
/etc/prelude-lml/ruleset/symantec-epm.rules is in prelude-lml-rules 4.1.0-1.

This file is owned by root:root, with mode 0o644.

#FULLNAME: Symantec EPM
#VERSION: 1.0
#DESCRIPTION: Symantec Endpoint Protection is an antivirus and personal firewall software for centrally managed corporate environments providing security for both servers and workstations.

#####
#
# Copyright (C) 2012 Seguridadx <operador@seguridadx.com>
# twitter: <www.twitter.com/seguridad_x>
# All Rights Reserved
#
# Copyright (C) 2014-2017 CS-SI <support.prelude@c-s.fr>
# All Rights Reserved.
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
#####

#DESCRIPTION:Allowed Messages
#CATEGORY:Update
#LOG:Dec  1 12:23:14 SymantecServer antivirus.example.com: Site: PLESSIS,Server: antivirus.example.com,Successfully downloaded the Virus and Spyware definitions
# Chained parent rule for this file. It only matches the "SymantecServer <host>:"
# syslog prefix; every rule below ends with "goto=172000000" so that the
# analyzer(0).* identity and the vendor-specific classification origin are
# stamped on the alert that the child rule builds. The rule is marked
# "chained; silent", i.e. it is not intended to raise an alert on its own.
# No capture groups: nothing from the log line is copied into the alert here.
regex=SymantecServer \S+:; \
 classification.reference(0).origin=vendor-specific; \
 id=172000000; \
 chained; silent; \
 revision=1; \
 analyzer(0).name=Symantec Antivirus; \
 analyzer(0).manufacturer=www.symantec.com; \
 analyzer(0).class=Antivirus

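#DESCRIPTION:Symantec Virus and Spyware definitions have been updated
#CATEGORY:Update
#LOG:Dec  1 12:23:14 SymantecServer antivirus.example.com: Site: PLESSIS,Server: antivirus.example.com,Successfully downloaded the Virus and Spyware definitions
# Captures: $1 = site name, $2 = the "Server:" field, which is a host name in
# the sample log (antivirus.example.com). It is therefore recorded as
# target(0).node.name; the former node.address with category=ipv4-addr is meant
# for a dotted-quad address, and a host name placed there misleads any
# consumer that correlates alerts by IP. Both captures use \S+, so a site or
# server name containing whitespace will not match this rule.
regex=Site: (\S+),Server: (\S+),Successfully downloaded the Virus and Spyware definitions; \
 classification.text=Virus and Spyware definition update; \
 id=172000100; \
 revision=3; \
 assessment.impact.severity=info; \
 assessment.impact.type=other; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Symantec Virus and Spyware definitions have been updated; \
 target(0).node.name=$2; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Site Name; \
 additional_data(0).data=$1; \
 goto=172000000; \
 last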

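#DESCRIPTION:SONAR definitions have been updated
#CATEGORY:Update
#LOG:Dec  1 12:23:14 SymantecServer antivirus.example.com: Site: PLESSIS,Server: antivirus.example.com,Successfully downloaded the SONAR
# Captures: $1 = site name, $2 = the "Server:" field, which is a host name in
# the sample log (antivirus.example.com). It is therefore recorded as
# target(0).node.name; the former node.address with category=ipv4-addr is meant
# for a dotted-quad address, and a host name placed there misleads any
# consumer that correlates alerts by IP. Both captures use \S+, so a site or
# server name containing whitespace will not match this rule.
regex=Site: (\S+),Server: (\S+),Successfully downloaded the SONAR; \
 classification.text=SONAR definition update; \
 id=172000101; \
 revision=3; \
 assessment.impact.severity=info; \
 assessment.impact.type=other; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=SONAR definitions have been updated; \
 target(0).node.name=$2; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Site Name; \
 additional_data(0).data=$1; \
 goto=172000000; \
 last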

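#DESCRIPTION:Intrusion Prevention signatures definitions have been updated
#CATEGORY:Update
#LOG:Dec  1 12:23:14 SymantecServer antivirus.example.com: Site: PLESSIS,Server: antivirus.example.com,Successfully downloaded the Intrusion Prevention signatures
# Captures: $1 = site name, $2 = the "Server:" field, which is a host name in
# the sample log (antivirus.example.com). It is therefore recorded as
# target(0).node.name; the former node.address with category=ipv4-addr is meant
# for a dotted-quad address, and a host name placed there misleads any
# consumer that correlates alerts by IP. Both captures use \S+, so a site or
# server name containing whitespace will not match this rule.
regex=Site: (\S+),Server: (\S+),Successfully downloaded the Intrusion Prevention signatures; \
 classification.text=Intrusion Prevention signatures definition update; \
 id=172000102; \
 revision=3; \
 assessment.impact.severity=info; \
 assessment.impact.type=other; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Intrusion Prevention signatures definitions have been updated; \
 target(0).node.name=$2; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Site Name; \
 additional_data(0).data=$1; \
 goto=172000000; \
 last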

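#DESCRIPTION:Successfully downloaded the Revocation Data security definitions
#CATEGORY:Update
#LOG:Apr  9 10:47:33 SymantecServer antivirus.example.com: Site: PLESSIS,Server: antivirus.example.com,Successfully downloaded the Revocation Data security definitions from LiveUpdate
# Captures: $1 = site name, $2 = the "Server:" field, which is a host name in
# the sample log (antivirus.example.com). It is therefore recorded as
# target(0).node.name; the former node.address with category=ipv4-addr is meant
# for a dotted-quad address, and a host name placed there misleads any
# consumer that correlates alerts by IP. Both captures use \S+, so a site or
# server name containing whitespace will not match this rule. The trailing
# "from LiveUpdate" is part of the literal match, unlike the three rules above.
regex=Site: (\S+),Server: (\S+),Successfully downloaded the Revocation Data security definitions from LiveUpdate; \
 classification.text=Revocation Data security definitions; \
 id=172000103; \
 revision=3; \
 assessment.impact.severity=info; \
 assessment.impact.type=other; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Successfully downloaded the Revocation Data security definitions; \
 target(0).node.name=$2; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Site Name; \
 additional_data(0).data=$1; \
 goto=172000000; \
 last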

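#DESCRIPTION:Virus found
#CATEGORY:Malware
#LOG:Dec 12 17:07:08 SymantecServer antivirus.example.com: Virus found,Computer name: A01LTFW21052,Source: Real Time Scan,Risk name: W32.Downadup!autorun,Occurrences: 1,E:\autorun.inf,"",Actual action: Cleaned by deletion
# Captures: $1 = computer name, $2 = risk name, $3 = occurrences, $4 = actual
# action. Fixes relative to revision 2: the impact description now reports the
# computer name ($1) instead of the risk name ($2), and the computer name --
# a host name in the sample log -- is stored in target(0).node.name instead of
# an ipv4-addr address field.
# The segment between the computer name and "Risk name:" is non-greedy so that
# $2 is taken from the first "Risk name:" field, which in the sample precedes
# the file path. The path and the fields after it are chosen by whoever
# created the file, so a path embedding ",Risk name: ..." or
# ",Actual action: ..." can still influence what this rule reports; treat $2
# and $4 as untrusted when triaging. "Actual action:" keeps the greedy match
# because the genuine field is the last one on the line in the sample.
# completion=succeeded is fixed regardless of $4: an action of "Left alone"
# means the file was not remediated even though the alert says succeeded.
regex=Virus found.+Computer name: (\S+),.+?,Risk name: ([^,]+),Occurrences: (\d+),.+,Actual action: ([^,]+); \
 classification.text=Virus found; \
 id=172000104; \
 revision=3; \
 assessment.impact.severity=high; \
 assessment.impact.type=file; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=Virus found, Computer name: $1; \
 target(0).node.name=$1; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Risk name; \
 additional_data(0).data=$2; \
 additional_data(1).type=integer; \
 additional_data(1).meaning=Occurrences; \
 additional_data(1).data=$3; \
 additional_data(2).type=string; \
 additional_data(2).meaning=Actual action; \
 additional_data(2).data=$4; \
 goto=172000000; \
 last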

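#DESCRIPTION:SONAR threat detected
#CATEGORY:Malware
#LOG:Dec 12 17:07:08 SymantecServer antivirus.example.com: ,Forced SONAR threat detected,Computer name: A01LTFW21052,Detection type: Heuristic,First Seen: Reputation was not used in this detection.,Application name: MAGic Screen Magnification,Application type: Trojan Worm,Application version: "11, 0, 4356, 400",Hash type: SHA-1,Application hash: 1ce39d44cc735db5788f07b25c5bb32c6ca48c09,Company name: "Freedom Scientific BLV Group, LLC",File size (bytes): 421144,Sensitivity: 0,Detection score: 0,COH Engine Version: ,Detection Submissions No,Permitted application reason: MDS,Disposition: Reputation was not used in this detection.,Download site: ,Web domain: ,Downloaded by: ,Prevalence: Reputation was not used in this detection.,Confidence: Reputation was not used in this detection.,URL Tracking Status: Off,Risk Level: N/A,Detection Source: N/A,Source: Heuristic Scan,Risk name: ,Occurrences: 1,c:\program files\freedom scientific\magic\11.0\magengnt\mag.exe,"c:\program files\freedom scientific\magic\11.0\magengnt\mag.exe",Actual action: Left alone,Requested action: Left alone,Secondary action: Forced detection using file name,Event time: 2013-01-09 12:57:51,Inserted: 2013-01-09 12:58:47,End: 2013-01-09 12:57:51,Domain: Default,Group: My Company\klient\All Laptops\LaptopsW7,Server: a01mmfw016,User: R117493,Source computer: ,Source IP:
# Captures: $1 = computer name, $2 = detection type, $3 = application name.
# The computer name is a host name in the sample log, so it is stored in
# target(0).node.name rather than in an ipv4-addr address field (the change
# from revision 2).
# Coverage caveats visible in the regex: it only matches the "Forced SONAR
# threat detected" variant, and only when the literal "First Seen: Reputation
# was not used in this detection." is present. A SONAR line without "Forced",
# or one where reputation data was used, is not matched by any rule in this
# file. The application name ($3) is taken from attacker-chosen file metadata
# and should be treated as untrusted.
# completion=succeeded is fixed even though the sample shows
# "Actual action: Left alone", i.e. nothing was remediated.
regex=Forced SONAR threat detected,Computer name: (\S+),Detection type: (\S+),First Seen: Reputation was not used in this detection\.,Application name: ([^,]+); \
 classification.text=Forced SONAR threat detected; \
 id=172000200; \
 revision=3; \
 assessment.impact.severity=high; \
 assessment.impact.type=file; \
 assessment.impact.completion=succeeded; \
 assessment.impact.description=SONAR threat detected, Computer name: $1; \
 target(0).node.name=$1; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Detection type; \
 additional_data(0).data=$2; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Application name; \
 additional_data(1).data=$3; \
 goto=172000000; \
 last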