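# logfile /var/log/local0.txt
#
# swatch/swatchdog rule set.  Every rule below pipes the matched log line into
# syslog_pcap_save.pl (the line is written to the script's stdin); the script's
# two arguments are fixed per log source in this file.  Because the log text
# reaches the script unmodified, the script, not this file, must treat that
# input as untrusted data.
#
# Rule ordering matters: swatch stops at the first matching "watchfor" unless
# the action list contains "continue".  For each log type the most specific
# rule is therefore listed first and the broad src:dst rule last, as a
# fallback.  (The earlier layout listed the broad paloalto THREAT and TRAFFIC
# rules first, which made the severity-based THREAT rules and the 5-tuple
# TRAFFIC rule unreachable, and the broad THREAT rule was present twice.)
#
# "threshold type=limit,count=1,seconds=60" runs the actions at most once per
# 60 seconds for each distinct track_by key.

# TippingPoint CEF format log, threshold by src,dst,srcport,dstport
# NOTE: the alternation (src|dst|spt|dpt) does not enforce which key lands in
# which capture group; the track_by key is positional and assumes the four
# extensions appear in the order src, dst, spt, dpt - confirm against real events.
watchfor /CEF.+TippingPoint.+ (src|dst|spt|dpt)=([^ ]+).* (src|dst|spt|dpt)=([^ ]+).* (src|dst|spt|dpt)=([^ ]+).* (src|dst|spt|dpt)=([^ ]+)/
    threshold track_by=$2:$4:$6:$8,type=limit,count=1,seconds=60
    pipe "/opt/momentum_client/bin/syslog_pcap_save.pl 192.168.1.145 4"

# Lastline CEF format log, threshold by src,dst
# Same positional caveat as above: assumes src precedes dst in the event.
watchfor /CEF.+Lastline.+ (src|dst)=([^ ]+) .* (src|dst)=([^ ]+)/
    threshold track_by=$2:$4,type=limit,count=1,seconds=60
    pipe "/opt/momentum_client/bin/syslog_pcap_save.pl 192.168.1.145 5"

# FortiGate CEF like log, threshold by srcip,dstip,srcport,dstport
# Same positional caveat as above (expected order srcip, dstip, srcport, dstport).
watchfor /FGVM.+ (srcip|dstip|srcport|dstport)=([^ ]+).* (srcip|dstip|srcport|dstport)=([^ ]+).* (srcip|dstip|srcport|dstport)=([^ ]+).* (srcip|dstip|srcport|dstport)=([^ ]+)/
    threshold track_by=$2:$4:$6:$8,type=limit,count=1,seconds=60
    pipe "/opt/momentum_client/bin/syslog_pcap_save.pl 192.168.1.145 6"

# FortiWeb CEF like log, threshold by src,dst,src_port,dst_port
# Same positional caveat as above (expected order src, dst, src_port, dst_port).
watchfor /FVVM.+ (src|dst|src_port|dst_port)=([^ ]+).* (src|dst|src_port|dst_port)=([^ ]+).* (src|dst|src_port|dst_port)=([^ ]+).* (src|dst|src_port|dst_port)=([^ ]+)/
    threshold track_by=$2:$4:$6:$8,type=limit,count=1,seconds=60
    pipe "/opt/momentum_client/bin/syslog_pcap_save.pl 192.168.1.145 7"

# TREND MICRO Deep Discovery Inspector CEF format log, threshold by src,dst,spt,dpt
# Same positional caveat as above (expected order src, dst, spt, dpt).
watchfor /Trend Micro.+Deep Discovery Inspector.+ (src|dst|spt|dpt)=([^ ]+).* (src|dst|spt|dpt)=([^ ]+).* (src|dst|spt|dpt)=([^ ]+).* (src|dst|spt|dpt)=([^ ]+)/
    threshold track_by=$2:$4:$6:$8,type=limit,count=1,seconds=60
    pipe "/opt/momentum_client/bin/syslog_pcap_save.pl 192.168.1.145 8"

# DefensePro SSV format log, threshold by ipsrc,portsrc,ipdst,portdst
# Skips the seven whitespace-separated tokens after "DefensePro:" and keys on
# the next four; $1 is only the last of the seven skipped tokens and is unused.
watchfor /DefensePro:\s+([^\s]+\s+){7,7}([^\s]+)\s+([^\s]+)\s+([^\s]+)\s+([^\s]+)\s+/
    threshold track_by=$2:$3:$4:$5,type=limit,count=1,seconds=60
    pipe "/opt/momentum_client/bin/syslog_pcap_save.pl 192.168.1.145 9"

# paloalto PA CSV format log, THREAT, no threshold for severity(medium,high,critical)
# Listed first so that every medium/high/critical THREAT record is captured
# without rate limiting.  30 comma-separated fields after the type field are
# skipped and the next one must be the severity; the field positions follow the
# PAN-OS THREAT CSV layout - verify against the firewall's PAN-OS version.
watchfor /THREAT,([^,]*,){30,30}(medium|high|critical),/
    pipe "/opt/momentum_client/bin/syslog_pcap_save.pl 192.168.1.145 3"

# paloalto PA CSV format log, THREAT, threshold by src,dst,threat-name,severity(info,low)
# $1 src, $2 dst, $4 threat id, $5 severity ($3 is the last skipped field).
watchfor /THREAT,[^,]*,[^,]*,[^,]*,([^,]+),([^,]+),([^,]*,){23,23}([^,]+),[^,]*,(informational|low),/
    threshold track_by=$1:$2:$4:$5,type=limit,count=1,seconds=60
    pipe "/opt/momentum_client/bin/syslog_pcap_save.pl 192.168.1.145 3"

# paloalto PA CSV format log, THREAT, threshold by src,dst
# Fallback for THREAT records the two rules above did not match (for example an
# unexpected severity value).  The three skipped fields use [^,]* like the
# specific rules so that an empty field does not make this fallback miss.
watchfor /THREAT,[^,]*,[^,]*,[^,]*,([^,]+),([^,]+),/
    threshold track_by=$1:$2,type=limit,count=1,seconds=60
    pipe "/opt/momentum_client/bin/syslog_pcap_save.pl 192.168.1.145 3"

# paloalto PA CSV format log, TRAFFIC end, threshold by src,dst,srcport,dstport,protocol
# $1 src, $2 dst, $4 srcport, $5 dstport, $6 protocol ($3 is the last skipped field).
watchfor /TRAFFIC,end,[^,]*,[^,]*,([^,]+),([^,]+),([^,]*,){15,15}([^,]+),([^,]+),[^,]*,[^,]*,[^,]*,([^,]+),/
    threshold track_by=$1:$2:$4:$5:$6,type=limit,count=1,seconds=60
    pipe "/opt/momentum_client/bin/syslog_pcap_save.pl 192.168.1.145 3"

# paloalto PA CSV format log, TRAFFIC end, threshold by src,dst
# Fallback for TRAFFIC end records the 5-tuple rule above did not match.
watchfor /TRAFFIC,end,[^,]*,[^,]*,([^,]+),([^,]+),/
    threshold track_by=$1:$2,type=limit,count=1,seconds=60
    pipe "/opt/momentum_client/bin/syslog_pcap_save.pl 192.168.1.145 3"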