Sophie

Sophie

distrib > Mageia > 4 > x86_64 > by-pkgid > b1ec5baa9373391a50c6029874bd2a23 > files > 40

prelude-lml-1.0.1-4.mga4.x86_64.rpm

#####
#
# Copyright (C) 2003 Vincent Glaume
# Currently supported by G Ramon Gomez <gene at gomezbrothers dot com>
# All Rights Reserved
#
# This file is part of the Prelude-LML program.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; see the file COPYING.  If not, write to
# the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
#
#####

#############################################################################
#
# This ruleset aims at analyzing the logs returned by the ntsyslog
# application, which converts NT events to syslog.
# English logs only.
# TODO:
# *  Add all log entries not currently present
#
#############################################################################


###
# I. Security events
###

# 1. Success events
# 1.a 515
#LOG:Jul 11 09:33:18 somehost.ragingwire.net smf-eng-srobins/smf-eng-srobins security[success] 515 NT AUTHORITY\SYSTEM  A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests.     Logon Process Name:KSecDD
regex=security\[success\] 515 (.*)  A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests.     Logon Process Name:([\w\\]+); \
 classification.text=Authentication system started; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=Windows Event ID; \
 classification.reference(0).name=515; \
 classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com183.html; \
 id=1400; \
 revision=2; \
 analyzer(0).name=NTsyslog; \
 analyzer(0).manufacturer=ntsyslog.sourceforge.net; \
 analyzer(0).class=Logging; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=$2 has registered as a trusted logon process; \
 source(0).process.name=$2; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$1; \
 last

# 1.b 528
#LOG:Jul 11 13:44:11 somehost.ragingwire.net smf-eng-srobins/smf-eng-srobins security[success] 528 SACRAMENTO\ggomez  Successful Logon:  User Name:ggomez  Domain:SACRAMENTO  Logon ID:(0x0,0x16AC1854)  Logon Type:7  Logon Process:User32    Authentication Package:Negotiate  Workstation Name:SMF-ENG-GGOMEZ  Logon GUID: {621924db-649e-3b17-b41a-215e55680eb3}
regex=security\[success\] 528 (.*) Successful Logon:  User Name:([\w ]+)  Domain:(.+)  Logon ID:\(.*\)  Logon Type:(\d+)  Logon Process:(\w+) .* Workstation Name:(\S+); \
 classification.text=Login; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=Windows Event ID; \
 classification.reference(0).name=528; \
 classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com189.html; \
 id=1401; \
 revision=3; \
 analyzer(0).name=NTsyslog; \
 analyzer(0).manufacturer=ntsyslog.sourceforge.net; \
 analyzer(0).class=Logging; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=user; \
 assessment.impact.description=$2 successfully logged on on $6 ($3 domain) via $5; \
 source(0).process.name=$5; \
 source(0).node.address(0).category=unknown; \
 source(0).node.address(0).address=$6; \
 source(0).node.name=$6; \
 source(0).user.category=os-device; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$1; \
 target(0).user.user_id(0).type=current-user; \
 target(0).user.user_id(0).name=$2; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=Logon type; \
 additional_data(0).data=$4; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Authentication domain; \
 additional_data(1).data=$3; \
 last

# 1.c 538
#LOG:Jun 24 15:22:39 bigipnet security[success] 538 NT AUTHORITY\ANONYMOUS LOGON User Logoff: User Name:ANONYMOUS LOGON Domain:NT AUTHORITY Logon ID:(0x0,0x938205) Logon Type:3
regex=security\[success\] 538 .* User Logoff:\s+User Name:([\w ]+) Domain:([\w ]+) Logon ID:\S+ Logon Type:(\d+); \
 classification.text=Logoff; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=Windows Event ID; \
 classification.reference(0).name=538; \
 classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com199.html; \
 id=1402; \
 revision=2; \
 analyzer(0).name=NTsyslog; \
 analyzer(0).manufacturer=ntsyslog.sourceforge.net; \
 analyzer(0).class=Logging; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=user; \
 assessment.impact.description=$1 logged off; \
 source(0).user.category=os-device; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$1; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=Logon type; \
 additional_data(0).data=$3; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Authentication domain; \
 additional_data(1).data=$2; \
 last

# 1.d 560
# Currently broken on Windows 2003; verify against older Windows
#LOG:Jul 11 08:55:16 somehost.ragingwire.net smf-eng-srobins/smf-eng-srobins security[success] 560 NT AUTHORITY\SYSTEM  Object Open:  Object Server:Security Account Manager  Object Type:SAM_DOMAIN  Object Name:SMF-ENG-GGOMEZ  Handle ID:1290248  Operation ID:{0,378510053}  Process ID:944  Image File Name: C:\WINDOWS\system32\lsass.exe  Primary User Name:SMF-ENG-GGOMEZ$  Primary Domain:RES  Primary Logon ID:(0x0,0x3E7)  Client User Name:SMF-ENG-GGOMEZ$  Client Domain:RES  Client Logon ID:(0x0,0x3E7)  Accesses: %%1537 %%1538 %%1539 %%1540 %%5392 %%5393 %%5394 %%5395 %%5396 %%5398 %%5399 %%5400 %%5401 %%5402   Privileges:-  Restricted Sid Count: 0
regex=security\[success\] 560 (.*) Object Open:\s* Object Server:[\w\s]+ Object Type:[\w\_]+\s* Object Name:([\w-]+)\s* Handle ID:\d+\s* Operation ID:.*\s* Process ID:(\d+) [\S ]+ Primary User Name:(\S*)\s* Primary Domain:\S+\s* Primary Logon ID:\S*\s* Client User Name:(\S+)\s* Client Domain; \
 classification.text=Object opened; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=Windows Event ID; \
 classification.reference(0).name=560; \
 classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com202.html; \
 id=1403; \
 revision=2; \
 analyzer(0).name=NTsyslog; \
 analyzer(0).manufacturer=ntsyslog.sourceforge.net; \
 analyzer(0).class=Logging; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=$3 opened an object $2; \
 source(0).user.category=os-device; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$1; \
 source(0).user.user_id(1).type=current-user; \
 source(0).user.user_id(1).name=$4; \
 source(0).user.user_id(2).type=current-user; \
 source(0).user.user_id(2).name=$5; \
 source(0).process.pid=$3; \
 last

# 1.e 562
#LOG:Jul 11 08:55:16 somehost.ragingwire.net smf-eng-srobins/smf-eng-srobins security[success] 562 NT AUTHORITY\SYSTEM  Handle Closed:  Object Server:Security Account Manager  Handle ID:1093856  Process ID:944  Image File Name: C:\WINDOWS\system32\lsass.exe
regex=security\[success\] 562 (.*) Handle Closed:  Object Server:[\w\s]+  Handle ID:(\d+)  Process ID:(\d+)  Image File Name: (.+); \
 classification.text=Object closed; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=Windows Event ID; \
 classification.reference(0).name=562; \
 classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com204.html; \
 id=1404; \
 revision=2; \
 analyzer(0).name=NTsyslog; \
 analyzer(0).manufacturer=ntsyslog.sourceforge.net; \
 analyzer(0).class=Logging; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=Object Handle $2 closed; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$1; \
 target(0).process.pid=$3; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=Handle ID; \
 additional_data(0).data=$2; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Image; \
 additional_data(1).data=$4; \
 last

# 1.g 577
#LOG:Jul 11 15:09:21 somehost.ragingwire.net smf-eng-srobins/smf-eng-srobins security[success] 577 NT AUTHORITY\SYSTEM  Privileged Service Called:  Server: NT Local Security Authority / Authentication Service  Service:LsaRegisterLogonProcess()  Primary User Name:SMF-ENG-GGOMEZ$  Primary Domain:RES  Primary Logon ID:(0x0,0x3E7)  Client User Name:SMF-ENG-GGOMEZ$  Client Domain:RES  Client Logon ID:(0x0,0x3E7)  Privileges:SeTcbPrivilege
regex= security\[success\] 577 (.*)  Privileged Service Called:  Server:.+  Service:(.*)  Primary User Name:(.+)  Primary Domain:.+  Primary Logon ID:\(.*\)  Client User Name:(.+)  Client Domain:.+  Client Logon ID:.+  Privileges:(.+); \
 classification.text=User privilege exercised; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=Windows Event ID; \
 classification.reference(0).name=577; \
 classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com213.html; \
 id=1406; \
 revision=2; \
 analyzer(0).name=NTsyslog; \
 analyzer(0).manufacturer=ntsyslog.sourceforge.net; \
 analyzer(0).class=Logging; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=Service $2 called with the following privileges: $5; \
 source(0).user.category=os-device; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$1; \
 source(0).user.user_id(1).type=current-user; \
 source(0).user.user_id(1).name=$3; \
 source(0).user.user_id(2).type=current-user; \
 source(0).user.user_id(2).name=$4; \
 target(0).node.address(0).category=unknown; \
 target(0).node.address(0).address=$2; \
 target(0).node.name=$2; \
 last

# 1.h
# No log sample; please submit
regex= security\[success\] 643 (.*)  Domain Policy Changed: Password Policy  modified  Domain:(.+)  Domain ID: .+  Caller User Name:(.+); \
 classification.text=Password policy modified; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=Windows Event ID; \
 classification.reference(0).name=643; \
 classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com263.html; \
 id=1407; \
 revision=2; \
 analyzer(0).name=NTsyslog; \
 analyzer(0).manufacturer=ntsyslog.sourceforge.net; \
 analyzer(0).class=Logging; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=User $3 modified the password policy for the $2 domain; \
 source(0).user.category=os-device; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$1; \
 source(0).user.user_id(1).type=current-user; \
 source(0).user.user_id(1).name=$3; \
 last

# 1.i 680
#LOG:Oct 22 20:57:03 smf-syslog-02 smf-dc-01/smf-dc-01 security[success] Account Used for Logon by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0  Account Name:  DRankin  Workstation:   SMF-HLP-16
regex= security\[success\].*Account Used for Logon by: (.+)  Account Name: (.+)  Workstation: (.+); \
 classification.text=Login; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=Windows Event ID; \
 classification.reference(0).name=680; \
 classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com304.html; \
 id=1408; \
 revision=3; \
 analyzer(0).name=NTsyslog; \
 analyzer(0).manufacturer=ntsyslog.sourceforge.net; \
 analyzer(0).class=Logging; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=user; \
 assessment.impact.description=Logon attempt on $3 using the $2 account; \
 source(0).node.address(0).category=unknown; \
 source(0).node.address(0).address=$3; \
 source(0).node.name=$3; \
 source(0).process.name=$1; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$2; \
 last

# 1.j 682
# No log sample; please submit
regex= security\[success\] 682 (.*)  Session reconnected to winstation:  User Name:([\w ]+)  Domain:.+  Logon ID:\(.+\)  Session Name:.+  Client Name:(.+)  Client Address:([\d\.]+); \
 classification.text=Remote control user reconnected; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=Windows Event ID; \
 classification.reference(0).name=682; \
 classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com306.html; \
 id=1409; \
 revision=2; \
 analyzer(0).name=NTsyslog; \
 analyzer(0).manufacturer=ntsyslog.sourceforge.net; \
 analyzer(0).class=Logging; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=Session reconnection from $5; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$4; \
 source(0).node.address(1).category=unknown; \
 source(0).node.address(1).address=$3; \
 source(0).node.name=$3; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$1; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$2; \
 last

# 1.k 683
# No log sample; please submit
regex= security\[success\] 683 (.*)  Session disconnected from winstation:  User Name:([\w ]+)  Domain:.+  Logon ID:\(.+\)  Session Name:.+  Client Name:(.+)  Client Address:([\d\.]+); \
 classification.text=Remote control user disconnected; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=Windows Event ID; \
 classification.reference(0).name=683; \
 classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com307.html; \
 id=1410; \
 revision=2; \
 analyzer(0).name=NTsyslog; \
 analyzer(0).manufacturer=ntsyslog.sourceforge.net; \
 analyzer(0).class=Logging; \
 assessment.impact.severity=low; \
 assessment.impact.completion=succeeded; \
 assessment.impact.type=other; \
 assessment.impact.description=Session reconnection from $4; \
 source(0).node.address(0).category=ipv4-addr; \
 source(0).node.address(0).address=$4; \
 source(0).node.address(1).category=unknown; \
 source(0).node.address(1).address=$3; \
 source(0).node.name=$3; \
 source(0).user.user_id(0).type=target-user; \
 source(0).user.user_id(0).name=$1; \
 source(0).user.user_id(1).type=current-user; \
 source(0).user.user_id(1).name=$2; \
 last

# 1.l other
# No log sample; please submit
#regex= security\[success\] (\d+); \
# classification.text=Windows Event ID [$1]; \
# id=1411; \
# revision=1; \
# analyzer(0).name=NTsyslog; \
# analyzer(0).manufacturer=ntsyslog.sourceforge.net; \
# analyzer(0).class=Logging; \
# assessment.impact.severity=low; \
# assessment.impact.type=other; \
# assessment.impact.description=Security Success message with identifier #$1; \
# last


# 2. Failure events
# 2.a 529 or 534
#LOG:Dec 10 00:23:37 webbrain.itg.sac.tfs security[failure] 529 NT AUTHORITY\SYSTEM  Logon Failure:  Reason:Unknown user name or bad password  User Name:administrator  Domain:ITG  Logon Type:2  Logon Process:Advapi    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0  Workstation Name:WEBBRAIN
regex=security\[failure\] (529|534) .+ Logon Failure:  Reason:(.+)  User Name:([\w ]+)  Domain:(.+)  Logon Type:(\d+)  Logon Process:(\w+)    Authentication Package:.+  Workstation Name:(.+); \
 classification.text=Login; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=Windows Event ID; \
 classification.reference(0).name=$1; \
 id=1412; \
 revision=3; \
 analyzer(0).name=NTsyslog; \
 analyzer(0).manufacturer=ntsyslog.sourceforge.net; \
 analyzer(0).class=Logging; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=failed; \
 assessment.impact.type=user; \
 assessment.impact.description=Logon as $3 failed: $2; \
 source(0).process.name=$6; \
 target(0).node.address(0).category=unknown; \
 target(0).node.address(0).address=$7; \
 target(0).node.name=$7; \
 target(0).user.category=os-device; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$3; \
 additional_data(0).type=integer; \
 additional_data(0).meaning=Logon type; \
 additional_data(0).data=$5; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Authentication domain; \
 additional_data(1).data=$4; \
 last

# 2.b 578
#LOG:Dec  9 17:42:49 testdb.itg.sac.tfs security[failure] 578 ITG\mzirion  Privileged object operation:  Object Server:Security  Object Handle:4294967295  Process ID:3540  Primary User Name:TESTDB$  Primary Domain:ITG  Primary Logon ID:(0x0,0x3E7)  Client User Name:mzirion  Client Domain:ITG  Client Logon ID:(0x2,0x5E829351)  Privileges:SeIncreaseBasePriorityPrivilege
regex=security\[failure\] 578 .+ Privileged object operation:  Object Server:Security  Object Handle:\d+  Process ID:(\d+)  Primary User Name:(.+)  Primary Domain:(.+)  Primary Logon ID:\(.*\)  Client User Name:([\w ]+)  Client.+Privileges:(\S+); \
 classification.text=User privilege exercised; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=Windows Event ID; \
 classification.reference(0).name=578; \
 classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com214.html; \
 id=1413; \
 revision=2; \
 analyzer(0).name=NTsyslog; \
 analyzer(0).manufacturer=ntsyslog.sourceforge.net; \
 analyzer(0).class=Logging; \
 assessment.impact.severity=medium; \
 assessment.impact.type=user; \
 target(0).process.pid=$1; \
 source(0).user.category=os-device; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$2; \
 source(0).user.user_id(1).type=current-user; \
 source(0).user.user_id(1).name=$4; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Authentication domain; \
 additional_data(0).data=$3; \
 additional_data(1).type=string; \
 additional_data(1).meaning=Privileges; \
 additional_data(1).data=$5; \
 last

# 2.c 627
# LOG:Dec  7 20:07:49 testdb.itg.sac.tfs security[failure] 627 NT AUTHORITY\SYSTEM  Change Password Attempt:  Target Account Name:TsInternetUser  Target Domain:TESTDB  Target Account ID: %{S-1-5-21-854245398-413027322-725345543-1000}  Caller User Name:TESTDB$  Caller Domain:ITG  Caller Logon ID:(0x0,0x3E7)  Privileges:-
regex= security\[failure\] 627 (.+)  Change Password Attempt:  Target Account Name:(.+)  Target Domain:(.+)  Target Account ID:.+  Caller User Name:(.+); \
 classification.text=Password change; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=Windows Event ID; \
 classification.reference(0).name=627; \
 classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com247.html; \
 id=1414; \
 revision=2; \
 analyzer(0).name=NTsyslog; \
 analyzer(0).manufacturer=ntsyslog.sourceforge.net; \
 analyzer(0).class=Logging; \
 assessment.impact.severity=medium; \
 assessment.impact.type=user; \
 assessment.impact.description=$4 attempted to change the password for $2 on the $3 domain; \
 source(0).user.category=os-device; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$1; \
 source(0).user.user_id(1).type=current-user; \
 source(0).user.user_id(1).name=$4; \
 target(0).user.category=os-device; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$2; \
 additional_data(0).type=string; \
 additional_data(0).meaning=Authentication domain; \
 additional_data(0).data=$3; \
 last

# 2.d 681
# LOG:Dec 10 08:20:07 mrfreeze.itg.sac.tfs security[failure] 681 NT AUTHORITY\SYSTEM  The logon to account: tfslegalask@itg.sac.tfs  by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0  from workstation: MRFREEZE  failed. The error code was: 3221225572
regex=security\[failure\] 681 (.+)  The logon to account: (\S+)  by:.+  from workstation: (\w+); \
 classification.text=Login; \
 classification.reference(0).origin=vendor-specific; \
 classification.reference(0).meaning=Windows Event ID; \
 classification.reference(0).name=681; \
 classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com326.html; \
 id=1415; \
 revision=3; \
 analyzer(0).name=NTsyslog; \
 analyzer(0).manufacturer=ntsyslog.sourceforge.net; \
 analyzer(0).class=Logging; \
 assessment.impact.severity=medium; \
 assessment.impact.completion=failed; \
 assessment.impact.type=user; \
 assessment.impact.description=Logon as $2 from $3 failed; \
 source(0).user.user_id(0).type=current-user; \
 source(0).user.user_id(0).name=$1; \
 source(0).node.address(0).category=unknown; \
 source(0).node.address(0).address=$3; \
 source(0).node.name=$3; \
 target(0).user.category=os-device; \
 target(0).user.user_id(0).type=target-user; \
 target(0).user.user_id(0).name=$2; \
 last

# 2.e other
# No log sample; please submit
#regex= security\[failure\] (\d+); \
# classification.text=Windows Event ID [$1]; \
# id=1416; \
# revision=1; \
# analyzer(0).name=NTsyslog; \
# analyzer(0).manufacturer=ntsyslog.sourceforge.net; \
# analyzer(0).class=Logging; \
# assessment.impact.severity=medium; \
# assessment.impact.type=other; \
# assessment.impact.description=Security Failure message with identifier #$1; \
# last

Perl :: Catalyst :: PostgreSQL :: RPM Valid HTML 4.01 Transitional