnect match=server match=onnection match=nn match=ti match=pvs match=er match=6 match=rv match=15|server-connection regex= pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+)\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]+)\|6\| log=event:PVS-New_Server_Trust_Relationship srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:detected-change NEXT id=4748 name=The PVS has logged an SSL session initiated from a client to a service and has identified the name of the SSL certificate in use. This particular type of SSL certificate is associated with a cloud file storage service. match=This connection should match=cloud service match=lo match=ser match=ice match=erv match=ce match= service match=er match=service match=7062|SSL client session starting match=sess match=|70 match=se match=|6 match=cli match=art match=ent match=|6| match=sta match=client match=ien match=ing match=ess match=ss match=nt match=ar match= client match=in match=ng match=start match=ti match=ses match=pvs match=session match=SSL match=ion match=client match=starting regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.* at destination\: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\. log=event:PVS-SSL_Session_Cloud_Data srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network NEXT id=4749 name=The PVS has logged an SSL session initiated from a client to a service and has identified the name of the SSL certificate in use. This particular type of SSL certificate is associated with an anonymous proxy service which allows for users to access the Internet securely and without trace. 
match=This connection should match=anonymous proxy match=no match=an match=on match=ou match=mo match=nonymous match=7062|SSL client session starting match=sess match=|70 match=io match=se match=|6 match=cli match=art match=ent match=|6| match=sta match=client match=ien match=ing match=ess match=ss match=nt match=ar match= client match=in match=ng match=start match=ti match=ses match=pvs match=session match=SSL match=ion match=client match=starting regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.* at destination\: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\. log=event:PVS-SSL_Session_Anon_Proxy srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network ################################################################################ ### 4750 - 4759 ### New Hosts, new ports, new browses, etc. ### ################################################################################ NEXT id=4750 name=The Passive Vulnerability Scanner detected a new host. match=pvs match=host match=le # this notmatch statement ignores the IPv6 log, which the IPv4-only regex below would not parse match=!:: match=|13|new-host-alert| regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\| log=event:PVS-New_Host_Alert srcip:$1 srcport:0 dstip:$1 dstport:0 type:detected-change NEXT id=4751 name=The Passive Vulnerability Scanner detected a new internet connection. match=pvs match=ect match=ion match=|3|connection|INFO match=INFO match=IN match=FO match=onnection match=onnect match=0.0.0.0 regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-New_Internet_Activity srcip:$1 srcport:$6 dstip:$1 dstport:$6 proto:6 type:detected-change NEXT id=4752 name=The Passive Vulnerability Scanner detected a new port browsing. This means that a host was observed connecting to the Internet on a previously undetected port. 
match=pvs match=ect match=ser match=ion match=ce match=|2|connection-to-service|INFO match=INFO match=IN match=FO match=onnection match=onnect regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+) log=event:PVS-New_Port_Browsing srcip:$1 srcport:$6 dstip:$1 dstport:$6 proto:6 type:detected-change NEXT id=4753 name=The Passive Vulnerability Scanner has detected a new open port. match=pvs match=IN match=INFO match=FO match=|0|new-open-port|INFO regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+) log=event:PVS-New_Open_Port srcip:$1 dstip:$1 srcport:$3 dstport:$3 type:detected-change NEXT id=4754 name=The Passive Vulnerability Scanner has detected a new trust relationship. match=pvs match=ion match=|3|connection|INFO match=ect match=INFO match=IN match=FO match=!0.0.0.0 regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+) log=event:PVS-New_Trust_Relationship srcip:$1 srcport:$6 dstip:$4 dstport:$6 proto:6 type:detected-change NEXT id=4755 name=The PVS has detected an SSL session which involved access of a social media site such as Facebook or Twitter. match=This connection should match=Social Media server match=ser match=ver match=ed match=ial match=al match=erv match=server match=cia match=er match=rv match=7062|SSL client session starting match=sess match=|70 match=io match=se match=|6 match=cli match=art match=ent match=|6| match=sta match=ien match=ing match=ess match=ar match= client match=in match=ng match=start match=ses match=pvs match=session match=SSL match=client match=starting regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.* at destination\: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\. log=event:PVS-SSL_Session_Social_Access srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network NEXT id=4756 name=The PVS has detected an SSL session which involved access of a media or communications site such as NetFlix or Skype. 
match=This connection should match=media server match=ser match=ver match=ed match=erv match=me match=server match=er match=rv match=ve match=7062|SSL client session starting match=sess match=|70 match=io match=se match=|6 match=cli match=art match=ent match=|6| match=sta match=ien match=ing match=ess match=ss match=nt match=ar match= client match=in match=ng match=start match=ti match=ses match=pvs match=session match=SSL match=ion match=client match=starting regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.* at destination\: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\. log=event:PVS-SSL_Session_Media_Access srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network NEXT id=4758 name=The PVS has detected an Apple device such as an iPhone or iPad connecting to the Apple App Store. match=pvs match=6590|Accessing iTunes Store on an Apple iOS device match=dev match=an match=un match=le match= on match=ice match=on match=cc match=iTunes match=de match=App match=Access match=ing match=ess match=re match=ss match=pp match=or match=in regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+) log=event:PVS-Apple_App_Store_Access srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access NEXT id=4759 name=The PVS has logged an SSL session initiated from a client to a web conferencing server. match=This connection should match=web conferencing match=lo match=ser match=erv match=7062|SSL client session starting match=sess match=|70 match=io match=se match=|6 match=cli match=art match=ent match=|6| match=sta match=client match=ien match=ing match=ess match=ss match=nt match=ar match= client match=in match=ng match=start match=ti match=ses match=pvs match=session match=SSL match=ion match=client match=starting regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.* at destination\: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\. 
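log=event:PVS-SSL_Session_Web_Conference srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network
################################################################################
### 4770 - 4779
### New Vulnerabilities
###
################################################################################
NEXT
id=4770
name=The Passive Vulnerability Scanner has observed a local FTP server serve a file via FTP.
match=pvs
match=|6|
match=TP
match=FTP
match=ion
match=ect
match=le
match=|6|5055|FTP Server File Detection|
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-FTP_File_Served srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:file-access
NEXT
# 4771-4773: severity buckets for PVS vulnerability reports.
# The PVS syslog layout is "pvs: src:port|dst:port|proto|pluginid|name|..."
# (see the "|6|", "|17|" and ":25|6|1329|" match strings throughout this
# library), so the seventh capture ($7) is the IP protocol number. All three
# rules used to hard-code proto:17 (UDP), which mislabelled every TCP finding;
# the protocol is now taken from the message, exactly as srcport/dstport are.
# The negative matches keep the informational plugins (portscan, new-host,
# connection, connection-to-service, new-open-port) out of the vulnerability
# counts; several of them have rules of their own (e.g. 4753, 4754).
id=4771
name=The Passive Vulnerability Scanner detected a LOW severity vulnerability.
match=pvs
match=!:0|0|11|portscan-detection|
match=!|13|new-host-alert|
match=!|3|connection|INFO
match=!|2|connection-to-service|INFO
match=!|0|new-open-port|INFO
match=|LOW
match=LO
# Local Email Account (1329) and Local POP Account (2341) would otherwise also
# land here; they have dedicated rules (PVS-SMTP_Return_Address,
# PVS-POP_Session_Detection), so exclude them to avoid double counting.
match=!|6|1329|Local Email Account
match=!110|6|2341|Local POP Account|USER
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-Low_Vulnerability srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:vulnerability
NEXT
id=4772
name=The Passive Vulnerability Scanner detected a MEDIUM severity vulnerability.
match=pvs
match=!:0|0|11|portscan-detection|
match=!|13|new-host-alert|
match=!|3|connection|INFO
match=!|2|connection-to-service|INFO
match=!|0|new-open-port|INFO
match=|MEDIUM
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-Medium_Vulnerability srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:vulnerability
NEXT
id=4773
name=The Passive Vulnerability Scanner detected a HIGH severity vulnerability.
match=pvs
match=!:0|0|11|portscan-detection|
match=!|13|new-host-alert|
match=!|3|connection|INFO
match=!|2|connection-to-service|INFO
match=!|0|new-open-port|INFO
match=|HIGH
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-High_Vulnerability srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:vulnerability
NEXT
id=4774
name=The Passive Vulnerability Scanner has detected an HTTP session which resulted in a 5xx web error message.
match=pvs
match=6844|HTTP 500 Detection|
match=io
match=Detection
match=on
match=tion
match=te
match=etection
match=cti
match=TP
match=De
match=ct
match=ti
match=P
match=6
match=HTTP
match=684
match=ect
match=Detect
match=ion
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
# Note: although normally $1 and $3 are the sources, we flip them in the
# normalization because in fact, the destination logged by PVS is really the
# guy attacking or causing the web error. (4776, the client-side variant of
# this plugin, keeps the normal orientation.)
log=event:PVS-Web_5xx_Error srcip:$4 srcport:$6 dstip:$1 dstport:$3 proto:6 type:web-error
NEXT
id=4775
name=The PVS has logged an SSL session initiated from a client to a service with an SSL certificate known to be in use by malware.
match=This connection should
match=been
match=certificate
match=The
match=ass
match=ing
match=malware
match=identified as
match=7062|SSL client session starting
match=sess
match=|70
match=io
match=se
match=|6
match=cli
match=art
match=ent
match=|6|
match=sta
match=client
match=ien
match=ing
match=ess
match=ss
match=nt
match=ar
match= client
match=in
match=ng
match=start
match=ti
match=ses
match=pvs
match=session
match=SSL
match=ion
match=client
match=starting
# The SSL session messages carry the destination in free text ("at
# destination: ip:port."), not in the header pair, hence the different regex.
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.* at destination\: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\.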
log=event:PVS-SSL_Malware_Session srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:intrusion NEXT id=4776 name=The Passive Vulnerability Scanner detected a web query which resulted in a 5xx HTTP error code. match=6853|HTTP 500 Detection (Client)| match=pvs match=685 match=io match=Detection match=|6 match=Cl match=on match=ent match=tion match=te match=etection match=ien match=nt match=cti match=en match=TP match=De match=Client match=ct match=ti match=li match=6 match=HTTP match=ect match=Detect match=ion regex=([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-Web_5xx srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-error NEXT id=4777 name=The Passive Vulnerability Scanner detected a Windows .msi file being transmitted over SMB. match=pvs match=lo match=Download match=Do match=ent match=le match=|SMB Client File Download match=rom match=.msi' from the regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*server on ([0-9]+(\.[0-9]+){3}) log=event:PVS-SMB_Client_MSI_File_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 type:file-access NEXT id=4778 name=The Passive Vulnerability Scanner detected a Windows .dll file being transmitted over SMB. match=pvs match=lo match=Download match=Do match=ent match=le match=|SMB Client File Download match=rom match=.dll' from the regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*server on ([0-9]+(\.[0-9]+){3}) log=event:PVS-SMB_Client_DLL_File_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 type:file-access NEXT id=4779 name=The Passive Vulnerability Scanner has observed a local system request a file via FTP. 
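match=pvs
match=TP
match=FTP
match=|6|
match=ent
match=ion
match=le
match=wn
match=lo
match=Client
match=io
match=FT
match=il
match=|6|5056|FTP Client File Download Detection|
match=ect
# Executable/archive requests are excluded from this generic event; presumably
# they are picked up by more specific rules elsewhere in the library.
match=!.exe{0d}{0a}|
match=!.iso{0d}{0a}|
match=!.rpm{0d}{0a}|
match=!.zip{0d}{0a}|
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-FTP_File_Request srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:file-access
NEXT
id=4780
name=The Passive Vulnerability Scanner detected a PGP email identity.
match=pvs
match=|6|
match=io
match=Email
match=Detection
match=ail
match=Cl
match=on
match=tion
match=te
match=etection
match=nt
match=cti
match=De
match=Client
match=ai
match=il
match=li
match=P
match=ect
match=Detect
match=ion
match=:25|6|2609|PGP Email Client Detection|
# The address captures here are not nested, so the groups are $1=src ip,
# $2=src port, $3=dst ip, $4=dst port (not the $1/$3/$4/$6 layout used by the
# rules written with ([0-9]+(\.[0-9]+){3})). A duplicated "srcip:$1" key on
# the log= line has been removed.
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|6\|2609\|
log=event:PVS-PGP_Detection srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:network
NEXT
id=4781
name=The Passive Vulnerability Scanner detected Facebook activity.
match=pvs
match=|6|
match=oo
match=ce
match=ace
match=Detection
match=ok
match=ect
match=ac
match=Fa
match=ion
match=:80|6|5272|Facebook Usage Detection|
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|6\|5272\|
log=event:PVS-Facebook_Usage_Detection srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:social-networks
NEXT
id=4782
name=The Passive Vulnerability Scanner detected a POP login.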
match=ER match=pvs match=|6| match=!{20} match=!{0d} match=!{0a} match=Lo match=:110|6|2341|Local POP Account|USER match=cal match=SE regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|6\|2341\| log=event:PVS-POP_Session_Detection srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:network NEXT id=4783 name=The Passive Vulnerability Scanner detected a user return SMTP email address. match=pvs match=|6| match=!{20} match=!{0d} match=!{0a} match=ail match=Lo match=:25|6|1329|Local Email Account| match=cal regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|6\|1329\| log=event:PVS-SMTP_Return_Address srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:network NEXT id=4784 name=The Passive Vulnerability Scanner detected a myspace account login. match=pvs match=|6| match=ion match=Detection match=ect match=ce match=ace match=|6|5271|Myspace Usage Detection| regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|6\|5271\| log=event:PVS-Myspace_Login_Detection srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:social-networks NEXT id=4785 name=The Passive Vulnerability Scanner detected a gmail account login. match=pvs match=age match=io match=ag match=ail match=on match=tion match=te match=etection match=ai match=il match=ti match=ma match=|6| match=Detection match=ect match=ion match=|6|5275|Gmail Usage Detection| regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|6 log=event:PVS-Gmail_Login_Detection srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:web-access NEXT id=4786 name=The Passive Vulnerability Scanner detected an MSN Messenger login. 
match=pvs match=|6| match=ion match=detection match=ect match=!{20} match=!{0d} match=!{0a} match=ser match=ss match=|6|2600|MSN Messenger UserID detection| regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|6\|2600\| log=event:PVS-MSN_Messenger_Login_Detection srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:network NEXT id=4787 name=The Passive Vulnerability Scanner detected a Yahoo Messenger login. match=ho match=io match=Use match=4081|Yahoo! Messenger User Enumeration| match=se match=ser match=oo match=at match=User match=on match=tion match=sen match=ess match= User match=ss match=eng match=en match=me match=User match=Mess match=ng match=ti match=pvs match=er match=ger match=ion regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|6\|4081\| log=event:PVS-Yahoo_Messenger_Login_Detection srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:network NEXT id=4788 name=The Passive Vulnerability Scanner detected an AOL Instant Messenger login. match=|6|4082|AOL Instant Messenger User Enumeration| match=an match=io match=In match=Use match=se match=ser match=at match=User match=Inst match=on match=tion match=sta match=sen match=ess match= User match=ss match=eng match=nt match=en match=User match=Mess match=ng match=ti match=pvs match=er regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|6\|4082\| log=event:PVS-AOL_Messenger_Login_Detection srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:network NEXT id=4789 name=The Passive Vulnerability Scanner could not be shutdown. match=pvs match=ail match=le match=ed match=failed match=pvs shutdown failed log=event:PVS-Shutdown_Failed type:restart NEXT id=4790 name=The Passive Vulnerability Scanner proxy was shutdown. 
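match=pvs
match=ce
match=ed
match=pvs-proxy shutdown succeeded
log=event:PVS-Proxy_Shutdown_Succeeded type:restart
NEXT
id=4791
name=The Passive Vulnerability Scanner has found a system which accepts connections.
match=pvs
match=|6|
match=ion
match=onnection
match=onnect
match=ect
match=ce
match=pt
match=0|6|14|accepts-external-connections|
match=acc
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|6\|14\|
# Both ends of the normalized event are the listening host ($1/$2); the second
# address:port pair in the message is deliberately not used.
log=event:PVS-Accepts_External_Connections srcip:$1 srcport:$2 dstip:$1 dstport:$2 proto:6 type:detected-change
NEXT
# Success counterpart of 4789 ("pvs shutdown failed"). The name= used to be a
# copy of 4789's ("could not be shutdown"), which contradicted the match and
# the event it raises.
id=4792
name=The Passive Vulnerability Scanner was shutdown successfully.
match=pvs
match=ce
match=ed
match=pvs shutdown succeeded
log=event:PVS-Shutdown_Succeeded type:restart
NEXT
id=4793
name=The Passive Vulnerability Scanner has observed a POP login event.
# {20}/{0d}/{0a} appear to be hex byte escapes (space, CR, LF). This variant
# requires them to be present in the message; 4782 is the variant that
# requires them to be absent. Both raise PVS-POP_Session_Detection.
match=pvs
match=|6|
match=Lo
match=Local
match=cal
match={20}
match={0d}
match={0a}
match=:110|6|2341|Local POP Account
match=USER
match=ER
regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|6\|2341\|
log=event:PVS-POP_Session_Detection srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:network
NEXT
id=4794
name=The Passive Vulnerability Scanner detected a web query which resulted in a 4xx HTTP error code.
match=pvs
match=6852|HTTP 4xx Detection (Client)|
match=685
match=io
match=Detection
match=|6
match=Cl
match=on
match=ent
match=tion
match=|6|
match=te
match=etection
match=ien
match=nt
match=cti
match=en
match=TP
match=De
match=Client
match=ct
match=ti
match=li
match=6
match=HTTP
match=ect
match=Detect
match=ion
# NOTE(review): unlike its siblings this regex is not anchored on the "pvs: "
# prefix; match=pvs still gates the rule, and the first ip:port|ip:port pair
# in the message is what gets captured.
regex=([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})
log=event:PVS-Web_4xx srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-error
NEXT
id=4795
name=The Passive Vulnerability Scanner detected a user return SMTP email address.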
match=pvs match=|6| match=Lo match=Local match=cal match={20} match={0d} match={0a} match=ail match=:25|6|1329|Local Email Account| regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|6\|1329\| log=event:PVS-SMTP_User_Return_Address srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:network NEXT id=4796 name=The Passive Vulnerability Scanner detected an AOL Instant Messenger login. match=pvs match=|6| match=ion match=enumeration match={20} match={0d} match={0a} match=sta match=ser match=ss match=|6|4082|AOL Instant Messenger user enumeration| match=an regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|6\|4082\| log=event:PVS-AOL_Messenger_Login_Detection srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:network NEXT id=4797 name=The Passive Vulnerability Scanner detected an MSN Messenger login. match=pvs match=|6| match=ion match=detection match=ect match={20} match={0d} match={0a} match=ser match=ss match=|6|2600|MSN Messenger UserID detection| regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|6\|2600\| log=event:PVS-MSN_Messenger_Login_Detection srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:network NEXT ############################# # # # Housekeeping Key messages # # # ############################# id=4798 name=The Passive Vulnerability Scanner has an invalid key. match=PVS match=ERROR match=ER match=AL match= (PVS) [ERROR] !! INVALID KEY !! match=IN log=event:PVS-Invalid_Key type:error NEXT id=4799 name=The Passive Vulnerability Scanner has a bad time in key file. match=PVS match=ERROR match=ER match=le match= (PVS) [ERROR] Bad time in key file log=event:PVS-Invalid_Time_In_Key type:error NEXT id=4800 name=The Passive Vulnerability Scanner has a keyfile that has expired. 
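match=PVS
match=ERROR
match=ER
match=ire
match=ing
match=le
match=ed
match= (PVS) [ERROR] main - The keyfile has expired. Exiting.
log=event:PVS-Key_Expired type:error
#
# Back to regular PRMs
NEXT
# NOTE(review): this is normalized as type:intrusion although the description
# itself says the lookup is a legitimate service that does not by itself mean
# the host is compromised. Consider whether a lower-severity type (e.g.
# web-access, as 4758 uses) fits better, so intrusion counts are not inflated
# by every external-IP check.
id=4801
name=The Passive Vulnerability Scanner has detected a system connecting to the whatismyip.com web site. This web site is commonly used by botnets and malware to determine the IP address of the external gateway router. It is a legitimate service and does not necessarily mean your system is compromised; however, if you observe port scanning, network anomalies or other suspicious activity, this event could corroborate evidence of a potentially infected system.
match=pvs
match=|6|
match=ion
match=Detection
match=ect
match=ent
match=Cl
match=on
match=tion
match=te
match=etection
match=ien
match=co
match=nt
match=en
match=Client
match=|6|5280|whatismyip.com Client Detection|
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)
log=event:PVS-WhatIsMyIP_Activity srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:intrusion
NEXT
id=4802
name=The Passive Vulnerability Scanner detected a file being transmitted over SMB.
# Catch-all for SMB client downloads. Extensions that have a rule of their own
# in this library (.exe 4803, .ini 4804, .msi 4777, .dll 4778) and the
# office/data formats listed below (presumably covered elsewhere) are excluded
# so this generic event does not fire alongside the specific one.
match=pvs
match=lo
match=Download
match=Do
match=ent
match=le
match=|SMB Client File Download
match=!.csv' from the
match=!.dll' from the
match=!.doc' from the
match=!.docx' from the
match=!.exe' from the
match=!.ini' from the
match=!.iso' from the
match=!.msi' from the
match=!.pdf' from the
match=!.pps' from the
match=!.pst' from the
match=!.ppt' from the
match=!.pptx' from the
match=!.rtf' from the
match=!.sql' from the
match=!.txt' from the
match=!.xls' from the
match=!.xlsx' from the
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*server on ([0-9]+(\.[0-9]+){3})
# dstip is the file server named in the message text ($8), not the second
# address of the header pair.
log=event:PVS-SMB_Client_File_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 type:file-access
NEXT
id=4803
name=The Passive Vulnerability Scanner detected an executable file being transmitted over SMB.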
match=pvs match=SMB match=lo match=Download match=Do match=ent match=le match=|SMB Client File Download match=rom match=.exe' from the regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*server on ([0-9]+(\.[0-9]+){3}) log=event:PVS-SMB_Client_EXE_File_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 type:file-access NEXT id=4804 name=The Passive Vulnerability Scanner detected a Windows .ini file being transmitted over SMB. match=pvs match=SMB match=lo match=Download match=Do match=ent match=le match=|SMB Client File Download match=rom match=.ini' from the regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*server on ([0-9]+(\.[0-9]+){3}) log=event:PVS-SMB_Client_INI_File_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 type:file-access NEXT id=4805 name=The Passive Vulnerability Scanner has detected a DNS query from a remote client. match=pvs match=|70 match=DNS match=ent match=|7024|DNS Client Queries| match=ser match=ed match=PVS has observed match=!This client has requested name resolution for the following regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*server at ([0-9]+(\.[0-9]+){3}) log=event:PVS-DNS_Client_Query srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:17 type:dns NEXT id=4806 name=The Passive Vulnerability Scanner has detected an internal interactive session. match=pvs match=ion match=ss match=session match=|4|internal-interactive-session| regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+) log=event:PVS-Internal_Interactive_Session srcip:$1 srcport:$3 dstip:$4 dstport:$6 type:network NEXT id=4807 name=The Passive Vulnerability Scanner has detected an outbound-interactive-session. 
match=pvs match=ion match=ss match=session match=|5|outbound-interactive-session| regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+) log=event:PVS-Outbound_Interactive_Session srcip:$1 srcport:$3 dstip:$4 dstport:$6 type:network NEXT id=4808 name=The Passive Vulnerability Scanner has detected an inbound-interactive-session. match=pvs match=ion match=ss match=session match=|6|inbound-interactive-session| regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+) log=event:PVS-Inbound_Interactive_Session srcip:$1 srcport:$3 dstip:$4 dstport:$6 type:network NEXT id=4809 name=The Passive Vulnerability Scanner has detected an internal-encrypted-session. match=pvs match=ion match=ss match=session match=ed match=pt match=|7|internal-encrypted-session| regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+) log=event:PVS-Internal_Encrypted_Session srcip:$1 srcport:$3 dstip:$4 dstport:$6 type:network NEXT id=4810 name=The Passive Vulnerability Scanner has detected an outbound-encrypted-session. match=pvs match=ion match=ss match=session match=ed match=pt match=|8|outbound-encrypted-session| regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+) log=event:PVS-Outbound_Encrypted_Session srcip:$1 srcport:$3 dstip:$4 dstport:$6 type:network NEXT id=4811 name=The Passive Vulnerability Scanner has detected an inbound-encrypted-session. match=pvs match=ion match=ss match=session match=ed match=pt match=|9|inbound-encrypted-session| regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+) log=event:PVS-Inbound_Encrypted_Session srcip:$1 srcport:$3 dstip:$4 dstport:$6 type:network NEXT id=4812 name=The Passive Vulnerability Scanner has detected hidden ViewState form field. 
match=pvs match=|70 match=St match=ate match=ion match=|7005|ViewState detection and decode| match=ect match=an regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*to web server \(([0-9]+(\.[0-9]+){3})\) log=event:PVS-ViewState_Detection_and_Decode srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:6 type:vulnerability NEXT id=4813 name=The Passive Vulnerability Scanner has detected a FTP file download. match=pvs match=|70 match=TP match=ion match=le match=|7006|FTP file detection| match=FTP match=ser match= remote FTP server regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*remote FTP server at ([0-9]+(\.[0-9]+){3}) log=event:PVS-FTP_File_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:6 type:file-access NEXT id=4814 name=The Passive Vulnerability Scanner has enumerated an FTP username. match=pvs match=|70 match=ser match=TP match=ion match=|7008|FTP UserID enumeration| match=FTP match=ent match=The remote FTP client regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*these credentials to log into.*?([0-9]+(\.[0-9]+){3}) log=event:PVS-FTP_UserID_Enumeration srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:6 type:network NEXT id=4815 name=The Passive Vulnerability Scanner has enumerated a POP username. match=pvs match=|70 match=ser match=ion match=|7010|POP UserID enumeration| match=The remote POP UserID regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*these credentials to log into ([0-9]+(\.[0-9]+){3}) log=event:PVS-POP_UserID_Enumeration srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:6 type:network NEXT id=4816 name=The Passive Vulnerability Scanner has enumerated an IMAP username. 
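match=pvs
match=|70
match=ser
match=ion
match=|7012|IMAP UserID Enumeration|
match=ss
match=ass
match=ate
match=ed
match=associated with the IMAP account
match=acc
match=AP
# The account capture was written as [A-za-z...]; the A-z range also spans the
# punctuation between 'Z' and 'a' ([ \ ] ^ `), which is not part of a mail
# account name. Corrected to A-Za-z. Group numbering: $1/$3 src ip/port,
# $4/$6 dst ip/port, $7 proto, $8 account, $9 the server the login went to.
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*account is: ([A-Za-z0-9._\-\@]+) and the user was observed using these credentials to log into ([0-9]+(\.[0-9]+){3})
log=event:PVS-IMAP_UserID_Enumeration srcip:$1 srcport:$3 dstip:$9 dstport:$6 type:network user:$8
NEXT
id=4817
name=The Passive Vulnerability Scanner has enumerated a list of SMTP usernames.
match=pvs
match=|70
match=ser
match=TP
match=ion
match=|7015|SMTP UserID Enumeration|
match=ent
match=ss
match=ass
match=ate
match=ed
match=SMTP UserIDs associated with this client
# No user: field is extracted here; the message lists several UserIDs and only
# the address pair is normalized.
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*
log=event:PVS-SMTP_UserID_Enumeration srcip:$1 srcport:$3 dstip:$4 dstport:$6 type:network
NEXT
id=4818
name=The Passive Vulnerability Scanner has identified default credentials being used.
match=pvs
match=|70
match=ent
match=ed
match=|7022|Default Credentials check|
match=ser
match=default credentials.
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*These credentials were used to log into ([0-9]+(\.[0-9]+){3})
# dstip is the host the credentials were used against ($8), taken from the
# message text rather than the header pair.
log=event:PVS-Default_Credentials_Detected srcip:$1 srcport:$3 dstip:$8 dstport:$6 type:vulnerability
NEXT
# NOTE(review): rule 4805 matches the same plugin name ("DNS Client Queries")
# under id 7024, while this rule keys on 7055; confirm which id PVS emits for
# the DNSChanger report so that neither rule is dead.
id=4819
name=The Passive Vulnerability Scanner has detected DNS lookups to a potentially dangerous server.
match=pvs
match=|70
match=DNS
match=ent
match=|7055|DNS Client Queries|
match=ser
match=lo
match=DNSChanger
regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*to the following servers \| -([0-9]+(\.[0-9]+){3})
log=event:PVS-DNSChanger_Malware srcip:$1 srcport:$3 dstip:$8 dstport:$6 type:virus
NEXT
id=4820
name=The Passive Vulnerability Scanner has reported on a DNS resolution.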
match=pvs match=|70 match=DNS match=ol match=ion match=ing match=|7026|DNS resolution reporting| regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*DNS server at ([0-9]+(\.[0-9]+){3}) log=event:PVS-DNS_Resolution_Reporting srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:17 type:dns NEXT id=4821 name=The Passive Vulnerability Scanner has detected a DNS Client Failed Query. match=pvs match=|70 match=DNS match=PVS match=ent match=ail match=le match=ed match=|7027|DNS Client Failed Query| match=lo match=perform a failed DNS lookup regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*DNS server at ([0-9]+(\.[0-9]+){3}) log=event:PVS-DNS_Client_Failed_Query srcip:$1 srcport:$3 dstip:$8 dstport:53 proto:17 type:dns NEXT id=4822 name=The PVS has detected a Microsoft Group Policy server. match=|70 match=ser match=ol match=ion match=|7031|Microsoft Group Policy server detection match=ect regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+) log=event:PVS-Microsoft_Group_Policy_Server_Detection srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network NEXT id=4823 name=The PVS has observed a Microsoft Group Policy client download. match=|70 match=ent match=ol match=lo match=ion match=|7032|Microsoft Group Policy client download detection match=ect regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*from server\(([0-9]+(\.[0-9]+){3}) log=event:PVS-Microsoft_Group_Policy_Client_Download_Detection srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:6 type:file-access # id=4824 available NEXT id=4825 name=The PVS has detected a failed MySQL database login. 
match=|5633|MySQL Server Failed Login match=Login match=io match=Server match=Detection match=le match=ail match=on match=|6| match=etection match=Failed match=De match=ct match= Failed match=il match=ailed match=Lo match=pvs match=er match=Ser match=gi match=rv match=|5633|MySQL Server Failed Login regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+)\| log=event:PVS-MySQL_Server_Failed_Login srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:login-failure NEXT id=1950 name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP. match=pvs match=|70 match=TP match=HTTP match=est match=ion match=|7041|HTTP request detection|The match=ect match=GET # note - all of these have spaces at the end of them match=!.asp;Referer: match=!.avi;Referer: match=!.bmp;Referer: match=!.cgi;Referer: match=!.dmg;Referer: match=!.doc;Referer: match=!.docx;Referer: match=!.gif;Referer: match=!.exe;Referer: match=!.flv;Referer: match=!gz;Referer: match=!.htm;Referer: match=!.html;Referer: match=!.iso;Referer: match=!.java;Referer: match=!.jpeg;Referer: match=!.jpg;Referer: match=!.js;Referer: match=!.mpg;Referer: match=!.mpeg;Referer: match=!.mpa;Referer: match=!.m4a;Referer: match=!.mp3;Referer: match=!.mp4;Referer: match=!.mov;Referer: match=!.msi;Referer: match=!.pdf;Referer: match=!.php;Referer: match=!.pkg;Referer: match=!.png;Referer: match=!.pps;Referer: match=!.ppt;Referer: match=!.pptx;Referer: match=!.ra;Referer: match=!.ram;Referer: match=!.rar;Referer: match=!.rpm;Referer: match=!.rtf;Referer: match=!.rm;Referer: match=!.rss;Referer: match=!.swf;Referer: match=!.torrent;Referer: match=!.txt;Referer: match=!.vcd;Referer: match=!.wav;Referer: match=!.wma;Referer: match=!.wmv;Referer: match=!.xap;Referer: match=!.xls;Referer: match=!.xml;Referer: match=!.xlsx;Referer: match=!.xls;Referer: match=!.zip;Referer: match=!;Query: YES; match=!PVS-Malicious_Web_Request regex=pvs: 
([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access NEXT id=1951 name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for an XML file. match=pvs match=|70 match=TP match=HTTP match=ect match=ion match=detection match=est match=|7041|HTTP request detection|The match=GET match=.xml;Referer: regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_File_XML_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access NEXT id=1952 name=The PVS Proxy has received a connection. match=onnect match=onnection match=rom match= [ match= from match=PVS match=(PVS Proxy) match=Connection match=from match=ect match=ion match=Connection from regex=Connection from ([0-9]+(\.[0-9]+){3}) log=event:PVS-Proxy_Connection type:connection srcip:$1 NEXT id=1953 name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a web page rendered by a Microsoft Active Server Pages application. match=pvs match=|70 match=TP match=HTTP match=ect match=ion match=detection match=est match=|7041|HTTP request detection|The match=GET match=.asp;Referer: regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_Content_ASP_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access NEXT id=1954 name=The PVS Proxy had a connection resulting in a login failure. 
match=failed match= client match=in match=lo match= [ match=: match=(PVS Proxy) match=ailed match=le match=ail match=PVS match=, client match=log match=ent match=login match= failed match=ed match=ogin match=host match=client match=svr_login() failed, client host regex=client host \: ([0-9]+(\.[0-9]+){3}) log=event:PVS-Proxy_Login_Failure srcip:$1 type:login-failure NEXT id=1955 name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for an AVI video file. match=pvs match=|70 match=TP match=HTTP match=ect match=ion match=detection match=est match=|7041|HTTP request detection|The match=GET match=.avi;Referer: regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_Video_AVI_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access NEXT id=1956 name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for an BMP image file. match=pvs match=|70 match=TP match=HTTP match=ect match=ion match=detection match=est match=|7041|HTTP request detection|The match=GET match=.bmp;Referer: regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_Image_BMP_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access NEXT id=1957 name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a web site rendered by a CGI form. 
match=pvs match=|70 match=TP match=HTTP match=ect match=ion match=detection match=est match=|7041|HTTP request detection|The match=GET match=.cgi;Referer: regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_Content_CGI_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access NEXT id=1959 name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a DMG file which is likely a Mac OS X application file. match=pvs match=|70 match=TP match=HTTP match=ect match=ion match=detection match=est match=|7041|HTTP request detection|The match=GET match=.dmg;Referer: regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_Disk_DMG_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access NEXT id=1960 name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a Microsoft Word .doc file. match=pvs match=|70 match=TP match=HTTP match=ect match=ion match=detection match=est match=|7041|HTTP request detection|The match=GET match=.doc;Referer: regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_Office_DOC_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access NEXT id=1961 name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a Microsoft Word .docx file. 
match=pvs match=|70 match=TP match=HTTP match=ect match=ion match=detection match=est match=|7041|HTTP request detection|The match=GET match=.docx;Referer: regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_Office_DOCX_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access NEXT id=1963 name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a GIF image. match=GET match=pvs match=|70 match=TP match=HTTP match=ect match=ion match=detection match=est match=|7041|HTTP request detection|The match=.gif;Referer: regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_Image_GIF_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access NEXT id=1964 name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a Windows executable file. match=pvs match=|70 match=TP match=HTTP match=ect match=ion match=detection match=est match=|7041|HTTP request detection|The match=GET match=.exe;Referer: regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_Executable_EXE_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access NEXT id=1965 name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a flash video file. 
match=pvs match=|70 match=TP match=HTTP match=ect match=ion match=detection match=est match=|7041|HTTP request detection|The match=GET match=.flv;Referer: regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_Video_FLV_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access NEXT id=1966 name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a file compressed by the Gnu Zip program. match=pvs match=|70 match=TP match=HTTP match=ect match=ion match=detection match=est match=|7041|HTTP request detection|The match=GET match=gz;Referer: regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_File_GZ_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access NEXT id=1967 name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for an HTML file. match=pvs match=|70 match=TP match=HTTP match=ect match=ion match=detection match=est match=|7041|HTTP request detection|The match=GET match=.htm;Referer: regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_Content_HTM_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access NEXT id=1968 name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for an HTML file. 
match=pvs match=|70 match=TP match=HTTP match=ect match=ion match=detection match=est match=|7041|HTTP request detection|The match=GET match=.html;Referer: regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_Content_HTML_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access NEXT id=1969 name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a CD or DVD .iso image. match=pvs match=|70 match=TP match=HTTP match=ect match=ion match=detection match=est match=|7041|HTTP request detection|The match=GET match=.iso;Referer: regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_Disk_ISO_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access NEXT id=1970 name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for Java source code. This code may have been executed by the browser. match=pvs match=|70 match=TP match=HTTP match=ect match=ion match=detection match=est match=|7041|HTTP request detection|The match=GET match=.java;Referer: regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_Executable_JAVA_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access NEXT id=1971 name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a .jpeg image file. 
match=pvs match=|70 match=TP match=HTTP match=ect match=ion match=detection match=est match=|7041|HTTP request detection|The match=GET match=.jpeg;Referer: regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_Image_JPEG_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access NEXT id=1972 name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a .jpg image file. match=pvs match=|70 match=TP match=HTTP match=ect match=ion match=detection match=est match=|7041|HTTP request detection|The match=GET match=.jpg;Referer: regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_Image_JPG_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access NEXT id=1973 name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for javascript code. This code was likely executed on the downloading web browser. match=pvs match=|70 match=TP match=HTTP match=ect match=ion match=detection match=est match=|7041|HTTP request detection|The match=GET match=.js;Referer: regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_Executable_JS_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access NEXT id=1974 name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for an MPEG video with a .mpg extension. 
match=pvs match=|70 match=TP match=HTTP match=ect match=ion match=detection match=est match=|7041|HTTP request detection|The match=GET match=.mpg;Referer: regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_Video_MPG_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access NEXT id=1975 name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for an MPEG video with a .mpeg extension. match=pvs match=|70 match=TP match=HTTP match=ect match=ion match=detection match=est match=|7041|HTTP request detection|The match=GET match=.mpeg;Referer: regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_Video_MPEG_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access NEXT id=1976 name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for an MPEG-2 audio file with a .mpa extension. match=pvs match=|70 match=TP match=HTTP match=ect match=ion match=detection match=est match=|7041|HTTP request detection|The match=GET match=.mpa;Referer: regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_Audio_MPA_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access NEXT id=1977 name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for an MPEG-4 audio file with a .m4a extension. 
match=pvs match=|70 match=TP match=HTTP match=ect match=ion match=detection match=est match=|7041|HTTP request detection|The match=GET match=.m4a;Referer: regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_Audio_M4A_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access NEXT id=1978 name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for an MPEG-3 audio file with a .mp3 extension. match=pvs match=|70 match=TP match=HTTP match=ect match=ion match=detection match=est match=|7041|HTTP request detection|The match=GET match=.mp3;Referer: regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_Audio_MP3_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access NEXT id=1979 name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for an MPEG-4 media file with a .mp4 extension. match=pvs match=|70 match=TP match=HTTP match=ect match=ion match=detection match=est match=|7041|HTTP request detection|The match=GET match=.mp4;Referer: regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_Media_MP4_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access NEXT id=1980 name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for an Apple Quicktime video file. 
match=GET match=pvs match=|70 match=TP match=HTTP match=ect match=ion match=detection match=est match=|7041|HTTP request detection|The match=.mov;Referer: regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_Video_MOV_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access NEXT id=1981 name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a Microsoft installer package file. match=GET match=pvs match=|70 match=TP match=HTTP match=ect match=ion match=detection match=est match=|7041|HTTP request detection|The match=.msi;Referer: regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_Executable_MSI_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access NEXT id=1982 name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for an Adobe PDF or compatible file. match=pvs match=|70 match=TP match=HTTP match=ion match=detection match=ect match=est match=|7041|HTTP request detection|The match=GET match=.pdf;Referer: regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_Office_PDF_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access NEXT id=1983 name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for dynamic content generated by a PHP program. 
match=pvs match=|70 match=TP match=HTTP match=ect match=ion match=detection match=est match=|7041|HTTP request detection|The match=GET match=.php;Referer: regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_Content_PHP_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access NEXT id=1984 name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a Unix software package file. match=pvs match=|70 match=TP match=HTTP match=ect match=ion match=detection match=est match=|7041|HTTP request detection|The match=GET match=.pkg;Referer: regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_Executable_PKG_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access NEXT id=1985 name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a PNG image file. match=pvs match=|70 match=TP match=HTTP match=ect match=ion match=detection match=est match=|7041|HTTP request detection|The match=GET match=.png;Referer: regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_Image_PNG_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access NEXT id=1986 name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a Microsoft .pps PowerPoint presentation file. 
match=pvs match=|70 match=TP match=HTTP match=ion match=detection match=ect match=est match=|7041|HTTP request detection|The match=GET match=.pps;Referer: match=pp regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_Office_PPS_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access NEXT id=1987 name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a Microsoft .ppt PowerPoint presentation file. match=pvs match=|70 match=TP match=HTTP match=ect match=ion match=detection match=est match=|7041|HTTP request detection|The match=GET match=pt match=.ppt;Referer: match=pp regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_Office_PPT_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access NEXT id=1988 name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a Real Audio .ram sound file. match=pvs match=|70 match=TP match=HTTP match=ect match=ion match=detection match=est match=|7041|HTTP request detection|The match=GET match=.ram;Referer: regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_Audio_RAM_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access NEXT id=1989 name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a Real Audio .ra sound file. 
match=pvs match=|70 match=TP match=HTTP match=ect match=ion match=detection match=est match=|7041|HTTP request detection|The match=GET match=.ra;Referer: regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_Audio_RA_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access NEXT id=1990 name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a Roshal Archive .rar file. match=pvs match=|70 match=TP match=HTTP match=ect match=ion match=detection match=est match=|7041|HTTP request detection|The match=GET match=ar match=.rar;Referer: regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_File_RAR_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access NEXT id=1991 name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a Redhat Package Manager .rpm file. match=pvs match=|70 match=TP match=HTTP match=ect match=ion match=detection match=est match=|7041|HTTP request detection|The match=GET match=.rpm;Referer: regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_Executable_RPM_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access NEXT id=1992 name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a Real Media audio or video file. 
match=pvs match=|70 match=TP match=HTTP match=ect match=ion match=detection match=est match=|7041|HTTP request detection|The match=GET match=.rm;Referer: regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_Media_RM_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access NEXT id=1993 name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a Rich Site Summary .rss file. match=pvs match=|70 match=TP match=HTTP match=ect match=ion match=detection match=est match=|7041|HTTP request detection|The match=GET match=ss match=.rss;Referer: regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_Content_RSS_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access NEXT id=1994 name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a FLASH video file. match=pvs match=|70 match=TP match=HTTP match=ect match=ion match=detection match=est match=|7041|HTTP request detection|The match=GET match=.swf;Referer: regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_Media_SWF_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access NEXT id=1996 name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a .torrent file. Torrent files contain information for downloading files via common Torrent applications such as uTorrent and BitTorrent. 
match=pvs match=|70 match=TP match=HTTP match=ect match=ion match=detection match=est match=|7041|HTTP request detection|The match=GET match=ent match=rr match=.torrent;Referer: regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_File_TORRENT_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access NEXT id=1999 name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a virtual CD image file. match=pvs match=|70 match=TP match=HTTP match=ect match=ion match=detection match=est match=|7041|HTTP request detection|The match=GET match=.vcd regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_Disk_VCD_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access # id=1750 available NEXT id=1751 name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for Microsoft Windows .wav audio file. match=pvs match=|70 match=TP match=HTTP match=ect match=ion match=detection match=est match=|7041|HTTP request detection|The match=GET match=.wav;Referer: regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_Audio_WAV_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access NEXT id=1752 name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for Microsoft Windows .wma audio file. 
match=pvs match=|70 match=TP match=HTTP match=ect match=ion match=detection match=est match=|7041|HTTP request detection|The match=GET match=.wma;Referer: regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_Audio_WMA_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access NEXT id=1753 name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a Microsoft Windows .wmv video file. match=pvs match=|70 match=TP match=HTTP match=ect match=ion match=detection match=est match=|7041|HTTP request detection|The match=GET match=Re match=re match=.wmv match=er regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_Video_WMV_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access NEXT id=1754 name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a Microsoft Windows Excel .xlsx spreadsheet file. match=pvs match=|70 match=TP match=HTTP match=ect match=ion match=detection match=est match=|7041|HTTP request detection|The match=GET match=.xlsx;Referer: regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_Office_XLSX_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access NEXT id=1756 name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a ZIP compressed file. 
match=pvs match=|70 match=TP match=HTTP match=ect match=ion match=detection match=est match=|7041|HTTP request detection|The match=GET match=.zip;Referer: regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_File_ZIP_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access NEXT id=1757 name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a Microsoft .pptx PowerPoint presentation file. match=pvs match=|70 match=TP match=HTTP match=ect match=ion match=detection match=est match=|7041|HTTP request detection|The match=GET match=pt match=.pptx;Referer: match=pp regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_Office_PPTX_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access NEXT id=1758 name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for an ASCII text file. match=pvs match=|70 match=TP match=HTTP match=ect match=ion match=detection match=est match=|7041|HTTP request detection|The match=GET match=.txt;Referer: regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_Office_TXT_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access # id=1759 available NEXT id=1760 name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a Rich Text Format .rtf file. 
match=pvs match=|70 match=TP match=HTTP match=ect match=ion match=detection match=est match=|7041|HTTP request detection|The match=GET match=.rtf;Referer: regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_Office_RTF_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access NEXT id=1761 name=The Passive Vulnerability Scanner detected a Word Document file being transmitted over SMB. match=pvs match=lo match=Download match=Do match=ent match=le match=|SMB Client File Download match=rom match=.doc' from the regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*server on ([0-9]+(\.[0-9]+){3}) log=event:PVS-SMB_Client_DOC_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 type:file-access NEXT id=1762 name=The Passive Vulnerability Scanner detected a Word Document file being transmitted over SMB. match=pvs match=lo match=Download match=Do match=ent match=le match=|SMB Client File Download match=rom match=.docx' from the regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*server on ([0-9]+(\.[0-9]+){3}) log=event:PVS-SMB_Client_DOCX_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 type:file-access NEXT id=1763 name=The Passive Vulnerability Scanner detected an Excel spreadsheet being transmitted over SMB. match=pvs match=lo match=Download match=Do match=ent match=le match=|SMB Client File Download match=rom match=.xls' from the regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*server on ([0-9]+(\.[0-9]+){3}) log=event:PVS-SMB_Client_XLS_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 type:file-access NEXT id=1764 name=The Passive Vulnerability Scanner detected an Excel spreadsheet being transmitted over SMB. 
match=pvs match=lo match=Download match=Do match=ent match=le match=|SMB Client File Download match=rom match=.xlsx' from the regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*server on ([0-9]+(\.[0-9]+){3}) log=event:PVS-SMB_Client_XLSX_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 type:file-access NEXT id=1765 name=The Passive Vulnerability Scanner detected a PowerPoint file being transmitted over SMB. match=pvs match=lo match=Download match=Do match=ent match=le match=|SMB Client File Download match=rom match=pt match=.ppt' from the match=pp regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*server on ([0-9]+(\.[0-9]+){3}) log=event:PVS-SMB_Client_PPT_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 type:file-access NEXT id=1766 name=The Passive Vulnerability Scanner detected a PowerPoint file being transmitted over SMB. match=pvs match=lo match=Download match=Do match=ent match=le match=|SMB Client File Download match=rom match=pt match=.pptx' from the match=pp regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*server on ([0-9]+(\.[0-9]+){3}) log=event:PVS-SMB_Client_PPTX_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 type:file-access NEXT id=1767 name=The Passive Vulnerability Scanner detected a PowerPoint presentation file being transmitted over SMB. match=pvs match=lo match=Download match=Do match=ent match=le match=|SMB Client File Download match=rom match=.pps' from the match=pp regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*server on ([0-9]+(\.[0-9]+){3}) log=event:PVS-SMB_Client_PPS_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 type:file-access NEXT id=1768 name=The Passive Vulnerability Scanner detected an ASCII text file being transmitted over SMB. 
match=pvs match=lo match=Download match=Do match=ent match=le match=|SMB Client File Download match=rom match=.txt' from the regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*server on ([0-9]+(\.[0-9]+){3}) log=event:PVS-SMB_Client_TXT_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 type:file-access NEXT id=1769 name=The Passive Vulnerability Scanner detected a Rich Text Format document file being transmitted over SMB. match=pvs match=lo match=Download match=Do match=ent match=le match=|SMB Client File Download match=rom match=.rtf' from the regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*server on ([0-9]+(\.[0-9]+){3}) log=event:PVS-SMB_Client_RTF_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 type:file-access NEXT id=1770 name=The Passive Vulnerability Scanner detected an Adobe PDF file being transmitted over SMB. match=pvs match=lo match=Download match=Do match=ent match=le match=|SMB Client File Download match=rom match=.pdf' from the regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*server on ([0-9]+(\.[0-9]+){3}) log=event:PVS-SMB_Client_PDF_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 type:file-access NEXT id=1771 name=The Passive Vulnerability Scanner detected an Outlook mailbox file being transmitted over SMB. match=pvs match=lo match=Download match=Do match=ent match=le match=|SMB Client File Download match=rom match=.pst' from the regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*server on ([0-9]+(\.[0-9]+){3}) log=event:PVS-SMB_Client_PST_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 type:file-access # id=1772 available # id=1773 available # id=1774 available # id=1775 available # id=1776 available # id=1777 available # id=1778 NEXT id=1779 name=The Passive Vulnerability Scanner detected a comma separated values file being transmitted over SMB. 
match=pvs match=lo match=Download match=Do match=ent match=le match=|SMB Client File Download match=rom match=.csv' from the regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*server on ([0-9]+(\.[0-9]+){3}) log=event:PVS-SMB_Client_CSV_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 type:file-access NEXT id=1780 name=The Passive Vulnerability Scanner detected a SQL database file being transmitted over SMB. match=pvs match=lo match=Download match=Do match=ent match=le match=|SMB Client File Download match=rom match=.sql' from the regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}).*server on ([0-9]+(\.[0-9]+){3}) log=event:PVS-SMB_Client_SQL_Download srcip:$1 srcport:$3 dstip:$8 dstport:$6 type:file-access NEXT id=1781 name=The Passive Vulnerability Scanner has reported the IP protocols in use on a given server. match=pvs match=|7043|Generic Protocol Detection match=io match=on match=tion match=te match=De match=etection match=co match=en match=ic match=ol match=ti match=Detection match=to match=er match=ect match=ion regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})\| log=event:PVS-IP_Protocol_Tracking srcip:$1 srcport:$3 dstip:$4 dstport:$6 type:network NEXT id=1782 name=The Passive Vulnerability Scanner has reported an expired SSL certificate in use. match=pvs match=|7052|SSL Expired Certificate Detection| match=|70 match=Ex match=ed match=Ce match=te match=De match=on match=6 match=SSL regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})\| log=event:PVS-SSL_Expired_Certificate_Detection srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network # id=1783 # id=1784 available NEXT id=1785 name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for a Silverlight .xap file. 
match=pvs match=|70 match=TP match=HTTP match=ect match=ion match=detection match=est match=|7041|HTTP request detection|The match=GET match=.xap;Referer: regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_Media_XAP_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access NEXT id=1786 name=The Passive Vulnerability Scanner has detected a system performing a web query. match=pvs match=|70 match=TP match=HTTP match=ect match=ion match=detection match=est match=|7041|HTTP request detection|The match=GET match=;Query: YES; match=!;Host: www.google.com; match=!search.yahoo.com;User-Agent: match=!Host: www.bing.com; match=!.wikipedia.org;User-Agent: match=!Host: www.ask.com match=!.baidu.com; regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_Query_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access NEXT id=1787 name=The Passive Vulnerability Scanner has detected a system performing a Baidu web search. match=pvs match=|70 match=TP match=HTTP match=ect match=ion match=detection match=est match=|7041|HTTP request detection|The match=GET match=;Query: YES; match=.baidu.com; regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_Query_Baidu_Search srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access NEXT id=1788 name=The Passive Vulnerability Scanner has detected a system performing a web query to Google. 
match=pvs match=|70 match=TP match=HTTP match=ect match=ion match=detection match=est match=|7041|HTTP request detection|The match=GET match=;Query: YES; match=le match=;Host: www.google.com; regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_Query_Google_Search srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access NEXT id=1789 name=The Passive Vulnerability Scanner has detected a system performing a web search to Yahoo. match=pvs match=|70 match=TP match=HTTP match=ect match=ion match=detection match=est match=|7041|HTTP request detection|The match=GET match=;Query: YES; match=ent match=ser match=ar match=search.yahoo.com;User-Agent: regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_Query_Yahoo_Search srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access NEXT id=1790 name=The Passive Vulnerability Scanner has detected a system performing a web search to Microsoft Bing. match=pvs match=|70 match=TP match=HTTP match=ect match=ion match=detection match=est match=|7041|HTTP request detection|The match=GET match=;Query: YES; match=ing match=Host: www.bing.com; regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_Query_Bing_Search srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access NEXT id=1791 name=The Passive Vulnerability Scanner has detected a system performing a Wikipedia web search. 
match=pvs match=|70 match=TP match=HTTP match=ect match=ion match=detection match=est match=|7041|HTTP request detection|The match=GET match=;Query: YES; match=ent match=ser match=ed match=.wikipedia.org;User-Agent: regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_Query_Wikipedia_Search srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access NEXT id=1792 name=The Passive Vulnerability Scanner has detected a system performing an Ask.com web search. match=pvs match=|70 match=TP match=HTTP match=ect match=ion match=detection match=est match=|7041|HTTP request detection|The match=GET match=;Query: YES; match=Host: www.ask.com regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_Query_Ask.Com_Search srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access NEXT id=1793 name=The Passive Vulnerability Scanner has detected an email attachment. match=pvs match=|70 match=ail match=Email match=ect match=ion match=detection match=ent match=|7042|Email attachment detection match=!.doc' from the match=!.docx' from the match=!.exe' from the match=!.msi' from the match=!.pdf' from the match=!.pps' from the match=!.pst' from the match=!.ppt' from the match=!.pptx' from the match=!.rtf' from the match=!.xls' from the match=!.xlsx' from the match=!.vcf' from the match=!.zip' from the regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7042\|.*SMTP server at \(([0-9]+(\.[0-9]+){3})\) log=event:PVS-Email_Attachment_Detection type:file-access srcip:$1 srcport:$3 dstip:$5 dstport:25 proto:6 NEXT id=1794 name=The Passive Vulnerability Scanner has detected Dropbox installed on the remote host. 
match=pvs match=sta match=|4936| match=le match=ed match=|Dropbox is installed regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|4936|Dropbox is installed log=event:PVS-Dropbox_Detected type:file-access srcip:$1 srcport:$3 dstip:$5 proto:17 # Beginning IDs at 4827 due to duplicate issues at 1800 NEXT id=4827 name=The Passive Vulnerability Scanner detected an executable file being transmitted as an email attachment. match=pvs match=|70 match=ail match=Email match=ect match=ion match=detection match=ent match=|7042|Email attachment detection match=.exe" as an match=an regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7042\|.*SMTP server at \(([0-9]+(\.[0-9]+){3})\) log=event:PVS-Email_Attachment_EXE_Detected type:file-access srcip:$1 srcport:$3 dstip:$5 dstport:25 proto:6 NEXT id=4829 name=The Passive Vulnerability Scanner detected a Word Document file being transmitted as an email attachment. match=pvs match=|70 match=ail match=Email match=ect match=ion match=detection match=ent match=|7042|Email attachment detection match=.doc" as an match=an regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7042\|.*SMTP server at \(([0-9]+(\.[0-9]+){3})\) log=event:PVS-Email_Attachment_DOC_Detected type:file-access srcip:$1 srcport:$3 dstip:$5 dstport:25 proto:6 NEXT id=4830 name=The Passive Vulnerability Scanner detected a Word Document file being transmitted as an email attachment. match=pvs match=|70 match=ail match=Email match=ect match=ion match=detection match=ent match=|7042|Email attachment detection match=.docx" as an match=an regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7042\|.*SMTP server at \(([0-9]+(\.[0-9]+){3})\) log=event:PVS-Email_Attachment_DOCX_Detected type:file-access srcip:$1 srcport:$3 dstip:$5 dstport:25 proto:6 NEXT id=4834 name=The Passive Vulnerability Scanner has detected an FTP server session start. 
match=|5972|FTP Server Session Initiated match=In match=TP match=Server match=FTP match=pvs match=Session match=|6| match=ed match=ss match=ate regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+) log=event:PVS-FTP_Server_Session_Started srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network NEXT id=4835 name=The Passive Vulnerability Scanner detected an installable executable file being transmitted as an email attachment. match=pvs match=|70 match=ail match=Email match=ect match=ion match=detection match=ent match=|7042|Email attachment detection match=.msi" as an match=an regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7042\|.*SMTP server at \(([0-9]+(\.[0-9]+){3})\) log=event:PVS-Email_Attachment_MSI_Detected type:file-access srcip:$1 srcport:$3 dstip:$5 dstport:25 proto:6 # id=4836 available NEXT id=4837 name=The PVS has observed a node perform an mDNS query. match=|7051| match=|70 match=|17| match=lo match=Client match=PVS has observed match=17 match=DNS match=ser match=ce match=pvs match=PVS match=for match=ent match=ed match=host regex=pvs: ([0-9]+(\.[0-9]+){3})\:.* server at ([0-9]+(\.[0-9]+){3}) log=event:PVS-mDNS_Lookup type:dns srcip:$1 dstip:$3 proto:17 NEXT id=4838 name=The Passive Vulnerability Scanner detected an PDF file being transmitted as an email attachment. match=pvs match=|70 match=ail match=Email match=ect match=ion match=detection match=ent match=|7042|Email attachment detection match=.pdf" as an match=an regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7042\|.*SMTP server at \(([0-9]+(\.[0-9]+){3})\) log=event:PVS-Email_Attachment_PDF_Detected type:file-access srcip:$1 srcport:$3 dstip:$5 dstport:25 proto:6 NEXT id=4839 name=The Passive Vulnerability Scanner detected a PPS file being transmitted as an email attachment. 
match=pvs match=|70 match=ail match=Email match=ect match=ion match=detection match=ent match=|7042|Email attachment detection match=.pps" as an match=pp match=an regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7042\|.*SMTP server at \(([0-9]+(\.[0-9]+){3})\) log=event:PVS-Email_Attachment_PPS_Detected type:file-access srcip:$1 srcport:$3 dstip:$5 dstport:25 proto:6 NEXT id=4840 name=The Passive Vulnerability Scanner detected a PST file being transmitted as an email attachment. match=pvs match=|70 match=ail match=Email match=ect match=ion match=detection match=ent match=|7042|Email attachment detection match=.pst" as an match=an regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7042\|.*SMTP server at \(([0-9]+(\.[0-9]+){3})\) log=event:PVS-Email_Attachment_PST_Detected type:file-access srcip:$1 srcport:$3 dstip:$5 dstport:25 proto:6 NEXT id=4841 name=The Passive Vulnerability Scanner detected a PowerPoint file being transmitted as an email attachment. match=pvs match=|70 match=ail match=Email match=ect match=ion match=detection match=ent match=|7042|Email attachment detection match=pt match=.ppt" as an match=pp match=an regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7042\|.*SMTP server at \(([0-9]+(\.[0-9]+){3})\) log=event:PVS-Email_Attachment_PPT_Detected type:file-access srcip:$1 srcport:$3 dstip:$5 dstport:25 proto:6 NEXT id=4842 name=The Passive Vulnerability Scanner detected a PowerPoint file being transmitted as an email attachment. 
match=pvs match=|70 match=ail match=Email match=ect match=ion match=detection match=ent match=|7042|Email attachment detection match=pt match=.pptx" as an match=pp match=an regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7042\|.*SMTP server at \(([0-9]+(\.[0-9]+){3})\) log=event:PVS-Email_Attachment_PPTX_Detected type:file-access srcip:$1 srcport:$3 dstip:$5 dstport:25 proto:6 NEXT id=4843 name=The Passive Vulnerability Scanner detected a Rich Text file being transmitted as an email attachment. match=pvs match=|70 match=ail match=Email match=ect match=ion match=detection match=ent match=|7042|Email attachment detection match=.rtf" as an match=an regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7042\|.*SMTP server at \(([0-9]+(\.[0-9]+){3})\) log=event:PVS-Email_Attachment_RTF_Detected type:file-access srcip:$1 srcport:$3 dstip:$5 dstport:25 proto:6 NEXT id=4844 name=The Passive Vulnerability Scanner detected a Microsoft Excel file being transmitted as an email attachment. match=pvs match=|70 match=ail match=Email match=ect match=ion match=detection match=ent match=|7042|Email attachment detection match=.xls" as an match=an regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7042\|.*SMTP server at \(([0-9]+(\.[0-9]+){3})\) log=event:PVS-Email_Attachment_XLS_Detected type:file-access srcip:$1 srcport:$3 dstip:$5 dstport:25 proto:6 NEXT id=4845 name=The Passive Vulnerability Scanner detected a Microsoft Excel file being transmitted as an email attachment. 
match=pvs match=|70 match=ail match=Email match=ect match=ion match=detection match=ent match=|7042|Email attachment detection match=.xlsx" as an match=an regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7042\|.*SMTP server at \(([0-9]+(\.[0-9]+){3})\) log=event:PVS-Email_Attachment_XLSX_Detected type:file-access srcip:$1 srcport:$3 dstip:$5 dstport:25 proto:6 NEXT id=4846 name=The Passive Vulnerability Scanner detected a VCF file being transmitted as an email attachment. match=pvs match=|70 match=ail match=Email match=ect match=ion match=detection match=ent match=|7042|Email attachment detection match=.vcf" as an match=an regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7042\|.*SMTP server at \(([0-9]+(\.[0-9]+){3})\) log=event:PVS-Email_Attachment_VCF_Detected type:file-access srcip:$1 srcport:$3 dstip:$5 dstport:25 proto:6 NEXT id=4847 name=The Passive Vulnerability Scanner detected a ZIP file being transmitted as an email attachment. match=pvs match=|70 match=ail match=Email match=ect match=ion match=detection match=ent match=|7042|Email attachment detection match=.zip" as an match=an regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7042\|.*SMTP server at \(([0-9]+(\.[0-9]+){3})\) log=event:PVS-Email_Attachment_ZIP_Detected type:file-access srcip:$1 srcport:$3 dstip:$5 dstport:25 proto:6 NEXT id=4848 name=The Passive Vulnerability Scanner detected a Credit Card number being leaked. match=pvs match=|70 match=|6| match=|7065 match=ect match=ion match=detection match=Data match=ent match=|7065|Client Data Leakage detection| match=ar match=ed match=pp match=ss match=Credit Card Number regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}).* IP :([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:PVS-Credit_Card_Client_Data_Leakage_Detected srcip:$1 srcport:$2 dstip:$3 proto:6 type:data-leak NEXT id=4849 name=The Passive Vulnerability Scanner detected a Social Security number being leaked. 
match=pvs match=|70 match=|6| match=|7044 match=ect match=ion match=Client match=client match=detection match=Data match=ent match=|7044|Client Data Leakage detection| match=ecu match=ty match=pp match=ss match=Social Security Number regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}).* IP :([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:PVS-Social_Security_Number_Client_Data_Leakage_Detected srcip:$1 srcport:$2 dstip:$3 proto:6 type:data-leak ### 4850 to 4879 taken by Cisco switch PRMs NEXT id=4880 name=The Passive Vulnerability Scanner detected a Facebook user ID being transmitted. match=pvs match=ser match=ce match=ace match=ion match=|7045|FaceBook UserID User Enumeration| match=|70 match=ss match=ass match=ate match=ed regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}) log=event:PVS-Facebook_ID_Detected srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:social-networks NEXT id=4881 name=The Passive Vulnerability Scanner detected a Credit Card number being leaked. match=pvs match=|6| match=|70 match=|7065 match=Data match=ect match=ion match=|7065|Server Data Leakage detection| match=ar match=ed match=pp match=ss match=Credit Card Number #regex=Session data\: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}) to ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}) regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}) log=event:PVS-Credit_Card_Server_Data_Leakage_Detected srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:data-leak NEXT id=4882 name=The Passive Vulnerability Scanner detected a Social Security number being leaked. 
match=pvs match=|6| match=|70 match=|7044 match=Data match=ect match=ion match=|7044|Server Data Leakage detection| match=ecu match=ty match=ed match=pp match=Social Security Number #regex=Session data\: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}) to ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}) regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}) log=event:PVS-Social_Security_Number_Server_Data_Leakage_Detected srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:data-leak NEXT id=4883 name=The Passive Vulnerability Scanner has detected a Facebook status update. match=pvs match=|6| match=ce match=ace match=St match=ate match=Facebook Status Update Detection match=date regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}) log=event:PVS-Facebook_Status_Update_Detected srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:social-networks NEXT id=4884 name=The Passive Vulnerability Scanner has detected CPE Data match=pvs match=|70 match=|7025|CPE Data| match=tem match=ate match=le match=ed match=ss match= It is possible to enumerate the CPE names that matched on the remote system regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}) log=event:PVS-CPE_Data_Detected srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:network NEXT id=4885 name=The Passive Vulnerability Scanner has detected the start of a SSH server session. match=pvs match=SSH match=St match=ion match=ar match=ss match=|5936|PVS-SSH-Server-Session_Start| regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}) log=event:PVS-SSH_Server_Session_Start srcip:$3 srcport:$4 dstip:$1 dstport:$2 proto:6 type:network NEXT id=4886 name=The Passive Vulnerability Scanner has detected the start of a SSH session. 
match=pvs match=SSH match=St match=ion match=ar match=ss match=|5937|PVS-SSH-Session_Start| regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}) log=event:PVS-SSH_Session_Start srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:network NEXT id=4887 name=The Passive Vulnerability Scanner has detected a VNC server session. match=pvs match=VNC match=ect match=ion match=|5934|VNC Detection| regex=pvs:[ ]*([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}) log=event:PVS-VNC_Session_Started srcip:$3 srcport:$4 dstip:$1 dstport:$2 proto:6 type:network NEXT id=4888 name=The Passive Vulnerability Scanner has detected a Windows RDP server session. match=pvs match=RDP match=ion match=indo match=ce match=|Windows RDP / Terminal Services Detection match=ect match={00} regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}) log=event:PVS-Windows_RDP_Session_Started srcip:$3 srcport:$4 dstip:$1 dstport:$2 proto:6 type:network NEXT id=4889 name=The Passive Vulnerability Scanner has detected the start of an SSL session. match=pvs match=|70 match=SSL match=ion match=ss match=session match=sta match=ar match=start match=ing match=|7046|SSL session starting| match=ssl session starting regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|.*DIP:([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:PVS-SSL_Session_Starting srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network NEXT id=4890 name=The PVS has observed a local network user read their LinkedIn mail. 
match=pvs match=|6| match=ed match=|5958|LinkedIn Message Inbox Access Detection| match=GET{20}/mbox match=GET regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}) log=event:PVS-LinkedIn_Read_Email type:social-networks srcip:$3 srcport:$4 dstip:$1 dstport:$2 proto:6 NEXT id=4891 name=The PVS has observed a local network user create a LinkedIn message. match=pvs match=|6| match=Link match=ate match=ed match=ss match=|5959|LinkedIn Message Creation Detection| match=age match=io match=In match=at match=Detection match=ag match=es match=etection match=ed match=ess match=re match=Mess regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}) log=event:PVS-LinkedIn_Create_Message type:social-networks srcip:$3 srcport:$4 dstip:$1 dstport:$2 proto:6 NEXT id=4892 name=The PVS has observed a local network user access the LinkedIn service. match=pvs match=|6| match=Link match=ser match=ed match=|5960|LinkedIn User Name Detection| match=rom match=&fromName regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}) log=event:PVS-LinkedIn_User_Name type:social-networks srcip:$3 srcport:$4 dstip:$1 dstport:$2 proto:6 NEXT id=4893 name=The PVS has observed a local network user update their LinkedIn status. match=pvs match=|6| match=Link match=sta match=ate match=ed match=|5955|LinkedIn Status Update Detection| match=date match=ent match=The remote client updated their LinkedIn status with: regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}) log=event:PVS-LinkedIn_Status_Update type:social-networks srcip:$3 srcport:$4 dstip:$1 dstport:$2 proto:6 NEXT id=4894 name=The PVS has observed a local network user update their LinkedIn profile. 
match=pvs match=|6| match=Link match=ate match=le match=ed match=|5957|LinkedIn Profile Update Detection match=date match=ent regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}) log=event:PVS-LinkedIn_Profile_Update type:social-networks srcip:$3 srcport:$4 dstip:$1 dstport:$2 proto:6 NEXT id=4895 name=The PVS has observed a local Xbox log into the Microsoft Xbox Live network, most likely to play online games. match=pvs match=|17| match=Lo match=|5961|Xbox Live Login Detection match=Login match=ive match=io match=Detection match=on match=tion match=te match=etection match=cti match=in match=De match=ct match=og match=gi match=ect match=Detect match=ogin match=in match=ion match=Log regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}) log=event:PVS-Xbox_Live_Login type:web-access srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:17 NEXT id=4896 name=The PVS has detected non HTTP traffic over port 80. Many potentially legitimate services, such as some forms of video streaming and desktop sharing, communicate over port 80 but do not use the HTTP protocol. Many forms of back doors and botnet command and control systems also run non-HTTP services over port 80. Any alerts from this rule should be treated with caution and suspicion until the connection can be properly identified. match=pvs match=|70 match=TP match=|7048|Non-HTTP traffic over port 80| match=rom match=ss match=ass match=ed match=Non-HTTP traffic passed over port 80 match=rr match=has occurred regex=from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) to ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:PVS-Non_HTTP_Traffic_Over_Port_80 type:network srcip:$1 dstip:$2 dstport:80 proto:6 NEXT id=4897 name=One of your local systems has been compromised through a MetaSploit payload and has downloaded a staging executable from the MetaSploit server. 
match=pvs match=|6| match=ion match=Detection match=ect match=lo match=ed match=|5974|MetaSploit Exploited Machine Detection| match=ser match=rom match=The remote host has been compromised by a MetaSploit server match=sta match=ecu match=ing match=le match=staging executable from the server at regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}) log=event:PVS-MetaSploit_Exploited_Machine_Detection type:intrusion srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 NEXT id=4898 name=One of your local systems has been compromised through a MetaSploit payload and is communicating back to the MetaSploit server. match=pvs match=|6| match=ion match=Detection match=ect match=lo match=ed match=|5975|MetaSploit Exploited Machine Detection| match=ser match=rom match=ing match=The machine was just observed connecting to the server to register itself as a connection regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}) log=event:PVS-MetaSploit_Exploited_Machine_Detection type:intrusion srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 NEXT id=4899 name=One of your local systems has been compromised through a MetaSploit payload and is communicating via HTTP back to the MetaSploit server. match=pvs match=|6| match=ect match=ion match=Detection match=ser match=lo match=|5976|MetaSploit Server Detection| match=ed match=an match=tp match=reverse http meterpreter regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}) log=event:PVS-MetaSploit_Server_Detection type:intrusion srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 NEXT # Skipping IDs 4900-4920 due to use elsewhere id=4921 name=The PVS has observed a local host steam video from the Hulu online video service. 
match=pvs match=|6| match=ion match=detection match=ect match=ss match=session match=sta match=ar match=|5953|Hulu start video session detection| match=ent match=ing match=ed match=The remote hulu client just started watching regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}) log=event:PVS-Hulu_Start_Video_Session_Detected type:web-access srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 NEXT id=4922 name=XM Radio usage detection. A local host was identified by the PVS streaming music from XM Radio. match=pvs match=|6| match=ion match=Detection match=ect match=|5962|XM Radio Usage Detection| match=ent match=lo match=log match=ser match=ing match=ed match=The remote client was observed logging into their XM radio account match=The user account was logged as match=acc regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}) log=event:PVS-XM_Radio_Usage_Detected type:web-access srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 NEXT id=4923 name=Box.com file share detection. This event indicates that the PVS has observed a computer upload a file to the box.net online service. match=pvs match=|6| match=ion match=Detection match=ect match=ar match=le match=|5949|Box match=File Share Detection| match=ent match=The remote host is a Box match=ail match=ol match=lo match=ing match=The following email recipients were sent a regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}) log=event:PVS-Box_File_Share_Detection type:web-access srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 NEXT id=4924 name=Box.com file share detection. This event indicates that the PVS has observed a computer upload a file to the box.net online service. 
match=pvs match=ion match=Detection match=ect match=ar match=le match=|5950|Box match=File Share Detection| match=ent match=The remote host is a Box match=ol match=lo match=ing match=ed match=The following file was just uploaded to regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}) log=event:PVS-Box_File_Share_Detection type:web-access srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 NEXT id=4925 name=Hotmail User ID detection. This event indicates that the PVS has detected a Hotmail User ID being transmitted. match=pvs match=|5963|Hotmail UserID Detection| match=io match=Use match=se match=ser match=Detection match=ail match=Ho match=on match=tion match=te match=etection match=User match=ai match=il match=ti match=ma match=er match=6 match=ect regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}) log=event:PVS-Hotmail_User_ID_Detection type:web-access srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 NEXT id=4926 name=BitTorrent Protocol Detection. This event indicates that the PVS has detected a host participating in BitTorrent activity. match=pvs match=ent match=rr match=ol match=ion match=|5947|BitTorrent Protocol Traffic Detection| match=ect match=etection match=To regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]{1,3})\| log=event:PVS-BitTorrent_Protocol_Detection type:network srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:17 NEXT id=4927 name=The Passive Vulnerability Scanner has detected a DNS query from a remote client. 
match=pvs match=|70 match=DNS match=ent match=|7024|DNS Client Queries| match=ser match=ed match=PVS has observed match=est match=ol match=lo match=ing match=This client has requested name resolution for the following regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*server at ([0-9]+(\.[0-9]+){3}) log=event:PVS-DNS_Top_Level_Domain_Queries srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:17 type:dns NEXT id=4928 name=The Passive Vulnerability Scanner has detected an FTP session start. match=|5973|FTP Client Session match=In match=TP match=Client match=FTP match=pvs match=ent match=Session match=|6| match=ed match=ion match=ss match=ate regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+) log=event:PVS-FTP_Client_Session_Started srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network NEXT id=4929 name=The Passive Vulnerability Scanner has found a new User-Agent string in the web browser list of a monitored node. match=|70 match=|7023 match=Web Agent Enumeration match= client match=in match=lo match=ser match=ol match=pvs match=ent match=|6| match=put match=ing match=ion match=client regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+) log=event:PVS-New_Web_Agent srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:detected-change NEXT id=4930 name=The Passive Vulnerability Scanner has found a .dll file being downloaded from a remote website. 
match=|6 match=|60 match=|6033 match=dll match=File Download Detection match=io match=Detection match=Fi match=le match=on match=own match=tion match=te match=etection match=.dll match=ll match=Do match=wn match=il match=ti match=dl match=Download match=ile match=oad match=File match=ect match=ion regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+) log=event:PVS-DLL_File_Downloaded srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access NEXT id=4931 name=The Passive Vulnerability Scanner has found a .dll file being downloaded from a remote website. match=|60 match=|6034 match=dll match=File Download Detection match=ect match= web match= client match=lo match=al match=ded match=pvs match=|6| match=file regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+) log=event:PVS-DLL_File_Downloaded srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access NEXT id=4932 name=The Passive Vulnerability Scanner has found a .dll file being downloaded from a remote website. match=|60 match=|6035 match=dll match=File Download Detection match=ect match= web match= client match=lo match=al match=ded match=pvs match=|6| match=file regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+) log=event:PVS-DLL_File_Downloaded srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access NEXT id=4933 name=The Passive Vulnerability Scanner has found a .dll file being downloaded from a remote website. match=|60 match=dll match=File Download Detection match=ect match= web match= client match=al match=lo match=ded match=pvs match=|6| match=file regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+) log=event:PVS-DLL_File_Downloaded srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access NEXT id=4934 name=The Passive Vulnerability Scanner has detected a Facebook profile edit. 
match=|5887|Facebook Profile Edit Detection match=file match=: match=ce match=ace match=le match=pvs match=:80 match=|6| match=ac match=ed regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}) log=event:PVS-Facebook_Profile_Edit srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:social-networks NEXT id=4935 name=The Passive Vulnerability Scanner has detected a host running a Tumblr client uploading a photo. match=ho match=lo match=io match=6048|Tumblr Photo Upload Detection match=Detection match=on match=tion match=te match=etection match=ti match=P match=pvs match=oad match=to match=6 match=ect match=ion match=bl match=Ph regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+) log=event:PVS-Tumblr_Photo_Uploaded srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access NEXT id=4936 name=The Passive Vulnerability Scanner has detected a host running a Tumblr client updating a blog. match=lo match=io match=6047|Tumblr Blog Edit Detection match=Detection match=on match=log match=tion match=te match=etection match=ti match=og match=pvs match=6 match=it match=ect match=ion match=bl regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+) log=event:PVS-Tumblr_Blog_Uploaded srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access NEXT id=4937 name=The Passive Vulnerability Scanner has detected a host accessing an iheartradio stream match=|60 match=|6049 match=iheartradio stream detection match=etection match= user match= name match=sso match=ss match=cia match=pvs match=ect match=ho match=|6| regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*stream is: ([^ ]{1,30}) log=event:PVS-Iheartradio_Stream_Accessed srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access user:$8 NEXT id=4938 name=The Passive Vulnerability Scanner has detected a host running a Netflix client match=NetFlix match=io 
match=6040 match=pvs match=se match=ser match=Detection match=User match=NetFlix User Detection match=on match=tion match=te match=etection match= User match=cti match=User match=De match=ct match=li match=Net match=ect match=Detect match=ion regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+) log=event:PVS-NetFlix_Client_Detected srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access NEXT id=4939 name=The Passive Vulnerability Scanner has detected a host running a Netflix client match=|60 match=|6042 match=NetFlix match=io match=Use match=se match=ser match=Detection match=User match=NetFlix User Detection match=on match=tion match=te match=etection match= User match=User match=ti match=li match=Net match=er match=6 match=ect match=ion match=pvs regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+) log=event:PVS-NetFlix_User_Detected srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access NEXT id=4940 name=The PVS has detected a user login to the AOL chat service. match=User match=|70 match=|7017|AIM match= client match=associated match=ser match=pvs match=cia match=ent match=|6| match=client match=ass match=ed match=ion match=sso match=ss match=ate regex=pvs: ([0-9]+(\.[0-9]+){3}):.*client is: ([^ ]{1,30}) log=event:PVS-AIM_User_Detected srcip:$1 dstip:$1 proto:6 type:login user:$3 NEXT id=4941 name=The PVS has detected the presence of a vulnerable ActiveX widget on one of your web servers. 
match= web match=|70 match=|7020| match=ar match=ded match=in match=lo match=an match=IN match=PVS has observed match=associated match=ce match=ol match=CL match= on match=ecu match=PVS match=FO match=cia match=ty match=|6| match=INFO match=ass match=put match=ing match=ed match=st match=sso match=ss match=ate match=al match=erv regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+) log=event:PVS-Vulnerable_ActiveX_Component_Detected srcip:$1 dstip:$4 proto:6 type:vulnerability NEXT id=4942 name=The PVS has detected a web session which leveraged unencrypted HTTP authentication. match=in match=TP match=nti match=pvs match=ent match=HTTP match=|6| match=ass match=uthentication match=ion match=ss match=|3018|HTTP Plaintext regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+) log=event:PVS-HTTP_Plaintext_Authentication srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access NEXT id=4943 name=The Passive Vulnerability Scanner has detected a host running a GoToMyPC client match=|60 match=|6055 match=GoToMyPC match=etected match= remote match= administration match=pvs match=|6| match=ho match=ote match=rem match=To match=ect match=ed match=st match=host match=ion regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+) log=event:PVS-GoToMyPC_Detected srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access NEXT id=4944 name=The Passive Vulnerability Scanner has detected a host running a World of Warcraft/Battle.net client match=|60 match=|6061 match=World of Warcraft match=World of Warcraft/Battle.net Detected match=etected match= online match= games match=pvs match=|6| match=nti match=ote match=ce match=le match= on match=rem match= remote match=for match=run match=ire match=ent match=ect match=uthentication match=ac match=ed match=st match=acc match=ess match=host match=ion match=client match=ss regex=pvs: 
([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+) log=event:PVS-World_of_Warcraft_Battle.net_Detected srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access NEXT id=4945 name=The Passive Vulnerability Scanner has detected a host logging into the PS3 Network match=|60 match=|6063 match=PS3 Login match=PS3 Login detection match=etection match=pvs match=|6| match=ote match=ect match=etw match=ork regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+) log=event:PVS-PS3_Network_Login_Detected srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access NEXT id=4946 name=The Passive Vulnerability Scanner has detected a remote client initiating a VNC connection match=Se match=io match=VNC match=Cl match=on match=art match=ent match=te match=6065|VNC Client Session Started| match=ien match=ed match=ess match=ss match=Start match=nt match=en match=rt match=ar match=Client match=Session match=li match=pvs match=6 match=ion match=VNC Client match=St regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+) log=event:PVS-VNC_Client_Connection_Started srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network NEXT id=4947 name=The Passive Vulnerability Scanner has detected a connection to the Android Marketplace match=dr match=Ma match=io match=: match=Detection match=Android Market match=on match=tion match=te match=etection match=ar match=ti match=pvs match=6 match=Android match=ect match=Android Market Detection match=ion match=oid regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+) log=event:PVS-Android_Market_Connection_Started srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access NEXT id=4948 name=The Passive Vulnerability Scanner has detected a host running PCAnywhere match=|17| match=an match=17 match=608 match=Symantec match=|60 match=pcAnywhere match=pcAnywhere Detection match=er match=etection match=ect 
match=|6087 match=ion regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+) log=event:PVS-PCAnywhere_Detected srcip:$4 srcport:$6 dstip:$1 dstport:$3 proto:6 type:network NEXT id=4949 name=The Passive Vulnerability Scanner has detected an SSH server session start. match=SSH match=608 match=time match=|60 match=er match=alt match=|6088 match=|6| match=etection match=ver match=ect match=SSH Server match=ion match=al match=erv match=SSH Server Detection regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+) log=event:PVS-SSH_Server_Detected srcip:$4 srcport:$6 dstip:$1 dstport:$3 proto:6 type:network NEXT id=4950 name=The Passive Vulnerability Scanner has detected a SSH client login match=|60 match=|6089 match=SSH match=SSH Client match=SSH Client login detected (realtime) match=log match=pvs match=|6| match=lo match=in match=ogin match=login match=Client match=ent match=etected match=detected match=alt match=ed match=al regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+) log=event:PVS-SSH_Client_Login_Detected srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:login NEXT id=4951 name=The Passive Vulnerability Scanner has detected a client uploading a file to Google Music match=|60 match=|6091 match=Google music match=Google music client upload detection match=pvs match=|6| match=oad match=mus match=ic match=Goo match=gle regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+) log=event:PVS-Google_Music_Upload_Detected srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access NEXT id=4952 name=The Passive Vulnerability Scanner has detected a client starting a Google Music session match=|60 match=|6092 match=Google music match=Google music client session initiated match=pvs match=|6| match=str match=eam match=mus match=ic match=Goo match=gle regex=pvs: 
([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+) log=event:PVS-Google_Music_Upload_Detected srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access NEXT id=4953 name=The Passive Vulnerability Scanner has detected an FTP session where a file was uploaded match=|61 match=|6103 match=FTP File match=FTP File Upload Detection match=ect match=FTP match=ST match=etection match=|6| match=pvs match=STOR regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+) log=event:PVS-FTP_File_Upload_Detected srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:file-access NEXT id=4954 name=The LCE has summarized detected SSL Certificate organization names from SSL sessions observed by the Passive Vulnerability Scanner. match=ar match=ho match=in match=ser match=ce match=ol match=session match=SSL match=ver match=ing match=st match=ess match=host match=ion match=ss match=erv match=SSL_Cert_Summary regex=host ([0-9]+(\.[0-9]+){3}) log=event:SSL_Cert_Summary srcip:$1 proto:6 type:network NEXT id=4955 name=The PVS has observed a host performing DNS lookups to a new DNS server. Active DNS servers in use should be audited to ensure that internal systems are configured correctly. match=|70 match=ho match=|17| match=in match=lo match=Client match=17 match=DNS match=ser match=ol match=to the following match=for match=to match=er match=ent match=ing match=ed match=st match=host match=erv match=|7053| regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+) log=event:PVS-New_DNS_Server_In_Use srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:17 type:detected-change NEXT id=4956 name=The PVS has detected a telnet account. 
match=|62 match=|6| match=elnet match=ccount match=6 match=cou match=ect match=etection match=|6265| match=SEL regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+) log=event:PVS-Telnet_Account_Detected srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network NEXT id=4957 name=The PVS has observed a user using Hulu. match=pvs match=|6| match=Detection match=ect match=User match=name match=Username match=|5944|Hulu Username Detection| match=ion match=hulu_uname regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}).*hulu\_uname\=([A-Za-z0-9\$\-\.\_\#\_]{1,25}) log=event:PVS-Hulu_Username_Detected type:web-access srcip:$1 srcport:$2 dstip:$3 dstport:$4 user:$5 proto:6 NEXT id=4958 name=The PVS has observed Apple iTunes being used. match=pvs match=|6| match=etection match=ect match=App match=Apple match=une match=iTunes match=en match=|6051|Apple iTunes Client Detection| match=ion regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}) log=event:PVS-Apple_iTunes_Detected type:web-access srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 NEXT id=4959 name=The PVS has observed a LinkedIn user name. match=pvs match=|6| match=ame match=Name match=Use match=User match=|5960|LinkedIn User Name| match=Link match=ked match=In regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}) log=event:PVS-LinkedIn_User_Name type:social-networks srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 NEXT id=4960 name=The PVS has observed LinkedIn message creation. 
match=pvs match=|6| match=ss match=mess match=age match=message match=at match=create match=|5959|LinkedIn create message| match=Link match=ked match=In regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}) log=event:PVS-LinkedIn_Message_Created type:social-networks srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 NEXT id=4961 name=The PVS has observed a Facebook link. match=pvs match=|6| match=in match=Link match=|6396|Facebook Link Detection| match=ect match=ion match=Detection regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}) log=event:PVS-Facebook_Link_Detected type:social-networks srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 NEXT id=4962 name=The PVS has detected a NetBios domain. match=pvs match=|17| match=Net match=Bios match=NetBios match=|7030|NetBios domain detection| match=domain match=ect match=ion match=detection regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}) log=event:PVS-NetBios_Domain_Detected type:network srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:17 NEXT id=4963 name=The PVS has detected a dangerous CLSID embedded within the webserver. This CLSID has been flagged, in the past, as one which may introduce security risk. match=pvs match=|6| match=ger match=dangerous match=|7020|ActiveX dangerous CLSIDs| match=Act match=ive match=ActiveX match=CLSIDs regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}) log=event:PVS-ActiveX_Dangerous_CLSIDs type:intrusion srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 NEXT id=4964 name=The PVS has detected an outbound Microsoft WinErr message. 
match=pvs match=|6| match=Out match=bound match=Outbound match=|2284|Outbound Microsoft WinErr Message| match=Micro match=WinErr match=Mess match=age match=Message regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}) log=event:PVS-WinErr_Outbound_Message type:error srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 NEXT id=4965 name=The PVS has detected an OS. match=pvs match=|6| match=|4345|WinErr Messages OS Detection| match=OS match=ect match=ion match=Detection match=WinErr match=Mess match=age match=Messages regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}) log=event:PVS-WinErr_Messages_OS_Detected type:error srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 NEXT id=4966 name=The PVS has detected a SMTP client return email address. match=pvs match=|6| match=|1329|SMTP Client Return Email Address Detection| match=SMTP match=ien match=Client match=Return match=ect match=Detection match=Email match=ss match=Address regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}) log=event:PVS-Email_Address_Detected type:network srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 NEXT id=4967 name=The Passive Vulnerability Scanner has detected a host accessing an iheartradio stream match=io match=6342|iHeartRadio Stream Detection match=Detection match=ea match=on match=art match=tion match=te match=etection match=re match=rt match=ar match=ti match=pvs match=ect match=ion match=eam match=St regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+) log=event:PVS-Iheartradio_Stream_Accessed srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access NEXT id=4968 name=The Passive Vulnerability Scanner has detected a successful finger attack. 
match=Fi match=ng match=tt match=ack match=cc match=ss match=er match=pvs match=Finger Attack - regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+) log=event:PVS-Successful_Finger_Attack srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:intrusion NEXT id=4969 name=The Passive Vulnerability Scanner has detected a Windows command shell running as a service. match=Wi match=mm match=Co match=ll match=as match=er match=vi match=pvs match=Windows Command Shell as Service regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+) log=event:PVS-Windows_Command_Shell_As_Service srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:intrusion NEXT id=4970 name=The Passive Vulnerability Scanner has observed a login to eBay. match=pvs match=eBay Auction Detected match=etected match=ti match=on match=tion match=te match=ect match=ed match=ion regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+) log=event:PVS-eBay_Auction srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access NEXT id=4971 name=The Passive Vulnerability Scanner has observed a login to the Orkut social network. match=pvs match=|Orkut Social Application match=pp match=etected match=ic match=cat match=at match=ti match=li match=on match=cia match=tion match=te match=ut match=ect match=App regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+) log=event:PVS-Orkut_Activity srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:social-networks NEXT id=4972 name=The Passive Vulnerability Scanner has observed a DNS Client Flame Infection. 
match=pvs match=|DNS Client Flame Infection match=In match=me match=Client match=DNS match=ti match=li match=tion match=ect regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+) log=event:PVS-DNS_Client_Flame_Infection srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:17 type:intrusion NEXT id=4973 name=The PVS has detected a web session which leveraged unencrypted HTTP authentication. match=pvs match=Se match=ho match=as match=io match=Server match=at match=Detection match=uth match=on match=tion match=te match=etection match=ver match=erv match=or match=TP match=iz match=ic match=ti match=uthorization match=er match=HTTP match=|5252|HTTP Server Basic Authorization regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+) log=event:PVS-HTTP_Plaintext_Authentication srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access NEXT id=4974 name=The PVS has detected a Facebook user watching a Viddy video. The video name is logged in the Referer field. match=pvs match=|6504|Facebook Viddy Application Detection match=io match=oo match=at match=ace match=Detection match=|6 match=on match=tion match=Vi match=etection match=App match=Fa match=pp match=ic match=cat match=ti match=li match=6 match=ok match=ect match=ion match=Application regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+) log=event:PVS-Facebook_Viddy_Usage srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:social-networks NEXT id=4975 name=The Passive Vulnerability Scanner has detected a download of an Android application from the Android market. 
match=Android Mobile Device App Download Detection match=Device match=Detection match=le match=ice match=|6 match=on match=tion match=|6| match=te match=etection match=App match=pp match=Do match=vi match=ce match=ti match=Download match=pvs match=ile match=oad match=6 match=Android match=ect match=ion match=oid regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+) log=event:PVS-Android_App_Download srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access NEXT id=4976 name=The Passive Vulnerability Scanner detected a new host. match=pvs match=host match=le match=|13|new-host-alert| regex=pvs: \[\:\:\].*\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\| log=event:PVS-New_Host_Alert dstip:$1 dstport:0 proto:17 type:detected-change NEXT id=4977 name=The Passive Vulnerability Scanner has detected a DNS query from a remote client. match=pvs match=|70 match=DNS match=ent match=|7051|DNS Client Queries| match=ser match=ed match=PVS has observed match=!This client has requested name resolution for the following regex=pvs: \[fe80:.*\[fe80:.*server at log=event:PVS-DNS_Client_Query proto:17 type:dns NEXT id=4978 name=The Passive Vulnerability Scanner detected a Credit Card number being leaked. No Luhn validation. match=!LUHN : TRUE match=pvs match=|70 match=|6| match=ect match=ion match=etection match=Data match=ent match=|7064|Client Data Leakage match=ar match=ed match=pp match=ss match=Credit Card Number regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}).* IP :([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:PVS-Credit_Card_Client_Data_Leakage_Detected srcip:$1 srcport:$2 dstip:$3 proto:6 type:data-leak NEXT id=4979 name=The Passive Vulnerability Scanner detected a Social Security number being leaked. 
match=pvs match=|70 match=|6| match=|7061 match=oci match=ecu match=detection match=Data match=ent match=|7061|Client Data Leakage detection| match=ar match=ed match=pp match=ss match=Social Security Number regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}).* IP :([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:PVS-Social_Security_Number_Client_Data_Leakage_Detected srcip:$1 srcport:$2 dstip:$3 proto:6 type:data-leak NEXT id=4980 name=The Passive Vulnerability Scanner detected a Credit Card number being leaked. match=pvs match=|6| match=|70 match=Data match=ect match=ion match=|7064|Server Data Leakage Detection| match=ar match=ed match=pp match=ss match=Credit Card Number #regex=Session data\: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}) to ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}) regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}) log=event:PVS-Credit_Card_Server_Data_Leakage_Detected srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 type:data-leak NEXT id=4981 name=The Passive Vulnerability Scanner detected an exe download. match=pvs match=ent match=lo match=|5254|Client match=.exe Download Detection| match=Do match=tion match=Download match=Client regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-Client_Exe_Download_Detection srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:file-access NEXT id=4982 name=The Passive Vulnerability Scanner detected a Web Server. match=pvs match=1442|Web match=Web match=Server match=Detection match=Se match=tion match=te match=ver match=erv match=ti match=er match=rv match=ect match=ion regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-Web_Server_Detection srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network NEXT id=4983 name=The Passive Vulnerability Scanner detected an SSL Server Certificate Exchange. 
match=pvs match=5620|SSL match=SSL match=Server match=Certificate match=Exchange match=Se match=cate match=te match=ver match=erv match=ti match=er match=rv match=ate match=change regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-SSL_Server_Certificate_Exchange srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network NEXT id=4984 name=The Passive Vulnerability Scanner detected a Red Hat client / server event enumeration. The client has subscribed to the Red Hat Satellite server. match=pvs match=7072|Red match=Red Hat client match=server match=event match=ent match=se match=te match=erv match=ti match=er match=rv match=ate regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-Red_Hat_Server_Subscription srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network NEXT id=4985 name=The Passive Vulnerability Scanner detected a Red Hat client / server event enumeration. The client has downloaded a package from the Red Hat Satellite server. match=pvs match=7073|Red match=Red Hat client match=server match=event match=ent match=se match=te match=erv match=ti match=er match=rv match=ate regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-Red_Hat_Server_Download srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network NEXT id=4986 name=The Passive Vulnerability Scanner detected a Red Hat client / server event enumeration. Package(s) were marked for removal. 
match=pvs match=7070|Red match=Red Hat client match=server match=event match=ent match=se match=te match=erv match=ti match=er match=rv match=ate regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-Red_Hat_Packages_Marked_For_Removal srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:detected-change NEXT id=4987 name=The Passive Vulnerability Scanner detected a Red Hat client / server event enumeration. Package(s) were marked for installation. match=pvs match=7071|Red match=Red Hat client match=server match=event match=ent match=se match=te match=erv match=ti match=er match=rv match=ate regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-Red_Hat_Packages_Marked_For_Installation srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:detected-change NEXT id=4988 name=The Passive Vulnerability Scanner detected a Red Hat Satellite Client Communication. match=pvs match=6660|Red match=Red Hat Satellite Client match=Sat match=lite match=Client match=ent regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-Red_Hat_Satellite_Client_Communication srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network NEXT id=4989 name=The Passive Vulnerability Scanner has detected a system browsing the network via HTTP with a web request for Microsoft Windows Excel .xls spreadsheet file. match=pvs match=|70 match=TP match=HTTP match=ect match=ion match=detection match=est match=|7041|HTTP request detection|The match=GET match=.xls;Referer: regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*\|([0-9]{1,3})\|7041\|.*DIP: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5}); log=event:PVS-Web_Office_XLS_Request srcip:$1 srcport:$3 dstip:$5 dstport:$7 proto:6 type:web-access NEXT id=4990 name=The PVS has detected a command issued from a database client to the database server. 
match=!login match=|7019| match=as match=PVS has observed match=da match=Database command logging match=se match=ser match=has match=he match=mm match=PVS match=|6 match=log match=fo match=pvs match=ma match=command regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*database server \((?:\|)?([0-9]+(\.[0-9]+){3})\).*\: log=event:PVS-Database_Command_Issued srcip:$1 srcport:$3 dstip:$8 dstport:$6 proto:6 type:database NEXT id=4991 name=The PVS has detected a command issued from a database client to the database server. match=!login match=|7019| match=as match=PVS has observed match=da match=Database command logging match=se match=ser match=has match=he match=mm match=PVS match=|6 match=log match=fo match=pvs match=ma match=to match=command regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*database server \((?:\|)?\): log=event:PVS-Database_Command_Issued srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:database NEXT id=4992 name=The PVS has detected an SSL session which is usually a service commonly used to maintain sensitive organizational data (e.g., payroll, PII, etc.). match=This connection should match=ser match=ed match=erv match=al match=er match=rv match=ve match=7062|SSL client session starting match=sess match=|70 match=io match=se match=|6 match=cli match=art match=ent match=|6| match=sta match=ien match=ing match=ess match=ar match= client match=in match=ng match=start match=ses match=pvs match=session match=SSL match=ion match=client match=starting match=maintain sensitive organizational data regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.* at destination\: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\. log=event:PVS-SSL_Session_Sensitive_Data srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network NEXT id=4993 name=The PVS has detected a RADIUS server has failed login. 
match=Ser match=ver match=ed match=erv match=er match=rv match=ve match=1145|RADIUS Server Failed Login Detection| match=|11 match=|17| match=io match=pvs match=RADIUS match=Fail match=ai match=Login match=Log match=in match=Detect match=ion regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*RADIUS Server Failed Login Detection log=event:PVS-Radius_Server_Failed_Login_Detection srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:17 type:login-failure NEXT id=4994 name=The PVS has detected a mDNS client response. match=ed match=erv match=er match=rv match=ve match=7074|mDNS Client Response Detection match=|70 match=|17| match=io match=pvs match=Client match=Response match=Detection match=mDNS match=ent match=se match=Detect match=ion regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*mDNS Client Response Detection log=event:PVS-mDNS_Client_Response_Detection srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:17 type:dns NEXT id=4995 name=The PVS has detected a windows update. match=msd match=er match=ve match=6702|Windows Update Detection match=|67 match=|6| match=pvs match=Windows match=Update match=Detection match=dow match=nlo match=pda regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*Windows Update log=event:PVS-Windows_Client_Software_Download srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:file-access NEXT id=4996 name=The PVS has detected a network session which leverages clear text user and password transmission, such as FTP, POP or IMAP. If this event occurs on non-standard ports, it should be investigated. 
match=cti match=ser match=er match=gi match=6704|Detection of User Login match=|67 match=|6| match=pvs match=Detection match=User match=Login regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*Detection of User Login log=event:PVS-User_Authentication_Detected srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network NEXT id=4997 name=The PVS has detected an internal client trust connection. match=al match=in match=trust match=tion match=3|internal-client-trust-connection match=pvs match=client match=nn match=connection regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*internal-client-trust-connection log=event:PVS-Internal_Client_Trust_Connection srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:connection NEXT id=4998 name=The PVS has detected an internal server trust connection. match=al match=in match=trust match=tion match=15|internal-server-trust-connection match=pvs match=server match=nn match=connection regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*internal-server-trust-connection log=event:PVS-Internal_Server_Trust_Connection srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:connection NEXT id=4999 name=The Passive Vulnerability Scanner detected a Credit Card number being leaked. Passed Luhn validation. match=TRUE match=pvs match=|70 match=|6| match=ect match=ion match=etection match=Data match=ent match=|7064|Client Data Leakage match=ar match=ed match=pp match=ss match=Credit Card Number regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}).* IP :([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) log=event:PVS-Credit_Card_Client_Data_Leakage_Detected_Luhn srcip:$1 srcport:$2 dstip:$3 proto:6 type:data-leak NEXT id=15000 name=The PVS has detected a Microsoft Executable being served. Possibly the remote server is a file server. The remote server appears to offer Microsoft Windows executables for download. 
match=Microsoft match=Micro match=able match=ing match=|4670| match=pvs match=Ser match=ed match=erv regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.*Microsoft Executable Being Served log=event:PVS-Microsoft_Executable_Being_Served srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network NEXT id=15001 name=The Passive Vulnerability Scanner has found a system with an outbound external connection. match=pvs match=|6| match=ion match=onnection match=onnect match=out match=outbound match=tion match=|6|16|outbound-external-connection| regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|6\|16\| log=event:PVS-Outbound_External_Connections srcip:$1 srcport:$2 dstip:$1 dstport:$2 proto:6 type:detected-change NEXT id=15002 name=The PVS has observed a user using Hulu. # note - this is the same as #4957, but the "hulu_uname=" string is not present in the POST, so no user name extraction is attempted match=pvs match=|6| match=Detection match=ect match=User match=name match=Username match=|5944|Hulu Username Detection| match=ion match=!hulu_uname regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}) log=event:PVS-Hulu_Username_Detected type:web-access srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 NEXT id=15003 name=The PVS has observed a user posting an image to Instagram. match=pvs match=|6| match=Instagram Upload Activity Detected match=Upload match=A match=lo match=In match=ag match=Inst match=Up match=|6 match=ty match=te match=sta match=Act match=ed match=etected match=ti match=oad match=6 match=it match=ect match=ad match=Detect regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}) log=event:PVS-Instagram_Upload_Detected type:web-access srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 NEXT id=15004 name=The Passive Vulnerability Scanner detected a new IPv6 address. 
match=pvs match=host match=le match=:: match=|13|new-host-alert| log=event:PVS-New_IPv6_Host_Alert type:detected-change NEXT id=15005 name=The Passive Vulnerability Scanner detected an SSL session which was indicative of a jailbroken iPhone, iPad or iPod. match=Apple Jailbroken Device Detection via HTTPS match=conn match=rem match=o match=HT match=70 match=PS match=pvs match=mo match=ll match= destination match=at match=6 match=dev match=7063 match=ja match=ok match=ect match=pp match=st match=remote match=ion regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-Apple_Jailbroken_Device_Detection_via_HTTPS srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network NEXT id=15006 name=The Passive Vulnerability Scanner detected a Yahoo search. match=Yahoo search string match=pvs match=|6771| match=sea match=rch match=search match=ing match=str match=string match=oo match=hoo match=Yahoo match=71| regex=([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-Yahoo_Search srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access NEXT id=15007 name=The Passive Vulnerability Scanner detected a Google search. match=Google search string match=pvs match=|6772| match=sea match=rch match=search match=ing match=str match=string match=oo match=Goo match=Google match=72| regex=([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-Google_Search srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access NEXT id=15008 name=The Passive Vulnerability Scanner detected a Bing search. 
match=Bing search string match=pvs match=|6770| match=sea match=rch match=search match=ing match=str match=string match=Bi match=Bing match=70| regex=([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-Bing_Search srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access NEXT id=15009 name=The Passive Vulnerability Scanner detected the Microsoft metadata service. A remote host has requested new metadata. match=Microsoft metadata service match=pvs match=|7080| match=ice match=ser match=service match=meta match=data match=Micro match=soft match=80| regex=([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-Microsoft_Metadata_Service srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:web-access NEXT id=15010 name=The Passive Vulnerability Scanner detected an SNMP query for the list of running processes. match=pvs match=|7081| match=running match=lo match=SNMP match=un match=cli match=ent match=tion match=te match=client match=re match=ng match=ch match=ine match=Detection of running processes regex=([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-SNMP_Client_Processes srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:process NEXT id=15011 name=The PVS has logged an SSL session initiated from a client to a service used for processing credit card transactions. match=sess match=id match=|70 match=Se match=nformation match=associated match=comp match=with match=form match=eas match=ea match=up match=le match=es match=he match=for match=certificate match=connection match=cli match=ent match=|6| match=7062|SSL client session starting match=is match=identified as match=onnection match=ng match=following match=nn match=pvs match= remote match= destination match=ssl match=SSL match=This connection should regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|.* at destination\: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\. 
log=event:PVS-SSL_ECom_Session srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network NEXT id=15012 name=The PVS has logged a Flickr image view. match=|69 match=pvs match=|6971|Flickr Image View Detection match=ion match=age match=ect match=ew match=Flickr regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:PVS-Flickr_Image_View_Detection srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:social-networks NEXT id=15013 name=The PVS has logged a Flickr search. match=pvs match=|69 match=6968|Flickr Search Detection match=ion match=rch match=Search match=Detect match=Flickr regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:PVS-Flickr_Search_Detection srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:social-networks NEXT id=15014 name=The PVS has logged that Schneider Electric Accutech Manager RF Failed Authentication. match=pvs match=|8038 match=Schneider Electric Accutech Manager RF Failed Authentication match=ion match=RF match=age match=Man match=ech match=Fail regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:PVS-Schneider_Electric_Accutech_Failed_Authentication srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:access-denied NEXT id=15015 name=The PVS has logged a Schneider Electric Accutech Manager RF successful authentication. match=pvs match=|8037 match=Schneider Electric Accutech Manager RF Successful Authentication match=ion match=RF match=age match=Man match=ech match=ss match=cc match=ful regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:PVS-Schneider_Electric_Accutech_Successful_Authentication srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:login NEXT id=15016 name=The PVS has detected an ISAKMP client. 
match=pvs match=|8042 match=17 match=ISAKMP Client Detection match=ion match=Det match=ct match=ISAKMP match=MP match=ent match=Cl match=Client regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:PVS-ISAKMP_Client_Detection srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:17 type:network NEXT id=15017 name=The PVS has detected an ISAKMP server. match=pvs match=|8043 match=17 match=ISAKMP Server Detection match=ion match=Det match=ct match=ISAKMP match=MP match=er match=ver match=Server regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:PVS-ISAKMP_Server_Detection srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:17 type:network NEXT id=15018 name=The PVS has detected an encapsulating security payload (ESP) setup. match=pvs match=|8041 match=50 match=|Encapsulating Security Payload (ESP) Session Setup match=ion match=ing match=ity match=Pay match=ad match=ss match=up match=Session regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:PVS-Encapsulating_Security_Payload_Setup srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:50 type:network NEXT id=15019 name=The PVS has detected a Magnet link. 
match=pvs match=|8069 match=69 match=|Magnet Link Detection match=ion match=Mag match=et match=net match=Li match=nk match=Det match=ect regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:PVS-Magnet_Link_Detection srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network NEXT id=15020 name=The PVS has detected a non-SSL protocol over port 443 match=|7085 match=pvs match=SSL match=wa match=ai match=mo match=pr regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:PVS-Non_SSL_Traffic_Over_Port_443 srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network NEXT id=15021 name=The PVS has detected a non-SSH protocol over port 22 match=|7086 match=pvs match=No match=-SSH match=ov match=er match=po match=rt match=22 match=Non-SSH over port 22 regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:PVS-Non_SSH_Over_Port_22 srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network NEXT id=15022 name=The PVS has detected a non-FTP protocol over port 21 match=|7087 match=pvs match=No match=-FTP match=ov match=er match=po match=rt match=21 match=Non-FTP over port 21 regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:PVS-Non_FTP_Over_Port_21 srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network NEXT id=15023 name=The PVS has detected a MSN UserID Enumeration. match=|7011 match=pvs match=MSN match=Us match=er match=ID match=En match=um match=|6| match=ion match=MSN UserID Enumeration regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:PVS-MSN_UserID_Enumeration srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network NEXT id=15024 name=The PVS has detected a DNP3 TCP cold restart command. 
match=|7094 match=pvs match=DNP3 match=TCP match=Co match=ld match=Re match=st match=|70 match=rt match=Cold Restart regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:PVS-DNP3_TCP_Cold_Restart srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network NEXT id=15025 name=The PVS has detected a DNP3 TCP disable unsolicited messages command. match=|7097 match=pvs match=DNP3 match=TCP match=Di match=le match=Un match=ed match=|70 match=ss match=Me match=es match=mm match=nd match=Disable Unsolicited Messages regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:PVS-DNP3_TCP_Disable_Unsolicited_Messages srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network NEXT id=15026 name=The PVS has detected a DNP3 TCP stop application command. match=|7096 match=pvs match=DNP3 match=TCP match=St match=op match=Ap match=pp match=|70 match=ca match=ti match=on match=Stop Application regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:PVS-DNP3_TCP_Stop_Application srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network NEXT id=15027 name=The PVS has detected a DNP3 TCP warm restart command. match=|7095 match=pvs match=DNP3 match=TCP match=Wa match=rm match=Re match=st match=|70 match=ar match=rt match=Warm Restart regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5}) log=event:PVS-DNP3_TCP_Warm_Restart srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network NEXT id=15028 name=The Passive Vulnerability Scanner detected MODBUS protocol activity commonly associated with SCADA control systems has returned query data. 
match=pvs match=7099 match=MOD match=MODBUS/TCP match=Re match=tu match=rn match=Qu match=ry match=Da match=ta match=Return Query Data match=SCADA regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-SCADA_MODBUS_Return_Query_Data srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network NEXT id=15029 name=The Passive Vulnerability Scanner detected MODBUS protocol activity commonly associated with SCADA control systems has restarted communications. match=pvs match=7100 match=MOD match=MODBUS/TCP match=Re match=st match=art match=Co match=mm match=un match=ion match=Restart Communications match=SCADA regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-SCADA_MODBUS_Restart_Communications srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network NEXT id=15030 name=The Passive Vulnerability Scanner detected MODBUS protocol activity commonly associated with SCADA control systems is in force listen mode. 
match=pvs match=7101 match=MOD match=MODBUS/TCP match=Fo match=ce match=Li match=st match=en match=Mo match=de match=Force Listen Mode match=SCADA regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-SCADA_MODBUS_Force_Listen_Mode srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network NEXT id=15031 name=The Passive Vulnerability Scanner detected MODBUS protocol activity commonly associated with SCADA control systems has cleared counters and diagnostic registers match=pvs match=6259 match=MOD match=MODBUS Client match=Cl match=ar match=Co match=ters match=nd match=Di match=tic match=Reg match=Clear Counters and Diagnostic Registers match=SCADA regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-SCADA_MODBUS_Clear_Counters_Diagnostic_Registers srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network NEXT id=15032 name=The Passive Vulnerability Scanner detected MODBUS protocol activity commonly associated with SCADA control systems has sent a report server ID request. match=pvs match=7103 match=MOD match=MODBUS/TCP match=Re match=po match=rt match=Se match=ver match=ID match=Report Server ID match=SCADA regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-SCADA_MODBUS_Report_Server_ID srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network NEXT id=15033 name=The Passive Vulnerability Scanner detected MODBUS protocol activity commonly associated with SCADA control systems CANopen protocol request. 
match=pvs match=7104 match=MOD match=MODBUS/TCP match=CANopen match=CA match=AN match=op match=en match=SCADA regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-SCADA_MODBUS_CANopen_Protocol srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network NEXT id=15034 name=The Passive Vulnerability Scanner detected MODBUS protocol activity commonly associated with SCADA control systems issued a device identification request. match=pvs match=7105 match=MOD match=MODBUS/TCP match=De match=vi match=ce match=Id match=en match=fi match=ion match=SCADA match=Device Identification regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-SCADA_MODBUS_Device_Identification srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network NEXT id=15035 name=The Passive Vulnerability Scanner has detected a DNS query from a remote client match=pvs match=7106 match=ve match=rm match=ob match=DNS match=DNSSEC regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-DNSSEC_Client_Query srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:dns NEXT id=15036 name=The Passive Vulnerability Scanner has logged the SSL Certificate information from a session. match=pvs match=|70 match=SSL match=ion match=iz match=rv match=rk match=client match=|7046|SSL Certificate information regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-SSL_Certificate_Info srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network NEXT id=15037 name=The Passive Vulnerability Scanner has detected a RDP session. 
match=pvs match=7107 match=RDP match=ut match=rv match=yb match=|RDP session start regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-RDP_Session_Started srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:network NEXT id=15038 name=The Passive Vulnerability Scanner has detected an SSL error code, the client has responded with an SSL error message. match=pvs match=7117 match=SSL match=Error match=rr match=Co match=|SSL Error Code|The client has match=The match=cl match=nt regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-SSL_Error_Code_Client srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:error NEXT id=15039 name=The Passive Vulnerability Scanner has detected an SSL error code, the server has responded with an SSL error message. match=pvs match=7116 match=SSL match=Error match=rr match=Co match=|SSL Error Code|The server has match=The match=se match=er regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5}) log=event:PVS-SSL_Error_Code_Server srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:$7 type:error NEXT id=15040 name=The Passive Vulnerability Scanner has detected a (Gateway Control Protocol) H.248.1 User Detection. match=H.248.1 match=User Detection match=8269 match=H. match=.248. match=pvs match=Us match=ser match=Detection match=User match=tion match=etection match= User match=De match=ct match=Detect match=ion match=|17| regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+) log=event:PVS-H248_1_User_Detection srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:17 type:web-access NEXT id=15041 name=The Passive Vulnerability Scanner has detected a passed in plaintext UserID and password. 
match=7137 match=UserID match=ID match=pvs: match=And match=Password match=ss match=ser match=Us match=Pa match=ed match=In match=Pl match=xt match=UserID And Password Passed In Plaintext match=|6| match=!user= regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*login=([A-Za-z0-9._-]+) log=event:PVS-UserID_And_Password_Passed_In_Plaintext srcip:$1 srcport:$3 dstip:$4 dstport:$6 user:$8 proto:6 type:login NEXT id=15042 name=PVS has observed a TCP session. match=pvs: match=|17| match=TCP match=end match=do match=nd match=wn match=up match=down match=TCP Session| regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,3})\| log=event:PVS-TCP_Session srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network NEXT id=15043 name=The Passive Vulnerability Scanner has detected a passed in plaintext UserID and password. match=7137 match=UserID match=ID match=pvs: match=And match=Password match=ss match=ser match=Us match=Pa match=ed match=In match=Pl match=xt match=UserID And Password Passed In Plaintext match=|6| regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+).*user=([A-Za-z0-9._-]+) log=event:PVS-UserID_And_Password_Passed_In_Plaintext srcip:$1 srcport:$3 dstip:$4 dstport:$6 user:$8 proto:6 type:login NEXT id=15044 name=The PVS has detected activex control. match=pvs match=|6| match=|4669|ActiveX Control Detection match=Act match=ive match=ActiveX match=Co match=ol match=De match=on regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]{1,5}) log=event:PVS-ActiveX_Control_Detection type:network srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 NEXT id=15045 name=The PVS has detected an NTP client connection. 
match=pvs match=|17| match=|7171|NTP Client Connection Detection match=NTP match=Client match=Connection match=Detection match=Cl match=Co match=De regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]{1,5}) log=event:PVS-NTP_Client_Connection_Detection type:connection srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:17 NEXT id=15046 name=The PVS has detected that the remote host has Apple software installed. match=pvs match=|6| match=|7084|Apple Software Listing match=Apple match=Software match=Li match=tin match=ing match=Ap match=So regex=pvs: ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]{1,5})\|([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+):([0-9]{1,5}) log=event:PVS-Apple_Software_Listing type:network srcip:$1 srcport:$2 dstip:$3 dstport:$4 proto:6 NEXT id=15047 name=The Passive Vulnerability Scanner has reported Non-DNS traffic over port 53, the remote host has sent data over port 53 which does not seem to be valid DNS traffic. match=pvs match=|7172|Non-DNS Traffic Over Port 53| match=|71 match=Non match=DNS match=Tr match=ic match=Ov match=er match=53 match=Po match=6 regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})\| log=event:PVS-Non_DNS_Traffic_Over_Port_53 srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network NEXT id=15048 name=The Passive Vulnerability Scanner has reported a DNS text type record, the remote host has sent a large DNS response which contained a text record. match=pvs match=|7173|DNS TEXT Type Record Detection| match=|71 match=DNS match=TE match=Re match=rd match=De match=on match=17 regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})\| log=event:PVS-DNS_Text_Type_Record_Detection srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:17 type:network NEXT id=15049 name=The Passive Vulnerability Scanner has reported a DNS TCP connection detection, the remote host is a DNS client utilizing TCP. 
This can be an indicator of malicious activity. match=pvs match=|7174|DNS TCP Connection Detection| match=|71 match=DNS match=TCP match=Co match=nn match=De match=on match=6 regex=pvs: ([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]+(\.[0-9]+){3}):([0-9]{1,5})\|([0-9]{1,5})\| log=event:PVS-DNS_TCP_Connection_Detection srcip:$1 srcport:$3 dstip:$4 dstport:$6 proto:6 type:network