# Copyright 2005 Tenable Network Security
# This library may only be used with the Thunder server and may not
# be used with other products or open source projects
#
# NAME: Symantec Event Log 
#
# DESCRIPTION:
# This library is used to parse events generated by a Symantec virus
# agent on Windows platforms. The events will be sent to the event log and
# need to be monitored with a Windows Thunder agent.
#
# LAST UPDATE: $Date$


# Rule 3061 - Symantec AntiVirus "Warning" events whose text contains "error".
# Every match= line is a literal substring of the event; presumably all of
# them must be present for the rule to fire (LCE PRM semantics - confirm for
# the engine version in use).
# The short fragments "ion", "pp", "an", "ar", "arn", "ing" are substrings of
# the longer matches ("Application", "Symantec", "Warning") and add no
# selectivity on their own; they look like a pre-filter convention of the
# rule engine rather than detection logic, so do not drop them untested.
# NOTE(review): "error" is matched anywhere in the event, so this fires for
# every Symantec AntiVirus Warning that contains the word, not only the
# "extraction errors" the name describes. Rule 3072 uses the same matches
# plus match=!error, so the two rules partition the Warning events.
# regex: $1 = host token before ",IP:" (letters, digits, '.', '-');
# $2 = dotted quad of digit runs - no 0-255 range check on the octets.
id=3061
name=The Symantec anti-virus program has issued a warning based on extraction errors encountered. 
match=ion
match=Application
match=pp
match=,Symantec AntiVirus,
match=an
match=ar
match=arn
match=ing
match=,Warning,
match=error
regex=([a-zA-Z0-9.-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Symantec-Virus_Errors type:error sensor:$1 dstip:$2

NEXT

# Rule 3062 - Symantec AntiVirus events logged at "Information" severity.
# Only the source (",Symantec AntiVirus,") and severity (",Information,")
# fields are checked, so every informational message from the agent is
# normalised into this one event; emitted as type:application, not an alert.
# "ion", "pp" and "an" are substrings of the longer matches and add nothing.
# regex: $1 = host token before ",IP:", $2 = dotted quad (digits only,
# no octet range check).
id=3062
name=The Symantec anti-virus program has logged an informational message. 
match=ion
match=Application
match=pp
match=,Symantec AntiVirus,
match=an
match=,Information,
regex=([a-zA-Z0-9.-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Symantec-Virus_Information type:application sensor:$1 dstip:$2

NEXT

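# Rule 3063 - Central Quarantine reports a detected virus (the event carries
# a " VirusName:" field); emitted as type:virus.
# The leading space in " VirusName:" is part of the match string and is
# presumably deliberate (a bare "VirusName:" would also hit a longer field
# name ending in those characters) - confirm before changing.
# "ion", "pp", "ent", "ar", "an" are substrings of "Application",
# "Central Quarantine" and "Symantec" and add no selectivity.
# regex: $1 = host token before ",IP:", $2 = dotted quad (digits only,
# no octet range check).
id=3063
name=The Symantec anti-virus program has found and quarantined a virus. 
match=ion
match=Application
match=pp
match=ent
match=ar
match=,Central Quarantine,
match=an
match= VirusName:
regex=([a-zA-Z0-9.-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Symantec-Virus_Central_Quarantine type:virus sensor:$1 dstip:$2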

NEXT

# Rule 3065 - Symantec Quarantine Agent logs "IcePack shutting down";
# emitted as type:restart. Companion rules: 3066 (service started) and
# 3069 (service stopped).
# Fragments "ion", "pp", "ent", "ar", "an", "ack", "ing", "ce" are
# substrings of the longer matches and add no selectivity.
# No rule with id 3064 is present in this file - presumably retired or
# defined elsewhere; confirm the gap in the id sequence is intentional.
# regex: $1 = host token before ",IP:", $2 = dotted quad (digits only,
# no octet range check).
id=3065
name=The Symantec anti-virus program has had to shutdown the IcePack agent.
match=ion
match=Application
match=pp
match=ent
match=ar
match=,Symantec Quarantine Agent,
match=an
match=ack
match=ing
match=ce
match=IcePack shutting down
regex=([a-zA-Z0-9.-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Symantec-IcePack_ShutDown type:restart sensor:$1 dstip:$2

NEXT

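# Rule 3066 - Symantec Quarantine Agent logs "(IcePack) service started";
# emitted as type:restart. The parentheses are literal characters here
# because match= is a substring test, not a regex.
# Fragments "ion", "pp", "ent", "ar", "an", "sta", "ser", "ack", "ce", "ed"
# and "service" are substrings of the longer matches and add no selectivity.
# NOTE(review): the log= line has two spaces between the event and type
# fields where every other rule uses one; left as-is pending confirmation
# that the field parser tolerates a double space.
# regex: $1 = host token before ",IP:", $2 = dotted quad (digits only,
# no octet range check).
id=3066
name=The Symantec anti-virus program has started the IcePack agent.
match=ion
match=Application
match=pp
match=ent
match=ar
match=,Symantec Quarantine Agent,
match=an
match=sta
match=ser
match=ack
match=ce
match=ed
match=(IcePack) service started
match=service
regex=([a-zA-Z0-9.-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Symantec-IcePack_Started  type:restart sensor:$1 dstip:$2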

NEXT

# Rule 3067 - Central Quarantine "Disk Space Warning": free disk space has
# dropped below the configured quarantine maximum size. Emitted as
# type:error.
# Worth treating as an availability problem for the AV control rather than a
# plain disk alert: presumably new detections cannot be quarantined once the
# store has no room to grow - confirm against the product behaviour.
# Fragments "ize", "ion", "pp", "ent", "ar", "an", "ce", "ace", "space",
# "arn", "ing", "le", "ss" are substrings of the full message and add no
# selectivity.
# regex: $1 = host token before ",IP:", $2 = dotted quad (digits only,
# no octet range check).
id=3067
name=The Symantec anti-virus program has run out of disk space. 
match=ize
match=ion
match=Application
match=pp
match=ent
match=ar
match=,Central Quarantine,
match=an
match=ce
match=ace
match=space
match=arn
match=ing
match=le
match=ss
match=Disk Space Warning - Disk free space less than Quarantine max size
regex=([a-zA-Z0-9.-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Symantec-Disk_Space_Warning type:error sensor:$1 dstip:$2


NEXT

# Rule 3068 - Central Quarantine service start-up message; emitted as
# type:restart. Companion rule: 3070 (service stopped).
# The trailing period in "Symantec Central Quarantine has started." is part
# of the match string; an event that omits it will not fire this rule.
# Fragments "ion", "pp", "an", "ent", "ar", "sta", "ed" are substrings of
# the longer matches and add no selectivity.
# regex: $1 = host token before ",IP:", $2 = dotted quad (digits only,
# no octet range check).
id=3068
name=The Symantec anti-virus program has started the Central Quarantine service.
match=ion
match=Application
match=pp
match=an
match=ent
match=ar
match=,Central Quarantine,
match=sta
match=ed
match=Symantec Central Quarantine has started.
regex=([a-zA-Z0-9.-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Symantec-Central_Quarantine_Started type:restart sensor:$1 dstip:$2

NEXT

# Rule 3069 - Symantec Quarantine Agent logs "(IcePack) service stopped";
# emitted as type:restart. Companion rules: 3065 (shutting down) and
# 3066 (service started). The parentheses are literal because match= is a
# substring test, not a regex.
# An unexpected stop of the quarantine agent is a loss of an AV control, so
# consumers should correlate this with 3066 to spot stops with no restart.
# Fragments "ion", "pp", "ent", "ar", "an", "ser", "ack", "ce", "ed",
# "service" are substrings of the longer matches and add no selectivity.
# NOTE(review): the log= line has two spaces between the event and type
# fields where most rules use one - confirm the field parser tolerates it.
# regex: $1 = host token before ",IP:", $2 = dotted quad (digits only,
# no octet range check).
id=3069
name=The Symantec anti-virus program has stopped the IcePack agent
match=ion
match=Application
match=pp
match=ent
match=ar
match=,Symantec Quarantine Agent,
match=an
match=ser
match=ack
match=ce
match=ed
match=(IcePack) service stopped
match=service
regex=([a-zA-Z0-9.-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Symantec-IcePack_Stopped  type:restart sensor:$1 dstip:$2

NEXT

# Rule 3070 - event from the "Central Quarantine" source whose text is
# "General Attention - The Quarantine Agent service has stopped"; emitted as
# type:restart. Companion rule: 3068 (Central Quarantine started).
# NOTE(review): the name says the Central Quarantine service stopped, while
# the matched text names the Quarantine Agent service - verify which service
# this event actually reports before relying on the description.
# Fragments "ion", "pp", "ser", "ce", "service", "ent", "ar", "an", "ed" are
# substrings of the longer matches and add no selectivity.
# regex: $1 = host token before ",IP:", $2 = dotted quad (digits only,
# no octet range check).
id=3070
name=The Symantec anti-virus program has stopped the Central Quarantine service.
match=ion
match=Application
match=pp
match=ser
match=ce
match=service
match=ent
match=ar
match=,Central Quarantine,
match=an
match=ed
match=General Attention - The Quarantine Agent service has stopped
regex=([a-zA-Z0-9.-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Symantec-Quarantine_Service_Stopped type:restart sensor:$1 dstip:$2

NEXT

# Rule 3071 - Symantec AntiVirus "Risk Found" from an Auto-Protect scan where
# the recorded action was "Cleaned by Deletion"; emitted as type:virus.
# NOTE(review): this is the only rule in the file that keys on "Action:", so
# Risk Found events with any other action string get no dedicated event and
# presumably fall through to the generic Warning/Information rules (3072,
# 3062) - check that this coverage gap is acceptable, since those are the
# cases where the threat may still be present.
# Fragments "ion", "pp", "an", "ect", "le", "ed" are substrings of the longer
# matches and add no selectivity.
# NOTE(review): the log= line has two spaces between the type and sensor
# fields where most rules use one - confirm the field parser tolerates it.
# regex: $1 = host token before ",IP:", $2 = dotted quad (digits only,
# no octet range check).
id=3071
name=The Symantec anti-virus program has cleaned a virus infection by deleting it. 
match=ion
match=Application
match=pp
match=,Symantec AntiVirus,
match=an
match=Risk Found
match=Auto-Protect scan
match=ect
match=le
match=ed
match=Action: Cleaned by Deletion
regex=([a-zA-Z0-9.-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Symantec-Virus_Cleaned_By_Deletion type:virus  sensor:$1 dstip:$2

NEXT

# Rule 3072 - Symantec AntiVirus "Warning" events that do NOT contain "error".
# match=!error is presumably a negated match (the event must not contain the
# text) - confirm the "!" prefix semantics for the engine version in use.
# The positive matches are identical to rule 3061's, so 3061 takes the
# Warnings containing "error" and this rule takes every other Warning.
# NOTE(review): emitted as type:virus although nothing in the matches
# establishes that a detection occurred; the type label is broader than what
# the rule checks - confirm it is intended.
# Fragments "ion", "pp", "an", "ar", "arn", "ing" are substrings of the
# longer matches and add no selectivity.
# regex: $1 = host token before ",IP:", $2 = dotted quad (digits only,
# no octet range check).
id=3072
name=The Symantec anti-virus program has issued a warning.
match=!error
match=ion
match=Application
match=pp
match=,Symantec AntiVirus,
match=an
match=ar
match=arn
match=ing
match=,Warning,
regex=([a-zA-Z0-9.-]+),IP:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Symantec-Virus_Warning type:virus sensor:$1 dstip:$2