##### # # Copyright (C) 2005 Herve Debar <herve dot debar at francetelecom dot com> # All Rights Reserved # # This file is part of the Prelude-LML program. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2, or (at your option) # any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; see the file COPYING. If not, write to # the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA. # ##### # anomaly messages, one resource_body followed by multione router_body # LOG: Apr 17 06:52:57 arbordos.mynetwork.net pfDoS: anomaly Protocol id 92480 status ongoing severity 5 src 0.0.0.0/0 All dst 2.2.0.0/16 Intellig_ start 2005-04-17 06:45:41 +0200 duration 360 percent 214.27 rate 5e+06 rateUnit bps protocol tcp flags nil url https://doscont/anomaly/?attack_id=92480 regex=anomaly ([a-zA-Z_-]+) id (\d+) status (\w+) severity (\d+) src ([\d\./]+) \w+ dst ([\d\./]+) \w+ start ([\d- :\+]+) duration (\d+) percent (\d+\.?\d*) rate ([\de\+\-]+) rateUnit (\w+) protocol (\w+) flags (\w+) url (\S+); \ classification.text=Arbor Anomaly $1; \ classification.reference(0).origin=vendor-specific; \ classification.reference(0).meaning=arbor_id; \ classification.reference(0).name=$2; \ classification.reference(0).url=http://www.arbornetworks.com/; \ classification.reference(1).origin=vendor-specific; \ classification.reference(1).meaning=arbor_status; \ classification.reference(1).name=$3; \ classification.reference(1).url=http://www.arbornetworks.com/; \ classification.reference(2).origin=vendor-specific; \ classification.reference(2).meaning=arbor_severity; \ classification.reference(2).name=$4; \ classification.reference(2).url=http://www.arbornetworks.com/; \ id=4300; \ revision= 1; \ analyzer(0).name=ArborDos; \ analyzer(0).manufacturer=Arbor; \ assessment.impact.type=dos; \ assessment.impact.severity=medium; \ assessment.impact.description=DDoS attack $3 detected; \ source(0).node.address(0).category=ipv4-net; \ source(0).node.address(0).address=$5; \ target(0).node.address(0).category=ipv4-net; \ target(0).node.address(0).address=$6; \ additional_data(0).type=date-time; \ additional_data(0).meaning=Attack start time; \ additional_data(0).data=$7; \ additional_data(1).type=integer; \ additional_data(1).meaning=Attack duration in seconds; \ additional_data(1).data=$8; \ additional_data(2).type=real; \ additional_data(2).meaning=arbor percent; \ additional_data(2).data=$9; \ additional_data(3).type=real; \ additional_data(3).meaning=Traffic rate in $11; \ additional_data(3).data=$10; \ additional_data(4).type=string; \ additional_data(4).meaning=Attack protocol; \ additional_data(4).data=$12; \ additional_data(5).type=string; \ additional_data(5).meaning=Protocol flags; \ additional_data(5).data=$13; \ additional_data(6).type=string; \ additional_data(6).meaning=Detailed information; \ additional_data(6).data=$14; \ last # router body # pr 17 06:52:57 arbordos.mynetwork.net pfDoS: anomaly Protocol id 92480 status ongoing severity 5 router 1.2.3.4 interface 14 incoming regex=anomaly ([a-zA-Z_-]+) id (\d+) status (\w+) severity (\d+) router ([\d\./]+) interface (\S+) (\S+); \ classification.text=Arbor Anomaly Router $1; \ classification.reference(0).origin=vendor-specific; \ classification.reference(0).meaning=arbor_id; \ classification.reference(0).name=$2; \ classification.reference(0).url=http://www.arbornetworks.com/; \ classification.reference(1).origin=vendor-specific; \ classification.reference(1).meaning=arbor_status; \ classification.reference(1).name=$3; \ classification.reference(1).url=http://www.arbornetworks.com/; \ classification.reference(2).origin=vendor-specific; \ classification.reference(2).meaning=arbor_severity; \ classification.reference(2).name=$4; \ classification.reference(2).url=http://www.arbornetworks.com/; \ id=4301; \ revision= 1; \ analyzer(0).name=ArborDos; \ analyzer(0).manufacturer=Arbor; \ assessment.impact.type=dos; \ assessment.impact.severity=medium; \ assessment.impact.description=DDoS attack $3 detected at router; \ additional_data(0).type=ipv4-net; \ additional_data(0).meaning=Router; \ additional_data(0).data=$5; \ additional_data(1).type=integer; \ additional_data(1).meaning=Interface; \ additional_data(1).data=$6; \ additional_data(2).type=string; \ additional_data(2).meaning=Direction; \ additional_data(2).data=$7; \ last # collector_body # collector_body = collector IP collector_status_type since DATE duration SECONDS # /* collector_body fields */ # collector_status_type = lost | found regex=collector (\S+) (\S+) since (.+) duration (\d+); \ classification.text=Arbor Collector; \ id=4302; \ revision=1; \ analyzer(0).name=ArborDos; \ analyzer(0).manufacturer=Arbor; \ assessment.impact.description=DDoS attack measurement; \ additional_data(0).type=string; \ additional_data(0).meaning=Collector; \ additional_data(0).data=$1; \ additional_data(1).type=string; \ additional_data(1).meaning=Status; \ additional_data(1).data=$2; \ additional_data(2).type=date-time; \ additional_data(2).meaning=Since; \ additional_data(2).data=$3; \ additional_data(3).type=integer; \ additional_data(3).meaning=Duration; \ additional_data(3).data=$4; \ last # # netflow_body # /* netflow_body description */ # internalError location IP reason netflow_reason_type since DATE duration SECONDS # /* netflow_body fields */ # netflow_reason_type = netflowMissing | netflowMissingDone regex=internalError location (\S+) reason (\S+) since (.+) duration (\d+); \ classification.text=Arbor Netflow; \ id=4303; \ revision=1; \ analyzer(0).name=ArborDos; \ analyzer(0).manufacturer=Arbor; \ assessment.impact.description=DDoS attack measurement; \ additional_data(0).type=string; \ additional_data(0).meaning=Location; \ additional_data(0).data=$1; \ additional_data(1).type=string; \ additional_data(1).meaning=Reason; \ additional_data(1).data=$2; \ additional_data(2).type=date-time; \ additional_data(2).meaning=Since; \ additional_data(2).data=$3; \ additional_data(3).type=integer; \ additional_data(3).meaning=Duration; \ additional_data(3).data=$4; \ last # # darkip_body # # darkip_body = rtr IP rtrSampleRate INTEGER proto INTEGER src IP dst IP dstPort INTEGER firstSeen DATE lastSeen DATE bytes INTEGER pkts INTEGER flows INTEGER # Apr 17 07:31:22 arbordos.mynetwork.net pfDoS: rtr 1.2.3.4 rtrSampleRate 1000 proto 17 src 192.168.0.69 dst 1.2.3.4 dstPort 11328 firstSeen 2005-04-17 06:31:46 +0200 lastSeen 2005-04-17 06:31:46 +0200 bytes 53 pkts 1 flows 1 regex=rtr ([\d\./]+) rtrSampleRate (\d+) proto (\d+) src ([\d\./]+) dst ([\d\./]+) dstPort (\d+) firstSeen ([\d- :\+]+) lastSeen ([\d- :\+]+) bytes (\d+) pkts (\d+) flows (\d+); \ classification.text=Arbor DarkIP; \ id=4304; \ revision=1; \ analyzer(0).name=ArborDos; \ analyzer(0).manufacturer=Arbor; \ assessment.impact.description=DDoS attack measurement; \ source(0).node.address(0).category=ipv4-net; \ source(0).node.address(0).address=$4; \ target(0).node.address(0).category=ipv4-net; \ target(0).node.address(0).address=$5; \ target(0).service.port=$6; \ additional_data(0).type=string; \ additional_data(0).meaning=Router; \ additional_data(0).data=$1; \ additional_data(1).type=integer; \ additional_data(1).meaning=Router sample rate; \ additional_data(1).data=$2; \ additional_data(2).type=integer; \ additional_data(2).meaning=Protocol; \ additional_data(2).data=$3; \ additional_data(3).type=date-type; \ additional_data(3).meaning=first seen; \ additional_data(3).data=$7; \ additional_data(4).type=date-type; \ additional_data(4).meaning=last seen; \ additional_data(4).data=$8; \ additional_data(5).type=integer; \ additional_data(5).meaning=bytes; \ additional_data(5).data=$9; \ additional_data(6).type=integer; \ additional_data(6).meaning=packets; \ additional_data(6).data=$10; \ additional_data(7).type=integer; \ additional_data(7).meaning=flows; \ additional_data(7).data=$11; \ last