ZoneAlarm,*,warn
ZoneAlarm,*,display=type#date#time#source#dest#transport
ZoneALARM,type eq fwin,icon=desktopoutbounddenied.bmp
ZoneALARM,type eq pe,icon=desktopinbounddenied.bmp
Antivirus,message eq infected,display=date#time#ip#username#virusname#infectedfile
Antivirus,message eq infected,icon=virus.bmp
Antivirus,message eq infected,alert
Antivirus,message eq cleaned,display=date#time#ip#username#virusname#infectedfile
Antivirus,message eq cleaned,icon=viruscleaned.bmp
System Event,ip eq *,display=
Security Event,*,display=
Application Event,ip eq *,display=
Snort,*,reject
SnortLite,*,display=label#classification#logdate#logtime#priority#source#destination#protocol
SnortLite,priority = 1,alert
SnortLite,priority = 2,warn
SnortLite,priority = 1,icon=idsreport.bmp
SnortLite,priority = 2,icon=ids.bmp
Running Services,*,display=message#display#servfilename#state#startup
Running Services,*,icon=sidtk.bmp
Running Services,*,alert
Open shares,*,display=message#loghost#share#usergroup#rights#path
Open shares,*,icon=sidtk.bmp
Open shares,*,alert
Startup config,*,display=loghost#message#location#item
Startup config,*,icon=sidtk.bmp
Startup config,*,alert
ADS Scanner,*,display=loghost#ads#size
ADS Scanner,*,alert
ADS Scanner,*,icon=sidtk.bmp
Integrity checker,*,display=loghost#message
Integrity checker,*,alert
Integrity checker,*,icon=sidtk.bmp
Rogue Users,*,display=loghost#message#loghost#username#script#fullname
Rogue Users,*,alert
Rogue Users,*,icon=sidtk.bmp
Running Processes,*,display=loghost#message#exename#exepath#username
Running Processes,*,alert
Running Processes,*,icon=sidtk.bmp
Scheduled Tasks,*,display=loghost#message#command#flags#jobid#schdays#schtime
Scheduled Tasks,*,alert
Scheduled Tasks,*,icon=sidtk.bmp
ComLog,line ct sam. OR line ct regedit OR line ct nmap,alert
ComLog,line ct sam. OR line ct regedit OR line ct nmap,icon=sidtk.bmp
* Note that the rules concerning the Event viewer differ between the Open Source and Pro versions (the Pro rules are shown here).