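# THUNDER PRM LIBRARY
# Copyright 2008 Tenable Network Security
# This library may only be used with the Thunder server and may not
# be used with other products or open source projects
#
# NAME:
# TopLayer library
#
# DESCRIPTION:
#
# These signatures look for a variety of events occurring in the
# TopLayer event logging. For more information about TopLayer, please
# visit http://www.toplayer.com
#
# Conventions used throughout this file:
#   - every rule anchors on the TopLayer record id ("id=NN...") and on the
#     "pt=" field, which names the reporting device; the first regex
#     capture is always that device name and is logged as "sensor:$1".
#   - TopLayer names the client side "cip"/"cprt" and the server side
#     "sip"/"sprt"; the session rules below map cip->srcip and
#     sip->dstip consistently.
#   - "match=" lines are literal substring filters (a leading "!" negates);
#     the leading space in entries such as "match= pt=" is deliberate so
#     that "pt=" is only matched as a whole field, not as a suffix of
#     another key.
#   - rules are evaluated in file order, so the broad "id=02" rule (12106)
#     is placed after the specific TCP/UDP/ICMP/IP session rules and
#     relies on its negative filters to avoid catching their records.
#
# LAST UPDATE: $Date: 2011/09/16 15:53:44 $
#
##################################################################
#
#
#                         System Events
#
#
##################################################################
id=12100
name=TopLayer system events including time changes, restarts, cold starts etc.
match=id=01
match=pt
match= pt=
regex= pt=([a-zA-Z0-9.-]+)
log=event:TopLayer-System_Events sensor:$1 type:system
NEXT
##################################################################
#
#
#                          Flow Events
#
#
##################################################################
id=12101
name=TopLayer flow events produced by the originating device.
match=id=020000
match=pt
match= pt=
regex= pt=([a-zA-Z0-9.-]+)
log=event:TopLayer-Flow_Events sensor:$1 type:system
NEXT
id=12102
name=TopLayer flow events summary of a TCP network session.
match=id=02000
match=pt
match= pt=
match= cip=
match= sip=
match= sprt=
match=cp
match= cprt=
match= prot=tcp
match=tcp
regex=pt=([a-zA-Z0-9.-]+) .* cip=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) cprt=([0-9]+) .*sip=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) sprt=([0-9]+)
log=event:TopLayer-Flow_TCP_Network_Session_Events sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 type:connection
NEXT
id=12103
name=TopLayer flow events summary of a UDP network session.
match=id=02000
match=pt
match= pt=
match= cip=
match= sip=
match= sprt=
match=cp
match= cprt=
match= prot=udp
match=udp
regex=pt=([a-zA-Z0-9.-]+) .* cip=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) cprt=([0-9]+) .*sip=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) sprt=([0-9]+)
log=event:TopLayer-Flow_UDP_Network_Session_Events sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 type:connection
NEXT
id=12104
name=TopLayer flow events summary of an ICMP network session.
match=id=02000
match=pt
match= pt=
match= cip=
match= sip=
match= prot=icmp
match=icmp
regex=pt=([a-zA-Z0-9.-]+) .* cip=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*sip=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:TopLayer-Flow_ICMP_Network_Session_Events sensor:$1 srcip:$2 dstip:$3 type:connection
NEXT
id=12105
name=TopLayer flow events summary of an IP network session.
match=id=02000
match=pt
match= pt=
match= cip=
match= sip=
match= prot=ip
regex=pt=([a-zA-Z0-9.-]+) .* cip=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*sip=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:TopLayer-Flow_IP_Network_Session_Events sensor:$1 srcip:$2 dstip:$3 type:connection
NEXT
# Non-IP flows carry MAC addresses (cmac=/smac=) instead of cip=/sip=.
# The broad "id=02" prefix is safe only because this rule sits after the
# IP session rules above and excludes any record carrying cip/sip.
# The device name was already captured by the regex but not logged; it is
# now emitted as sensor:$1 like every other rule in this library so the
# reporting device can be attributed in correlation.
id=12106
name=TopLayer flow events summary of other than IP network sessions.
match=id=02
match=pt
match=pt=
match=!cip
match=!sip
match= cmac=
match= smac=
regex=pt=([a-zA-Z0-9.-]+)
log=event:TopLayer-Flow_Non_IP_Network_Session_Events sensor:$1 type:connection
NEXT
# Lost flow-detail counts. A rising count means session records are being
# dropped by the device, i.e. gaps in the connection evidence above.
# sensor:$1 added for consistency with the rest of the library.
id=12107
name=TopLayer flow events count of lost flow detail records.
match=id=020011
match=pt
match= pt=
regex=pt=([a-zA-Z0-9.-]+)
log=event:TopLayer-Flow_Lost_Detail_Events sensor:$1 type:system
NEXT
# sensor:$1 added for consistency with the rest of the library.
id=12108
name=TopLayer flow events that are MIB threshold records.
match=id=0201
match=pt
match= pt=
regex=pt=([a-zA-Z0-9.-]+)
log=event:TopLayer-Flow_MIB_Threshold_Events sensor:$1 type:system
NEXT
##################################################################
#
#
#                      IP Forwarding Events
#
#
##################################################################
id=12109
name=TopLayer IP forwarding events including MIB threshold records.
match=id=03
match=pt
match= pt=
regex=pt=([a-zA-Z0-9.-]+)
log=event:TopLayer-IP_Forwarding_Events sensor:$1 type:system
NEXT
##################################################################
#
#
#                    Bridge Forwarding Events
#
#
##################################################################
id=12110
name=TopLayer bridge forwarding events including MIB threshold records.
match=id=04
match=pt
match= pt=
regex=pt=([a-zA-Z0-9.-]+)
log=event:TopLayer-Bridge_Forwarding_Events sensor:$1 type:system
NEXT
##################################################################
#
#
#                        Interface Events
#
#
##################################################################
id=12111
name=TopLayer interface events including current state of circuit and MIB threshold records.
match=id=05
match=pt
match= pt=
regex=pt=([a-zA-Z0-9.-]+)
log=event:TopLayer-Interface_Events sensor:$1 type:system
NEXT
##################################################################
#
#
#                  Attack Mitigator Filter Events
#
#
##################################################################
# Generic catch-all for the 060000 record; the more specific 06000N
# records are handled by the rules that follow.
id=12112
name=TopLayer attack mitigator filter events produced by the originating device.
match=id=060000
match=pt
match= pt=
regex=pt=([a-zA-Z0-9.-]+)
log=event:TopLayer-Attack_Mitigator_Events sensor:$1 type:intrusion
NEXT
id=12113
name=TopLayer attack mitigator filter events associated with a TCP network session.
match=id=060001
match=pt
match= pt=
match= cip=
match= sip=
match= sprt=
match=cp
match= cprt=
match= prot=TCP
match=TCP
regex=pt=([a-zA-Z0-9.-]+) .* cip=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) cprt=([0-9]+) .*sip=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) sprt=([0-9]+)
log=event:TopLayer-Attack_Mitigator_TCP_Session_Events sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 type:intrusion
NEXT
id=12114
name=TopLayer attack mitigator filter events associated with UDP network session.
match=id=060002
match=pt
match= pt=
match= cip=
match= sip=
match= sprt=
match=cp
match= cprt=
match= prot=UDP
match=UDP
regex=pt=([a-zA-Z0-9.-]+) .* cip=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) cprt=([0-9]+) .*sip=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) sprt=([0-9]+)
log=event:TopLayer-Attack_Mitigator_UDP_Session_Events sensor:$1 srcip:$2 srcport:$3 dstip:$4 dstport:$5 type:intrusion
NEXT
id=12115
name=TopLayer attack mitigator filter events associated with ICMP network session.
match=id=060003
match=pt
match= pt=
match= cip=
match= sip=
match= prot=ICMP
match=ICMP
match=MP
regex=pt=([a-zA-Z0-9.-]+) .* cip=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*sip=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:TopLayer-Attack_Mitigator_ICMP_Session_Events sensor:$1 srcip:$2 dstip:$3 type:intrusion
NEXT
# NOTE(review): this rule keys on the literal " prot=8" rather than a
# protocol name like the neighbouring rules; confirm against a sample
# 060004 record that the device really emits a numeric protocol here.
id=12116
name=TopLayer attack mitigator filter events associated with IP network session.
match=id=060004
match=pt
match= pt=
match= cip=
match= sip=
match= prot=8
regex=pt=([a-zA-Z0-9.-]+) .* cip=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*sip=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:TopLayer-Attack_Mitigator_IP_Session_Events sensor:$1 srcip:$2 dstip:$3 type:intrusion
NEXT
id=12117
name=TopLayer attack mitigator filter events associated with the state of the client host.
match=id=060005
match=pt
match= pt=
match= cip=
match=!sip=
match= prot=TCP
match=TCP
regex=pt=([a-zA-Z0-9.-]+) .* cip=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:TopLayer-Attack_Mitigator_State_Of_Client_Events sensor:$1 srcip:$2 type:intrusion
NEXT
# NOTE(review): the only address in this record is the server ("sip"),
# and it is logged as srcip:$2. Every session rule in this file maps sip
# to dstip, so consumers correlating on srcip/dstip may misattribute this
# event. Kept as-is to avoid changing an existing field; confirm the
# intended mapping with the dashboard/correlation rules that use it.
id=12118
name=TopLayer attack mitigator filter events associated with the state of the server host.
match=id=060006
match=pt
match= pt=
match= sip=
match=!cip=
match= prot=TCP
match=TCP
regex=pt=([a-zA-Z0-9.-]+) .* sip=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:TopLayer-Attack_Mitigator_State_Of_Server_Events sensor:$1 srcip:$2 type:intrusion
NEXT
# Suppression-level transitions are classified as firewall events because
# they describe a change in the device's blocking posture, not a new attack.
id=12119
name=TopLayer attack mitigator filter events associated with the transition from first level to second level suppression.
match=id=060007
match=pt
match= pt=
match=!sip=
match= cip=
regex=pt=([a-zA-Z0-9.-]+) .* cip=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:TopLayer-Attack_Mitigator_Transition_Record_To_Second_Level sensor:$1 srcip:$2 type:firewall
NEXT
id=12120
name=TopLayer attack mitigator filter events associated with the transition from second level to first level suppression.
match=id=060008
match=pt
match= pt=
match=!sip=
match=!cip=
regex=pt=([a-zA-Z0-9.-]+)
log=event:TopLayer-Attack_Mitigator_Transition_Record_To_First_Level sensor:$1 type:firewall
NEXT
id=12121
name=TopLayer attack mitigator filter events associated with IP fragment.
match=id=060009
match=pt
match= pt=
match= sip=
match= cip=
regex=pt=([a-zA-Z0-9.-]+) .* cip=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*sip=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:TopLayer-Attack_Mitigator_IP_Fragment sensor:$1 srcip:$2 dstip:$3 type:dos
NEXT
id=12122
name=TopLayer attack mitigator filter events that detects address spoof by secure controller.
match=id=060010
match=pt
match= pt=
match= sip=
match= cip=
regex=pt=([a-zA-Z0-9.-]+) .* cip=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*sip=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:TopLayer-Attack_Mitigator_Detected_Address_Spoof sensor:$1 srcip:$2 dstip:$3 type:intrusion
NEXT
# NOTE(review): the filter below matches the literal "{cip=" whereas every
# other rule matches " cip=". If the device emits the usual space-separated
# form, rules 12123 and 12124 never fire and recurring-spoof activity goes
# unreported. Verify against a captured 060011/060012 record before
# relying on these two events.
id=12123
name=TopLayer attack mitigator filter events associated with recurring spoof attempts involving an ip address.
match=id=060011
match=pt
match= pt=
match={cip=
regex=pt=([a-zA-Z0-9.-]+) .*cip=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:TopLayer-Attack_Mitigator_Event_Recurring_Spoof sensor:$1 srcip:$2 type:intrusion
NEXT
id=12124
name=TopLayer attack mitigator filter events that mark the end of an involvement with a continuing spoof.
match=id=060012
match=pt
match= pt=
match={cip=
regex=pt=([a-zA-Z0-9.-]+) .*cip=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:TopLayer-Attack_Mitigator_Event_Ending_Spoof sensor:$1 srcip:$2 type:intrusion
NEXT
id=12125
name=TopLayer attack mitigator filter events MIB thresholds.
match=id=06010
match=pt
match= pt=
match= msg=
match= prev=
match=rr
match= curr=
regex=pt=([a-zA-Z0-9.-]+)
log=event:TopLayer-Attack_Mitigator_MIB_Threshold sensor:$1 type:system
NEXT
##################################################################
#
#
#                     Classification Events
#
#
##################################################################
id=12126
name=TopLayer classification events produced by the originating device and MIB thresholds.
match=id=07
match=pt
match= pt=
regex=pt=([a-zA-Z0-9.-]+)
log=event:TopLayer-Classification_Events sensor:$1 type:system
NEXT
##################################################################
#
#
#                      Remote Access Events
#
#
##################################################################
id=12127
name=TopLayer remote access events produced by the originating device.
match=id=080000
match=pt
match= pt=
regex=pt=([a-zA-Z0-9.-]+)
log=event:TopLayer-Remote_Access_Events sensor:$1 type:login
NEXT
# Management/user session summaries. The filters require a "user=" field
# but the regex does not capture it, so the login event carries only the
# client address; the regex also requires "cip=" although no match= line
# does, so a record without cip= is silently dropped rather than logged.
# NOTE(review): capturing the user name would make this login event far
# more useful for access auditing - confirm the field format on a sample.
id=12128
name=TopLayer remote access events summary of management and user sessions.
match=id=08000
match=pt
match= pt=
match=ser
match= user=
match=user
regex=pt=([a-zA-Z0-9.-]+) .*cip=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:TopLayer-Remote_Access_Session_Events sensor:$1 srcip:$2 type:login
NEXT
id=12129
name=TopLayer remote access events MIB threholds.
match=id=08010
match=pt
match= pt=
match= msg=
match=rr
match= curr=
regex=pt=([a-zA-Z0-9.-]+)
log=event:TopLayer-Remote_Access_MIB_Threshold_Events sensor:$1 type:system
NEXT
##################################################################
#
#
#                         Policy Events
#
#
##################################################################
id=12130
name=TopLayer policy events produced by the originating device, including MIB thresholds.
match=id=09
match=pt
match= pt=
regex=pt=([a-zA-Z0-9.-]+)
log=event:TopLayer-Policy_Events sensor:$1 type:system
NEXT
##################################################################
#
#
#                     Configuration Events
#
#
##################################################################
id=12131
name=TopLayer configuration events produced by the originating device, also including Certificate updates, redirection and MIB thresholds.
match=id=10
match=pt
match= pt=
regex=pt=([a-zA-Z0-9.-]+)
log=event:TopLayer-Configuration_Events sensor:$1 type:system
NEXT
##################################################################
#
#
#                       Statistic Events
#
#
##################################################################
# NOTE(review): statistic/MIB-threshold records are typed "system" in every
# other section, but this one is typed "intrusion"; confirm that is intended,
# since it will surface in intrusion dashboards and alerting.
id=12132
name=TopLayer statistic events produced by the originating device, including MIB thresholds.
match=id=11
match=pt
match= pt=
regex=pt=([a-zA-Z0-9.-]+)
log=event:TopLayer-Statistic_Events sensor:$1 type:intrusion
NEXT
##################################################################
#
#
#                          ROE Events
#
#
##################################################################
id=12133
name=TopLayer ROE events produced by the originating device.
match=id=120000
match=pt
match= pt=
regex=pt=([a-zA-Z0-9.-]+)
log=event:TopLayer-ROE_Events sensor:$1 type:error
NEXT
# "id=12000" would also match the generic 120000 record handled above, hence
# the explicit negative filter. The event name keeps its historical spelling
# ("Fragement") because downstream filters may key on it.
id=12134
name=TopLayer ROE events IP fragment errors.
match=!id=120000
match=id=12000
match=pt
match= pt=
regex=pt=([a-zA-Z0-9.-]+) .*cip=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*sip=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:TopLayer-ROE_Events_IP_Fragement_Errors sensor:$1 srcip:$2 dstip:$3 type:error
NEXT
id=12135
name=TopLayer ROE events MIB thresholds
match=id=12010
match=pt
match= pt=
regex=pt=([a-zA-Z0-9.-]+)
log=event:TopLayer-ROE_Events_MIB_Thresholds sensor:$1 type:error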