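# LCE 3.0 PRM LIBRARY
# Copyright 2008 Tenable Network Security
# This library may only be used with the LCE server and may not
# be used with other products or open source projects
#
# NAME:
# NetScreen IDP PRM library
#
# DESCRIPTION:
# This library will parse and normalize SYSLOG messages generated by
# a NetScreen/Juniper IDP version 4.0
#
# LAST UPDATE: $Date: 2009/02/26 20:25:50 $
#
# STRUCTURE:
# Every rule below has the same shape. The match= lines are literal
# substrings that gate the rule: " recordId=", " timeRecv=", and a
# cat="Predefined" attack="<FAMILY>: prefix that selects one IDP attack
# family. The regex= line then extracts five fields and the log= line
# maps them positionally:
#   $1 device_ip -> sensor
#   $2 srcAddr   -> srcip
#   $3 srcPort   -> srcport
#   $4 dstAddr   -> dstip
#   $5 dstPort   -> dstport
# Some rules append a fixed proto: value (6 TCP, 17 UDP, 1 ICMP) for
# families tied to one transport; the remainder leave proto unset.
# The address captures accept any dotted run of digits ([0-9]+ per
# octet) and the port captures accept 1-6 digits, so the normalized
# srcip/dstip/srcport/dstport fields are not range-validated here;
# consumers should not assume they are well-formed addresses or ports.
# Each regex contains three unanchored .* runs; the literal match=
# lines are the only gate before it is evaluated, so keep them as
# specific as possible when adding rules.
# Rule ids 5913 and 5925 are not used in this library.

# Trojan family. The generic attack=" match line is subsumed by the
# more specific TROJAN: line that follows it (same pattern in every rule).
id=5900
name=The NetScreen IDP has detected Trojan network traffic.
match=" recordId="
match=" timeRecv="
match=" cat="Predefined" attack="
match=" cat="Predefined" attack="TROJAN:
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-Trojan_Activity type:backdoor sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5
NEXT

# DNS family. No proto is set because DNS signatures can be UDP or TCP.
id=5901
name=The NetScreen IDP has detected DNS abuse.
match=" recordId="
match=" timeRecv="
match=" cat="Predefined" attack="
match=" cat="Predefined" attack="DNS:
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-DNS_Abuse type:intrusion sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5
NEXT

# SNMP family (UDP).
id=5902
name=The NetScreen IDP has detected SNMP abuse.
match=" recordId="
match=" timeRecv="
match=" cat="Predefined" attack="
match=" cat="Predefined" attack="SNMP:
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-SNMP_Abuse type:intrusion sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 proto:17
NEXT

# HTTP family (TCP).
id=5903
name=The NetScreen IDP has detected HTTP abuse.
match=" recordId="
match=" timeRecv="
match=" cat="Predefined" attack="
match=" cat="Predefined" attack="HTTP:
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-HTTP_Abuse type:intrusion sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 proto:6
NEXT

# IP family (transport-independent, no proto).
id=5904
name=The NetScreen IDP has detected IP protocol abuse.
match=" recordId="
match=" timeRecv="
match=" cat="Predefined" attack="
match=" cat="Predefined" attack="IP:
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-IP_Protocol_Abuse type:intrusion sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5
NEXT

# ICMP family (proto 1). The srcPort/dstPort captures are still required
# by the regex even though ICMP has no ports; the IDP log carries them.
id=5905
name=The NetScreen IDP has detected ICMP protocol abuse.
match=" recordId="
match=" timeRecv="
match=" cat="Predefined" attack="
match=" cat="Predefined" attack="ICMP:
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-ICMP_Protocol_Abuse type:intrusion sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 proto:1
NEXT

# SCAN family -> scanning event type.
id=5906
name=The NetScreen IDP has detected network or host scanning.
match=" recordId="
match=" timeRecv="
match=" cat="Predefined" attack="
match=" cat="Predefined" attack="SCAN:
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-Port_Scanning type:scanning sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5
NEXT

# NETBIOS family.
id=5907
name=The NetScreen IDP has detected NetBIOS probing, attacks or scans.
match=" recordId="
match=" timeRecv="
match=" cat="Predefined" attack="
match=" cat="Predefined" attack="NETBIOS:
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-NETBIOS_Probing type:intrusion sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5
NEXT

# SMB. Unlike its neighbours this rule keys on one complete signature
# name (SMB:AUDIT:NT-LM-0.12) rather than the SMB: family prefix, so any
# other SMB: signature is NOT normalized by this library despite the
# broad wording of name=.
id=5908
name=The NetScreen IDP has detected Windows SMB probing, attacks or scans.
match=" recordId="
match=" timeRecv="
match=" cat="Predefined" attack="
match=" cat="Predefined" attack="SMB:AUDIT:NT-LM-0.12
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-SMB_Probing type:intrusion sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5
NEXT

# LPR (printing) family.
id=5909
name=The NetScreen IDP has detected attacks against printing protocols.
match=" recordId="
match=" timeRecv="
match=" cat="Predefined" attack="
match=" cat="Predefined" attack="LPR:
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-Printer_Attacks type:intrusion sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5
NEXT

# CHAT family. Emits the same event name as rule 5917 (P2P:), so chat
# and P2P alerts cannot be told apart by event name downstream.
id=5910
name=The NetScreen IDP has detected P2P, Chat and other types of IM activity.
match=" recordId="
match=" timeRecv="
match=" cat="Predefined" attack="
match=" cat="Predefined" attack="CHAT:
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-P2P_Activity type:p2p-activity sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5
NEXT

# TCP family (proto 6).
id=5911
name=The NetScreen IDP has detected a suspicious TCP session or protocol anomaly.
match=" recordId="
match=" timeRecv="
match=" cat="Predefined" attack="
match=" cat="Predefined" attack="TCP:
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-TCP_Activity type:intrusion sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 proto:6
NEXT

# SMTP family (TCP).
id=5912
name=The NetScreen IDP has detected a suspicious SMTP (email) session.
match=" recordId="
match=" timeRecv="
match=" cat="Predefined" attack="
match=" cat="Predefined" attack="SMTP:
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-SMTP_Activity type:intrusion sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 proto:6
NEXT

# SNMPTRAP family (UDP). Id 5913 is intentionally skipped in this file.
id=5914
name=The NetScreen IDP has detected a suspicious SNMP trap.
match=" recordId="
match=" timeRecv="
match=" cat="Predefined" attack="
match=" cat="Predefined" attack="SNMPTRAP:
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-SNMPTrap_Activity type:intrusion sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 proto:17
NEXT

# SPYWARE family -> pup-activity (potentially unwanted program).
id=5915
name=The NetScreen IDP has accepted traffic that is likely from a system infected with Spyware.
match=" recordId="
match=" timeRecv="
match=" cat="Predefined" attack="
match=" cat="Predefined" attack="SPYWARE:
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-Spyware_Activity type:pup-activity sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5
NEXT

# MS-RPC family. The name= text previously read "MS-PRC"; corrected to
# match the attack= prefix.
# NOTE(review): type:pup-activity here mirrors the SPYWARE rule above
# rather than the intrusion type used by every other protocol-family
# rule in this file -- confirm this classification is intended.
id=5916
name=The NetScreen IDP has detected MS-RPC traffic which is suspicious.
match=" recordId="
match=" timeRecv="
match=" cat="Predefined" attack="
match=" cat="Predefined" attack="MS-RPC:
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-MS_RPC_Activity type:pup-activity sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5
NEXT

# P2P family. Shares its event name with rule 5910 (CHAT:).
id=5917
name=The NetScreen IDP has detected P2P, Chat and other types of IM activity.
match=" recordId="
match=" timeRecv="
match=" cat="Predefined" attack="
match=" cat="Predefined" attack="P2P:
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-P2P_Activity type:p2p-activity sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5
NEXT

# RTSP family.
id=5918
name=The NetScreen IDP has detected RTSP traffic which is suspicious.
match=" recordId="
match=" timeRecv="
match=" cat="Predefined" attack="
match=" cat="Predefined" attack="RTSP:
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-RTSP_Activity type:intrusion sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5
NEXT

# SSH family.
id=5919
name=The NetScreen IDP has detected secure shell (ssh) traffic which is suspicious.
match=" recordId="
match=" timeRecv="
match=" cat="Predefined" attack="
match=" cat="Predefined" attack="SSH:
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-SSH_Activity type:intrusion sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5
NEXT

# SSL family (TCP).
id=5920
name=The NetScreen IDP has detected Secure Socket Layer traffic which is suspicious.
match=" recordId="
match=" timeRecv="
match=" cat="Predefined" attack="
match=" cat="Predefined" attack="SSL:
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-SSL_Activity type:intrusion sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 proto:6
NEXT

# APP family (generic application signatures).
id=5921
name=The NetScreen IDP has detected application traffic which is suspicious.
match=" recordId="
match=" timeRecv="
match=" cat="Predefined" attack="
match=" cat="Predefined" attack="APP:
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-Suspicious_Application type:intrusion sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5
NEXT

# LDAP family.
id=5922
name=The NetScreen IDP has detected LDAP traffic which is suspicious.
match=" recordId="
match=" timeRecv="
match=" cat="Predefined" attack="
match=" cat="Predefined" attack="LDAP:
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-LDAP_Activity type:intrusion sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5
NEXT

# DHCP family.
id=5923
name=The NetScreen IDP has detected DHCP traffic which is suspicious.
match=" recordId="
match=" timeRecv="
match=" cat="Predefined" attack="
match=" cat="Predefined" attack="DHCP:
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-DHCP_Activity type:intrusion sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5
NEXT

# NTP family (UDP).
id=5924
name=The NetScreen IDP has detected network time protocol traffic which is suspicious.
match=" recordId="
match=" timeRecv="
match=" cat="Predefined" attack="
match=" cat="Predefined" attack="NTP:
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-NTP_Activity type:intrusion sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 proto:17
NEXT

# DOS family -> dos event type. Id 5925 is intentionally skipped.
id=5926
name=The NetScreen IDP has detected a denial of service attack.
match=" recordId="
match=" timeRecv="
match=" cat="Predefined" attack="
match=" cat="Predefined" attack="DOS:
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-DOS_Activity type:dos sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5
NEXT

# FTP family (TCP).
id=5927
name=The NetScreen IDP has detected suspicious FTP activity.
match=" recordId="
match=" timeRecv="
match=" cat="Predefined" attack="
match=" cat="Predefined" attack="FTP:
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-FTP_Activity type:intrusion sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 proto:6
NEXT

# WORM family -> virus event type.
id=5928
name=The NetScreen IDP has detected suspicious WORM behavior.
match=" recordId="
match=" timeRecv="
match=" cat="Predefined" attack="
match=" cat="Predefined" attack="WORM:
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-Worm_Activity type:virus sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5
NEXT

# DB (database) family.
id=5929
name=The NetScreen IDP has detected suspicious database probes, scans or attacks.
match=" recordId="
match=" timeRecv="
match=" cat="Predefined" attack="
match=" cat="Predefined" attack="DB:
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-Database_Activity type:intrusion sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5
NEXT

# POP3 family (TCP).
id=5930
name=The NetScreen IDP has detected suspicious POP3 email probes, scans or attacks.
match=" recordId="
match=" timeRecv="
match=" cat="Predefined" attack="
match=" cat="Predefined" attack="POP3:
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-POP_Activity type:intrusion sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 proto:6
NEXT

# IMAP family (TCP).
id=5931
name=The NetScreen IDP has detected suspicious IMAP email probes, scans or attacks.
match=" recordId="
match=" timeRecv="
match=" cat="Predefined" attack="
match=" cat="Predefined" attack="IMAP:
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-IMAP_Activity type:intrusion sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 proto:6
NEXT

# DDOS family -> dos event type. Last rule in the library, so no NEXT.
# NOTE(review): proto:6 here matches the IMAP rule above, but DDOS
# signatures are not necessarily TCP -- confirm before relying on the
# proto field of this event.
id=5932
name=The NetScreen IDP has detected suspicious distributed denial of service scans or attacks.
match=" recordId="
match=" timeRecv="
match=" cat="Predefined" attack="
match=" cat="Predefined" attack="DDOS:
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-DDOS_Activity type:dos sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 proto:6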