From 9bc527df2dbaacae51d28fcba02783e76d2330ac Mon Sep 17 00:00:00 2001 
From: Jason Ish
Date: Fri, 21 Jun 2024 08:05:42 -0600
Subject: [PATCH] tests: remove tests for versions less than 6
---
tests/bug-2482-01/test.yaml | 15 -
tests/bug-4953/test.yaml | 10 -
tests/decode-erspan-typeI-03/README.md | 1 -
tests/decode-erspan-typeI-03/test.yaml | 20 -
tests/dhcp-eve-extended-pre-6/suricata.yaml | 11 -
tests/dhcp-eve-extended-pre-6/test.yaml | 74 -
tests/dns-json-log/expected/dns.json | 9 -
tests/dns-json-log/suricata.yaml | 8 -
tests/dns-json-log/test.yaml | 25 -
tests/filestore-v1-stream-depth/suricata.yaml | 23 -
tests/filestore-v1-stream-depth/test.rules | 1 -
tests/filestore-v1-stream-depth/test.yaml | 19 -
tests/ikev2-weak-dh/test.yaml | 34 -
tests/nfs3-01-pre-6/test.rules | 9 -
tests/nfs3-01-pre-6/test.yaml | 8507 -----------------
tests/test-bad-byte-extract-rule-3/eve.json | 40 -
.../suricata.yaml | 10 -
tests/test-bad-byte-extract-rule-3/test.rules | 1 -
tests/test-bad-byte-extract-rule-3/test.yaml | 24 -
19 files changed, 8841 deletions(-)
delete mode 100644 tests/decode-erspan-typeI-03/README.md
delete mode 100644 tests/decode-erspan-typeI-03/test.yaml
delete mode 100644 tests/dhcp-eve-extended-pre-6/suricata.yaml
delete mode 100644 tests/dhcp-eve-extended-pre-6/test.yaml
delete mode 100644 tests/dns-json-log/expected/dns.json
delete mode 100644 tests/dns-json-log/suricata.yaml
delete mode 100644 tests/dns-json-log/test.yaml
delete mode 100644 tests/filestore-v1-stream-depth/suricata.yaml
delete mode 100644 tests/filestore-v1-stream-depth/test.rules
delete mode 100644 tests/filestore-v1-stream-depth/test.yaml
delete mode 100644 tests/nfs3-01-pre-6/test.rules
delete mode 100644 tests/nfs3-01-pre-6/test.yaml
delete mode 100644 tests/test-bad-byte-extract-rule-3/eve.json
delete mode 100644 tests/test-bad-byte-extract-rule-3/suricata.yaml
delete mode 100644 tests/test-bad-byte-extract-rule-3/test.rules
delete mode 100644 tests/test-bad-byte-extract-rule-3/test.yaml
diff --git a/tests/bug-2482-01/test.yaml b/tests/bug-2482-01/test.yaml
index 1b85839ed..043409fda 100644
--- a/tests/bug-2482-01/test.yaml
+++ b/tests/bug-2482-01/test.yaml
@@ -1,8 +1,3 @@
-requires: - features: - - HAVE_LIBJANSSON - min-version: 4.1.0 - args: - -k none - --set vars.address-groups.EXTERNAL_NET=any
@@ -14,16 +9,6 @@ checks: event_type: alert alert.signature_id: 2013933 http.http_method: "CONNECT" - - filter: - version: 4.1 - count: 172 - match: - event_type: tls - - filter: - version: 5 - count: 170 - match: - event_type: tls - filter: version: 6 count: 172
diff --git a/tests/bug-4953/test.yaml b/tests/bug-4953/test.yaml
index 9e4577edc..761f6cea8 100644
--- a/tests/bug-4953/test.yaml
+++ b/tests/bug-4953/test.yaml
@@ -16,16 +16,6 @@ checks: fileinfo.gaps: true fileinfo.state: TRUNCATED fileinfo.size: 137708 - - filter: - requires: - lt-version: 6 - count: 1 - match: - event_type: fileinfo - fileinfo.filename: "/IEyF/EN3GUkgHakZ3iVe/YBqssWlF8iWaHTr/" - fileinfo.gaps: false - fileinfo.state: TRUNCATED - fileinfo.size: 1176 - filter: count: 1 match:
diff --git a/tests/decode-erspan-typeI-03/README.md b/tests/decode-erspan-typeI-03/README.md
deleted file mode 100644
index 18aaf211d..000000000
--- a/tests/decode-erspan-typeI-03/README.md
+++ /dev/null
@@ -1 +0,0 @@
-Ensure ERSPAN Type I packets are decoded when configured
diff --git a/tests/decode-erspan-typeI-03/test.yaml b/tests/decode-erspan-typeI-03/test.yaml
deleted file mode 100644
index 17aee506c..000000000
--- a/tests/decode-erspan-typeI-03/test.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-pcap: ../decode-erspan-typeI-02/input.pcap - -requires: - - min-version: 5 - lt-version: 6 - - -args: - - --set decoder.erspan.typeI.enabled=false - -checks: - - - filter: - count: 0 - match: - event_type: flow - - - stats: - decoder.erspan: 0
diff --git a/tests/dhcp-eve-extended-pre-6/suricata.yaml b/tests/dhcp-eve-extended-pre-6/suricata.yaml
deleted file mode 100644
index 7f2fafa63..000000000
--- a/tests/dhcp-eve-extended-pre-6/suricata.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-%YAML 1.1 --- - -outputs: - - eve-log: - enabled: true - filename: eve.json - types: - - dhcp: - extended: true - - flow
diff --git a/tests/dhcp-eve-extended-pre-6/test.yaml b/tests/dhcp-eve-extended-pre-6/test.yaml
deleted file mode 100644
index 0220ccba3..000000000
--- a/tests/dhcp-eve-extended-pre-6/test.yaml
+++ /dev/null
@@ -1,74 +0,0 @@
-pcap: ../dhcp-eve-extended/input.pcap - -requires: - lt-version: 6.0.0 - features: - - HAVE_LIBJANSSON - - RUST - -checks: -- filter: - count: 1 - match: - dest_ip: 10.16.1.1 - dest_port: 67 - dhcp.assigned_ip: 0.0.0.0 - dhcp.client_id: 00:11:32:17:49:f0 - dhcp.client_ip: 10.16.1.4 - dhcp.client_mac: 00:11:32:17:49:f0 - dhcp.dhcp_type: request - dhcp.hostname: nas1\x00 - dhcp.id: 4016330564 - dhcp.params[0]: subnet_mask - dhcp.params[1]: router - dhcp.params[2]: domain - dhcp.params[3]: dns_server - dhcp.type: request - event_type: dhcp - pcap_cnt: 1 - proto: UDP - src_ip: 10.16.1.4 - src_port: 68 -- filter: - count: 1 - match: - dest_ip: 10.16.1.4 - dest_port: 68 - dhcp.assigned_ip: 10.16.1.4 - dhcp.client_ip: 10.16.1.4 - dhcp.client_mac: 00:11:32:17:49:f0 - dhcp.dhcp_type: ack - dhcp.dns_servers[0]: 10.16.1.1 - dhcp.hostname: nas1\x00 - dhcp.id: 4016330564 - dhcp.lease_time: 3600 - dhcp.next_server_ip: 10.16.1.1 - dhcp.rebinding_time: 3031 - dhcp.relay_ip: 0.0.0.0 - dhcp.renewal_time: 1681 - dhcp.routers[0]: 10.16.1.1 - dhcp.subnet_mask: 255.255.0.0 - dhcp.type: reply - event_type: dhcp - pcap_cnt: 2 - proto: UDP - src_ip: 10.16.1.1 - src_port: 67 -- filter: - count: 1 - match: - app_proto: dhcp - dest_ip: 10.16.1.1 - dest_port: 67 - event_type: flow - flow.age: 0 - flow.alerted: false - flow.bytes_toclient: 350 - flow.bytes_toserver: 342 - flow.pkts_toclient: 1 - flow.pkts_toserver: 1 - flow.reason: shutdown - flow.state: established - proto: UDP - src_ip: 10.16.1.4 - src_port: 68
diff --git a/tests/dns-json-log/expected/dns.json b/tests/dns-json-log/expected/dns.json
deleted file mode 100644
index afec32e8f..000000000
--- a/tests/dns-json-log/expected/dns.json
+++ /dev/null
@@ -1,9 +0,0 @@
-{"timestamp":"2016-05-24T23:27:01.960780+0000","flow_id":15684738590988,"pcap_cnt":1,"event_type":"dns","src_ip":"10.16.1.11","src_port":53679,"dest_ip":"10.16.1.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":39339,"rrname":"client-cf.dropbox.com","rrtype":"A","tx_id":0}}
-{"timestamp":"2016-05-24T23:27:02.333141+0000","flow_id":15684738590988,"pcap_cnt":2,"event_type":"dns","src_ip":"10.16.1.1","src_port":53,"dest_ip":"10.16.1.11","dest_port":53679,"proto":"UDP","dns":{"type":"answer","id":39339,"rcode":"NOERROR","rrname":"client-cf.dropbox.com","rrtype":"A","ttl":47,"rdata":"52.85.112.21"}}
-{"timestamp":"2016-05-24T23:27:02.832606+0000","flow_id":542660046009438,"pcap_cnt":3,"event_type":"dns","src_ip":"10.16.1.11","src_port":49697,"dest_ip":"10.16.1.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":3407,"rrname":"block.dropbox.com","rrtype":"A","tx_id":0}}
-{"timestamp":"2016-05-24T23:27:03.085375+0000","flow_id":1585332076629375,"pcap_cnt":4,"event_type":"dns","src_ip":"10.16.1.11","src_port":33458,"dest_ip":"10.16.1.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":44779,"rrname":"codemonkey.net","rrtype":"A","tx_id":0}}
-{"timestamp":"2016-05-24T23:27:03.213624+0000","flow_id":542660046009438,"pcap_cnt":5,"event_type":"dns","src_ip":"10.16.1.1","src_port":53,"dest_ip":"10.16.1.11","dest_port":49697,"proto":"UDP","dns":{"type":"answer","id":3407,"rcode":"NOERROR","rrname":"block.dropbox.com","rrtype":"CNAME","ttl":9,"rdata":"block.g1.dropbox.com"}}
-{"timestamp":"2016-05-24T23:27:03.213624+0000","flow_id":542660046009438,"pcap_cnt":5,"event_type":"dns","src_ip":"10.16.1.1","src_port":53,"dest_ip":"10.16.1.11","dest_port":49697,"proto":"UDP","dns":{"type":"answer","id":3407,"rcode":"NOERROR","rrname":"block.g1.dropbox.com","rrtype":"A","ttl":8,"rdata":"45.58.70.33"}}
-{"timestamp":"2016-05-24T23:27:03.493333+0000","flow_id":1585332076629375,"pcap_cnt":6,"event_type":"dns","src_ip":"10.16.1.1","src_port":53,"dest_ip":"10.16.1.11","dest_port":33458,"proto":"UDP","dns":{"type":"answer","id":44779,"rcode":"NOERROR","rrname":"codemonkey.net","rrtype":"A","ttl":435,"rdata":"104.131.202.103"}}
-{"timestamp":"2016-05-24T23:27:04.653864+0000","flow_id":848126710184488,"pcap_cnt":7,"event_type":"dns","src_ip":"10.16.1.11","src_port":57634,"dest_ip":"10.16.1.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":14681,"rrname":"client-cf.dropbox.com","rrtype":"A","tx_id":0}}
-{"timestamp":"2016-05-24T23:27:04.654238+0000","flow_id":848126710184488,"pcap_cnt":8,"event_type":"dns","src_ip":"10.16.1.1","src_port":53,"dest_ip":"10.16.1.11","dest_port":57634,"proto":"UDP","dns":{"type":"answer","id":14681,"rcode":"NOERROR","rrname":"client-cf.dropbox.com","rrtype":"A","ttl":45,"rdata":"52.85.112.21"}}
diff --git a/tests/dns-json-log/suricata.yaml b/tests/dns-json-log/suricata.yaml
deleted file mode 100644
index 4daa2b75f..000000000
--- a/tests/dns-json-log/suricata.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-%YAML 1.1 --- - -outputs: - - dns-json-log: - version: 1 - enabled: yes - filename: dns.json
diff --git a/tests/dns-json-log/test.yaml b/tests/dns-json-log/test.yaml
deleted file mode 100644
index bfafe7446..000000000
--- a/tests/dns-json-log/test.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-pcap: ../dns-eve/input.pcap - -requires: - lt-version: 6 - features: - - HAVE_LIBJANSSON - -checks: - - filter: - count: 9 - filename: dns.json - match: - event_type: dns - - filter: - count: 4 - filename: dns.json - match: - event_type: dns - dns.type: query - - filter: - count: 5 - filename: dns.json - match: - event_type: dns - dns.type: answer
diff --git a/tests/filestore-v1-stream-depth/suricata.yaml b/tests/filestore-v1-stream-depth/suricata.yaml
deleted file mode 100644
index 7e3cc1577..000000000
--- a/tests/filestore-v1-stream-depth/suricata.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-%YAML 1.1 --- - -outputs: - - eve-log: - enabled: yes - types: - - files - - stats - - file-store: - version: 1 - enabled: yes - force-filestore: yes - stream-depth: 0 - -app-layer: - protocols: - http: - enabled: yes - libhtp: - default-config: - personality: IDS - response-body-limit: 100kb
diff --git a/tests/filestore-v1-stream-depth/test.rules b/tests/filestore-v1-stream-depth/test.rules
deleted file mode 100644
index 582397ffc..000000000
--- a/tests/filestore-v1-stream-depth/test.rules
+++ /dev/null
@@ -1 +0,0 @@
-alert http any any -> any any (filestore; sid:1; rev:1;)
diff --git a/tests/filestore-v1-stream-depth/test.yaml b/tests/filestore-v1-stream-depth/test.yaml
deleted file mode 100644
index 3fe361b0e..000000000
--- a/tests/filestore-v1-stream-depth/test.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-requires: - features: - - HAVE_LIBJANSSON - min-version: 5.0.0 - lt-version: 6 - -args: - - -k none - -pcap: ../filestore-v2.1-forced/suricata-update-pdf.pcap - -checks: - - - filter: - count: 1 - match: - event_type: fileinfo - fileinfo.state: "CLOSED" - fileinfo.stored: true
diff --git a/tests/ikev2-weak-dh/test.yaml b/tests/ikev2-weak-dh/test.yaml
index a80403815..35e9cce46 100644
--- a/tests/ikev2-weak-dh/test.yaml
+++ b/tests/ikev2-weak-dh/test.yaml
@@ -16,40 +16,6 @@ checks: alert.signature_id: 1 alert.signature: "SURICATA IKEv2 weak cryptographic parameters (Diffie-Hellman)" - - filter: - count: 1 - version: 4 - match: - event_type: ikev2 - ikev2.version_major: 2 - ikev2.exchange_type: 34 - ikev2.message_id: 0 - ikev2.init_spi: "61d3693ce12af528" - ikev2.resp_spi: "0000000000000000" - ikev2.role: initiator - ikev2.errors: 0 - ikev2.payload[0]: Nonce - ikev2.payload[1]: KeyExchange - ikev2.payload[2]: SecurityAssociation - ikev2.payload[3]: NoNextPayload - - - filter: - count: 1 - version: 5 - match: - event_type: ikev2 - ikev2.version_major: 2 - ikev2.exchange_type: 34 - ikev2.message_id: 0 - ikev2.init_spi: "61d3693ce12af528" - ikev2.resp_spi: "0000000000000000" - ikev2.role: initiator - ikev2.errors: 0 - ikev2.payload[0]: Nonce - ikev2.payload[1]: KeyExchange - ikev2.payload[2]: SecurityAssociation - ikev2.payload[3]: NoNextPayload - # from suricata version >=7 the event_type for ikev2 is ike - filter: count: 1
diff --git a/tests/nfs3-01-pre-6/test.rules b/tests/nfs3-01-pre-6/test.rules
deleted file mode 100644
index f62d2e1f7..000000000
--- a/tests/nfs3-01-pre-6/test.rules
+++ /dev/null
@@ -1,9 +0,0 @@
-alert nfs any any -> any any (nfs_version:<3; sid:1;)
-alert nfs any any -> any any (nfs_version:>3; sid:2;)
-alert nfs any any -> any any (nfs_version:3; sid:3;)
-alert nfs any any -> any any (nfs_version:2<>4; sid:6;)
-
-alert nfs any any -> any any (nfs_procedure:<3; sid:10;)
-alert nfs any any -> any any (nfs_procedure:>3; sid:11;)
-alert nfs any any -> any any (nfs_procedure:3; sid:12;)
-alert nfs any any -> any any (nfs_procedure:2<>4; sid:15;)
diff --git a/tests/nfs3-01-pre-6/test.yaml b/tests/nfs3-01-pre-6/test.yaml
deleted file mode 100644
index 83390926c..000000000
--- a/tests/nfs3-01-pre-6/test.yaml
+++ /dev/null
@@ -1,8507 +0,0 @@ -pcap: ../detect-itype-prefilter/icmpv4-ping.pcap - -requires: - version: 5 - -args: -- -k none - -checks: -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 3 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 0 - flow.bytes_toserver: 170 - flow.pkts_toclient: 0 - flow.pkts_toserver: 1 - nfs.file_tx: false - nfs.filename: '' - nfs.hhash: 38a4e9f6 - nfs.id: 1 - nfs.procedure: GETATTR - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 11 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961884 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 0 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 6 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 0 - flow.bytes_toserver: 170 - flow.pkts_toclient: 0 - flow.pkts_toserver: 1 - nfs.file_tx: false - nfs.filename: '' - nfs.hhash: 38a4e9f6 - nfs.id: 1 - nfs.procedure: GETATTR - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 11 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961884 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 0 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 10 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 0 - flow.bytes_toserver: 170 - flow.pkts_toclient: 0 - flow.pkts_toserver: 1 - nfs.file_tx: false - nfs.filename: '' - nfs.hhash: 38a4e9f6 - 
nfs.id: 1 - nfs.procedure: GETATTR - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 11 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961884 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 0 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 3 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 154 - flow.bytes_toserver: 340 - flow.pkts_toclient: 1 - flow.pkts_toserver: 2 - nfs.file_tx: false - nfs.filename: '' - nfs.id: 2 - nfs.procedure: FSINFO - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 13 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961885 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 1 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 6 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 154 - flow.bytes_toserver: 340 - flow.pkts_toclient: 1 - flow.pkts_toserver: 2 - nfs.file_tx: false - nfs.filename: '' - nfs.id: 2 - nfs.procedure: FSINFO - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 13 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961885 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 1 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 11 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 154 - 
flow.bytes_toserver: 340 - flow.pkts_toclient: 1 - flow.pkts_toserver: 2 - nfs.file_tx: false - nfs.filename: '' - nfs.id: 2 - nfs.procedure: FSINFO - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 13 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961885 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 1 -- filter: - count: 1 - match: - dest_ip: 139.25.22.2 - dest_port: 1022 - event_type: nfs - nfs.file_tx: false - nfs.filename: '' - nfs.id: 2 - nfs.procedure: FSINFO - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 14 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961885 - src_ip: 139.25.22.102 - src_port: 2049 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 3 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 360 - flow.bytes_toserver: 510 - flow.pkts_toclient: 2 - flow.pkts_toserver: 3 - nfs.file_tx: false - nfs.filename: '' - nfs.id: 3 - nfs.procedure: FSSTAT - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 15 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961886 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 2 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 6 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 360 - flow.bytes_toserver: 510 - flow.pkts_toclient: 2 - flow.pkts_toserver: 3 - nfs.file_tx: false - nfs.filename: '' - nfs.id: 3 - nfs.procedure: FSSTAT - 
nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 15 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961886 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 2 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 11 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 360 - flow.bytes_toserver: 510 - flow.pkts_toclient: 2 - flow.pkts_toserver: 3 - nfs.file_tx: false - nfs.filename: '' - nfs.id: 3 - nfs.procedure: FSSTAT - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 15 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961886 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 2 -- filter: - count: 1 - match: - dest_ip: 139.25.22.2 - dest_port: 1022 - event_type: nfs - nfs.file_tx: false - nfs.filename: '' - nfs.id: 3 - nfs.procedure: FSSTAT - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 16 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961886 - src_ip: 139.25.22.102 - src_port: 2049 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 3 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 570 - flow.bytes_toserver: 680 - flow.pkts_toclient: 3 - flow.pkts_toserver: 4 - nfs.file_tx: false - nfs.filename: '' - nfs.id: 4 - nfs.procedure: PATHCONF - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 17 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche 
- rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961887 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 3 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 6 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 570 - flow.bytes_toserver: 680 - flow.pkts_toclient: 3 - flow.pkts_toserver: 4 - nfs.file_tx: false - nfs.filename: '' - nfs.id: 4 - nfs.procedure: PATHCONF - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 17 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961887 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 3 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 11 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 570 - flow.bytes_toserver: 680 - flow.pkts_toclient: 3 - flow.pkts_toserver: 4 - nfs.file_tx: false - nfs.filename: '' - nfs.id: 4 - nfs.procedure: PATHCONF - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 17 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961887 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 3 -- filter: - count: 1 - match: - dest_ip: 139.25.22.2 - dest_port: 1022 - event_type: nfs - nfs.file_tx: false - nfs.filename: '' - nfs.id: 4 - nfs.procedure: PATHCONF - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 18 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961887 - src_ip: 139.25.22.102 - src_port: 2049 -- filter: - count: 1 - match: - 
alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 3 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 752 - flow.bytes_toserver: 858 - flow.pkts_toclient: 4 - flow.pkts_toserver: 5 - nfs.file_tx: false - nfs.filename: a - nfs.id: 5 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 19 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961888 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 4 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 6 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 752 - flow.bytes_toserver: 858 - flow.pkts_toclient: 4 - flow.pkts_toserver: 5 - nfs.file_tx: false - nfs.filename: a - nfs.id: 5 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 19 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961888 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 4 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 12 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 752 - flow.bytes_toserver: 858 - flow.pkts_toclient: 4 - flow.pkts_toserver: 5 - nfs.file_tx: false - nfs.filename: a - nfs.id: 5 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 19 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: 
ACCEPTED - rpc.xid: 1578961888 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 4 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 15 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 752 - flow.bytes_toserver: 858 - flow.pkts_toclient: 4 - flow.pkts_toserver: 5 - nfs.file_tx: false - nfs.filename: a - nfs.id: 5 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 19 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961888 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 4 -- filter: - count: 1 - match: - dest_ip: 139.25.22.2 - dest_port: 1022 - event_type: nfs - nfs.file_tx: false - nfs.filename: a - nfs.id: 5 - nfs.procedure: LOOKUP - nfs.status: ERR_NOENT - nfs.type: response - nfs.version: 3 - pcap_cnt: 20 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961888 - src_ip: 139.25.22.102 - src_port: 2049 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 3 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 826 - flow.bytes_toserver: 1036 - flow.pkts_toclient: 5 - flow.pkts_toserver: 6 - nfs.file_tx: false - nfs.filename: a - nfs.id: 6 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 21 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961889 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 5 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: 
'' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 6 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 826 - flow.bytes_toserver: 1036 - flow.pkts_toclient: 5 - flow.pkts_toserver: 6 - nfs.file_tx: false - nfs.filename: a - nfs.id: 6 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 21 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961889 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 5 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 12 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 826 - flow.bytes_toserver: 1036 - flow.pkts_toclient: 5 - flow.pkts_toserver: 6 - nfs.file_tx: false - nfs.filename: a - nfs.id: 6 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 21 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961889 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 5 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 15 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 826 - flow.bytes_toserver: 1036 - flow.pkts_toclient: 5 - flow.pkts_toserver: 6 - nfs.file_tx: false - nfs.filename: a - nfs.id: 6 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 21 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961889 - 
src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 5 -- filter: - count: 1 - match: - dest_ip: 139.25.22.2 - dest_port: 1022 - event_type: nfs - nfs.file_tx: false - nfs.filename: a - nfs.id: 6 - nfs.procedure: LOOKUP - nfs.status: ERR_NOENT - nfs.type: response - nfs.version: 3 - pcap_cnt: 22 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961889 - src_ip: 139.25.22.102 - src_port: 2049 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 3 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 900 - flow.bytes_toserver: 1262 - flow.pkts_toclient: 6 - flow.pkts_toserver: 7 - nfs.file_tx: false - nfs.filename: a - nfs.hhash: 38a4e9f6 - nfs.id: 7 - nfs.procedure: CREATE - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 23 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961890 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 6 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 6 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 900 - flow.bytes_toserver: 1262 - flow.pkts_toclient: 6 - flow.pkts_toserver: 7 - nfs.file_tx: false - nfs.filename: a - nfs.hhash: 38a4e9f6 - nfs.id: 7 - nfs.procedure: CREATE - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 23 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961890 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 6 -- filter: - count: 1 - match: - alert.action: allowed - 
alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 11 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 900 - flow.bytes_toserver: 1262 - flow.pkts_toclient: 6 - flow.pkts_toserver: 7 - nfs.file_tx: false - nfs.filename: a - nfs.hhash: 38a4e9f6 - nfs.id: 7 - nfs.procedure: CREATE - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 23 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961890 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 6 -- filter: - count: 1 - match: - dest_ip: 139.25.22.2 - dest_port: 1022 - event_type: nfs - nfs.file_tx: false - nfs.filename: a - nfs.hhash: 38a4e9f6 - nfs.id: 7 - nfs.procedure: CREATE - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 24 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961890 - src_ip: 139.25.22.102 - src_port: 2049 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 3 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 1214 - flow.bytes_toserver: 1432 - flow.pkts_toclient: 7 - flow.pkts_toserver: 8 - nfs.file_tx: false - nfs.filename: a - nfs.hhash: 131299c5 - nfs.id: 8 - nfs.procedure: GETATTR - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 25 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961891 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 7 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - 
alert.signature_id: 6 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 1214 - flow.bytes_toserver: 1432 - flow.pkts_toclient: 7 - flow.pkts_toserver: 8 - nfs.file_tx: false - nfs.filename: a - nfs.hhash: 131299c5 - nfs.id: 8 - nfs.procedure: GETATTR - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 25 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961891 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 7 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 10 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 1214 - flow.bytes_toserver: 1432 - flow.pkts_toclient: 7 - flow.pkts_toserver: 8 - nfs.file_tx: false - nfs.filename: a - nfs.hhash: 131299c5 - nfs.id: 8 - nfs.procedure: GETATTR - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 25 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961891 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 7 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 3 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 1368 - flow.bytes_toserver: 1638 - flow.pkts_toclient: 8 - flow.pkts_toserver: 9 - nfs.file_tx: false - nfs.filename: '' - nfs.id: 9 - nfs.procedure: SETATTR - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 27 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961892 - src_ip: 139.25.22.2 - src_port: 
1022 - tx_id: 8 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 6 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 1368 - flow.bytes_toserver: 1638 - flow.pkts_toclient: 8 - flow.pkts_toserver: 9 - nfs.file_tx: false - nfs.filename: '' - nfs.id: 9 - nfs.procedure: SETATTR - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 27 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961892 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 8 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 10 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 1368 - flow.bytes_toserver: 1638 - flow.pkts_toclient: 8 - flow.pkts_toserver: 9 - nfs.file_tx: false - nfs.filename: '' - nfs.id: 9 - nfs.procedure: SETATTR - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 27 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961892 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 8 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 15 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 1368 - flow.bytes_toserver: 1638 - flow.pkts_toclient: 8 - flow.pkts_toserver: 9 - nfs.file_tx: false - nfs.filename: '' - nfs.id: 9 - nfs.procedure: SETATTR - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 27 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - 
rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961892 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 8 -- filter: - count: 1 - match: - dest_ip: 139.25.22.2 - dest_port: 1022 - event_type: nfs - nfs.file_tx: false - nfs.filename: '' - nfs.id: 9 - nfs.procedure: SETATTR - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 28 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961892 - src_ip: 139.25.22.102 - src_port: 2049 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 3 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 1554 - flow.bytes_toserver: 1816 - flow.pkts_toclient: 9 - flow.pkts_toserver: 10 - nfs.file_tx: false - nfs.filename: am - nfs.id: 10 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 29 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961893 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 9 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 6 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 1554 - flow.bytes_toserver: 1816 - flow.pkts_toclient: 9 - flow.pkts_toserver: 10 - nfs.file_tx: false - nfs.filename: am - nfs.id: 10 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 29 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961893 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 9 -- 
filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 12 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 1554 - flow.bytes_toserver: 1816 - flow.pkts_toclient: 9 - flow.pkts_toserver: 10 - nfs.file_tx: false - nfs.filename: am - nfs.id: 10 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 29 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961893 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 9 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 15 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 1554 - flow.bytes_toserver: 1816 - flow.pkts_toclient: 9 - flow.pkts_toserver: 10 - nfs.file_tx: false - nfs.filename: am - nfs.id: 10 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 29 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961893 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 9 -- filter: - count: 1 - match: - dest_ip: 139.25.22.2 - dest_port: 1022 - event_type: nfs - nfs.file_tx: false - nfs.filename: am - nfs.id: 10 - nfs.procedure: LOOKUP - nfs.status: ERR_NOENT - nfs.type: response - nfs.version: 3 - pcap_cnt: 30 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961893 - src_ip: 139.25.22.102 - src_port: 2049 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: 
'' - alert.signature_id: 3 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 1628 - flow.bytes_toserver: 1994 - flow.pkts_toclient: 10 - flow.pkts_toserver: 11 - nfs.file_tx: false - nfs.filename: am - nfs.id: 11 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 31 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961894 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 10 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 6 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 1628 - flow.bytes_toserver: 1994 - flow.pkts_toclient: 10 - flow.pkts_toserver: 11 - nfs.file_tx: false - nfs.filename: am - nfs.id: 11 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 31 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961894 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 10 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 12 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 1628 - flow.bytes_toserver: 1994 - flow.pkts_toclient: 10 - flow.pkts_toserver: 11 - nfs.file_tx: false - nfs.filename: am - nfs.id: 11 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 31 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961894 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 10 -- filter: - 
count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 15 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 1628 - flow.bytes_toserver: 1994 - flow.pkts_toclient: 10 - flow.pkts_toserver: 11 - nfs.file_tx: false - nfs.filename: am - nfs.id: 11 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 31 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961894 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 10 -- filter: - count: 1 - match: - dest_ip: 139.25.22.2 - dest_port: 1022 - event_type: nfs - nfs.file_tx: false - nfs.filename: am - nfs.id: 11 - nfs.procedure: LOOKUP - nfs.status: ERR_NOENT - nfs.type: response - nfs.version: 3 - pcap_cnt: 32 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961894 - src_ip: 139.25.22.102 - src_port: 2049 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 3 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 1702 - flow.bytes_toserver: 2172 - flow.pkts_toclient: 11 - flow.pkts_toserver: 12 - nfs.file_tx: false - nfs.filename: a - nfs.id: 12 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 33 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961895 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 11 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - 
alert.signature_id: 6 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 1702 - flow.bytes_toserver: 2172 - flow.pkts_toclient: 11 - flow.pkts_toserver: 12 - nfs.file_tx: false - nfs.filename: a - nfs.id: 12 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 33 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961895 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 11 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 12 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 1702 - flow.bytes_toserver: 2172 - flow.pkts_toclient: 11 - flow.pkts_toserver: 12 - nfs.file_tx: false - nfs.filename: a - nfs.id: 12 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 33 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961895 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 11 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 15 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 1702 - flow.bytes_toserver: 2172 - flow.pkts_toclient: 11 - flow.pkts_toserver: 12 - nfs.file_tx: false - nfs.filename: a - nfs.id: 12 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 33 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961895 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 11 -- filter: - count: 
1 - match: - dest_ip: 139.25.22.2 - dest_port: 1022 - event_type: nfs - nfs.file_tx: false - nfs.filename: a - nfs.hhash: 131299c5 - nfs.id: 12 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 34 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961895 - src_ip: 139.25.22.102 - src_port: 2049 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 3 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 1984 - flow.bytes_toserver: 2350 - flow.pkts_toclient: 12 - flow.pkts_toserver: 13 - nfs.file_tx: false - nfs.filename: am - nfs.id: 13 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 35 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961896 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 12 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 6 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 1984 - flow.bytes_toserver: 2350 - flow.pkts_toclient: 12 - flow.pkts_toserver: 13 - nfs.file_tx: false - nfs.filename: am - nfs.id: 13 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 35 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961896 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 12 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: 
'' - alert.signature_id: 12 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 1984 - flow.bytes_toserver: 2350 - flow.pkts_toclient: 12 - flow.pkts_toserver: 13 - nfs.file_tx: false - nfs.filename: am - nfs.id: 13 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 35 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961896 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 12 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 15 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 1984 - flow.bytes_toserver: 2350 - flow.pkts_toclient: 12 - flow.pkts_toserver: 13 - nfs.file_tx: false - nfs.filename: am - nfs.id: 13 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 35 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961896 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 12 -- filter: - count: 1 - match: - dest_ip: 139.25.22.2 - dest_port: 1022 - event_type: nfs - nfs.file_tx: false - nfs.filename: am - nfs.id: 13 - nfs.procedure: LOOKUP - nfs.status: ERR_NOENT - nfs.type: response - nfs.version: 3 - pcap_cnt: 36 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961896 - src_ip: 139.25.22.102 - src_port: 2049 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 3 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 2058 - 
flow.bytes_toserver: 2572 - flow.pkts_toclient: 13 - flow.pkts_toserver: 14 - nfs.file_tx: false - nfs.filename: a - nfs.hhash: 38a4e9f6 - nfs.id: 14 - nfs.procedure: RENAME - nfs.rename.from: a - nfs.rename.to: am - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 37 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961897 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 13 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 6 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 2058 - flow.bytes_toserver: 2572 - flow.pkts_toclient: 13 - flow.pkts_toserver: 14 - nfs.file_tx: false - nfs.filename: a - nfs.hhash: 38a4e9f6 - nfs.id: 14 - nfs.procedure: RENAME - nfs.rename.from: a - nfs.rename.to: am - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 37 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961897 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 13 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 11 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 2058 - flow.bytes_toserver: 2572 - flow.pkts_toclient: 13 - flow.pkts_toserver: 14 - nfs.file_tx: false - nfs.filename: a - nfs.hhash: 38a4e9f6 - nfs.id: 14 - nfs.procedure: RENAME - nfs.rename.from: a - nfs.rename.to: am - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 37 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961897 - src_ip: 
139.25.22.2 - src_port: 1022 - tx_id: 13 -- filter: - count: 1 - match: - dest_ip: 139.25.22.2 - dest_port: 1022 - event_type: nfs - nfs.file_tx: false - nfs.filename: a - nfs.hhash: 38a4e9f6 - nfs.id: 14 - nfs.procedure: RENAME - nfs.rename.from: a - nfs.rename.to: am - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 38 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961897 - src_ip: 139.25.22.102 - src_port: 2049 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 3 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 2360 - flow.bytes_toserver: 2750 - flow.pkts_toclient: 14 - flow.pkts_toserver: 15 - nfs.file_tx: false - nfs.filename: b - nfs.id: 15 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 39 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961898 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 14 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 6 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 2360 - flow.bytes_toserver: 2750 - flow.pkts_toclient: 14 - flow.pkts_toserver: 15 - nfs.file_tx: false - nfs.filename: b - nfs.id: 15 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 39 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961898 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 14 -- filter: - count: 1 - match: - alert.action: 
allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 12 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 2360 - flow.bytes_toserver: 2750 - flow.pkts_toclient: 14 - flow.pkts_toserver: 15 - nfs.file_tx: false - nfs.filename: b - nfs.id: 15 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 39 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961898 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 14 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 15 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 2360 - flow.bytes_toserver: 2750 - flow.pkts_toclient: 14 - flow.pkts_toserver: 15 - nfs.file_tx: false - nfs.filename: b - nfs.id: 15 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 39 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961898 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 14 -- filter: - count: 1 - match: - dest_ip: 139.25.22.2 - dest_port: 1022 - event_type: nfs - nfs.file_tx: false - nfs.filename: b - nfs.hhash: a5fcf973 - nfs.id: 15 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 40 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961898 - src_ip: 139.25.22.102 - src_port: 2049 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 3 - 
app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 2642 - flow.bytes_toserver: 2928 - flow.pkts_toclient: 15 - flow.pkts_toserver: 16 - nfs.file_tx: false - nfs.filename: bln - nfs.id: 16 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 41 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 1869440256 - rpc.status: ACCEPTED - rpc.xid: 1578961899 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 15 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 6 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 2642 - flow.bytes_toserver: 2928 - flow.pkts_toclient: 15 - flow.pkts_toserver: 16 - nfs.file_tx: false - nfs.filename: bln - nfs.id: 16 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 41 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 1869440256 - rpc.status: ACCEPTED - rpc.xid: 1578961899 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 15 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 12 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 2642 - flow.bytes_toserver: 2928 - flow.pkts_toclient: 15 - flow.pkts_toserver: 16 - nfs.file_tx: false - nfs.filename: bln - nfs.id: 16 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 41 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 1869440256 - rpc.status: ACCEPTED - rpc.xid: 1578961899 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 15 -- filter: - 
count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 15 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 2642 - flow.bytes_toserver: 2928 - flow.pkts_toclient: 15 - flow.pkts_toserver: 16 - nfs.file_tx: false - nfs.filename: bln - nfs.id: 16 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 41 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 1869440256 - rpc.status: ACCEPTED - rpc.xid: 1578961899 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 15 -- filter: - count: 1 - match: - dest_ip: 139.25.22.2 - dest_port: 1022 - event_type: nfs - nfs.file_tx: false - nfs.filename: bln - nfs.id: 16 - nfs.procedure: LOOKUP - nfs.status: ERR_NOENT - nfs.type: response - nfs.version: 3 - pcap_cnt: 42 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 1869440256 - rpc.status: ACCEPTED - rpc.xid: 1578961899 - src_ip: 139.25.22.102 - src_port: 2049 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 3 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 2716 - flow.bytes_toserver: 3106 - flow.pkts_toclient: 16 - flow.pkts_toserver: 17 - nfs.file_tx: false - nfs.filename: bln - nfs.id: 17 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 43 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961900 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 16 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - 
alert.signature: '' - alert.signature_id: 6 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 2716 - flow.bytes_toserver: 3106 - flow.pkts_toclient: 16 - flow.pkts_toserver: 17 - nfs.file_tx: false - nfs.filename: bln - nfs.id: 17 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 43 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961900 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 16 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 12 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 2716 - flow.bytes_toserver: 3106 - flow.pkts_toclient: 16 - flow.pkts_toserver: 17 - nfs.file_tx: false - nfs.filename: bln - nfs.id: 17 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 43 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961900 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 16 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 15 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 2716 - flow.bytes_toserver: 3106 - flow.pkts_toclient: 16 - flow.pkts_toserver: 17 - nfs.file_tx: false - nfs.filename: bln - nfs.id: 17 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 43 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961900 - src_ip: 139.25.22.2 - src_port: 1022 - 
tx_id: 16 -- filter: - count: 1 - match: - dest_ip: 139.25.22.2 - dest_port: 1022 - event_type: nfs - nfs.file_tx: false - nfs.filename: bln - nfs.id: 17 - nfs.procedure: LOOKUP - nfs.status: ERR_NOENT - nfs.type: response - nfs.version: 3 - pcap_cnt: 44 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961900 - src_ip: 139.25.22.102 - src_port: 2049 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 3 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 2790 - flow.bytes_toserver: 3320 - flow.pkts_toclient: 17 - flow.pkts_toserver: 18 - nfs.file_tx: false - nfs.filename: '' - nfs.id: 18 - nfs.procedure: LINK - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 45 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 1869440256 - rpc.status: ACCEPTED - rpc.xid: 1578961901 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 17 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 6 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 2790 - flow.bytes_toserver: 3320 - flow.pkts_toclient: 17 - flow.pkts_toserver: 18 - nfs.file_tx: false - nfs.filename: '' - nfs.id: 18 - nfs.procedure: LINK - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 45 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 1869440256 - rpc.status: ACCEPTED - rpc.xid: 1578961901 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 17 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - 
alert.severity: 3 - alert.signature: '' - alert.signature_id: 11 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 2790 - flow.bytes_toserver: 3320 - flow.pkts_toclient: 17 - flow.pkts_toserver: 18 - nfs.file_tx: false - nfs.filename: '' - nfs.id: 18 - nfs.procedure: LINK - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 45 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 1869440256 - rpc.status: ACCEPTED - rpc.xid: 1578961901 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 17 -- filter: - count: 1 - match: - dest_ip: 139.25.22.2 - dest_port: 1022 - event_type: nfs - nfs.file_tx: false - nfs.filename: '' - nfs.id: 18 - nfs.procedure: LINK - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 46 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 1869440256 - rpc.status: ACCEPTED - rpc.xid: 1578961901 - src_ip: 139.25.22.102 - src_port: 2049 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 3 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 3064 - flow.bytes_toserver: 3498 - flow.pkts_toclient: 18 - flow.pkts_toserver: 19 - nfs.file_tx: false - nfs.filename: blns - nfs.id: 19 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 47 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961902 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 18 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 6 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - 
event_type: alert - flow.bytes_toclient: 3064 - flow.bytes_toserver: 3498 - flow.pkts_toclient: 18 - flow.pkts_toserver: 19 - nfs.file_tx: false - nfs.filename: blns - nfs.id: 19 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 47 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961902 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 18 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 12 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 3064 - flow.bytes_toserver: 3498 - flow.pkts_toclient: 18 - flow.pkts_toserver: 19 - nfs.file_tx: false - nfs.filename: blns - nfs.id: 19 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 47 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961902 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 18 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 15 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 3064 - flow.bytes_toserver: 3498 - flow.pkts_toclient: 18 - flow.pkts_toserver: 19 - nfs.file_tx: false - nfs.filename: blns - nfs.id: 19 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 47 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961902 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 18 -- filter: - count: 1 - match: - dest_ip: 139.25.22.2 - dest_port: 1022 - event_type: nfs - 
nfs.file_tx: false - nfs.filename: blns - nfs.id: 19 - nfs.procedure: LOOKUP - nfs.status: ERR_NOENT - nfs.type: response - nfs.version: 3 - pcap_cnt: 48 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961902 - src_ip: 139.25.22.102 - src_port: 2049 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 3 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 3138 - flow.bytes_toserver: 3676 - flow.pkts_toclient: 19 - flow.pkts_toserver: 20 - nfs.file_tx: false - nfs.filename: blns - nfs.id: 20 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 49 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961903 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 19 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 6 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 3138 - flow.bytes_toserver: 3676 - flow.pkts_toclient: 19 - flow.pkts_toserver: 20 - nfs.file_tx: false - nfs.filename: blns - nfs.id: 20 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 49 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961903 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 19 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 12 - app_proto: nfs - dest_ip: 139.25.22.102 - 
dest_port: 2049 - event_type: alert - flow.bytes_toclient: 3138 - flow.bytes_toserver: 3676 - flow.pkts_toclient: 19 - flow.pkts_toserver: 20 - nfs.file_tx: false - nfs.filename: blns - nfs.id: 20 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 49 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961903 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 19 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 15 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 3138 - flow.bytes_toserver: 3676 - flow.pkts_toclient: 19 - flow.pkts_toserver: 20 - nfs.file_tx: false - nfs.filename: blns - nfs.id: 20 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 49 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961903 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 19 -- filter: - count: 1 - match: - dest_ip: 139.25.22.2 - dest_port: 1022 - event_type: nfs - nfs.file_tx: false - nfs.filename: blns - nfs.id: 20 - nfs.procedure: LOOKUP - nfs.status: ERR_NOENT - nfs.type: response - nfs.version: 3 - pcap_cnt: 50 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961903 - src_ip: 139.25.22.102 - src_port: 2049 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 3 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 3212 - flow.bytes_toserver: 3898 - flow.pkts_toclient: 20 - 
flow.pkts_toserver: 21 - nfs.file_tx: false - nfs.filename: '' - nfs.id: 21 - nfs.procedure: SYMLINK - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 51 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961904 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 20 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 6 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 3212 - flow.bytes_toserver: 3898 - flow.pkts_toclient: 20 - flow.pkts_toserver: 21 - nfs.file_tx: false - nfs.filename: '' - nfs.id: 21 - nfs.procedure: SYMLINK - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 51 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961904 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 20 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 11 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 3212 - flow.bytes_toserver: 3898 - flow.pkts_toclient: 20 - flow.pkts_toserver: 21 - nfs.file_tx: false - nfs.filename: '' - nfs.id: 21 - nfs.procedure: SYMLINK - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 51 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961904 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 20 -- filter: - count: 1 - match: - dest_ip: 139.25.22.2 - dest_port: 1022 - event_type: nfs - nfs.file_tx: false - nfs.filename: '' - nfs.id: 21 - nfs.procedure: SYMLINK - nfs.status: OK - nfs.type: 
response - nfs.version: 3 - pcap_cnt: 52 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961904 - src_ip: 139.25.22.102 - src_port: 2049 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 3 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 3502 - flow.bytes_toserver: 4076 - flow.pkts_toclient: 21 - flow.pkts_toserver: 22 - nfs.file_tx: false - nfs.filename: . - nfs.id: 22 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 53 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961905 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 21 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 6 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 3502 - flow.bytes_toserver: 4076 - flow.pkts_toclient: 21 - flow.pkts_toserver: 22 - nfs.file_tx: false - nfs.filename: . 
- nfs.id: 22 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 53 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961905 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 21 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 12 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 3502 - flow.bytes_toserver: 4076 - flow.pkts_toclient: 21 - flow.pkts_toserver: 22 - nfs.file_tx: false - nfs.filename: . - nfs.id: 22 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 53 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961905 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 21 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 15 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 3502 - flow.bytes_toserver: 4076 - flow.pkts_toclient: 21 - flow.pkts_toserver: 22 - nfs.file_tx: false - nfs.filename: . - nfs.id: 22 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 53 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961905 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 21 -- filter: - count: 1 - match: - dest_ip: 139.25.22.2 - dest_port: 1022 - event_type: nfs - nfs.file_tx: false - nfs.filename: . 
- nfs.hhash: 38a4e9f6 - nfs.id: 22 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 54 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961905 - src_ip: 139.25.22.102 - src_port: 2049 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 3 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 3784 - flow.bytes_toserver: 4250 - flow.pkts_toclient: 22 - flow.pkts_toserver: 23 - nfs.file_tx: false - nfs.filename: . - nfs.hhash: 38a4e9f6 - nfs.id: 23 - nfs.procedure: ACCESS - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 55 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961906 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 22 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 6 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 3784 - flow.bytes_toserver: 4250 - flow.pkts_toclient: 22 - flow.pkts_toserver: 23 - nfs.file_tx: false - nfs.filename: . 
- nfs.hhash: 38a4e9f6 - nfs.id: 23 - nfs.procedure: ACCESS - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 55 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961906 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 22 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 11 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 3784 - flow.bytes_toserver: 4250 - flow.pkts_toclient: 22 - flow.pkts_toserver: 23 - nfs.file_tx: false - nfs.filename: . - nfs.hhash: 38a4e9f6 - nfs.id: 23 - nfs.procedure: ACCESS - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 55 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961906 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 22 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 15 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 3784 - flow.bytes_toserver: 4250 - flow.pkts_toclient: 22 - flow.pkts_toserver: 23 - nfs.file_tx: false - nfs.filename: . - nfs.hhash: 38a4e9f6 - nfs.id: 23 - nfs.procedure: ACCESS - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 55 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961906 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 22 -- filter: - count: 1 - match: - dest_ip: 139.25.22.2 - dest_port: 1022 - event_type: nfs - nfs.file_tx: false - nfs.filename: . 
- nfs.hhash: 38a4e9f6 - nfs.id: 23 - nfs.procedure: ACCESS - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 56 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961906 - src_ip: 139.25.22.102 - src_port: 2049 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 3 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 3946 - flow.bytes_toserver: 4420 - flow.pkts_toclient: 23 - flow.pkts_toserver: 24 - nfs.file_tx: false - nfs.filename: . - nfs.hhash: 38a4e9f6 - nfs.id: 24 - nfs.procedure: GETATTR - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 57 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961907 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 23 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 6 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 3946 - flow.bytes_toserver: 4420 - flow.pkts_toclient: 23 - flow.pkts_toserver: 24 - nfs.file_tx: false - nfs.filename: . 
- nfs.hhash: 38a4e9f6 - nfs.id: 24 - nfs.procedure: GETATTR - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 57 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961907 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 23 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 10 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 3946 - flow.bytes_toserver: 4420 - flow.pkts_toclient: 23 - flow.pkts_toserver: 24 - nfs.file_tx: false - nfs.filename: . - nfs.hhash: 38a4e9f6 - nfs.id: 24 - nfs.procedure: GETATTR - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 57 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961907 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 23 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 3 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 4100 - flow.bytes_toserver: 4610 - flow.pkts_toclient: 24 - flow.pkts_toserver: 25 - nfs.file_tx: false - nfs.filename: '' - nfs.id: 25 - nfs.procedure: READDIR - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 59 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961908 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 24 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 6 - app_proto: nfs - dest_ip: 139.25.22.102 - 
dest_port: 2049 - event_type: alert - flow.bytes_toclient: 4100 - flow.bytes_toserver: 4610 - flow.pkts_toclient: 24 - flow.pkts_toserver: 25 - nfs.file_tx: false - nfs.filename: '' - nfs.id: 25 - nfs.procedure: READDIR - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 59 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961908 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 24 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 11 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 4100 - flow.bytes_toserver: 4610 - flow.pkts_toclient: 24 - flow.pkts_toserver: 25 - nfs.file_tx: false - nfs.filename: '' - nfs.id: 25 - nfs.procedure: READDIR - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 59 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961908 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 24 -- filter: - count: 1 - match: - dest_ip: 139.25.22.2 - dest_port: 1022 - event_type: nfs - nfs.file_tx: false - nfs.filename: '' - nfs.id: 25 - nfs.procedure: READDIR - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 60 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961908 - src_ip: 139.25.22.102 - src_port: 2049 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 3 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 4442 - flow.bytes_toserver: 4788 - flow.pkts_toclient: 25 - flow.pkts_toserver: 26 - 
nfs.file_tx: false - nfs.filename: am - nfs.id: 26 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 61 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961909 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 25 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 6 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 4442 - flow.bytes_toserver: 4788 - flow.pkts_toclient: 25 - flow.pkts_toserver: 26 - nfs.file_tx: false - nfs.filename: am - nfs.id: 26 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 61 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961909 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 25 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 12 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 4442 - flow.bytes_toserver: 4788 - flow.pkts_toclient: 25 - flow.pkts_toserver: 26 - nfs.file_tx: false - nfs.filename: am - nfs.id: 26 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 61 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961909 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 25 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 15 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 
2049 - event_type: alert - flow.bytes_toclient: 4442 - flow.bytes_toserver: 4788 - flow.pkts_toclient: 25 - flow.pkts_toserver: 26 - nfs.file_tx: false - nfs.filename: am - nfs.id: 26 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 61 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961909 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 25 -- filter: - count: 1 - match: - dest_ip: 139.25.22.2 - dest_port: 1022 - event_type: nfs - nfs.file_tx: false - nfs.filename: am - nfs.hhash: 131299c5 - nfs.id: 26 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 62 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961909 - src_ip: 139.25.22.102 - src_port: 2049 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 3 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 4724 - flow.bytes_toserver: 4966 - flow.pkts_toclient: 26 - flow.pkts_toserver: 27 - nfs.file_tx: false - nfs.filename: bln - nfs.id: 27 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 63 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961910 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 26 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 6 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 4724 - flow.bytes_toserver: 4966 - flow.pkts_toclient: 26 - 
flow.pkts_toserver: 27 - nfs.file_tx: false - nfs.filename: bln - nfs.id: 27 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 63 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961910 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 26 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 12 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 4724 - flow.bytes_toserver: 4966 - flow.pkts_toclient: 26 - flow.pkts_toserver: 27 - nfs.file_tx: false - nfs.filename: bln - nfs.id: 27 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 63 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961910 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 26 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 15 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 4724 - flow.bytes_toserver: 4966 - flow.pkts_toclient: 26 - flow.pkts_toserver: 27 - nfs.file_tx: false - nfs.filename: bln - nfs.id: 27 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 63 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961910 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 26 -- filter: - count: 1 - match: - dest_ip: 139.25.22.2 - dest_port: 1022 - event_type: nfs - nfs.file_tx: false - nfs.filename: bln - nfs.hhash: a5fcf973 - nfs.id: 27 - nfs.procedure: LOOKUP - 
nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 64 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961910 - src_ip: 139.25.22.102 - src_port: 2049 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 3 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 5006 - flow.bytes_toserver: 5136 - flow.pkts_toclient: 27 - flow.pkts_toserver: 28 - nfs.file_tx: false - nfs.filename: '' - nfs.id: 28 - nfs.procedure: READLINK - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 65 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961911 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 27 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 6 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 5006 - flow.bytes_toserver: 5136 - flow.pkts_toclient: 27 - flow.pkts_toserver: 28 - nfs.file_tx: false - nfs.filename: '' - nfs.id: 28 - nfs.procedure: READLINK - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 65 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961911 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 27 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 11 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 5006 - flow.bytes_toserver: 5136 - 
flow.pkts_toclient: 27 - flow.pkts_toserver: 28 - nfs.file_tx: false - nfs.filename: '' - nfs.id: 28 - nfs.procedure: READLINK - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 65 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961911 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 27 -- filter: - count: 1 - match: - dest_ip: 139.25.22.2 - dest_port: 1022 - event_type: nfs - nfs.file_tx: false - nfs.filename: '' - nfs.id: 28 - nfs.procedure: READLINK - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 66 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961911 - src_ip: 139.25.22.102 - src_port: 2049 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 3 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 5172 - flow.bytes_toserver: 5314 - flow.pkts_toclient: 28 - flow.pkts_toserver: 29 - nfs.file_tx: false - nfs.filename: d - nfs.id: 29 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 67 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961912 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 28 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 6 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 5172 - flow.bytes_toserver: 5314 - flow.pkts_toclient: 28 - flow.pkts_toserver: 29 - nfs.file_tx: false - nfs.filename: d - nfs.id: 29 - nfs.procedure: LOOKUP - nfs.status: OK - 
nfs.type: response - nfs.version: 3 - pcap_cnt: 67 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961912 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 28 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 12 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 5172 - flow.bytes_toserver: 5314 - flow.pkts_toclient: 28 - flow.pkts_toserver: 29 - nfs.file_tx: false - nfs.filename: d - nfs.id: 29 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 67 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961912 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 28 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 15 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 5172 - flow.bytes_toserver: 5314 - flow.pkts_toclient: 28 - flow.pkts_toserver: 29 - nfs.file_tx: false - nfs.filename: d - nfs.id: 29 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 67 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961912 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 28 -- filter: - count: 1 - match: - dest_ip: 139.25.22.2 - dest_port: 1022 - event_type: nfs - nfs.file_tx: false - nfs.filename: d - nfs.id: 29 - nfs.procedure: LOOKUP - nfs.status: ERR_NOENT - nfs.type: response - nfs.version: 3 - pcap_cnt: 68 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: 
werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961912 - src_ip: 139.25.22.102 - src_port: 2049 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 3 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 5246 - flow.bytes_toserver: 5528 - flow.pkts_toclient: 29 - flow.pkts_toserver: 30 - nfs.file_tx: false - nfs.filename: d - nfs.hhash: 38a4e9f6 - nfs.id: 30 - nfs.procedure: MKDIR - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 69 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961913 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 29 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 6 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 5246 - flow.bytes_toserver: 5528 - flow.pkts_toclient: 29 - flow.pkts_toserver: 30 - nfs.file_tx: false - nfs.filename: d - nfs.hhash: 38a4e9f6 - nfs.id: 30 - nfs.procedure: MKDIR - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 69 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961913 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 29 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 11 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 5246 - flow.bytes_toserver: 5528 - flow.pkts_toclient: 29 - flow.pkts_toserver: 30 - nfs.file_tx: false - nfs.filename: d - nfs.hhash: 38a4e9f6 - 
nfs.id: 30 - nfs.procedure: MKDIR - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 69 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961913 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 29 -- filter: - count: 1 - match: - dest_ip: 139.25.22.2 - dest_port: 1022 - event_type: nfs - nfs.file_tx: false - nfs.filename: d - nfs.hhash: 38a4e9f6 - nfs.id: 30 - nfs.procedure: MKDIR - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 70 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961913 - src_ip: 139.25.22.102 - src_port: 2049 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 3 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 5560 - flow.bytes_toserver: 5706 - flow.pkts_toclient: 30 - flow.pkts_toserver: 31 - nfs.file_tx: false - nfs.filename: h - nfs.id: 31 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 71 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961914 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 30 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 6 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 5560 - flow.bytes_toserver: 5706 - flow.pkts_toclient: 30 - flow.pkts_toserver: 31 - nfs.file_tx: false - nfs.filename: h - nfs.id: 31 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 71 - proto: UDP - 
rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961914 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 30 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 12 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 5560 - flow.bytes_toserver: 5706 - flow.pkts_toclient: 30 - flow.pkts_toserver: 31 - nfs.file_tx: false - nfs.filename: h - nfs.id: 31 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 71 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961914 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 30 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 15 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 5560 - flow.bytes_toserver: 5706 - flow.pkts_toclient: 30 - flow.pkts_toserver: 31 - nfs.file_tx: false - nfs.filename: h - nfs.id: 31 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 71 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961914 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 30 -- filter: - count: 1 - match: - dest_ip: 139.25.22.2 - dest_port: 1022 - event_type: nfs - nfs.file_tx: false - nfs.filename: h - nfs.id: 31 - nfs.procedure: LOOKUP - nfs.status: ERR_NOENT - nfs.type: response - nfs.version: 3 - pcap_cnt: 72 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 
1578961914 - src_ip: 139.25.22.102 - src_port: 2049 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 3 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 5634 - flow.bytes_toserver: 5932 - flow.pkts_toclient: 31 - flow.pkts_toserver: 32 - nfs.file_tx: false - nfs.filename: h - nfs.hhash: e87927b5 - nfs.id: 32 - nfs.procedure: CREATE - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 73 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961915 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 31 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 6 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 5634 - flow.bytes_toserver: 5932 - flow.pkts_toclient: 31 - flow.pkts_toserver: 32 - nfs.file_tx: false - nfs.filename: h - nfs.hhash: e87927b5 - nfs.id: 32 - nfs.procedure: CREATE - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 73 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961915 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 31 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 11 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 5634 - flow.bytes_toserver: 5932 - flow.pkts_toclient: 31 - flow.pkts_toserver: 32 - nfs.file_tx: false - nfs.filename: h - nfs.hhash: e87927b5 - nfs.id: 32 - nfs.procedure: CREATE - nfs.status: OK - nfs.type: 
response - nfs.version: 3 - pcap_cnt: 73 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961915 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 31 -- filter: - count: 1 - match: - dest_ip: 139.25.22.2 - dest_port: 1022 - event_type: nfs - nfs.file_tx: false - nfs.filename: h - nfs.hhash: e87927b5 - nfs.id: 32 - nfs.procedure: CREATE - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 74 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961915 - src_ip: 139.25.22.102 - src_port: 2049 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 3 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 5948 - flow.bytes_toserver: 6102 - flow.pkts_toclient: 32 - flow.pkts_toserver: 33 - nfs.file_tx: false - nfs.filename: h - nfs.hhash: 3baec21a - nfs.id: 33 - nfs.procedure: GETATTR - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 75 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961916 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 32 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 6 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 5948 - flow.bytes_toserver: 6102 - flow.pkts_toclient: 32 - flow.pkts_toserver: 33 - nfs.file_tx: false - nfs.filename: h - nfs.hhash: 3baec21a - nfs.id: 33 - nfs.procedure: GETATTR - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 75 - proto: UDP - rpc.auth_type: UNIX - 
rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961916 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 32 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 10 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 5948 - flow.bytes_toserver: 6102 - flow.pkts_toclient: 32 - flow.pkts_toserver: 33 - nfs.file_tx: false - nfs.filename: h - nfs.hhash: 3baec21a - nfs.id: 33 - nfs.procedure: GETATTR - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 75 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961916 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 32 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 3 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 6102 - flow.bytes_toserver: 6300 - flow.pkts_toclient: 33 - flow.pkts_toserver: 34 - nfs.file_tx: true - nfs.filename: h - nfs.hhash: 3baec21a - nfs.id: 34 - nfs.procedure: WRITE - nfs.status: OK - nfs.type: response - nfs.version: 3 - nfs.write.chunks: 0 - nfs.write.first: true - nfs.write.last: false - nfs.write.last_xid: 0 - pcap_cnt: 77 - proto: UDP - rpc.auth_type: 'NULL' - rpc.status: ACCEPTED - rpc.xid: 1578961917 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 33 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 6 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 6102 - flow.bytes_toserver: 6300 - flow.pkts_toclient: 33 - 
flow.pkts_toserver: 34 - nfs.file_tx: true - nfs.filename: h - nfs.hhash: 3baec21a - nfs.id: 34 - nfs.procedure: WRITE - nfs.status: OK - nfs.type: response - nfs.version: 3 - nfs.write.chunks: 0 - nfs.write.first: true - nfs.write.last: false - nfs.write.last_xid: 0 - pcap_cnt: 77 - proto: UDP - rpc.auth_type: 'NULL' - rpc.status: ACCEPTED - rpc.xid: 1578961917 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 33 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 11 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 6102 - flow.bytes_toserver: 6300 - flow.pkts_toclient: 33 - flow.pkts_toserver: 34 - nfs.file_tx: true - nfs.filename: h - nfs.hhash: 3baec21a - nfs.id: 34 - nfs.procedure: WRITE - nfs.status: OK - nfs.type: response - nfs.version: 3 - nfs.write.chunks: 0 - nfs.write.first: true - nfs.write.last: false - nfs.write.last_xid: 0 - pcap_cnt: 77 - proto: UDP - rpc.auth_type: 'NULL' - rpc.status: ACCEPTED - rpc.xid: 1578961917 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 33 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 3 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 6304 - flow.bytes_toserver: 6474 - flow.pkts_toclient: 34 - flow.pkts_toserver: 35 - nfs.file_tx: false - nfs.filename: h - nfs.hhash: 3baec21a - nfs.id: 35 - nfs.procedure: ACCESS - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 79 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961918 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 34 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - 
alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 6 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 6304 - flow.bytes_toserver: 6474 - flow.pkts_toclient: 34 - flow.pkts_toserver: 35 - nfs.file_tx: false - nfs.filename: h - nfs.hhash: 3baec21a - nfs.id: 35 - nfs.procedure: ACCESS - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 79 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961918 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 34 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 11 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 6304 - flow.bytes_toserver: 6474 - flow.pkts_toclient: 34 - flow.pkts_toserver: 35 - nfs.file_tx: false - nfs.filename: h - nfs.hhash: 3baec21a - nfs.id: 35 - nfs.procedure: ACCESS - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 79 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961918 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 34 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 15 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 6304 - flow.bytes_toserver: 6474 - flow.pkts_toclient: 34 - flow.pkts_toserver: 35 - nfs.file_tx: false - nfs.filename: h - nfs.hhash: 3baec21a - nfs.id: 35 - nfs.procedure: ACCESS - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 79 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - 
rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961918 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 34 -- filter: - count: 1 - match: - dest_ip: 139.25.22.2 - dest_port: 1022 - event_type: nfs - nfs.file_tx: false - nfs.filename: h - nfs.hhash: 3baec21a - nfs.id: 35 - nfs.procedure: ACCESS - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 80 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961918 - src_ip: 139.25.22.102 - src_port: 2049 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 3 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 6466 - flow.bytes_toserver: 6644 - flow.pkts_toclient: 35 - flow.pkts_toserver: 36 - nfs.file_tx: false - nfs.filename: h - nfs.hhash: 3baec21a - nfs.id: 36 - nfs.procedure: GETATTR - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 81 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961919 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 35 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 6 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 6466 - flow.bytes_toserver: 6644 - flow.pkts_toclient: 35 - flow.pkts_toserver: 36 - nfs.file_tx: false - nfs.filename: h - nfs.hhash: 3baec21a - nfs.id: 36 - nfs.procedure: GETATTR - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 81 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961919 - src_ip: 
139.25.22.2 - src_port: 1022 - tx_id: 35 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 10 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 6466 - flow.bytes_toserver: 6644 - flow.pkts_toclient: 35 - flow.pkts_toserver: 36 - nfs.file_tx: false - nfs.filename: h - nfs.hhash: 3baec21a - nfs.id: 36 - nfs.procedure: GETATTR - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 81 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961919 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 35 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 3 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 6620 - flow.bytes_toserver: 6818 - flow.pkts_toclient: 36 - flow.pkts_toserver: 37 - nfs.file_tx: false - nfs.filename: bln - nfs.hhash: a5fcf973 - nfs.id: 37 - nfs.procedure: ACCESS - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 83 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961920 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 36 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 6 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 6620 - flow.bytes_toserver: 6818 - flow.pkts_toclient: 36 - flow.pkts_toserver: 37 - nfs.file_tx: false - nfs.filename: bln - nfs.hhash: a5fcf973 - nfs.id: 37 - nfs.procedure: ACCESS - nfs.status: OK - nfs.type: 
response - nfs.version: 3 - pcap_cnt: 83 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961920 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 36 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 11 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 6620 - flow.bytes_toserver: 6818 - flow.pkts_toclient: 36 - flow.pkts_toserver: 37 - nfs.file_tx: false - nfs.filename: bln - nfs.hhash: a5fcf973 - nfs.id: 37 - nfs.procedure: ACCESS - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 83 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961920 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 36 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 15 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 6620 - flow.bytes_toserver: 6818 - flow.pkts_toclient: 36 - flow.pkts_toserver: 37 - nfs.file_tx: false - nfs.filename: bln - nfs.hhash: a5fcf973 - nfs.id: 37 - nfs.procedure: ACCESS - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 83 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961920 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 36 -- filter: - count: 1 - match: - dest_ip: 139.25.22.2 - dest_port: 1022 - event_type: nfs - nfs.file_tx: false - nfs.filename: bln - nfs.hhash: a5fcf973 - nfs.id: 37 - nfs.procedure: ACCESS - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 84 - proto: UDP - 
rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961920 - src_ip: 139.25.22.102 - src_port: 2049 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 3 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 6782 - flow.bytes_toserver: 6988 - flow.pkts_toclient: 37 - flow.pkts_toserver: 38 - nfs.file_tx: false - nfs.filename: bln - nfs.hhash: a5fcf973 - nfs.id: 38 - nfs.procedure: GETATTR - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 85 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961921 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 37 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 6 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 6782 - flow.bytes_toserver: 6988 - flow.pkts_toclient: 37 - flow.pkts_toserver: 38 - nfs.file_tx: false - nfs.filename: bln - nfs.hhash: a5fcf973 - nfs.id: 38 - nfs.procedure: GETATTR - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 85 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961921 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 37 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 10 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 6782 - flow.bytes_toserver: 6988 - flow.pkts_toclient: 37 - 
flow.pkts_toserver: 38 - nfs.file_tx: false - nfs.filename: bln - nfs.hhash: a5fcf973 - nfs.id: 38 - nfs.procedure: GETATTR - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 85 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961921 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 37 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 3 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 6936 - flow.bytes_toserver: 7170 - flow.pkts_toclient: 38 - flow.pkts_toserver: 39 - nfs.file_tx: true - nfs.filename: bln - nfs.hhash: a5fcf973 - nfs.id: 39 - nfs.procedure: READ - nfs.read.chunks: 0 - nfs.read.first: true - nfs.read.last: false - nfs.read.last_xid: 0 - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 87 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961922 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 38 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 6 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 6936 - flow.bytes_toserver: 7170 - flow.pkts_toclient: 38 - flow.pkts_toserver: 39 - nfs.file_tx: true - nfs.filename: bln - nfs.hhash: a5fcf973 - nfs.id: 39 - nfs.procedure: READ - nfs.read.chunks: 0 - nfs.read.first: true - nfs.read.last: false - nfs.read.last_xid: 0 - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 87 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961922 - src_ip: 
139.25.22.2 - src_port: 1022 - tx_id: 38 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 11 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 6936 - flow.bytes_toserver: 7170 - flow.pkts_toclient: 38 - flow.pkts_toserver: 39 - nfs.file_tx: true - nfs.filename: bln - nfs.hhash: a5fcf973 - nfs.id: 39 - nfs.procedure: READ - nfs.read.chunks: 0 - nfs.read.first: true - nfs.read.last: false - nfs.read.last_xid: 0 - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 87 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961922 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 38 -- filter: - count: 1 - match: - dest_ip: 139.25.22.2 - dest_port: 1022 - event_type: nfs - nfs.file_tx: true - nfs.filename: bln - nfs.hhash: a5fcf973 - nfs.id: 39 - nfs.procedure: READ - nfs.read.chunks: 1 - nfs.read.first: true - nfs.read.last: true - nfs.read.last_xid: 1578961922 - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 88 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961922 - src_ip: 139.25.22.102 - src_port: 2049 -- filter: - count: 1 - match: - app_proto: nfs - dest_ip: 139.25.22.2 - dest_port: 1022 - event_type: fileinfo - fileinfo.filename: bln - fileinfo.gaps: false - fileinfo.size: 11 - fileinfo.state: CLOSED - fileinfo.stored: false - fileinfo.tx_id: 38 - nfs.file_tx: true - nfs.filename: bln - nfs.hhash: a5fcf973 - nfs.id: 39 - nfs.procedure: READ - nfs.read.chunks: 1 - nfs.read.first: true - nfs.read.last: true - nfs.read.last_xid: 1578961922 - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 88 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - 
rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961922 - src_ip: 139.25.22.102 - src_port: 2049 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 3 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 7320 - flow.bytes_toserver: 7554 - flow.pkts_toclient: 40 - flow.pkts_toserver: 41 - nfs.file_tx: false - nfs.filename: '' - nfs.hhash: e87927b5 - nfs.id: 40 - nfs.procedure: ACCESS - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 91 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961924 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 39 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 6 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 7320 - flow.bytes_toserver: 7554 - flow.pkts_toclient: 40 - flow.pkts_toserver: 41 - nfs.file_tx: false - nfs.filename: '' - nfs.hhash: e87927b5 - nfs.id: 40 - nfs.procedure: ACCESS - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 91 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961924 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 39 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 11 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 7320 - flow.bytes_toserver: 7554 - flow.pkts_toclient: 40 - flow.pkts_toserver: 41 - nfs.file_tx: false - nfs.filename: 
'' - nfs.hhash: e87927b5 - nfs.id: 40 - nfs.procedure: ACCESS - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 91 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961924 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 39 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 15 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 7320 - flow.bytes_toserver: 7554 - flow.pkts_toclient: 40 - flow.pkts_toserver: 41 - nfs.file_tx: false - nfs.filename: '' - nfs.hhash: e87927b5 - nfs.id: 40 - nfs.procedure: ACCESS - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 91 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961924 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 39 -- filter: - count: 1 - match: - dest_ip: 139.25.22.2 - dest_port: 1022 - event_type: nfs - nfs.file_tx: false - nfs.filename: '' - nfs.hhash: e87927b5 - nfs.id: 40 - nfs.procedure: ACCESS - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 92 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961924 - src_ip: 139.25.22.102 - src_port: 2049 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 3 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 7482 - flow.bytes_toserver: 7724 - flow.pkts_toclient: 41 - flow.pkts_toserver: 42 - nfs.file_tx: false - nfs.filename: '' - nfs.hhash: e87927b5 - nfs.id: 41 - nfs.procedure: GETATTR - nfs.status: OK 
- nfs.type: response - nfs.version: 3 - pcap_cnt: 93 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961925 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 40 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 6 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 7482 - flow.bytes_toserver: 7724 - flow.pkts_toclient: 41 - flow.pkts_toserver: 42 - nfs.file_tx: false - nfs.filename: '' - nfs.hhash: e87927b5 - nfs.id: 41 - nfs.procedure: GETATTR - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 93 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961925 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 40 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 10 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 7482 - flow.bytes_toserver: 7724 - flow.pkts_toclient: 41 - flow.pkts_toserver: 42 - nfs.file_tx: false - nfs.filename: '' - nfs.hhash: e87927b5 - nfs.id: 41 - nfs.procedure: GETATTR - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 93 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961925 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 40 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 3 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 
7636 - flow.bytes_toserver: 7914 - flow.pkts_toclient: 42 - flow.pkts_toserver: 43 - nfs.file_tx: false - nfs.filename: '' - nfs.id: 42 - nfs.procedure: READDIR - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 95 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961926 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 41 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 6 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 7636 - flow.bytes_toserver: 7914 - flow.pkts_toclient: 42 - flow.pkts_toserver: 43 - nfs.file_tx: false - nfs.filename: '' - nfs.id: 42 - nfs.procedure: READDIR - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 95 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961926 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 41 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 11 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 7636 - flow.bytes_toserver: 7914 - flow.pkts_toclient: 42 - flow.pkts_toserver: 43 - nfs.file_tx: false - nfs.filename: '' - nfs.id: 42 - nfs.procedure: READDIR - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 95 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961926 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 41 -- filter: - count: 1 - match: - dest_ip: 139.25.22.2 - dest_port: 1022 - event_type: nfs - nfs.file_tx: false - nfs.filename: '' - nfs.id: 
42 - nfs.procedure: READDIR - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 96 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961926 - src_ip: 139.25.22.102 - src_port: 2049 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 3 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 7894 - flow.bytes_toserver: 8092 - flow.pkts_toclient: 43 - flow.pkts_toserver: 44 - nfs.file_tx: false - nfs.filename: h - nfs.hhash: e87927b5 - nfs.id: 43 - nfs.procedure: REMOVE - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 97 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961927 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 42 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 6 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 7894 - flow.bytes_toserver: 8092 - flow.pkts_toclient: 43 - flow.pkts_toserver: 44 - nfs.file_tx: false - nfs.filename: h - nfs.hhash: e87927b5 - nfs.id: 43 - nfs.procedure: REMOVE - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 97 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961927 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 42 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 11 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - 
event_type: alert - flow.bytes_toclient: 7894 - flow.bytes_toserver: 8092 - flow.pkts_toclient: 43 - flow.pkts_toserver: 44 - nfs.file_tx: false - nfs.filename: h - nfs.hhash: e87927b5 - nfs.id: 43 - nfs.procedure: REMOVE - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 97 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961927 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 42 -- filter: - count: 1 - match: - dest_ip: 139.25.22.2 - dest_port: 1022 - event_type: nfs - nfs.file_tx: false - nfs.filename: h - nfs.hhash: e87927b5 - nfs.id: 43 - nfs.procedure: REMOVE - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 98 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961927 - src_ip: 139.25.22.102 - src_port: 2049 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 3 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 8080 - flow.bytes_toserver: 8270 - flow.pkts_toclient: 44 - flow.pkts_toserver: 45 - nfs.file_tx: false - nfs.filename: d - nfs.hhash: 38a4e9f6 - nfs.id: 44 - nfs.procedure: RMDIR - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 99 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961928 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 43 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 6 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 8080 - flow.bytes_toserver: 8270 - 
flow.pkts_toclient: 44 - flow.pkts_toserver: 45 - nfs.file_tx: false - nfs.filename: d - nfs.hhash: 38a4e9f6 - nfs.id: 44 - nfs.procedure: RMDIR - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 99 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961928 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 43 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 11 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 8080 - flow.bytes_toserver: 8270 - flow.pkts_toclient: 44 - flow.pkts_toserver: 45 - nfs.file_tx: false - nfs.filename: d - nfs.hhash: 38a4e9f6 - nfs.id: 44 - nfs.procedure: RMDIR - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 99 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961928 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 43 -- filter: - count: 1 - match: - dest_ip: 139.25.22.2 - dest_port: 1022 - event_type: nfs - nfs.file_tx: false - nfs.filename: d - nfs.hhash: 38a4e9f6 - nfs.id: 44 - nfs.procedure: RMDIR - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 100 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961928 - src_ip: 139.25.22.102 - src_port: 2049 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 3 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 8266 - flow.bytes_toserver: 8448 - flow.pkts_toclient: 45 - flow.pkts_toserver: 46 - nfs.file_tx: false - nfs.filename: 
am - nfs.id: 45 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 101 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961929 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 44 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 6 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 8266 - flow.bytes_toserver: 8448 - flow.pkts_toclient: 45 - flow.pkts_toserver: 46 - nfs.file_tx: false - nfs.filename: am - nfs.id: 45 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 101 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961929 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 44 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 12 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 8266 - flow.bytes_toserver: 8448 - flow.pkts_toclient: 45 - flow.pkts_toserver: 46 - nfs.file_tx: false - nfs.filename: am - nfs.id: 45 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 101 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961929 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 44 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 15 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - 
flow.bytes_toclient: 8266 - flow.bytes_toserver: 8448 - flow.pkts_toclient: 45 - flow.pkts_toserver: 46 - nfs.file_tx: false - nfs.filename: am - nfs.id: 45 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 101 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961929 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 44 -- filter: - count: 1 - match: - dest_ip: 139.25.22.2 - dest_port: 1022 - event_type: nfs - nfs.file_tx: false - nfs.filename: am - nfs.hhash: 131299c5 - nfs.id: 45 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 102 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961929 - src_ip: 139.25.22.102 - src_port: 2049 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 3 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 8548 - flow.bytes_toserver: 8626 - flow.pkts_toclient: 46 - flow.pkts_toserver: 47 - nfs.file_tx: false - nfs.filename: am - nfs.id: 46 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 103 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961930 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 45 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 6 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 8548 - flow.bytes_toserver: 8626 - flow.pkts_toclient: 46 - flow.pkts_toserver: 47 - nfs.file_tx: 
false - nfs.filename: am - nfs.id: 46 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 103 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961930 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 45 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 12 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 8548 - flow.bytes_toserver: 8626 - flow.pkts_toclient: 46 - flow.pkts_toserver: 47 - nfs.file_tx: false - nfs.filename: am - nfs.id: 46 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 103 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961930 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 45 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 15 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 8548 - flow.bytes_toserver: 8626 - flow.pkts_toclient: 46 - flow.pkts_toserver: 47 - nfs.file_tx: false - nfs.filename: am - nfs.id: 46 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 103 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961930 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 45 -- filter: - count: 1 - match: - dest_ip: 139.25.22.2 - dest_port: 1022 - event_type: nfs - nfs.file_tx: false - nfs.filename: am - nfs.hhash: 131299c5 - nfs.id: 46 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - 
nfs.version: 3 - pcap_cnt: 104 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961930 - src_ip: 139.25.22.102 - src_port: 2049 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 3 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 8830 - flow.bytes_toserver: 8804 - flow.pkts_toclient: 47 - flow.pkts_toserver: 48 - nfs.file_tx: false - nfs.filename: am - nfs.hhash: 38a4e9f6 - nfs.id: 47 - nfs.procedure: REMOVE - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 105 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961931 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 46 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 6 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 8830 - flow.bytes_toserver: 8804 - flow.pkts_toclient: 47 - flow.pkts_toserver: 48 - nfs.file_tx: false - nfs.filename: am - nfs.hhash: 38a4e9f6 - nfs.id: 47 - nfs.procedure: REMOVE - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 105 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961931 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 46 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 11 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 8830 - flow.bytes_toserver: 
8804 - flow.pkts_toclient: 47 - flow.pkts_toserver: 48 - nfs.file_tx: false - nfs.filename: am - nfs.hhash: 38a4e9f6 - nfs.id: 47 - nfs.procedure: REMOVE - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 105 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961931 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 46 -- filter: - count: 1 - match: - dest_ip: 139.25.22.2 - dest_port: 1022 - event_type: nfs - nfs.file_tx: false - nfs.filename: am - nfs.hhash: 38a4e9f6 - nfs.id: 47 - nfs.procedure: REMOVE - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 106 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961931 - src_ip: 139.25.22.102 - src_port: 2049 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 3 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 9016 - flow.bytes_toserver: 8982 - flow.pkts_toclient: 48 - flow.pkts_toserver: 49 - nfs.file_tx: false - nfs.filename: bln - nfs.id: 48 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 107 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961932 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 47 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 6 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 9016 - flow.bytes_toserver: 8982 - flow.pkts_toclient: 48 - flow.pkts_toserver: 49 - nfs.file_tx: false - nfs.filename: bln - 
nfs.id: 48 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 107 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961932 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 47 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 12 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 9016 - flow.bytes_toserver: 8982 - flow.pkts_toclient: 48 - flow.pkts_toserver: 49 - nfs.file_tx: false - nfs.filename: bln - nfs.id: 48 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 107 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961932 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 47 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 15 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 9016 - flow.bytes_toserver: 8982 - flow.pkts_toclient: 48 - flow.pkts_toserver: 49 - nfs.file_tx: false - nfs.filename: bln - nfs.id: 48 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 107 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961932 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 47 -- filter: - count: 1 - match: - dest_ip: 139.25.22.2 - dest_port: 1022 - event_type: nfs - nfs.file_tx: false - nfs.filename: bln - nfs.hhash: a5fcf973 - nfs.id: 48 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 108 - 
proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961932 - src_ip: 139.25.22.102 - src_port: 2049 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 3 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 9298 - flow.bytes_toserver: 9160 - flow.pkts_toclient: 49 - flow.pkts_toserver: 50 - nfs.file_tx: false - nfs.filename: bln - nfs.id: 49 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 109 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961933 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 48 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 6 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 9298 - flow.bytes_toserver: 9160 - flow.pkts_toclient: 49 - flow.pkts_toserver: 50 - nfs.file_tx: false - nfs.filename: bln - nfs.id: 49 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 109 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961933 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 48 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 12 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 9298 - flow.bytes_toserver: 9160 - flow.pkts_toclient: 49 - flow.pkts_toserver: 50 - nfs.file_tx: false - 
nfs.filename: bln - nfs.id: 49 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 109 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961933 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 48 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 15 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 9298 - flow.bytes_toserver: 9160 - flow.pkts_toclient: 49 - flow.pkts_toserver: 50 - nfs.file_tx: false - nfs.filename: bln - nfs.id: 49 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 109 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961933 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 48 -- filter: - count: 1 - match: - dest_ip: 139.25.22.2 - dest_port: 1022 - event_type: nfs - nfs.file_tx: false - nfs.filename: bln - nfs.hhash: a5fcf973 - nfs.id: 49 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 110 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961933 - src_ip: 139.25.22.102 - src_port: 2049 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 3 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 9580 - flow.bytes_toserver: 9338 - flow.pkts_toclient: 50 - flow.pkts_toserver: 51 - nfs.file_tx: false - nfs.filename: bln - nfs.hhash: 38a4e9f6 - nfs.id: 50 - nfs.procedure: REMOVE - nfs.status: OK - nfs.type: response - 
nfs.version: 3 - pcap_cnt: 111 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961934 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 49 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 6 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 9580 - flow.bytes_toserver: 9338 - flow.pkts_toclient: 50 - flow.pkts_toserver: 51 - nfs.file_tx: false - nfs.filename: bln - nfs.hhash: 38a4e9f6 - nfs.id: 50 - nfs.procedure: REMOVE - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 111 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961934 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 49 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 11 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 9580 - flow.bytes_toserver: 9338 - flow.pkts_toclient: 50 - flow.pkts_toserver: 51 - nfs.file_tx: false - nfs.filename: bln - nfs.hhash: 38a4e9f6 - nfs.id: 50 - nfs.procedure: REMOVE - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 111 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961934 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 49 -- filter: - count: 1 - match: - dest_ip: 139.25.22.2 - dest_port: 1022 - event_type: nfs - nfs.file_tx: false - nfs.filename: bln - nfs.hhash: 38a4e9f6 - nfs.id: 50 - nfs.procedure: REMOVE - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 112 - proto: UDP - rpc.auth_type: 
UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961934 - src_ip: 139.25.22.102 - src_port: 2049 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 3 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 9766 - flow.bytes_toserver: 9516 - flow.pkts_toclient: 51 - flow.pkts_toserver: 52 - nfs.file_tx: false - nfs.filename: blns - nfs.id: 51 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 113 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961935 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 50 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 6 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 9766 - flow.bytes_toserver: 9516 - flow.pkts_toclient: 51 - flow.pkts_toserver: 52 - nfs.file_tx: false - nfs.filename: blns - nfs.id: 51 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 113 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961935 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 50 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 12 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 9766 - flow.bytes_toserver: 9516 - flow.pkts_toclient: 51 - flow.pkts_toserver: 52 - nfs.file_tx: false - nfs.filename: blns - 
nfs.id: 51 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 113 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961935 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 50 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 15 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 9766 - flow.bytes_toserver: 9516 - flow.pkts_toclient: 51 - flow.pkts_toserver: 52 - nfs.file_tx: false - nfs.filename: blns - nfs.id: 51 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 113 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961935 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 50 -- filter: - count: 1 - match: - dest_ip: 139.25.22.2 - dest_port: 1022 - event_type: nfs - nfs.file_tx: false - nfs.filename: blns - nfs.hhash: 94b45286 - nfs.id: 51 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 114 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961935 - src_ip: 139.25.22.102 - src_port: 2049 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 3 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 10048 - flow.bytes_toserver: 9694 - flow.pkts_toclient: 52 - flow.pkts_toserver: 53 - nfs.file_tx: false - nfs.filename: blns - nfs.id: 52 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 115 - proto: 
UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961936 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 51 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 6 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 10048 - flow.bytes_toserver: 9694 - flow.pkts_toclient: 52 - flow.pkts_toserver: 53 - nfs.file_tx: false - nfs.filename: blns - nfs.id: 52 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 115 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961936 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 51 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 12 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 10048 - flow.bytes_toserver: 9694 - flow.pkts_toclient: 52 - flow.pkts_toserver: 53 - nfs.file_tx: false - nfs.filename: blns - nfs.id: 52 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 115 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961936 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 51 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 15 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 10048 - flow.bytes_toserver: 9694 - flow.pkts_toclient: 52 - flow.pkts_toserver: 53 - nfs.file_tx: 
false - nfs.filename: blns - nfs.id: 52 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 115 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961936 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 51 -- filter: - count: 1 - match: - dest_ip: 139.25.22.2 - dest_port: 1022 - event_type: nfs - nfs.file_tx: false - nfs.filename: blns - nfs.hhash: 94b45286 - nfs.id: 52 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 116 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961936 - src_ip: 139.25.22.102 - src_port: 2049 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 3 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 10330 - flow.bytes_toserver: 9864 - flow.pkts_toclient: 53 - flow.pkts_toserver: 54 - nfs.file_tx: false - nfs.filename: '' - nfs.id: 53 - nfs.procedure: READLINK - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 117 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961937 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 52 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 6 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 10330 - flow.bytes_toserver: 9864 - flow.pkts_toclient: 53 - flow.pkts_toserver: 54 - nfs.file_tx: false - nfs.filename: '' - nfs.id: 53 - nfs.procedure: READLINK - nfs.status: OK - nfs.type: response - 
nfs.version: 3 - pcap_cnt: 117 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961937 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 52 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 11 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 10330 - flow.bytes_toserver: 9864 - flow.pkts_toclient: 53 - flow.pkts_toserver: 54 - nfs.file_tx: false - nfs.filename: '' - nfs.id: 53 - nfs.procedure: READLINK - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 117 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961937 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 52 -- filter: - count: 1 - match: - dest_ip: 139.25.22.2 - dest_port: 1022 - event_type: nfs - nfs.file_tx: false - nfs.filename: '' - nfs.id: 53 - nfs.procedure: READLINK - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 118 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961937 - src_ip: 139.25.22.102 - src_port: 2049 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 3 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 10496 - flow.bytes_toserver: 10042 - flow.pkts_toclient: 54 - flow.pkts_toserver: 55 - nfs.file_tx: false - nfs.filename: b - nfs.id: 54 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 119 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 
0 - rpc.status: ACCEPTED - rpc.xid: 1578961938 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 53 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 6 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 10496 - flow.bytes_toserver: 10042 - flow.pkts_toclient: 54 - flow.pkts_toserver: 55 - nfs.file_tx: false - nfs.filename: b - nfs.id: 54 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 119 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961938 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 53 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 12 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 10496 - flow.bytes_toserver: 10042 - flow.pkts_toclient: 54 - flow.pkts_toserver: 55 - nfs.file_tx: false - nfs.filename: b - nfs.id: 54 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 119 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961938 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 53 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 15 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 10496 - flow.bytes_toserver: 10042 - flow.pkts_toclient: 54 - flow.pkts_toserver: 55 - nfs.file_tx: false - nfs.filename: b - nfs.id: 54 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - 
nfs.version: 3 - pcap_cnt: 119 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961938 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 53 -- filter: - count: 1 - match: - dest_ip: 139.25.22.2 - dest_port: 1022 - event_type: nfs - nfs.file_tx: false - nfs.filename: b - nfs.hhash: a5fcf973 - nfs.id: 54 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 120 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961938 - src_ip: 139.25.22.102 - src_port: 2049 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 3 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 10778 - flow.bytes_toserver: 10220 - flow.pkts_toclient: 55 - flow.pkts_toserver: 56 - nfs.file_tx: false - nfs.filename: blns - nfs.hhash: 38a4e9f6 - nfs.id: 55 - nfs.procedure: REMOVE - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 121 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961939 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 54 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 6 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 10778 - flow.bytes_toserver: 10220 - flow.pkts_toclient: 55 - flow.pkts_toserver: 56 - nfs.file_tx: false - nfs.filename: blns - nfs.hhash: 38a4e9f6 - nfs.id: 55 - nfs.procedure: REMOVE - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 121 - proto: UDP - rpc.auth_type: UNIX - 
rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961939 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 54 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 11 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 10778 - flow.bytes_toserver: 10220 - flow.pkts_toclient: 55 - flow.pkts_toserver: 56 - nfs.file_tx: false - nfs.filename: blns - nfs.hhash: 38a4e9f6 - nfs.id: 55 - nfs.procedure: REMOVE - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 121 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961939 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 54 -- filter: - count: 1 - match: - dest_ip: 139.25.22.2 - dest_port: 1022 - event_type: nfs - nfs.file_tx: false - nfs.filename: blns - nfs.hhash: 38a4e9f6 - nfs.id: 55 - nfs.procedure: REMOVE - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 122 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961939 - src_ip: 139.25.22.102 - src_port: 2049 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 3 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 10964 - flow.bytes_toserver: 10398 - flow.pkts_toclient: 56 - flow.pkts_toserver: 57 - nfs.file_tx: false - nfs.filename: am - nfs.id: 56 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 123 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: 
ACCEPTED - rpc.xid: 1578961940 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 55 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 6 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 10964 - flow.bytes_toserver: 10398 - flow.pkts_toclient: 56 - flow.pkts_toserver: 57 - nfs.file_tx: false - nfs.filename: am - nfs.id: 56 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 123 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961940 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 55 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 12 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 10964 - flow.bytes_toserver: 10398 - flow.pkts_toclient: 56 - flow.pkts_toserver: 57 - nfs.file_tx: false - nfs.filename: am - nfs.id: 56 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 3 - pcap_cnt: 123 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961940 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 55 -- filter: - count: 1 - match: - alert.action: allowed - alert.category: '' - alert.gid: 1 - alert.rev: 0 - alert.severity: 3 - alert.signature: '' - alert.signature_id: 15 - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: alert - flow.bytes_toclient: 10964 - flow.bytes_toserver: 10398 - flow.pkts_toclient: 56 - flow.pkts_toserver: 57 - nfs.file_tx: false - nfs.filename: am - nfs.id: 56 - nfs.procedure: LOOKUP - nfs.status: OK - nfs.type: response - nfs.version: 
3 - pcap_cnt: 123 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961940 - src_ip: 139.25.22.2 - src_port: 1022 - tx_id: 55 -- filter: - count: 1 - match: - dest_ip: 139.25.22.2 - dest_port: 1022 - event_type: nfs - nfs.file_tx: false - nfs.filename: am - nfs.id: 56 - nfs.procedure: LOOKUP - nfs.status: ERR_NOENT - nfs.type: response - nfs.version: 3 - pcap_cnt: 124 - proto: UDP - rpc.auth_type: UNIX - rpc.creds.gid: 0 - rpc.creds.machine_name: werrmsche - rpc.creds.uid: 0 - rpc.status: ACCEPTED - rpc.xid: 1578961940 - src_ip: 139.25.22.102 - src_port: 2049 -- filter: - count: 1 - match: - app_proto: failed - dest_ip: 139.25.22.102 - dest_port: 1048 - event_type: flow - flow.age: 0 - flow.alerted: false - flow.bytes_toclient: 66 - flow.bytes_toserver: 158 - flow.pkts_toclient: 1 - flow.pkts_toserver: 1 - flow.reason: shutdown - flow.state: established - proto: UDP - src_ip: 139.25.22.2 - src_port: 722 -- filter: - count: 1 - match: - app_proto: failed - dest_ip: 139.25.22.102 - dest_port: 111 - event_type: flow - flow.age: 0 - flow.alerted: false - flow.bytes_toclient: 90 - flow.bytes_toserver: 106 - flow.pkts_toclient: 1 - flow.pkts_toserver: 1 - flow.reason: shutdown - flow.state: established - proto: UDP - src_ip: 139.25.22.2 - src_port: 3299 -- filter: - count: 1 - match: - app_proto: nfs - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: flow - flow.age: 0 - flow.alerted: true - flow.bytes_toclient: 11038 - flow.bytes_toserver: 10398 - flow.pkts_toclient: 57 - flow.pkts_toserver: 57 - flow.reason: shutdown - flow.state: established - proto: UDP - src_ip: 139.25.22.2 - src_port: 1022 -- filter: - count: 1 - match: - app_proto: failed - dest_ip: 139.25.22.102 - dest_port: 1048 - event_type: flow - flow.age: 0 - flow.alerted: false - flow.bytes_toclient: 66 - flow.bytes_toserver: 82 - flow.pkts_toclient: 1 - flow.pkts_toserver: 1 - flow.reason: shutdown - 
flow.state: established - proto: UDP - src_ip: 139.25.22.2 - src_port: 3296 -- filter: - count: 1 - match: - app_proto: failed - dest_ip: 139.25.22.102 - dest_port: 111 - event_type: flow - flow.age: 0 - flow.alerted: false - flow.bytes_toclient: 90 - flow.bytes_toserver: 106 - flow.pkts_toclient: 1 - flow.pkts_toserver: 1 - flow.reason: shutdown - flow.state: established - proto: UDP - src_ip: 139.25.22.2 - src_port: 3295 -- filter: - count: 1 - match: - app_proto: failed - dest_ip: 139.25.22.102 - dest_port: 111 - event_type: flow - flow.age: 0 - flow.alerted: false - flow.bytes_toclient: 90 - flow.bytes_toserver: 106 - flow.pkts_toclient: 1 - flow.pkts_toserver: 1 - flow.reason: shutdown - flow.state: established - proto: UDP - src_ip: 139.25.22.2 - src_port: 3297 -- filter: - count: 1 - match: - app_proto: failed - dest_ip: 139.25.22.102 - dest_port: 1048 - event_type: flow - flow.age: 0 - flow.alerted: false - flow.bytes_toclient: 114 - flow.bytes_toserver: 158 - flow.pkts_toclient: 1 - flow.pkts_toserver: 1 - flow.reason: shutdown - flow.state: established - proto: UDP - src_ip: 139.25.22.2 - src_port: 706 -- filter: - count: 1 - match: - app_proto: failed - dest_ip: 139.25.22.102 - dest_port: 2049 - event_type: flow - flow.age: 0 - flow.alerted: false - flow.bytes_toclient: 66 - flow.bytes_toserver: 82 - flow.pkts_toclient: 1 - flow.pkts_toserver: 1 - flow.reason: shutdown - flow.state: established - proto: UDP - src_ip: 139.25.22.2 - src_port: 3298 diff --git a/tests/test-bad-byte-extract-rule-3/eve.json b/tests/test-bad-byte-extract-rule-3/eve.json deleted file mode 100644 index aa71d9143..000000000 --- a/tests/test-bad-byte-extract-rule-3/eve.json +++ /dev/null 
@@ -1,40 +0,0 @@ -{"timestamp":"2020-06-07T21:15:31.170962+0000","log_level":"Notice","event_type":"engine","engine":{"message":"This is Suricata version 4.1.0-dev (rev 32990c9ad)"}} -{"timestamp":"2020-06-07T21:15:31.171398+0000","log_level":"Info","event_type":"engine","engine":{"message":"CPUs\/cores online: 2"}} -{"timestamp":"2020-06-07T21:15:31.179917+0000","log_level":"Warning","event_type":"engine","engine":{"error_code":307,"error":"SC_ERR_SMB_CONFIG","message":"no SMB TCP config found, enabling SMB detection on port 445."}} -{"timestamp":"2020-06-07T21:15:31.183113+0000","log_level":"Warning","event_type":"engine","engine":{"error_code":240,"error":"SC_ERR_DNS_CONFIG","message":"no DNS UDP config found, enabling DNS detection on port 53."}} -{"timestamp":"2020-06-07T21:15:31.183282+0000","log_level":"Warning","event_type":"engine","engine":{"error_code":240,"error":"SC_ERR_DNS_CONFIG","message":"no DNS TCP config found, enabling DNS detection on port 53."}} -{"timestamp":"2020-06-07T21:15:31.197576+0000","log_level":"Info","event_type":"engine","engine":{"message":"No 'host-mode': suricata is in IDS mode, using default setting 'sniffer-only'"}} -{"timestamp":"2020-06-07T21:15:31.219781+0000","log_level":"Warning","event_type":"engine","engine":{"error_code":261,"error":"SC_WARN_NO_STATS_LOGGERS","message":"stats are enabled but no loggers are active"}} -{"timestamp":"2020-06-07T21:15:31.220772+0000","log_level":"Info","event_type":"engine","engine":{"message":"Added \"42\" classification types from the classification file"}} -{"timestamp":"2020-06-07T21:15:31.220967+0000","log_level":"Info","event_type":"engine","engine":{"message":"Added \"19\" reference types from the reference.config file"}} -{"timestamp":"2020-06-07T21:15:31.221365+0000","log_level":"Error","event_type":"engine","engine":{"error_code":39,"error":"SC_ERR_INVALID_SIGNATURE","message":"unknown byte_extract var seen in depth - d\n"}} 
-{"timestamp":"2020-06-07T21:15:31.221461+0000","log_level":"Error","event_type":"engine","engine":{"error_code":39,"error":"SC_ERR_INVALID_SIGNATURE","message":"error parsing signature \"alert tcp any any -> any any (msg:\"Byte_Extract Example Using depth\"; content:\"Alice\"; depth:d; byte_extract:2,1,size; content:\"Bob\"; sid:1111;)\" from file \/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/test.rules at line 1"}} -{"timestamp":"2020-06-07T21:15:31.221578+0000","log_level":"Warning","event_type":"engine","engine":{"error_code":43,"error":"SC_ERR_NO_RULES_LOADED","message":"1 rule files specified, but no rule was loaded at all!"}} -{"timestamp":"2020-06-07T21:15:31.221749+0000","log_level":"Info","event_type":"engine","engine":{"message":"Threshold config parsed: 0 rule(s) found"}} -{"timestamp":"2020-06-07T21:15:31.222071+0000","log_level":"Info","event_type":"engine","engine":{"message":"0 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only"}} -{"timestamp":"2020-06-07T21:15:31.227159+0000","log_level":"Info","event_type":"engine","engine":{"message":"Checking file or directory \/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/"}} -{"timestamp":"2020-06-07T21:15:31.227479+0000","log_level":"Info","event_type":"engine","engine":{"message":"Argument \/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/ was a directory"}} -{"timestamp":"2020-06-07T21:15:31.253874+0000","log_level":"Notice","event_type":"engine","engine":{"message":"all 3 packet processing threads, 2 management threads initialized, engine started."}} -{"timestamp":"2020-06-07T21:15:31.254027+0000","log_level":"Info","event_type":"engine","engine":{"message":"Starting directory run for \/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/"}} 
-{"timestamp":"2020-06-07T21:15:31.254116+0000","log_level":"Info","event_type":"engine","engine":{"message":"Processing pcaps directory \/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/, files must be newer than 0 and older than 18446744073709550616"}} -{"timestamp":"2020-06-07T21:15:31.254266+0000","log_level":"Info","event_type":"engine","engine":{"message":"Found \"\/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/\/eve.json\" at 1591564531251"}} -{"timestamp":"2020-06-07T21:15:31.254327+0000","log_level":"Info","event_type":"engine","engine":{"message":"Found \"\/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/\/test.yaml\" at 1591564527947"}} -{"timestamp":"2020-06-07T21:15:31.254369+0000","log_level":"Info","event_type":"engine","engine":{"message":"Found \"\/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/\/.test.yaml.swp\" at 1591564527951"}} -{"timestamp":"2020-06-07T21:15:31.254426+0000","log_level":"Info","event_type":"engine","engine":{"message":"Found \"\/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/\/suricata.yaml\" at 1562592701002"}} -{"timestamp":"2020-06-07T21:15:31.254468+0000","log_level":"Info","event_type":"engine","engine":{"message":"Found \"\/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/\/test.rules\" at 1562592701002"}} -{"timestamp":"2020-06-07T21:15:31.254636+0000","log_level":"Error","event_type":"engine","engine":{"error_code":44,"error":"SC_ERR_FOPEN","message":"unknown file format"}} -{"timestamp":"2020-06-07T21:15:31.254687+0000","log_level":"Warning","event_type":"engine","engine":{"error_code":20,"error":"SC_ERR_PCAP_DISPATCH","message":"Failed to init pcap file \/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/\/suricata.yaml, skipping"}} 
-{"timestamp":"2020-06-07T21:15:31.254779+0000","log_level":"Error","event_type":"engine","engine":{"error_code":44,"error":"SC_ERR_FOPEN","message":"unknown file format"}} -{"timestamp":"2020-06-07T21:15:31.254807+0000","log_level":"Warning","event_type":"engine","engine":{"error_code":20,"error":"SC_ERR_PCAP_DISPATCH","message":"Failed to init pcap file \/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/\/test.rules, skipping"}} -{"timestamp":"2020-06-07T21:15:31.254869+0000","log_level":"Error","event_type":"engine","engine":{"error_code":44,"error":"SC_ERR_FOPEN","message":"unknown file format"}} -{"timestamp":"2020-06-07T21:15:31.254896+0000","log_level":"Warning","event_type":"engine","engine":{"error_code":20,"error":"SC_ERR_PCAP_DISPATCH","message":"Failed to init pcap file \/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/\/test.yaml, skipping"}} -{"timestamp":"2020-06-07T21:15:31.254956+0000","log_level":"Error","event_type":"engine","engine":{"error_code":44,"error":"SC_ERR_FOPEN","message":"unknown file format"}} -{"timestamp":"2020-06-07T21:15:31.254984+0000","log_level":"Warning","event_type":"engine","engine":{"error_code":20,"error":"SC_ERR_PCAP_DISPATCH","message":"Failed to init pcap file \/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/\/.test.yaml.swp, skipping"}} -{"timestamp":"2020-06-07T21:15:31.255056+0000","log_level":"Error","event_type":"engine","engine":{"error_code":44,"error":"SC_ERR_FOPEN","message":"unknown file format"}} -{"timestamp":"2020-06-07T21:15:31.255096+0000","log_level":"Warning","event_type":"engine","engine":{"error_code":20,"error":"SC_ERR_PCAP_DISPATCH","message":"Failed to init pcap file \/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/\/eve.json, skipping"}} -{"timestamp":"2020-06-07T21:15:31.255127+0000","log_level":"Info","event_type":"engine","engine":{"message":"Directory run mode 
complete"}}
-{"timestamp":"2020-06-07T21:15:31.264063+0000","log_level":"Notice","event_type":"engine","engine":{"message":"Signal Received. Stopping engine."}}
-{"timestamp":"2020-06-07T21:15:31.279036+0000","log_level":"Info","event_type":"engine","engine":{"message":"time elapsed 0.056s"}}
-{"timestamp":"2020-06-07T21:15:31.286147+0000","log_level":"Notice","event_type":"engine","engine":{"message":"Pcap-file module read 0 files, 0 packets, 0 bytes"}}
-{"timestamp":"2020-06-07T21:15:31.288407+0000","log_level":"Info","event_type":"engine","engine":{"message":"Alerts: 0"}}
-{"timestamp":"2020-06-07T21:15:31.302139+0000","log_level":"Info","event_type":"engine","engine":{"message":"cleaning up signature grouping structure... complete"}}
diff --git a/tests/test-bad-byte-extract-rule-3/suricata.yaml b/tests/test-bad-byte-extract-rule-3/suricata.yaml
deleted file mode 100644
index dcaae57fe..000000000
--- a/tests/test-bad-byte-extract-rule-3/suricata.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-%YAML 1.1
----
-
-logging:
- default-log-level: info
- outputs:
- - file:
- enabled: yes
- filename: eve.json
- type: json
diff --git a/tests/test-bad-byte-extract-rule-3/test.rules b/tests/test-bad-byte-extract-rule-3/test.rules
deleted file mode 100644
index ede658126..000000000
--- a/tests/test-bad-byte-extract-rule-3/test.rules
+++ /dev/null
@@ -1 +0,0 @@
-alert tcp any any -> any any (msg:"Byte_Extract Example Using depth"; content:"Alice"; depth:d; byte_extract:2,1,size; content:"Bob"; sid:1111;)
diff --git a/tests/test-bad-byte-extract-rule-3/test.yaml b/tests/test-bad-byte-extract-rule-3/test.yaml
deleted file mode 100644
index b432da4c4..000000000
--- a/tests/test-bad-byte-extract-rule-3/test.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-requires:
- version: 5
- lt-version: 6
-
- features:
- - HAVE_LIBJANSSON
-
-command: |
- ${SRCDIR}/src/suricata --set classification-file="${SRCDIR}/classification.config" --set reference-config-file="${SRCDIR}/reference.config" -l ${OUTPUT_DIR} -c ${TEST_DIR}/suricata.yaml -r ${TEST_DIR}/ -S ${TEST_DIR}/test.rules
-
-checks:
- # check that we have the following entries in eve.json
- # match 1 specific rule load failure reason
- - filter:
- count: 1
- match:
- event_type: engine
- engine.message: "unknown byte_extract var seen in depth - d."
-
- - filter:
- count: 1
- match:
- event_type: engine
- engine.error: "SC_ERR_NO_RULES_LOADED"