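# SEC (Simple Event Correlator) ruleset operating on IDMEF messages
# (ptype=IDMEF). Rules are evaluated top to bottom; every active rule except
# the Suppress rule uses continue=TakeNext, so one message can feed several
# correlations. Correlated alerts are emitted with the "prelude" action.
#
# Context naming used for correlation state:
#   HAS_*_USER_<messageid>   short-lived guard so a message is associated once
#   HOST_USER_<address>      user line observed on an address (600 s)
#   *_IDENT_<key>            store of alertident lines feeding a threshold rule

# Associate user with address (1 of 4)
# Looks for target addresses that have a corresponding target user, and
# records that for 600 seconds.
# %s (the desc) is the IDMEF line stored into HOST_USER_<target address>.
type=Single
ptype=IDMEF
pattern=messageid: (\d+); \
        target(0).node.address(0).address: (.+); \
        target(0).user.user_id(0).name: (.+)
context=!HAS_TARGET_USER_$1
continue=TakeNext
desc=target(0).user.user_id(0).name: $3
action=create HAS_TARGET_USER_$1 60; \
       create HOST_USER_$2 600; \
       add HOST_USER_$2 %s

# Associate user with address (2 of 4)
# Looks for source addresses that have a corresponding source user, and
# records that for 600 seconds.
# Stores into the same HOST_USER_<address> context as rule 1; the stored
# line keeps its IDMEF path, so the store can hold a target-user line, a
# source-user line, or both for one address.
type=Single
ptype=IDMEF
pattern=messageid: (\d+); \
        source(0).node.address(0).address: (.+); \
        source(0).user.user_id(0).name: (.+)
context=!HAS_SOURCE_USER_$1
continue=TakeNext
desc=source(0).user.user_id(0).name: $3
action=create HAS_SOURCE_USER_$1 60; \
       create HOST_USER_$2 600; \
       add HOST_USER_$2 %s

# *** THE NEXT TWO RULES ARE BROKEN! FIX THEM!
# NOTE(review): one visible inconsistency -- rules 1 and 2 both write into
# HOST_USER_<address>, and the stored line carries its path
# ("target(0).user..." vs "source(0).user..."), so rule 3 can append a
# target-user line to a source-address event and rule 4 the reverse.
# Splitting the store into per-direction contexts would remove that; whether
# it is the only defect cannot be told from this file. Both rules re-inject a
# synthetic copy of the event ("event %NEW_EVENT"); the HAS_*_USER_<messageid>
# guard they create appears to be what keeps the copy from matching again.

# Associate user with address (3 of 4)
# Looks for source addresses with no corresponding source user, but for which
# a source user has previously been observed. It recreates the event,
# appending the source user to the end
#type=Single
#ptype=IDMEF
#pattern=messageid: (\d+); \
#        source(0).node.address(0).address: (.+);
#context=(!HAS_SOURCE_USER_$1) && HOST_USER_$2
#desc=$0
#action=add NEW_EVENT %s; \
#       copy HOST_USER_$2 %USERNAME; \
#       add NEW_EVENT %USERNAME; \
#       copy NEW_EVENT %NEW_EVENT; \
#       delete NEW_EVENT; \
#       create HAS_SOURCE_USER_$1 60; \
#       event %NEW_EVENT

# Associate user with address (4 of 4)
# Looks for target addresses with no corresponding target user, but for which
# a target user has previously been observed. It recreates the event,
# appending the target user to the end
#type=Single
#ptype=IDMEF
#pattern=messageid: (\d+); \
#        target(0).node.address(0).address: (.+);
#context=(!HAS_TARGET_USER_$1) && HOST_USER_$2
#desc=$0
#action=add NEW_EVENT %s; \
#       copy HOST_USER_$2 %USERNAME; \
#       add NEW_EVENT %USERNAME; \
#       copy NEW_EVENT %NEW_EVENT; \
#       delete NEW_EVENT; \
#       create HAS_TARGET_USER_$1 60; \
#       event %NEW_EVENT

# Suppress info and low events
# Processing stops here for info/low severity messages, so they never reach
# the threshold rules below: low-severity probes do not count toward the
# worm, scan or sweep thresholds. Move this rule below them if they should.
type=Suppress
ptype=IDMEF
pattern=assessment.impact.severity: (info|low)

# Previously unknown worm-like activity (1 of 3)
# This rule looks for events against a host, records the messageid, then sets
# a timer of 600 seconds. Future events against the same host of the same type
# extend this timer.
# The "eval" runs Perl: %analyzerid is analyzer(-1).analyzerid, falling back
# to analyzer(-2).analyzerid when the first capture is empty.
# NOTE(review): $2/$3 are interpolated into Perl source and (.*) accepts any
# characters, so an analyzerid containing a quote, "$" or "@" would change
# the expression. Tighten the capture (e.g. ([\w.-]*)) if analyzers are not
# fully trusted. The same construct is used by every "(1 of N)" rule below.
type=Single
ptype=IDMEF
pattern=messageid: (\d+); \
        analyzer(-1).analyzerid: (.*); \
        analyzer(-2).analyzerid: (.*); \
        classification.text: (.+); \
        target(0).node.address(0).address: (.+)
continue=TakeNext
desc=correlation_alert.alertident(>>).alertident=$1; \
     correlation_alert.alertident(-1).analyzerid=%analyzerid;
action=eval %analyzerid ("$2" || "$3"); \
       add WORM_HOST_IDENT_$5_$4 %s; \
       set WORM_HOST_IDENT_$5_$4 600

# NOTE(review): rules 2 and 3 of this group originally gated on
# WORM_HOST_$5_$4 / WORM_HOST_$2_$1, but nothing in this file creates a
# context with that name -- rule 1 only creates
# WORM_HOST_IDENT_<target>_<classification> (the "timer" its comment refers
# to), so both gates could never be satisfied from this file alone. They now
# reference that context. If a separate WORM_HOST_* context is created by
# another ruleset loaded alongside this one, revert to the original names.

# Previously unknown worm-like activity (2 of 3)
# This rule records events being played from a host against other hosts, but
# only if that same event has been seen played against that host within the
# timer period, and records the messageid. It doesn't interact with the timer
# otherwise.
type=Single
ptype=IDMEF
pattern=messageid: (\d+); \
        analyzer(-1).analyzerid: (.*); \
        analyzer(-2).analyzerid: (.*); \
        classification.text: (.+); \
        source(0).node.address(0).address: (.+)
context=WORM_HOST_IDENT_$5_$4
continue=TakeNext
desc=correlation_alert.alertident(>>).alertident=$1; \
     correlation_alert.alertident(-1).analyzerid=%analyzerid
action=eval %analyzerid ("$2" || "$3"); \
       add WORM_HOST_IDENT_$5_$4 %s

# Previously unknown worm-like activity (3 of 3)
# This rule looks for 5 matches of an event being played by a host against
# other hosts, but only if that same event was played against the host within
# the timer period above.
# Deleting the IDENT store also ends the gate for rules 2 and 3 until a new
# inbound event re-creates it. Unlike the other threshold rules below, this
# desc sets no classification.text -- presumably intentional, verify.
type=SingleWithThreshold
ptype=IDMEF
pattern=classification.text: (.+); \
        source(0).node.address(0).address: (.+)
context=WORM_HOST_IDENT_$2_$1
continue=TakeNext
desc=assessment.impact.severity=high; \
     assessment.impact.description=$2 has repeated actions taken against it recently at least 5 times. It may have been infected with a worm.; \
     correlation_alert.name=Possible Worm Activity
action=copy WORM_HOST_IDENT_$2_$1 %ALERT_IDENTS; \
       delete WORM_HOST_IDENT_$2_$1; \
       add IDMEF_MESSAGE %s; \
       add IDMEF_MESSAGE %ALERT_IDENTS; \
       copy IDMEF_MESSAGE %IDMEF_MESSAGE; \
       delete IDMEF_MESSAGE; \
       prelude %IDMEF_MESSAGE
thresh=5
window=600

# Repeated activity against a particular user (1 of 2)
# Records one alertident line per message into USER_<target user>_<class>
# and keeps that store alive for 3600 s from the latest message.
type=Single
ptype=IDMEF
pattern=messageid: (\d+); \
        analyzer(-1).analyzerid: (.*); \
        analyzer(-2).analyzerid: (.*); \
        classification.text: (.+); \
        target(0).user.user_id(0).name: (.+)
continue=TakeNext
desc=correlation_alert.alertident(>>).alertident=$1; \
     correlation_alert.alertident(-1).analyzerid=%analyzerid
action=eval %analyzerid ("$2" || "$3"); \
       add USER_$5_$4 %s; \
       set USER_$5_$4 3600

# Repeated activity against a particular user (2 of 2)
# Fires on the 5th message for the same (classification, target user) within
# 3600 s. The emitted IDMEF message is this desc followed by the collected
# alertident lines; the store is deleted so the next 5 start a fresh count.
type=SingleWithThreshold
ptype=IDMEF
pattern=classification.text: (.+); \
        target(0).user.user_id(0).name: (.+)
continue=TakeNext
desc=classification.text=$1; \
     assessment.impact.severity=high; \
     assessment.impact.description=5 alerts have been recorded against $2. Someone may be attacking this account; \
     correlation_alert.name=User Threshold Exceeded; additional_data(>>).data = ignore_atomic_event;
action=copy USER_$2_$1 %ALERT_IDENTS; \
       delete USER_$2_$1; \
       add IDMEF_MESSAGE %s; \
       add IDMEF_MESSAGE %ALERT_IDENTS; \
       copy IDMEF_MESSAGE %IDMEF_MESSAGE; \
       delete IDMEF_MESSAGE; \
       prelude %IDMEF_MESSAGE
thresh=5
window=3600

# Particular users who may be generating excess traffic (1 of 2)
# Same store-and-refresh scheme keyed on the source user only.
type=Single
ptype=IDMEF
pattern=messageid: (\d+); \
        analyzer(-1).analyzerid: (.*); \
        analyzer(-2).analyzerid: (.*); \
        source(0).user.user_id(0).name: (.+)
continue=TakeNext
desc=correlation_alert.alertident(>>).alertident=$1; \
     correlation_alert.alertident(-1).analyzerid=%analyzerid
action=eval %analyzerid ("$2" || "$3"); \
       add NOISY_USER_$4 %s; \
       set NOISY_USER_$4 3600

# Particular users who may be generating excess traffic (2 of 2)
# Fires on the 25th message from the same source user within 3600 s.
type=SingleWithThreshold
ptype=IDMEF
pattern=source(0).user.user_id(0).name: (.+)
continue=TakeNext
desc=classification.text=Correlated Alert Composite; \
     assessment.impact.severity=high; \
     assessment.impact.description=25 alerts have been recorded from $1. This account may be launching attacks; \
     correlation_alert.name=User Threshold Exceeded; additional_data(>>).data = ignore_atomic_event;
action=copy NOISY_USER_$1 %ALERT_IDENTS; \
       delete NOISY_USER_$1; \
       add IDMEF_MESSAGE %s; \
       add IDMEF_MESSAGE %ALERT_IDENTS; \
       copy IDMEF_MESSAGE %IDMEF_MESSAGE; \
       delete IDMEF_MESSAGE; \
       prelude %IDMEF_MESSAGE
thresh=25
window=3600

# Repeated activity from one host to one target matching a particular type (1 of 2)
# Store keyed on (source address, target address); any classification counts.
type=Single
ptype=IDMEF
pattern=messageid: (\d+); \
        analyzer(-1).analyzerid: (.*); \
        analyzer(-2).analyzerid: (.*); \
        source(0).node.address(0).address: (.+); \
        target(0).node.address(0).address: (.+)
continue=TakeNext
desc=correlation_alert.alertident(>>).alertident=$1; \
     correlation_alert.alertident(-1).analyzerid=%analyzerid;
action=eval %analyzerid ("$2" || "$3"); \
       add EVENTSCAN_SOURCE_TARGET_IDENT_$4_$5 %s; \
       set EVENTSCAN_SOURCE_TARGET_IDENT_$4_$5 3600

# Repeated activity from one host to one target matching a particular type (2 of 2)
# Fires on the 30th message for the same source/target pair within 3600 s.
type=SingleWithThreshold
ptype=IDMEF
pattern=source(0).node.address(0).address: (.+); \
        target(0).node.address(0).address: (.+)
continue=TakeNext
desc=classification.text=Correlated Alert Composite; \
     assessment.impact.severity=high; \
     assessment.impact.description=30 alerts have been recorded from $1 to $2. The source may be scanning the target host.; \
     correlation_alert.name=Event Scan Detected
action=copy EVENTSCAN_SOURCE_TARGET_IDENT_$1_$2 %ALERT_IDENTS; \
       delete EVENTSCAN_SOURCE_TARGET_IDENT_$1_$2; \
       add IDMEF_MESSAGE %s; \
       add IDMEF_MESSAGE %ALERT_IDENTS; \
       copy IDMEF_MESSAGE %IDMEF_MESSAGE; \
       delete IDMEF_MESSAGE; \
       prelude %IDMEF_MESSAGE
thresh=30
window=3600

# Excessive traffic from one particular host (1 of 2)
# Store keyed on the source address only.
type=Single
ptype=IDMEF
pattern=messageid: (\d+); \
        analyzer(-1).analyzerid: (.*); \
        analyzer(-2).analyzerid: (.*); \
        source(0).node.address(0).address: (.+)
continue=TakeNext
desc=correlation_alert.alertident(>>).alertident=$1; \
     correlation_alert.alertident(-1).analyzerid=%analyzerid;
action=eval %analyzerid ("$2" || "$3"); \
       add EVENTSWEEP_SOURCE_IDENT_$4 %s; \
       set EVENTSWEEP_SOURCE_IDENT_$4 3600

# Excessive traffic from one particular host (2 of 2)
# Fires on the 150th message from the same source address within 3600 s.
type=SingleWithThreshold
ptype=IDMEF
pattern=source(0).node.address(0).address: (.+)
continue=TakeNext
desc=classification.text=Correlated Alert Composite; \
     assessment.impact.severity=high; \
     assessment.impact.description=150 alerts have been recorded from $1. The source may be scanning your network.; \
     correlation_alert.name=Event Sweep Detected
action=copy EVENTSWEEP_SOURCE_IDENT_$1 %ALERT_IDENTS; \
       delete EVENTSWEEP_SOURCE_IDENT_$1; \
       add IDMEF_MESSAGE %s; \
       add IDMEF_MESSAGE %ALERT_IDENTS; \
       copy IDMEF_MESSAGE %IDMEF_MESSAGE; \
       delete IDMEF_MESSAGE; \
       prelude %IDMEF_MESSAGE
thresh=150
window=3600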