Appendix D. rules.txt used in Chapter 10


ZoneAlarm,*,warn
ZoneAlarm,*,display=type#date#time#source#dest#transport
ZoneALARM,type eq fwin,icon=desktopoutbounddenied.bmp
ZoneALARM,type eq pe,icon=desktopinbounddenied.bmp
Antivirus,message eq infected,display=date#time#ip#username#virusname#infectedfile
Antivirus,message eq infected,icon=virus.bmp
Antivirus,message eq infected,alert
Antivirus,message eq cleaned,display=date#time#ip#username#virusname#infectedfile
Antivirus,message eq cleaned,icon=viruscleaned.bmp
System Event,ip eq *,display=
Security Event,*,display=
Application Event,ip eq *,display=
Snort,*,reject
SnortLite,*,display=label#classification#logdate#logtime#priority#source#destination#protocol
SnortLite,priority = 1,alert
SnortLite,priority = 2,warn
SnortLite,priority = 1,icon=idsreport.bmp
SnortLite,priority = 2,icon=ids.bmp
Running Services,*,display=message#display#servfilename#state#startup
Running Services,*,icon=sidtk.bmp
Running Services,*,alert
Open shares,*,display=message#loghost#share#usergroup#rights#path
Open shares,*,icon=sidtk.bmp
Open shares,*,alert
Startup config,*,display=loghost#message#location#item
Startup config,*,icon=sidtk.bmp
Startup config,*,alert
ADS Scanner,*,display=loghost#ads#size
ADS Scanner,*,alert
ADS Scanner,*,icon=sidtk.bmp
Integrity checker,*,display=loghost#message
Integrity checker,*,alert
Integrity checker,*,icon=sidtk.bmp
Rogue Users,*,display=loghost#message#loghost#username#script#fullname
Rogue Users,*,alert
Rogue Users,*,icon=sidtk.bmp
Running Processes,*,display=loghost#message#exename#exepath#username
Running Processes,*,alert
Running Processes,*,icon=sidtk.bmp
Scheduled Tasks,*,display=loghost#message#command#flags#jobid#schdays#schtime
Scheduled Tasks,*,alert
Scheduled Tasks,*,icon=sidtk.bmp
ComLog,line ct sam. OR line ct regedit OR line ct nmap,alert
ComLog,line ct sam. OR line ct regedit OR line ct nmap,icon=sidtk.bmp
* Note that rules concerning the Event viewer differ between the Open Source and Pro version (Pro is shown here).
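As an added illustration, not code from the book or from the tool that reads rules.txt, the following Python evaluator applies a constructed subset of the listing above to sample events using the visible source,condition,action layout. The operator meanings (eq and = as string equality, ct as substring containment, OR as alternatives, * as match-all) and case-insensitive source names (the listing mixes ZoneAlarm and ZoneALARM) are assumptions, not documented semantics.

```python
import re

# Constructed excerpt of the appendix listing (same syntax as above).
RULES_TXT = """ZoneAlarm,*,warn
ZoneAlarm,type eq fwin,icon=desktopoutbounddenied.bmp
SnortLite,priority = 1,alert
SnortLite,priority = 2,warn
Snort,*,reject
ComLog,line ct sam. OR line ct regedit OR line ct nmap,alert
* Note that rules concerning the Event viewer differ between versions.
"""

def parse_rules(text):
    """Each line is assumed to be: source,condition,action.
    Lines starting with '*' are treated as commentary (assumption)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("*"):
            continue
        source, cond, action = line.split(",", 2)
        rules.append((source.strip(), cond.strip(), action.strip()))
    return rules

def _clause(clause, event):
    """Evaluate one clause such as 'type eq fwin' or 'line ct nmap'.
    Assumed operators: eq and = compare as strings, ct is substring."""
    m = re.fullmatch(r"(\w+)\s+(eq|=|ct)\s+(.+)", clause.strip())
    if not m:
        raise ValueError("unsupported clause: " + clause)
    field, op, value = m.groups()
    if value == "*":            # 'ip eq *' : field merely has to be present
        return field in event
    actual = str(event.get(field, ""))
    if op in ("eq", "="):
        return actual == value
    return value in actual      # 'ct'

def matches(cond, event):
    """'*' matches everything; 'OR' joins alternative clauses (assumption)."""
    if cond == "*":
        return True
    return any(_clause(c, event) for c in cond.split(" OR "))

def actions_for(rules, source, event):
    """Actions of every rule whose source (case-insensitive) and condition match."""
    return [a for s, c, a in rules
            if s.lower() == source.lower() and matches(c, event)]
```

For a ZoneAlarm event with type fwin this yields both the warn and the icon action, while a ComLog line that mentions none of sam., regedit or nmap yields nothing.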
