##### # # Copyright (C) 2003 G Ramon Gomez <gene at gomezbrothers dot com> # Tyco Fire and Security GTS (www.tycofireandsecurity.com) # All Rights Reserved # # This file is part of the Prelude-LML program. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2, or (at your option) # any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; see the file COPYING. If not, write to # the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA. # ##### ##### # # The rules included here were developed using Norton Antivirus Corportate # Edition 7.60 events collected using NTSysLog. Please report any # inconsistencies on other versions to G Ramon Gomez at the address provided # above # ##### #LOG:Nov 3 17:10:28 mrfreeze.itg.sac.tfs norton antivirus[error] 5 Virus Found!Virus name: W32.Yaha.F@mm.enc in File: C:\Program Files\Exchsrvr\Mailroot\vsi 1\Queue\NTFS_6e44a57a01c3a270000282de.EML by: Realtime Protection scan. Action: Clean failed : Quarantine failed : Access denied regex=Virus Found!Virus name: (\S+) in File: (.+) by: (.+). Action: (.+); \ classification.text=Virus found: $1; \ id=1200; \ revision=2; \ analyzer(0).name=Norton Antivirus Corporate Edition; \ analyzer(0).manufacturer=Symantec; \ analyzer(0).class=Antivirus; \ assessment.impact.severity=high; \ assessment.impact.type=file; \ assessment.impact.completion=succeeded; \ assessment.impact.description=A virus has been identified by Norton Antivirus; \ source(0).process.name=$3; \ additional_data(0).type=string; \ additional_data(0).meaning=File location; \ additional_data(0).data=$2; \ additional_data(1).type=string; \ additional_data(1).meaning=Malware name; \ additional_data(1).data=$1; \ additional_data(2).type=string; \ additional_data(2).meaning=Action taken; \ additional_data(2).data=$4; \ last #LOG:Nov 6 00:23:51 superman.itg.sac.tfs norton antivirus[info] 16 Download of virus definition file from LiveUpdate server succeeded. regex=Download of virus definition file from LiveUpdate server succeeded; \ classification.text=Virus definition update; \ id=1201; \ revision=2; \ analyzer(0).name=Norton Antivirus Corporate Edition; \ analyzer(0).manufacturer=Symantec; \ analyzer(0).class=Antivirus; \ assessment.impact.severity=info; \ assessment.impact.type=other; \ assessment.impact.completion=succeeded; \ assessment.impact.description=Norton Antivirus Virus definitions have been updated; \ last #LOG:Oct 23 08:46:50 smf-syslog-02 norton/smf-utility-01 antivirus[info] New virus definition file loaded. Version: 81019bn. regex=New virus definition file loaded. Version: (\S+); \ classification.text=Virus definition update; \ id=1202; \ revision=1; \ analyzer(0).name=Norton Antivirus Corporate Edition; \ analyzer(0).manufacturer=Symantec; \ analyzer(0).class=Antivirus; \ assessment.impact.severity=info; \ assessment.impact.type=other; \ assessment.impact.completion=succeeded; \ assessment.impact.description=Norton Antivirus Virus definitions have been updated; \ additional_data(0).type=string; \ additional_data(0).meaning=Definition version; \ additional_data(0).data=$1; \ last #LOG:Oct 25 11:28:00 smf-syslog-02 norton/smf-utility-01 antivirus[info] Update to computer SMF-SLS-CBROWN2 of virus definition file 81019bn failed. Status FFFFFFFF regex=Update to computer (\S+) of virus definition file (\S+) failed. Status (\S+); \ classification.text=Virus definition update; \ id=1203; \ revision=1; \ analyzer(0).name=Norton Antivirus Corporate Edition; \ analyzer(0).manufacturer=Symantec; \ analyzer(0).class=Antivirus; \ assessment.impact.severity=medium; \ assessment.impact.type=other; \ assessment.impact.completion=failed; \ assessment.impact.description=Norton Antivirus Virus definition update to $1 failed.; \ target(0).node.address(0).category=unknown; \ target(0).node.address(0).address=$1; \ target(0).node.name=$1; \ additional_data(0).type=string; \ additional_data(0).meaning=Definition version; \ additional_data(0).data=$2; \ additional_data(1).type=string; \ additional_data(1).meaning=Error code; \ additional_data(1).data=$3; \ last #LOG:Oct 23 09:05:04 smf-syslog-02 norton/smf-utility-01 antivirus[info] Removed Client SMF-HR-JLEE_::_CE2C654442CBAD576E3B25A97E378EFF Last Checkin Time: Thu Oct 19 18:33:08 2006 regex=Removed Client (\S+)_::\S+ Last Checkin Time: (.+); \ classification.text=System unmanaged; \ id=1204; \ revision=1; \ analyzer(0).name=Norton Antivirus Corporate Edition; \ analyzer(0).manufacturer=Symantec; \ analyzer(0).class=Antivirus; \ assessment.impact.severity=medium; \ assessment.impact.type=other; \ assessment.impact.completion=failed; \ assessment.impact.description=$1 hasn't checked in with Norton Antivirus Virus since $2. Norton Antivirus is no longer managing it.; \ target(0).node.address(0).category=unknown; \ target(0).node.address(0).address=$1; \ target(0).node.name=$1; \ additional_data(0).type=string; \ additional_data(0).meaning=Last checkin; \ additional_data(0).data=$2; \ last