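# LCE 3.0 PRM LIBRARY
# Copyright 2008 Tenable Network Security
# This library may only be used with the LCE server and may not
# be used with other products or open source projects
#
# NAME:
# NetScreen IDP PRM library
#
# DESCRIPTION:
# This library will parse and normalize SYSLOG messages generated by
# a NetScreen/Juniper IDP version 4.0
#
# LAST UPDATE: $Date: 2011/08/21 23:54:16 $
#
# STRUCTURE:
# Every rule below has the same shape. The match= lines are literal
# substrings that must be present in the syslog text (presumably a cheap
# prefilter that runs before the regex); the regex= line extracts five
# fields; the log= line emits the normalized event using $1..$5:
#   $1 device_ip -> sensor    $2 srcAddr -> srcip    $3 srcPort -> srcport
#   $4 dstAddr   -> dstip     $5 dstPort -> dstport
# Only alerts carrying cat="Predefined" are matched; IDP alerts with any
# other category value fall through this library un-normalized. The
# attack="<PREFIX>: literal selects the signature family, and the leading
# double quote keeps the prefixes distinct (attack="DOS: does not match a
# DDOS: signature).
# The short fragments (ack, ttack, ed, TP, AP, TR, RA, AT) are substrings
# of the longer literals on the same rule (attack, Predefined, HTTP, LDAP,
# TROJAN, SNMPTRAP, CHAT ...); they add no selectivity beyond those.
# The IP and port patterns are loose: [0-9]+ octets accept values above
# 255 and {1,6} accepts six-digit port strings, so srcip/dstip and
# srcport/dstport are extracted here, not validated. Consumers of these
# events should not assume the fields are well-formed addresses or ports.
# proto: is pinned only on some rules (6=TCP, 17=UDP, 1=ICMP); rules
# without proto: leave it unset.

id=5900
name=The Juniper IDP has detected Trojan network traffic.
match=ack
match=ttack
match=" recordId="
match=" timeRecv="
match=ed
match=" cat="Predefined" attack="
match=" cat="Predefined" attack="TROJAN:
match=TR
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-Trojan_Activity type:intrusion sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5
NEXT

id=5901
name=The Juniper IDP has detected DNS abuse.
match=ack
match=ttack
match=" recordId="
match=" timeRecv="
match=ed
match=" cat="Predefined" attack="
match=" cat="Predefined" attack="DNS:
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-DNS_Abuse type:intrusion sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5
NEXT

# SNMP is pinned to UDP (proto:17).
id=5902
name=The Juniper IDP has detected SNMP abuse.
match=ack
match=ttack
match=" recordId="
match=" timeRecv="
match=ed
match=" cat="Predefined" attack="
match=" cat="Predefined" attack="SNMP:
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-SNMP_Abuse type:intrusion sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 proto:17
NEXT

# HTTP is pinned to TCP (proto:6).
id=5903
name=The Juniper IDP has detected HTTP abuse.
match=ack
match=ttack
match=" recordId="
match=" timeRecv="
match=ed
match=" cat="Predefined" attack="
match=TP
match=" cat="Predefined" attack="HTTP:
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-HTTP_Abuse type:intrusion sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 proto:6
NEXT

id=5904
name=The Juniper IDP has detected IP protocol abuse.
match=ack
match=ttack
match=" recordId="
match=" timeRecv="
match=ed
match=" cat="Predefined" attack="
match=" cat="Predefined" attack="IP:
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-IP_Protocol_Abuse type:intrusion sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5
NEXT

# ICMP is pinned to proto:1; the port fields are still extracted because
# the regex is shared, even though ICMP carries no ports.
id=5905
name=The Juniper IDP has detected ICMP protocol abuse.
match=ack
match=ttack
match=" recordId="
match=" timeRecv="
match=ed
match=" cat="Predefined" attack="
match=" cat="Predefined" attack="ICMP:
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-ICMP_Protocol_Abuse type:intrusion sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 proto:1
NEXT

# 5906-5908 are classified type:scanning rather than type:intrusion.
id=5906
name=The Juniper IDP has detected network or host scanning.
match=ack
match=ttack
match=" recordId="
match=" timeRecv="
match=ed
match=" cat="Predefined" attack="
match=" cat="Predefined" attack="SCAN:
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-Port_Scanning type:scanning sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5
NEXT

id=5907
name=The Juniper IDP has detected NetBIOS probing, attacks or scans.
match=ack
match=ttack
match=" recordId="
match=" timeRecv="
match=ed
match=" cat="Predefined" attack="
match=" cat="Predefined" attack="NETBIOS:
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-NETBIOS_Probing type:scanning sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5
NEXT

id=5908
name=The Juniper IDP has detected Windows SMB probing, attacks or scans.
match=ack
match=ttack
match=" recordId="
match=" timeRecv="
match=ed
match=" cat="Predefined" attack="
match=" cat="Predefined" attack="SMB:
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-SMB_Probing type:scanning sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5
NEXT

id=5909
name=The Juniper IDP has detected attacks against printing protocols.
match=ack
match=ttack
match=" recordId="
match=" timeRecv="
match=ed
match=" cat="Predefined" attack="
match=" cat="Predefined" attack="LPR:
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-Printer_Attacks type:intrusion sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5
NEXT

# NOTE(review): the CHAT: family emits the same event name and description
# as 5917 (P2P:), so the two families are indistinguishable downstream.
# A distinct Chat event may have been intended -- confirm before changing.
id=5910
name=The Juniper IDP has detected P2P, Chat and other types of IM activity.
match=ack
match=ttack
match=" recordId="
match=" timeRecv="
match=ed
match=" cat="Predefined" attack="
match=AT
match=" cat="Predefined" attack="CHAT:
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-P2P_Activity type:intrusion sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5
NEXT

id=5911
name=The Juniper IDP has detected a suspicious TCP session or protocol anomaly.
match=ack
match=ttack
match=" recordId="
match=" timeRecv="
match=ed
match=" cat="Predefined" attack="
match=" cat="Predefined" attack="TCP:
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-TCP_Activity type:intrusion sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 proto:6
NEXT

id=5912
name=The Juniper IDP has detected a suspicious SMTP (email) session.
match=ack
match=ttack
match=" recordId="
match=" timeRecv="
match=ed
match=" cat="Predefined" attack="
match=TP
match=" cat="Predefined" attack="SMTP:
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-SMTP_Activity type:intrusion sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 proto:6
NEXT

# (there is no id=5913 in this library)
# SNMPTRAP: is matched by its own full literal, so it never collides with
# the SNMP: rule (5902); both pin proto:17.
id=5914
name=The Juniper IDP has detected a suspicious SNMP trap.
match=ack
match=ttack
match=" recordId="
match=" timeRecv="
match=ed
match=" cat="Predefined" attack="
match=RA
match=" cat="Predefined" attack="SNMPTRAP:
match=TR
match=SNMP
match=AP
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-SNMPTrap_Activity type:intrusion sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 proto:17
NEXT

# Spyware and Worm (5928) events are classified type:virus.
id=5915
name=The Juniper IDP has accepted traffic that is likely from a system infected with Spyware.
match=ack
match=ttack
match=" recordId="
match=" timeRecv="
match=ed
match=" cat="Predefined" attack="
match=" cat="Predefined" attack="SPYWARE:
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-Spyware_Activity type:virus sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5
NEXT

# Description corrected from "MS-PRC" to MS-RPC so it agrees with the
# attack="MS-RPC: literal and the MS_RPC_Activity event name.
id=5916
name=The Juniper IDP has detected MS-RPC traffic which is suspicious.
match=ack
match=ttack
match=" recordId="
match=" timeRecv="
match=ed
match=" cat="Predefined" attack="
match=" cat="Predefined" attack="MS-RPC:
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-MS_RPC_Activity type:intrusion sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5
NEXT

id=5917
name=The Juniper IDP has detected P2P, Chat and other types of IM activity.
match=ack
match=ttack
match=" recordId="
match=" timeRecv="
match=ed
match=" cat="Predefined" attack="
match=" cat="Predefined" attack="P2P:
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-P2P_Activity type:intrusion sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5
NEXT

id=5918
name=The Juniper IDP has detected RTSP traffic which is suspicious.
match=ack
match=ttack
match=" recordId="
match=" timeRecv="
match=ed
match=" cat="Predefined" attack="
match=" cat="Predefined" attack="RTSP:
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-RTSP_Activity type:intrusion sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5
NEXT

id=5919
name=The Juniper IDP has detected secure shell (ssh) traffic which is suspicious.
match=ack
match=ttack
match=" recordId="
match=" timeRecv="
match=ed
match=" cat="Predefined" attack="
match=" cat="Predefined" attack="SSH:
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-SSH_Activity type:intrusion sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5
NEXT

id=5920
name=The Juniper IDP has detected Secure Socket Layer traffic which is suspicious.
match=ack
match=ttack
match=" recordId="
match=" timeRecv="
match=ed
match=" cat="Predefined" attack="
match=" cat="Predefined" attack="SSL:
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-SSL_Activity type:intrusion sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 proto:6
NEXT

id=5921
name=The Juniper IDP has detected application traffic which is suspicious.
match=ack
match=ttack
match=" recordId="
match=" timeRecv="
match=ed
match=" cat="Predefined" attack="
match=" cat="Predefined" attack="APP:
match=AP
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-Suspicious_Application type:intrusion sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5
NEXT

id=5922
name=The Juniper IDP has detected LDAP traffic which is suspicious.
match=ack
match=ttack
match=" recordId="
match=" timeRecv="
match=ed
match=" cat="Predefined" attack="
match=" cat="Predefined" attack="LDAP:
match=AP
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-LDAP_Activity type:intrusion sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5
NEXT

id=5923
name=The Juniper IDP has detected DHCP traffic which is suspicious.
match=ack
match=ttack
match=" recordId="
match=" timeRecv="
match=ed
match=" cat="Predefined" attack="
match=" cat="Predefined" attack="DHCP:
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-DHCP_Activity type:intrusion sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5
NEXT

id=5924
name=The Juniper IDP has detected network time protocol traffic which is suspicious.
match=ack
match=ttack
match=" recordId="
match=" timeRecv="
match=ed
match=" cat="Predefined" attack="
match=TP
match=" cat="Predefined" attack="NTP:
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-NTP_Activity type:intrusion sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 proto:17
NEXT

# (there is no id=5925 in this library)
# DOS and DDOS (5932) are classified type:dos.
id=5926
name=The Juniper IDP has detected a denial of service attack.
match=ack
match=ttack
match=" recordId="
match=" timeRecv="
match=ed
match=" cat="Predefined" attack="
match=" cat="Predefined" attack="DOS:
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-DOS_Activity type:dos sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5
NEXT

id=5927
name=The Juniper IDP has detected suspicious FTP activity.
match=ack
match=ttack
match=" recordId="
match=" timeRecv="
match=ed
match=" cat="Predefined" attack="
match=TP
match=" cat="Predefined" attack="FTP:
match=FTP
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-FTP_Activity type:intrusion sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 proto:6
NEXT

id=5928
name=The Juniper IDP has detected suspicious WORM behavior.
match=ack
match=ttack
match=" recordId="
match=" timeRecv="
match=ed
match=" cat="Predefined" attack="
match=" cat="Predefined" attack="WORM:
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-Worm_Activity type:virus sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5
NEXT

id=5929
name=The Juniper IDP has detected suspicious database probes, scans or attacks.
match=ack
match=ttack
match=" recordId="
match=" timeRecv="
match=ed
match=" cat="Predefined" attack="
match=" cat="Predefined" attack="DB:
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-Database_Activity type:intrusion sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5
NEXT

id=5930
name=The Juniper IDP has detected suspicious POP3 email probes, scans or attacks.
match=ack
match=ttack
match=" recordId="
match=" timeRecv="
match=ed
match=" cat="Predefined" attack="
match=" cat="Predefined" attack="POP3:
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-POP_Activity type:intrusion sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 proto:6
NEXT

id=5931
name=The Juniper IDP has detected suspicious IMAP email probes, scans or attacks.
match=ack
match=ttack
match=" recordId="
match=" timeRecv="
match=ed
match=" cat="Predefined" attack="
match=" cat="Predefined" attack="IMAP:
match=AP
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-IMAP_Activity type:intrusion sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 proto:6
NEXT

# NOTE(review): this rule pins proto:6 while 5926 (DOS:) leaves proto
# unset; DDOS signatures are not necessarily TCP-only -- confirm whether
# the pin is intended. Last rule in the library, so no trailing NEXT.
id=5932
name=The Juniper IDP has detected suspicious distributed denial of service scans or attacks.
match=ack
match=ttack
match=" recordId="
match=" timeRecv="
match=ed
match=" cat="Predefined" attack="
match=" cat="Predefined" attack="DDOS:
regex=.* device_ip="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)".*srcAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" srcPort="([0-9]{1,6})" .*dstAddr="([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" dstPort="([0-9]{1,6})"
log= event:NetscreenIDP-DDOS_Activity type:dos sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 proto:6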