|
# logfile /var/log/local0.txt
|
|
|
|
# paloalto PA CSV format log, THREAT, threshold by src,dst
|
|
# Captures the 4th and 5th comma-separated fields after the literal "THREAT"
# as $1 and $2 -- per the header these are source and destination address.
# The three skipped fields must be non-empty ([^,]+); the later PA rules use
# [^,]* in the same positions, so a line with an empty field there matches
# those rules but not this one.
# NOTE(review): this pattern matches every THREAT line regardless of severity.
# If swatchdog stops at the first matching watchfor (the default unless the
# rule carries `continue`), the later, more specific THREAT rules -- including
# the no-threshold rule for medium/high/critical -- are never reached.
# Consider moving the severity-specific rules ahead of this one.
watchfor /THREAT,[^,]+,[^,]+,[^,]+,([^,]+),([^,]+),/
|
|
# type=limit: run the action for the first `count` match per track_by key
# ($1:$2) inside a `seconds` window, then suppress that key until the window
# expires. Every other src/dst pair is tracked independently.
threshold track_by=$1:$2,type=limit,count=1,seconds=60
|
|
# The matched log line is written to the script's stdin. The command string
# is fixed (no $N substitution), so log content never reaches the shell
# command line. Trailing argument "3" -- presumably a sensor/source id for the
# collector at 192.168.1.145; confirm against the script.
pipe "/opt/momentum_client/bin/syslog_pcap_save.pl 192.168.1.145 3"
|
|
|
|
## TippingPoint CEF format log, threshold by src,dst,srcport,dstport
|
|
# Requires four space-prefixed key=value pairs drawn from src/dst/spt/dpt.
# Each alternation accepts any of the four keys, so $2/$4/$6/$8 are the values
# in the order they appear in the message, not bound to a specific key; the
# header assumes the message order src, dst, spt, dpt -- confirm against a
# sample event. Values stop at the first space ([^ ]+).
# NOTE(review): the four greedy `.*` segments between the pairs can make
# matching long CEF lines expensive; worth checking on a busy feed.
watchfor /CEF.+TippingPoint.+ (src|dst|spt|dpt)=([^ ]+).* (src|dst|spt|dpt)=([^ ]+).* (src|dst|spt|dpt)=([^ ]+).* (src|dst|spt|dpt)=([^ ]+)/
|
|
# One action per $2:$4:$6:$8 key per 60 s window; further matches for the
# same key are suppressed until the window expires.
threshold track_by=$2:$4:$6:$8,type=limit,count=1,seconds=60
|
|
# Matched line goes to the script's stdin; fixed command string, no $N
# substitution. Trailing argument "4" -- presumably a sensor/source id;
# confirm against the script.
pipe "/opt/momentum_client/bin/syslog_pcap_save.pl 192.168.1.145 4"
|
|
|
|
## Lastline CEF format log, threshold by src,dst
|
|
# Requires two space-prefixed key=value pairs drawn from src/dst. Either key
# is accepted in either position, so $2 and $4 are the values in message
# order; the header assumes src before dst -- confirm against a sample event.
# Values stop at the first space ([^ ]+).
watchfor /CEF.+Lastline.+ (src|dst)=([^ ]+) .* (src|dst)=([^ ]+)/
|
|
# One action per $2:$4 key per 60 s window; further matches for the same key
# are suppressed until the window expires.
threshold track_by=$2:$4,type=limit,count=1,seconds=60
|
|
# Matched line goes to the script's stdin; fixed command string, no $N
# substitution. Trailing argument "5" -- presumably a sensor/source id;
# confirm against the script.
pipe "/opt/momentum_client/bin/syslog_pcap_save.pl 192.168.1.145 5"
|
|
|
|
## FortiGate CEF like log, threshold by srcip,dstip,srcport,dstport
|
|
# Anchors on the literal "FGVM" -- presumably a FortiGate VM serial/hostname
# prefix; confirm it matches every deployed appliance, otherwise physical
# units would not be picked up. Then requires four space-prefixed key=value
# pairs drawn from srcip/dstip/srcport/dstport. Each alternation accepts any
# of the four keys, so $2/$4/$6/$8 are the values in message order, not bound
# to a specific key; the header assumes srcip, dstip, srcport, dstport.
# Values stop at the first space ([^ ]+).
watchfor /FGVM.+ (srcip|dstip|srcport|dstport)=([^ ]+).* (srcip|dstip|srcport|dstport)=([^ ]+).* (srcip|dstip|srcport|dstport)=([^ ]+).* (srcip|dstip|srcport|dstport)=([^ ]+)/
|
|
# One action per $2:$4:$6:$8 key per 60 s window; further matches for the
# same key are suppressed until the window expires.
threshold track_by=$2:$4:$6:$8,type=limit,count=1,seconds=60
|
|
# Matched line goes to the script's stdin; fixed command string, no $N
# substitution. Trailing argument "6" -- presumably a sensor/source id;
# confirm against the script.
pipe "/opt/momentum_client/bin/syslog_pcap_save.pl 192.168.1.145 6"
|
|
|
|
## FortiWeb CEF like log, threshold by src,dst,src_port,dst_port
|
|
# Anchors on the literal "FVVM" -- presumably a FortiWeb VM serial/hostname
# prefix; confirm it matches every deployed appliance. Then requires four
# space-prefixed key=value pairs drawn from src/dst/src_port/dst_port. Each
# alternation accepts any of the four keys, so $2/$4/$6/$8 are the values in
# message order, not bound to a specific key; the header assumes src, dst,
# src_port, dst_port. Values stop at the first space ([^ ]+).
watchfor /FVVM.+ (src|dst|src_port|dst_port)=([^ ]+).* (src|dst|src_port|dst_port)=([^ ]+).* (src|dst|src_port|dst_port)=([^ ]+).* (src|dst|src_port|dst_port)=([^ ]+)/
|
|
# One action per $2:$4:$6:$8 key per 60 s window; further matches for the
# same key are suppressed until the window expires.
threshold track_by=$2:$4:$6:$8,type=limit,count=1,seconds=60
|
|
# Matched line goes to the script's stdin; fixed command string, no $N
# substitution. Trailing argument "7" -- presumably a sensor/source id;
# confirm against the script.
pipe "/opt/momentum_client/bin/syslog_pcap_save.pl 192.168.1.145 7"
|
|
|
|
## TREND MICRO Deep Discovery Inspector CEF format log, threshold by src,dst,spt,dpt
|
|
# Anchors on "Trend Micro" followed later by "Deep Discovery Inspector", then
# requires four space-prefixed key=value pairs drawn from src/dst/spt/dpt.
# Each alternation accepts any of the four keys, so $2/$4/$6/$8 are the values
# in message order, not bound to a specific key; the header assumes src, dst,
# spt, dpt -- confirm against a sample event. Values stop at the first space.
watchfor /Trend Micro.+Deep Discovery Inspector.+ (src|dst|spt|dpt)=([^ ]+).* (src|dst|spt|dpt)=([^ ]+).* (src|dst|spt|dpt)=([^ ]+).* (src|dst|spt|dpt)=([^ ]+)/
|
|
# One action per $2:$4:$6:$8 key per 60 s window; further matches for the
# same key are suppressed until the window expires.
threshold track_by=$2:$4:$6:$8,type=limit,count=1,seconds=60
|
|
# Matched line goes to the script's stdin; fixed command string, no $N
# substitution. Trailing argument "8" -- presumably a sensor/source id;
# confirm against the script.
pipe "/opt/momentum_client/bin/syslog_pcap_save.pl 192.168.1.145 8"
|
|
|
|
## DefensePro SSV format log, threshold by ipsrc,portsrc,ipdst,portdst
|
|
# Space-separated format: after "DefensePro:" exactly seven whitespace-
# delimited tokens are skipped (the repeated group leaves $1 holding only its
# last repetition, which is why track_by starts at $2), then tokens 8..11 are
# captured as $2..$5 -- per the header ipsrc, portsrc, ipdst, portdst.
# A trailing whitespace run is required after the 11th token.
watchfor /DefensePro:\s+([^\s]+\s+){7,7}([^\s]+)\s+([^\s]+)\s+([^\s]+)\s+([^\s]+)\s+/
|
|
# One action per $2:$3:$4:$5 key per 60 s window; further matches for the
# same key are suppressed until the window expires.
threshold track_by=$2:$3:$4:$5,type=limit,count=1,seconds=60
|
|
# Matched line goes to the script's stdin; fixed command string, no $N
# substitution. Trailing argument "9" -- presumably a sensor/source id;
# confirm against the script.
pipe "/opt/momentum_client/bin/syslog_pcap_save.pl 192.168.1.145 9"
|
|
|
|
## paloalto PA CSV format log, THREAT, threshold by src,dst
|
|
# NOTE(review): this rule is byte-for-byte identical to the first PA THREAT
# rule earlier in this file (same pattern, same threshold key and limits,
# same pipe command and argument). Whichever copy is evaluated first consumes
# the line, so this copy never adds anything and can be removed.
watchfor /THREAT,[^,]+,[^,]+,[^,]+,([^,]+),([^,]+),/
|
|
# Same $1:$2 (src:dst) key and 1-per-60 s limit as the earlier copy.
threshold track_by=$1:$2,type=limit,count=1,seconds=60
|
|
# Same collector address and trailing argument "3" as the earlier copy.
pipe "/opt/momentum_client/bin/syslog_pcap_save.pl 192.168.1.145 3"
|
|
|
|
## paloalto PA CSV format log, THREAT, threshold by src,dst,threat-name,severity(info,low)
|
|
# After "THREAT," three fields are skipped (empty allowed), $1 and $2 are the
# next two fields (src, dst per the header), then 23 fields are skipped via a
# repeated group ($3 holds only its last repetition and is unused), $4 is the
# field immediately after (threat-name per the header), one more field is
# skipped, and $5 must be exactly "informational" or "low".
# NOTE(review): the generic THREAT rule earlier in this file matches these
# lines first; unless that rule uses `continue`, this rule is unreachable.
watchfor /THREAT,[^,]*,[^,]*,[^,]*,([^,]+),([^,]+),([^,]*,){23,23}([^,]+),[^,]*,(informational|low),/
|
|
# Finer key than the generic THREAT rule: one action per src:dst:threat:severity
# combination per 60 s window.
threshold track_by=$1:$2:$4:$5,type=limit,count=1,seconds=60
|
|
# Matched line goes to the script's stdin; fixed command string, no $N
# substitution. Same collector and trailing argument "3" as the other PA
# rules.
pipe "/opt/momentum_client/bin/syslog_pcap_save.pl 192.168.1.145 3"
|
|
|
|
## paloalto PA CSV format log, THREAT, no threshold for severity(medium,high,critical)
|
|
# Skips 30 fields after "THREAT," (repeated group, $1 unused) and requires the
# 31st to be medium, high or critical -- the same column the info/low rule
# above tests for its severity. No threshold follows, so the intent is to
# forward every such line.
# NOTE(review): the generic THREAT rule earlier in this file matches these
# lines first and rate-limits them to 1 per src:dst per 60 s; unless that rule
# uses `continue`, this rule never fires and higher-severity events are
# suppressed. Place this rule ahead of the generic one.
watchfor /THREAT,([^,]*,){30,30}(medium|high|critical),/
|
|
# Matched line goes to the script's stdin; fixed command string, no $N
# substitution. Same collector and trailing argument "3" as the other PA
# rules.
pipe "/opt/momentum_client/bin/syslog_pcap_save.pl 192.168.1.145 3"
|
|
|
|
## paloalto PA CSV format log, TRAFFIC end, threshold by src,dst
|
|
# Matches "TRAFFIC,end," followed by two non-empty fields, then captures the
# next two as $1 and $2 (src, dst per the header).
# NOTE(review): this matches every TRAFFIC end line; unless it carries
# `continue`, the finer-keyed TRAFFIC end rule that follows is never reached.
watchfor /TRAFFIC,end,[^,]+,[^,]+,([^,]+),([^,]+),/
|
|
# One action per $1:$2 (src:dst) key per 60 s window; further matches for the
# same key are suppressed until the window expires.
threshold track_by=$1:$2,type=limit,count=1,seconds=60
|
|
# Matched line goes to the script's stdin; fixed command string, no $N
# substitution. Same collector and trailing argument "3" as the other PA
# rules.
pipe "/opt/momentum_client/bin/syslog_pcap_save.pl 192.168.1.145 3"
|
|
|
|
## paloalto PA CSV format log, TRAFFIC end, threshold by src,dst,srcport,dstport,protocol
|
|
# After "TRAFFIC,end," two fields are skipped (empty allowed), $1 and $2 are
# the next two (src, dst per the header), 15 fields are skipped via a repeated
# group ($3 holds only its last repetition and is unused), $4 and $5 are the
# two fields immediately after (srcport, dstport per the header), three more
# fields are skipped, and $6 is the next one (protocol per the header).
# NOTE(review): the src,dst TRAFFIC end rule above matches these lines first;
# unless it uses `continue`, this rule is unreachable.
watchfor /TRAFFIC,end,[^,]*,[^,]*,([^,]+),([^,]+),([^,]*,){15,15}([^,]+),([^,]+),[^,]*,[^,]*,[^,]*,([^,]+),/
|
|
# One action per 5-tuple key per 60 s window; further matches for the same
# key are suppressed until the window expires.
threshold track_by=$1:$2:$4:$5:$6,type=limit,count=1,seconds=60
|
|
# Matched line goes to the script's stdin; fixed command string, no $N
# substitution. Same collector and trailing argument "3" as the other PA
# rules.
pipe "/opt/momentum_client/bin/syslog_pcap_save.pl 192.168.1.145 3"
|