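# Copyright 2006 Tenable Network Security
# This library may only be used with the LCE server and may not
# be used with other products or open source projects
#
# NAME:
# McAfee Event log parser
#
# DESCRIPTION:
# This library is used to process logs from McAfee Events
#
# LAST UPDATE: $Date: 2011/08/21 23:54:17 $
#
# Layout of every rule in this file:
#   id=     numeric rule id (5470-5479 here)
#   name=   human-readable description of what the rule detects
#   match=  substring the raw log must contain; each rule lists several,
#           many of them short fragments ("ent", "le", "an", "ed") plus the
#           distinguishing McAfee message text. Presumably all of them must
#           be present and act as a cheap pre-filter before the regex is
#           evaluated -- confirm against the LCE PRM documentation.
#   regex=  captures the dotted-quad that follows "IP " and precedes " user"
#           in the event text; the capture becomes $1
#   log=    normalized event name, srcip taken from $1, and the event type
#           (virus / firewall / intrusion / application)
#   NEXT    separates consecutive rules
# All rules require the "SWinEvent" and "AlertManager" fragments, i.e. they
# only fire on McAfee alerts relayed through the Windows event channel.
# Event names in log= are consumed downstream (correlation, dashboards) and
# are intentionally left unchanged even where their spelling is inconsistent
# (e.g. Anti_Virus in 5470 vs Anti-Virus in 5473).

# 5470: behaviour-blocking rule "Anti-virus Standard Protection" fired.
id=5470
name=The McAfee Anti-Virus software has blocked a virus based on standard protection behaviour rule.
match=ent
match=SWinEvent
match=le
match=AlertManager
match=an
match=lo
match=ed
match=Blocked by
match=St
match=ion
match=ing
match=ar
match=Blocked by behaviour blocking rule Anti-virus Standard Protection
match=ect
regex=IP ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) user
log=event:McAfee-Blocked_By_Anti_Virus_Standard_Protection srcip:$1 type:virus
NEXT

# 5471: behaviour-blocking rule "Common Standard Protection" fired.
id=5471
name=The McAfee Anti-Virus software has blocked a virus based on common standard protection behaviour rule.
match=ent
match=SWinEvent
match=le
match=AlertManager
match=an
match=lo
match=ed
match=Blocked by
match=St
match=ion
match=ing
match=ar
match=Blocked by behaviour blocking rule Common Standard Protection
match=ect
match=mon
regex=IP ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) user
log=event:McAfee-Blocked_By_Common_Standard_Protection srcip:$1 type:virus
NEXT

# 5472: behaviour-blocking rule "Common Maximum Protection" fired.
id=5472
name=The McAfee Anti-Virus software has blocked a virus based on common maximum protection behaviour rule.
match=ent
match=SWinEvent
match=le
match=AlertManager
match=an
match=lo
match=ed
match=Blocked by
match=ion
match=ing
match=Blocked by behaviour blocking rule Common Maximum Protection
match=ect
match=mon
regex=IP ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) user
log=event:McAfee-Blocked_By_Common_Maximum_Protection srcip:$1 type:virus
NEXT

# 5473: behaviour-blocking rule "Anti-virus Maximum Protection" fired.
# The full rule-text match and the "ect" fragment were previously listed
# twice in this rule; the duplicates added nothing and have been dropped.
# The remaining fragment order differs from the sibling rules but the set
# of required substrings is unchanged.
id=5473
name=The McAfee Anti-Virus software has blocked a virus based on anti-virus maximum protection behaviour rule.
match=lo
match=ion
match=ing
match=le
match=ed
match=Blocked by behaviour blocking rule Anti-virus Maximum Protection
match=ect
match=ent
match=SWinEvent
match=AlertManager
match=an
match=Blocked by
regex=IP ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) user
log=event:McAfee-Blocked_By_Anti-Virus_Maximum_Protection srcip:$1 type:virus
NEXT

# 5474: a behaviour-blocking rule matched but the product was in warn mode,
# so nothing was actually blocked. Still typed as "virus" so the event lands
# with the real blocks; treat it as a near-miss, not a contained threat.
id=5474
name=The McAfee Anti-Virus software would have blocked this, but it was in warn mode.
match=ent
match=SWinEvent
match=le
match=AlertManager
match=an
match=lo
match=ing
match=ed
match=Would be blocked by behaviour blocking rule
regex=IP ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) user
log=event:McAfee-Warn_Mode_Would_Be_Blocked srcip:$1 type:virus
NEXT

# 5475: "The file ... was infected with ..." -- infection found and cleaned
# (past tense in the McAfee message).
id=5475
name=The McAfee Anti-Virus software has cleaned an infected file.
match=ent
match=SWinEvent
match=le
match=AlertManager
match=an
match=The file
match=ed
match=was infected with
match=ect
regex=IP ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) user
log=event:McAfee-File_Was_Infected srcip:$1 type:virus
NEXT

# 5476: "The file ... is infected with ..." -- infection found, file still
# infected (present tense); this is the one worth alerting on.
id=5476
name=The McAfee Anti-Virus software has a file that is infected.
match=ent
match=SWinEvent
match=le
match=AlertManager
match=an
match=The file
match=ed
match=is infected with
match=ect
regex=IP ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) user
log=event:McAfee-File_Is_Infected srcip:$1 type:virus
NEXT

# 5477: port-blocking rule fired; typed as firewall rather than virus.
id=5477
name=The McAfee Anti-Virus software has blocked by port blocking rules.
match=ent
match=SWinEvent
match=le
match=AlertManager
match=an
match=lo
match=ed
match=Blocked by
match=ing
match=Blocked by port blocking rule
regex=IP ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) user
log=event:McAfee-Blocked_By_Port srcip:$1 type:firewall
NEXT

# 5478: buffer-overflow protection fired; typed as intrusion.
# "Protectio" is kept as written: as a substring it still matches the full
# word "Protection", so the truncation is harmless -- confirm it is intended.
id=5478
name=The McAfee Anti-Virus software has blocked by buffer overflow protection.
match=ent
match=SWinEvent
match=le
match=AlertManager
match=an
match=lo
match=ed
match=Blocked by
match=Blocked by Buffer Overflow Protectio
match=ect
regex=IP ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) user
log=event:McAfee-Blocked_By_Buffer_Overflow srcip:$1 type:intrusion
NEXT

# 5479: informational -- the scan engine reported its version. Useful for
# spotting hosts running an outdated engine; not a detection.
id=5479
name=The McAfee Anti-Virus software has recorded the scan version number.
match=ent
match=SWinEvent
match=le
match=AlertManager
match=ion
match=Scan version
match=an
regex=IP ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) user
log=event:McAfee-Scan_Version srcip:$1 type:application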