tests: remove tests for versions less than 6
authorJason Ish <jason.ish@oisf.net>
Fri, 21 Jun 2024 14:05:42 +0000 (08:05 -0600)
committerVictor Julien <victor@inliniac.net>
Thu, 4 Jul 2024 14:23:01 +0000 (16:23 +0200)
19 files changed:
tests/bug-2482-01/test.yaml
tests/bug-4953/test.yaml
tests/decode-erspan-typeI-03/README.md [deleted file]
tests/decode-erspan-typeI-03/test.yaml [deleted file]
tests/dhcp-eve-extended-pre-6/suricata.yaml [deleted file]
tests/dhcp-eve-extended-pre-6/test.yaml [deleted file]
tests/dns-json-log/expected/dns.json [deleted file]
tests/dns-json-log/suricata.yaml [deleted file]
tests/dns-json-log/test.yaml [deleted file]
tests/filestore-v1-stream-depth/suricata.yaml [deleted file]
tests/filestore-v1-stream-depth/test.rules [deleted file]
tests/filestore-v1-stream-depth/test.yaml [deleted file]
tests/ikev2-weak-dh/test.yaml
tests/nfs3-01-pre-6/test.rules [deleted file]
tests/nfs3-01-pre-6/test.yaml [deleted file]
tests/test-bad-byte-extract-rule-3/eve.json [deleted file]
tests/test-bad-byte-extract-rule-3/suricata.yaml [deleted file]
tests/test-bad-byte-extract-rule-3/test.rules [deleted file]
tests/test-bad-byte-extract-rule-3/test.yaml [deleted file]

index 1b85839ed8b1a2002f9806e181355baa1ccabd02..043409fdade92858e14f2f74adbd4217385dee04 100644 (file)
@@ -1,8 +1,3 @@
-requires:
-  features:
-    - HAVE_LIBJANSSON
-  min-version: 4.1.0
-
 args:
 - -k none
 - --set vars.address-groups.EXTERNAL_NET=any
@@ -14,16 +9,6 @@ checks:
         event_type: alert
         alert.signature_id: 2013933
         http.http_method: "CONNECT"
-  - filter:
-      version: 4.1
-      count: 172
-      match:
-        event_type: tls
-  - filter:
-      version: 5
-      count: 170
-      match:
-        event_type: tls
   - filter:
       version: 6
       count: 172
index 9e4577edc94c025e48d9ba391034c8d0f6d266c9..761f6cea83b4e5743f3e31dede57fa5a3dc5c85b 100644 (file)
@@ -16,16 +16,6 @@ checks:
         fileinfo.gaps: true
         fileinfo.state: TRUNCATED
         fileinfo.size: 137708
-  - filter:
-      requires:
-        lt-version: 6
-      count: 1
-      match:
-        event_type: fileinfo
-        fileinfo.filename: "/IEyF/EN3GUkgHakZ3iVe/YBqssWlF8iWaHTr/"
-        fileinfo.gaps: false
-        fileinfo.state: TRUNCATED
-        fileinfo.size: 1176
   - filter:
       count: 1
       match:
diff --git a/tests/decode-erspan-typeI-03/README.md b/tests/decode-erspan-typeI-03/README.md
deleted file mode 100644 (file)
index 18aaf21..0000000
+++ /dev/null
@@ -1 +0,0 @@
-Ensure ERSPAN Type I packets are decoded when configured
diff --git a/tests/decode-erspan-typeI-03/test.yaml b/tests/decode-erspan-typeI-03/test.yaml
deleted file mode 100644 (file)
index 17aee50..0000000
+++ /dev/null
@@ -1,20 +0,0 @@
-pcap: ../decode-erspan-typeI-02/input.pcap
-
-requires:
-
-  min-version: 5
-  lt-version: 6
-
-
-args:
-    - --set decoder.erspan.typeI.enabled=false
-
-checks:
-
-    - filter:
-        count: 0
-        match:
-            event_type: flow
-
-    - stats:
-        decoder.erspan: 0
diff --git a/tests/dhcp-eve-extended-pre-6/suricata.yaml b/tests/dhcp-eve-extended-pre-6/suricata.yaml
deleted file mode 100644 (file)
index 7f2fafa..0000000
+++ /dev/null
@@ -1,11 +0,0 @@
-%YAML 1.1
----
-
-outputs:
-  - eve-log:
-      enabled: true
-      filename: eve.json
-      types:
-        - dhcp:
-            extended: true
-        - flow
diff --git a/tests/dhcp-eve-extended-pre-6/test.yaml b/tests/dhcp-eve-extended-pre-6/test.yaml
deleted file mode 100644 (file)
index 0220ccb..0000000
+++ /dev/null
@@ -1,74 +0,0 @@
-pcap: ../dhcp-eve-extended/input.pcap
-
-requires:
-  lt-version: 6.0.0
-  features:
-    - HAVE_LIBJANSSON
-    - RUST
-
-checks:
-- filter:
-    count: 1
-    match:
-      dest_ip: 10.16.1.1
-      dest_port: 67
-      dhcp.assigned_ip: 0.0.0.0
-      dhcp.client_id: 00:11:32:17:49:f0
-      dhcp.client_ip: 10.16.1.4
-      dhcp.client_mac: 00:11:32:17:49:f0
-      dhcp.dhcp_type: request
-      dhcp.hostname: nas1\x00
-      dhcp.id: 4016330564
-      dhcp.params[0]: subnet_mask
-      dhcp.params[1]: router
-      dhcp.params[2]: domain
-      dhcp.params[3]: dns_server
-      dhcp.type: request
-      event_type: dhcp
-      pcap_cnt: 1
-      proto: UDP
-      src_ip: 10.16.1.4
-      src_port: 68
-- filter:
-    count: 1
-    match:
-      dest_ip: 10.16.1.4
-      dest_port: 68
-      dhcp.assigned_ip: 10.16.1.4
-      dhcp.client_ip: 10.16.1.4
-      dhcp.client_mac: 00:11:32:17:49:f0
-      dhcp.dhcp_type: ack
-      dhcp.dns_servers[0]: 10.16.1.1
-      dhcp.hostname: nas1\x00
-      dhcp.id: 4016330564
-      dhcp.lease_time: 3600
-      dhcp.next_server_ip: 10.16.1.1
-      dhcp.rebinding_time: 3031
-      dhcp.relay_ip: 0.0.0.0
-      dhcp.renewal_time: 1681
-      dhcp.routers[0]: 10.16.1.1
-      dhcp.subnet_mask: 255.255.0.0
-      dhcp.type: reply
-      event_type: dhcp
-      pcap_cnt: 2
-      proto: UDP
-      src_ip: 10.16.1.1
-      src_port: 67
-- filter:
-    count: 1
-    match:
-      app_proto: dhcp
-      dest_ip: 10.16.1.1
-      dest_port: 67
-      event_type: flow
-      flow.age: 0
-      flow.alerted: false
-      flow.bytes_toclient: 350
-      flow.bytes_toserver: 342
-      flow.pkts_toclient: 1
-      flow.pkts_toserver: 1
-      flow.reason: shutdown
-      flow.state: established
-      proto: UDP
-      src_ip: 10.16.1.4
-      src_port: 68
diff --git a/tests/dns-json-log/expected/dns.json b/tests/dns-json-log/expected/dns.json
deleted file mode 100644 (file)
index afec32e..0000000
+++ /dev/null
@@ -1,9 +0,0 @@
-{"timestamp":"2016-05-24T23:27:01.960780+0000","flow_id":15684738590988,"pcap_cnt":1,"event_type":"dns","src_ip":"10.16.1.11","src_port":53679,"dest_ip":"10.16.1.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":39339,"rrname":"client-cf.dropbox.com","rrtype":"A","tx_id":0}}
-{"timestamp":"2016-05-24T23:27:02.333141+0000","flow_id":15684738590988,"pcap_cnt":2,"event_type":"dns","src_ip":"10.16.1.1","src_port":53,"dest_ip":"10.16.1.11","dest_port":53679,"proto":"UDP","dns":{"type":"answer","id":39339,"rcode":"NOERROR","rrname":"client-cf.dropbox.com","rrtype":"A","ttl":47,"rdata":"52.85.112.21"}}
-{"timestamp":"2016-05-24T23:27:02.832606+0000","flow_id":542660046009438,"pcap_cnt":3,"event_type":"dns","src_ip":"10.16.1.11","src_port":49697,"dest_ip":"10.16.1.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":3407,"rrname":"block.dropbox.com","rrtype":"A","tx_id":0}}
-{"timestamp":"2016-05-24T23:27:03.085375+0000","flow_id":1585332076629375,"pcap_cnt":4,"event_type":"dns","src_ip":"10.16.1.11","src_port":33458,"dest_ip":"10.16.1.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":44779,"rrname":"codemonkey.net","rrtype":"A","tx_id":0}}
-{"timestamp":"2016-05-24T23:27:03.213624+0000","flow_id":542660046009438,"pcap_cnt":5,"event_type":"dns","src_ip":"10.16.1.1","src_port":53,"dest_ip":"10.16.1.11","dest_port":49697,"proto":"UDP","dns":{"type":"answer","id":3407,"rcode":"NOERROR","rrname":"block.dropbox.com","rrtype":"CNAME","ttl":9,"rdata":"block.g1.dropbox.com"}}
-{"timestamp":"2016-05-24T23:27:03.213624+0000","flow_id":542660046009438,"pcap_cnt":5,"event_type":"dns","src_ip":"10.16.1.1","src_port":53,"dest_ip":"10.16.1.11","dest_port":49697,"proto":"UDP","dns":{"type":"answer","id":3407,"rcode":"NOERROR","rrname":"block.g1.dropbox.com","rrtype":"A","ttl":8,"rdata":"45.58.70.33"}}
-{"timestamp":"2016-05-24T23:27:03.493333+0000","flow_id":1585332076629375,"pcap_cnt":6,"event_type":"dns","src_ip":"10.16.1.1","src_port":53,"dest_ip":"10.16.1.11","dest_port":33458,"proto":"UDP","dns":{"type":"answer","id":44779,"rcode":"NOERROR","rrname":"codemonkey.net","rrtype":"A","ttl":435,"rdata":"104.131.202.103"}}
-{"timestamp":"2016-05-24T23:27:04.653864+0000","flow_id":848126710184488,"pcap_cnt":7,"event_type":"dns","src_ip":"10.16.1.11","src_port":57634,"dest_ip":"10.16.1.1","dest_port":53,"proto":"UDP","dns":{"type":"query","id":14681,"rrname":"client-cf.dropbox.com","rrtype":"A","tx_id":0}}
-{"timestamp":"2016-05-24T23:27:04.654238+0000","flow_id":848126710184488,"pcap_cnt":8,"event_type":"dns","src_ip":"10.16.1.1","src_port":53,"dest_ip":"10.16.1.11","dest_port":57634,"proto":"UDP","dns":{"type":"answer","id":14681,"rcode":"NOERROR","rrname":"client-cf.dropbox.com","rrtype":"A","ttl":45,"rdata":"52.85.112.21"}}
diff --git a/tests/dns-json-log/suricata.yaml b/tests/dns-json-log/suricata.yaml
deleted file mode 100644 (file)
index 4daa2b7..0000000
+++ /dev/null
@@ -1,8 +0,0 @@
-%YAML 1.1
----
-
-outputs:
-  - dns-json-log:
-      version: 1
-      enabled: yes
-      filename: dns.json
diff --git a/tests/dns-json-log/test.yaml b/tests/dns-json-log/test.yaml
deleted file mode 100644 (file)
index bfafe74..0000000
+++ /dev/null
@@ -1,25 +0,0 @@
-pcap: ../dns-eve/input.pcap
-
-requires:
-  lt-version: 6
-  features:
-    - HAVE_LIBJANSSON
-
-checks:
-  - filter:
-      count: 9
-      filename: dns.json
-      match:
-        event_type: dns
-  - filter:
-      count: 4
-      filename: dns.json
-      match:
-        event_type: dns
-        dns.type: query
-  - filter:
-      count: 5
-      filename: dns.json
-      match:
-        event_type: dns
-        dns.type: answer
diff --git a/tests/filestore-v1-stream-depth/suricata.yaml b/tests/filestore-v1-stream-depth/suricata.yaml
deleted file mode 100644 (file)
index 7e3cc15..0000000
+++ /dev/null
@@ -1,23 +0,0 @@
-%YAML 1.1
----
-
-outputs:
-  - eve-log:
-      enabled: yes
-      types:
-        - files
-        - stats
-  - file-store:
-      version: 1
-      enabled: yes
-      force-filestore: yes
-      stream-depth: 0
-
-app-layer:
-  protocols:
-    http:
-      enabled: yes
-      libhtp:
-        default-config:
-          personality: IDS
-          response-body-limit: 100kb
diff --git a/tests/filestore-v1-stream-depth/test.rules b/tests/filestore-v1-stream-depth/test.rules
deleted file mode 100644 (file)
index 582397f..0000000
+++ /dev/null
@@ -1 +0,0 @@
-alert http any any -> any any (filestore; sid:1; rev:1;)
diff --git a/tests/filestore-v1-stream-depth/test.yaml b/tests/filestore-v1-stream-depth/test.yaml
deleted file mode 100644 (file)
index 3fe361b..0000000
+++ /dev/null
@@ -1,19 +0,0 @@
-requires:
-  features:
-    - HAVE_LIBJANSSON
-  min-version: 5.0.0
-  lt-version: 6
-
-args:
-  - -k none
-
-pcap: ../filestore-v2.1-forced/suricata-update-pdf.pcap
-
-checks:
-
-  - filter:
-      count: 1
-      match:
-        event_type: fileinfo
-        fileinfo.state: "CLOSED"
-        fileinfo.stored: true
index a80403815fee7002412a6b1beec2708ff8fa908a..35e9cce469a2f3cca2ef43b7896cb496614a6cdb 100644 (file)
@@ -16,40 +16,6 @@ checks:
         alert.signature_id: 1
         alert.signature: "SURICATA IKEv2 weak cryptographic parameters (Diffie-Hellman)"
 
-  - filter:
-      count: 1
-      version: 4
-      match:
-        event_type: ikev2
-        ikev2.version_major: 2
-        ikev2.exchange_type: 34
-        ikev2.message_id: 0
-        ikev2.init_spi: "61d3693ce12af528"
-        ikev2.resp_spi: "0000000000000000"
-        ikev2.role: initiator
-        ikev2.errors: 0
-        ikev2.payload[0]: Nonce
-        ikev2.payload[1]: KeyExchange
-        ikev2.payload[2]: SecurityAssociation
-        ikev2.payload[3]: NoNextPayload
-
-  - filter:
-      count: 1
-      version: 5
-      match:
-        event_type: ikev2
-        ikev2.version_major: 2
-        ikev2.exchange_type: 34
-        ikev2.message_id: 0
-        ikev2.init_spi: "61d3693ce12af528"
-        ikev2.resp_spi: "0000000000000000"
-        ikev2.role: initiator
-        ikev2.errors: 0
-        ikev2.payload[0]: Nonce
-        ikev2.payload[1]: KeyExchange
-        ikev2.payload[2]: SecurityAssociation
-        ikev2.payload[3]: NoNextPayload
-
   # from suricata version >=7 the event_type for ikev2 is ike
   - filter:
       count: 1
diff --git a/tests/nfs3-01-pre-6/test.rules b/tests/nfs3-01-pre-6/test.rules
deleted file mode 100644 (file)
index f62d2e1..0000000
+++ /dev/null
@@ -1,9 +0,0 @@
-alert nfs any any -> any any (nfs_version:<3; sid:1;)
-alert nfs any any -> any any (nfs_version:>3; sid:2;)
-alert nfs any any -> any any (nfs_version:3; sid:3;)
-alert nfs any any -> any any (nfs_version:2<>4; sid:6;)
-
-alert nfs any any -> any any (nfs_procedure:<3; sid:10;)
-alert nfs any any -> any any (nfs_procedure:>3; sid:11;)
-alert nfs any any -> any any (nfs_procedure:3; sid:12;)
-alert nfs any any -> any any (nfs_procedure:2<>4; sid:15;)
diff --git a/tests/nfs3-01-pre-6/test.yaml b/tests/nfs3-01-pre-6/test.yaml
deleted file mode 100644 (file)
index 8339092..0000000
+++ /dev/null
@@ -1,8507 +0,0 @@
-pcap: ../detect-itype-prefilter/icmpv4-ping.pcap
-
-requires:
-  version: 5
-
-args:
-- -k none
-
-checks:
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 3
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 0
-      flow.bytes_toserver: 170
-      flow.pkts_toclient: 0
-      flow.pkts_toserver: 1
-      nfs.file_tx: false
-      nfs.filename: ''
-      nfs.hhash: 38a4e9f6
-      nfs.id: 1
-      nfs.procedure: GETATTR
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 11
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961884
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 0
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 6
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 0
-      flow.bytes_toserver: 170
-      flow.pkts_toclient: 0
-      flow.pkts_toserver: 1
-      nfs.file_tx: false
-      nfs.filename: ''
-      nfs.hhash: 38a4e9f6
-      nfs.id: 1
-      nfs.procedure: GETATTR
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 11
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961884
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 0
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 10
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 0
-      flow.bytes_toserver: 170
-      flow.pkts_toclient: 0
-      flow.pkts_toserver: 1
-      nfs.file_tx: false
-      nfs.filename: ''
-      nfs.hhash: 38a4e9f6
-      nfs.id: 1
-      nfs.procedure: GETATTR
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 11
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961884
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 0
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 3
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 154
-      flow.bytes_toserver: 340
-      flow.pkts_toclient: 1
-      flow.pkts_toserver: 2
-      nfs.file_tx: false
-      nfs.filename: ''
-      nfs.id: 2
-      nfs.procedure: FSINFO
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 13
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961885
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 1
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 6
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 154
-      flow.bytes_toserver: 340
-      flow.pkts_toclient: 1
-      flow.pkts_toserver: 2
-      nfs.file_tx: false
-      nfs.filename: ''
-      nfs.id: 2
-      nfs.procedure: FSINFO
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 13
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961885
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 1
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 11
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 154
-      flow.bytes_toserver: 340
-      flow.pkts_toclient: 1
-      flow.pkts_toserver: 2
-      nfs.file_tx: false
-      nfs.filename: ''
-      nfs.id: 2
-      nfs.procedure: FSINFO
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 13
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961885
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 1
-- filter:
-    count: 1
-    match:
-      dest_ip: 139.25.22.2
-      dest_port: 1022
-      event_type: nfs
-      nfs.file_tx: false
-      nfs.filename: ''
-      nfs.id: 2
-      nfs.procedure: FSINFO
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 14
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961885
-      src_ip: 139.25.22.102
-      src_port: 2049
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 3
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 360
-      flow.bytes_toserver: 510
-      flow.pkts_toclient: 2
-      flow.pkts_toserver: 3
-      nfs.file_tx: false
-      nfs.filename: ''
-      nfs.id: 3
-      nfs.procedure: FSSTAT
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 15
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961886
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 2
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 6
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 360
-      flow.bytes_toserver: 510
-      flow.pkts_toclient: 2
-      flow.pkts_toserver: 3
-      nfs.file_tx: false
-      nfs.filename: ''
-      nfs.id: 3
-      nfs.procedure: FSSTAT
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 15
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961886
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 2
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 11
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 360
-      flow.bytes_toserver: 510
-      flow.pkts_toclient: 2
-      flow.pkts_toserver: 3
-      nfs.file_tx: false
-      nfs.filename: ''
-      nfs.id: 3
-      nfs.procedure: FSSTAT
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 15
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961886
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 2
-- filter:
-    count: 1
-    match:
-      dest_ip: 139.25.22.2
-      dest_port: 1022
-      event_type: nfs
-      nfs.file_tx: false
-      nfs.filename: ''
-      nfs.id: 3
-      nfs.procedure: FSSTAT
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 16
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961886
-      src_ip: 139.25.22.102
-      src_port: 2049
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 3
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 570
-      flow.bytes_toserver: 680
-      flow.pkts_toclient: 3
-      flow.pkts_toserver: 4
-      nfs.file_tx: false
-      nfs.filename: ''
-      nfs.id: 4
-      nfs.procedure: PATHCONF
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 17
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961887
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 3
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 6
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 570
-      flow.bytes_toserver: 680
-      flow.pkts_toclient: 3
-      flow.pkts_toserver: 4
-      nfs.file_tx: false
-      nfs.filename: ''
-      nfs.id: 4
-      nfs.procedure: PATHCONF
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 17
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961887
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 3
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 11
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 570
-      flow.bytes_toserver: 680
-      flow.pkts_toclient: 3
-      flow.pkts_toserver: 4
-      nfs.file_tx: false
-      nfs.filename: ''
-      nfs.id: 4
-      nfs.procedure: PATHCONF
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 17
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961887
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 3
-- filter:
-    count: 1
-    match:
-      dest_ip: 139.25.22.2
-      dest_port: 1022
-      event_type: nfs
-      nfs.file_tx: false
-      nfs.filename: ''
-      nfs.id: 4
-      nfs.procedure: PATHCONF
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 18
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961887
-      src_ip: 139.25.22.102
-      src_port: 2049
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 3
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 752
-      flow.bytes_toserver: 858
-      flow.pkts_toclient: 4
-      flow.pkts_toserver: 5
-      nfs.file_tx: false
-      nfs.filename: a
-      nfs.id: 5
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 19
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961888
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 4
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 6
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 752
-      flow.bytes_toserver: 858
-      flow.pkts_toclient: 4
-      flow.pkts_toserver: 5
-      nfs.file_tx: false
-      nfs.filename: a
-      nfs.id: 5
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 19
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961888
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 4
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 12
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 752
-      flow.bytes_toserver: 858
-      flow.pkts_toclient: 4
-      flow.pkts_toserver: 5
-      nfs.file_tx: false
-      nfs.filename: a
-      nfs.id: 5
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 19
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961888
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 4
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 15
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 752
-      flow.bytes_toserver: 858
-      flow.pkts_toclient: 4
-      flow.pkts_toserver: 5
-      nfs.file_tx: false
-      nfs.filename: a
-      nfs.id: 5
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 19
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961888
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 4
-- filter:
-    count: 1
-    match:
-      dest_ip: 139.25.22.2
-      dest_port: 1022
-      event_type: nfs
-      nfs.file_tx: false
-      nfs.filename: a
-      nfs.id: 5
-      nfs.procedure: LOOKUP
-      nfs.status: ERR_NOENT
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 20
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961888
-      src_ip: 139.25.22.102
-      src_port: 2049
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 3
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 826
-      flow.bytes_toserver: 1036
-      flow.pkts_toclient: 5
-      flow.pkts_toserver: 6
-      nfs.file_tx: false
-      nfs.filename: a
-      nfs.id: 6
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 21
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961889
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 5
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 6
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 826
-      flow.bytes_toserver: 1036
-      flow.pkts_toclient: 5
-      flow.pkts_toserver: 6
-      nfs.file_tx: false
-      nfs.filename: a
-      nfs.id: 6
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 21
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961889
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 5
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 12
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 826
-      flow.bytes_toserver: 1036
-      flow.pkts_toclient: 5
-      flow.pkts_toserver: 6
-      nfs.file_tx: false
-      nfs.filename: a
-      nfs.id: 6
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 21
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961889
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 5
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 15
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 826
-      flow.bytes_toserver: 1036
-      flow.pkts_toclient: 5
-      flow.pkts_toserver: 6
-      nfs.file_tx: false
-      nfs.filename: a
-      nfs.id: 6
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 21
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961889
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 5
-- filter:
-    count: 1
-    match:
-      dest_ip: 139.25.22.2
-      dest_port: 1022
-      event_type: nfs
-      nfs.file_tx: false
-      nfs.filename: a
-      nfs.id: 6
-      nfs.procedure: LOOKUP
-      nfs.status: ERR_NOENT
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 22
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961889
-      src_ip: 139.25.22.102
-      src_port: 2049
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 3
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 900
-      flow.bytes_toserver: 1262
-      flow.pkts_toclient: 6
-      flow.pkts_toserver: 7
-      nfs.file_tx: false
-      nfs.filename: a
-      nfs.hhash: 38a4e9f6
-      nfs.id: 7
-      nfs.procedure: CREATE
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 23
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961890
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 6
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 6
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 900
-      flow.bytes_toserver: 1262
-      flow.pkts_toclient: 6
-      flow.pkts_toserver: 7
-      nfs.file_tx: false
-      nfs.filename: a
-      nfs.hhash: 38a4e9f6
-      nfs.id: 7
-      nfs.procedure: CREATE
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 23
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961890
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 6
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 11
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 900
-      flow.bytes_toserver: 1262
-      flow.pkts_toclient: 6
-      flow.pkts_toserver: 7
-      nfs.file_tx: false
-      nfs.filename: a
-      nfs.hhash: 38a4e9f6
-      nfs.id: 7
-      nfs.procedure: CREATE
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 23
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961890
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 6
-- filter:
-    count: 1
-    match:
-      dest_ip: 139.25.22.2
-      dest_port: 1022
-      event_type: nfs
-      nfs.file_tx: false
-      nfs.filename: a
-      nfs.hhash: 38a4e9f6
-      nfs.id: 7
-      nfs.procedure: CREATE
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 24
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961890
-      src_ip: 139.25.22.102
-      src_port: 2049
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 3
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 1214
-      flow.bytes_toserver: 1432
-      flow.pkts_toclient: 7
-      flow.pkts_toserver: 8
-      nfs.file_tx: false
-      nfs.filename: a
-      nfs.hhash: 131299c5
-      nfs.id: 8
-      nfs.procedure: GETATTR
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 25
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961891
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 7
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 6
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 1214
-      flow.bytes_toserver: 1432
-      flow.pkts_toclient: 7
-      flow.pkts_toserver: 8
-      nfs.file_tx: false
-      nfs.filename: a
-      nfs.hhash: 131299c5
-      nfs.id: 8
-      nfs.procedure: GETATTR
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 25
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961891
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 7
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 10
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 1214
-      flow.bytes_toserver: 1432
-      flow.pkts_toclient: 7
-      flow.pkts_toserver: 8
-      nfs.file_tx: false
-      nfs.filename: a
-      nfs.hhash: 131299c5
-      nfs.id: 8
-      nfs.procedure: GETATTR
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 25
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961891
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 7
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 3
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 1368
-      flow.bytes_toserver: 1638
-      flow.pkts_toclient: 8
-      flow.pkts_toserver: 9
-      nfs.file_tx: false
-      nfs.filename: ''
-      nfs.id: 9
-      nfs.procedure: SETATTR
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 27
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961892
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 8
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 6
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 1368
-      flow.bytes_toserver: 1638
-      flow.pkts_toclient: 8
-      flow.pkts_toserver: 9
-      nfs.file_tx: false
-      nfs.filename: ''
-      nfs.id: 9
-      nfs.procedure: SETATTR
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 27
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961892
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 8
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 10
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 1368
-      flow.bytes_toserver: 1638
-      flow.pkts_toclient: 8
-      flow.pkts_toserver: 9
-      nfs.file_tx: false
-      nfs.filename: ''
-      nfs.id: 9
-      nfs.procedure: SETATTR
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 27
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961892
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 8
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 15
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 1368
-      flow.bytes_toserver: 1638
-      flow.pkts_toclient: 8
-      flow.pkts_toserver: 9
-      nfs.file_tx: false
-      nfs.filename: ''
-      nfs.id: 9
-      nfs.procedure: SETATTR
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 27
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961892
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 8
-- filter:
-    count: 1
-    match:
-      dest_ip: 139.25.22.2
-      dest_port: 1022
-      event_type: nfs
-      nfs.file_tx: false
-      nfs.filename: ''
-      nfs.id: 9
-      nfs.procedure: SETATTR
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 28
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961892
-      src_ip: 139.25.22.102
-      src_port: 2049
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 3
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 1554
-      flow.bytes_toserver: 1816
-      flow.pkts_toclient: 9
-      flow.pkts_toserver: 10
-      nfs.file_tx: false
-      nfs.filename: am
-      nfs.id: 10
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 29
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961893
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 9
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 6
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 1554
-      flow.bytes_toserver: 1816
-      flow.pkts_toclient: 9
-      flow.pkts_toserver: 10
-      nfs.file_tx: false
-      nfs.filename: am
-      nfs.id: 10
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 29
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961893
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 9
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 12
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 1554
-      flow.bytes_toserver: 1816
-      flow.pkts_toclient: 9
-      flow.pkts_toserver: 10
-      nfs.file_tx: false
-      nfs.filename: am
-      nfs.id: 10
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 29
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961893
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 9
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 15
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 1554
-      flow.bytes_toserver: 1816
-      flow.pkts_toclient: 9
-      flow.pkts_toserver: 10
-      nfs.file_tx: false
-      nfs.filename: am
-      nfs.id: 10
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 29
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961893
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 9
-- filter:
-    count: 1
-    match:
-      dest_ip: 139.25.22.2
-      dest_port: 1022
-      event_type: nfs
-      nfs.file_tx: false
-      nfs.filename: am
-      nfs.id: 10
-      nfs.procedure: LOOKUP
-      nfs.status: ERR_NOENT
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 30
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961893
-      src_ip: 139.25.22.102
-      src_port: 2049
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 3
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 1628
-      flow.bytes_toserver: 1994
-      flow.pkts_toclient: 10
-      flow.pkts_toserver: 11
-      nfs.file_tx: false
-      nfs.filename: am
-      nfs.id: 11
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 31
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961894
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 10
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 6
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 1628
-      flow.bytes_toserver: 1994
-      flow.pkts_toclient: 10
-      flow.pkts_toserver: 11
-      nfs.file_tx: false
-      nfs.filename: am
-      nfs.id: 11
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 31
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961894
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 10
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 12
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 1628
-      flow.bytes_toserver: 1994
-      flow.pkts_toclient: 10
-      flow.pkts_toserver: 11
-      nfs.file_tx: false
-      nfs.filename: am
-      nfs.id: 11
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 31
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961894
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 10
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 15
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 1628
-      flow.bytes_toserver: 1994
-      flow.pkts_toclient: 10
-      flow.pkts_toserver: 11
-      nfs.file_tx: false
-      nfs.filename: am
-      nfs.id: 11
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 31
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961894
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 10
-- filter:
-    count: 1
-    match:
-      dest_ip: 139.25.22.2
-      dest_port: 1022
-      event_type: nfs
-      nfs.file_tx: false
-      nfs.filename: am
-      nfs.id: 11
-      nfs.procedure: LOOKUP
-      nfs.status: ERR_NOENT
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 32
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961894
-      src_ip: 139.25.22.102
-      src_port: 2049
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 3
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 1702
-      flow.bytes_toserver: 2172
-      flow.pkts_toclient: 11
-      flow.pkts_toserver: 12
-      nfs.file_tx: false
-      nfs.filename: a
-      nfs.id: 12
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 33
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961895
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 11
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 6
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 1702
-      flow.bytes_toserver: 2172
-      flow.pkts_toclient: 11
-      flow.pkts_toserver: 12
-      nfs.file_tx: false
-      nfs.filename: a
-      nfs.id: 12
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 33
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961895
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 11
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 12
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 1702
-      flow.bytes_toserver: 2172
-      flow.pkts_toclient: 11
-      flow.pkts_toserver: 12
-      nfs.file_tx: false
-      nfs.filename: a
-      nfs.id: 12
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 33
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961895
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 11
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 15
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 1702
-      flow.bytes_toserver: 2172
-      flow.pkts_toclient: 11
-      flow.pkts_toserver: 12
-      nfs.file_tx: false
-      nfs.filename: a
-      nfs.id: 12
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 33
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961895
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 11
-- filter:
-    count: 1
-    match:
-      dest_ip: 139.25.22.2
-      dest_port: 1022
-      event_type: nfs
-      nfs.file_tx: false
-      nfs.filename: a
-      nfs.hhash: 131299c5
-      nfs.id: 12
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 34
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961895
-      src_ip: 139.25.22.102
-      src_port: 2049
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 3
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 1984
-      flow.bytes_toserver: 2350
-      flow.pkts_toclient: 12
-      flow.pkts_toserver: 13
-      nfs.file_tx: false
-      nfs.filename: am
-      nfs.id: 13
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 35
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961896
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 12
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 6
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 1984
-      flow.bytes_toserver: 2350
-      flow.pkts_toclient: 12
-      flow.pkts_toserver: 13
-      nfs.file_tx: false
-      nfs.filename: am
-      nfs.id: 13
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 35
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961896
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 12
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 12
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 1984
-      flow.bytes_toserver: 2350
-      flow.pkts_toclient: 12
-      flow.pkts_toserver: 13
-      nfs.file_tx: false
-      nfs.filename: am
-      nfs.id: 13
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 35
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961896
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 12
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 15
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 1984
-      flow.bytes_toserver: 2350
-      flow.pkts_toclient: 12
-      flow.pkts_toserver: 13
-      nfs.file_tx: false
-      nfs.filename: am
-      nfs.id: 13
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 35
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961896
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 12
-- filter:
-    count: 1
-    match:
-      dest_ip: 139.25.22.2
-      dest_port: 1022
-      event_type: nfs
-      nfs.file_tx: false
-      nfs.filename: am
-      nfs.id: 13
-      nfs.procedure: LOOKUP
-      nfs.status: ERR_NOENT
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 36
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961896
-      src_ip: 139.25.22.102
-      src_port: 2049
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 3
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 2058
-      flow.bytes_toserver: 2572
-      flow.pkts_toclient: 13
-      flow.pkts_toserver: 14
-      nfs.file_tx: false
-      nfs.filename: a
-      nfs.hhash: 38a4e9f6
-      nfs.id: 14
-      nfs.procedure: RENAME
-      nfs.rename.from: a
-      nfs.rename.to: am
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 37
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961897
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 13
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 6
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 2058
-      flow.bytes_toserver: 2572
-      flow.pkts_toclient: 13
-      flow.pkts_toserver: 14
-      nfs.file_tx: false
-      nfs.filename: a
-      nfs.hhash: 38a4e9f6
-      nfs.id: 14
-      nfs.procedure: RENAME
-      nfs.rename.from: a
-      nfs.rename.to: am
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 37
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961897
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 13
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 11
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 2058
-      flow.bytes_toserver: 2572
-      flow.pkts_toclient: 13
-      flow.pkts_toserver: 14
-      nfs.file_tx: false
-      nfs.filename: a
-      nfs.hhash: 38a4e9f6
-      nfs.id: 14
-      nfs.procedure: RENAME
-      nfs.rename.from: a
-      nfs.rename.to: am
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 37
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961897
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 13
-- filter:
-    count: 1
-    match:
-      dest_ip: 139.25.22.2
-      dest_port: 1022
-      event_type: nfs
-      nfs.file_tx: false
-      nfs.filename: a
-      nfs.hhash: 38a4e9f6
-      nfs.id: 14
-      nfs.procedure: RENAME
-      nfs.rename.from: a
-      nfs.rename.to: am
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 38
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961897
-      src_ip: 139.25.22.102
-      src_port: 2049
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 3
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 2360
-      flow.bytes_toserver: 2750
-      flow.pkts_toclient: 14
-      flow.pkts_toserver: 15
-      nfs.file_tx: false
-      nfs.filename: b
-      nfs.id: 15
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 39
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961898
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 14
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 6
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 2360
-      flow.bytes_toserver: 2750
-      flow.pkts_toclient: 14
-      flow.pkts_toserver: 15
-      nfs.file_tx: false
-      nfs.filename: b
-      nfs.id: 15
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 39
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961898
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 14
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 12
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 2360
-      flow.bytes_toserver: 2750
-      flow.pkts_toclient: 14
-      flow.pkts_toserver: 15
-      nfs.file_tx: false
-      nfs.filename: b
-      nfs.id: 15
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 39
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961898
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 14
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 15
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 2360
-      flow.bytes_toserver: 2750
-      flow.pkts_toclient: 14
-      flow.pkts_toserver: 15
-      nfs.file_tx: false
-      nfs.filename: b
-      nfs.id: 15
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 39
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961898
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 14
-- filter:
-    count: 1
-    match:
-      dest_ip: 139.25.22.2
-      dest_port: 1022
-      event_type: nfs
-      nfs.file_tx: false
-      nfs.filename: b
-      nfs.hhash: a5fcf973
-      nfs.id: 15
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 40
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961898
-      src_ip: 139.25.22.102
-      src_port: 2049
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 3
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 2642
-      flow.bytes_toserver: 2928
-      flow.pkts_toclient: 15
-      flow.pkts_toserver: 16
-      nfs.file_tx: false
-      nfs.filename: bln
-      nfs.id: 16
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 41
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 1869440256
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961899
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 15
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 6
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 2642
-      flow.bytes_toserver: 2928
-      flow.pkts_toclient: 15
-      flow.pkts_toserver: 16
-      nfs.file_tx: false
-      nfs.filename: bln
-      nfs.id: 16
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 41
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 1869440256
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961899
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 15
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 12
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 2642
-      flow.bytes_toserver: 2928
-      flow.pkts_toclient: 15
-      flow.pkts_toserver: 16
-      nfs.file_tx: false
-      nfs.filename: bln
-      nfs.id: 16
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 41
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 1869440256
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961899
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 15
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 15
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 2642
-      flow.bytes_toserver: 2928
-      flow.pkts_toclient: 15
-      flow.pkts_toserver: 16
-      nfs.file_tx: false
-      nfs.filename: bln
-      nfs.id: 16
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 41
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 1869440256
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961899
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 15
-- filter:
-    count: 1
-    match:
-      dest_ip: 139.25.22.2
-      dest_port: 1022
-      event_type: nfs
-      nfs.file_tx: false
-      nfs.filename: bln
-      nfs.id: 16
-      nfs.procedure: LOOKUP
-      nfs.status: ERR_NOENT
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 42
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 1869440256
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961899
-      src_ip: 139.25.22.102
-      src_port: 2049
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 3
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 2716
-      flow.bytes_toserver: 3106
-      flow.pkts_toclient: 16
-      flow.pkts_toserver: 17
-      nfs.file_tx: false
-      nfs.filename: bln
-      nfs.id: 17
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 43
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961900
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 16
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 6
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 2716
-      flow.bytes_toserver: 3106
-      flow.pkts_toclient: 16
-      flow.pkts_toserver: 17
-      nfs.file_tx: false
-      nfs.filename: bln
-      nfs.id: 17
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 43
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961900
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 16
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 12
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 2716
-      flow.bytes_toserver: 3106
-      flow.pkts_toclient: 16
-      flow.pkts_toserver: 17
-      nfs.file_tx: false
-      nfs.filename: bln
-      nfs.id: 17
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 43
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961900
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 16
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 15
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 2716
-      flow.bytes_toserver: 3106
-      flow.pkts_toclient: 16
-      flow.pkts_toserver: 17
-      nfs.file_tx: false
-      nfs.filename: bln
-      nfs.id: 17
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 43
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961900
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 16
-- filter:
-    count: 1
-    match:
-      dest_ip: 139.25.22.2
-      dest_port: 1022
-      event_type: nfs
-      nfs.file_tx: false
-      nfs.filename: bln
-      nfs.id: 17
-      nfs.procedure: LOOKUP
-      nfs.status: ERR_NOENT
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 44
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961900
-      src_ip: 139.25.22.102
-      src_port: 2049
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 3
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 2790
-      flow.bytes_toserver: 3320
-      flow.pkts_toclient: 17
-      flow.pkts_toserver: 18
-      nfs.file_tx: false
-      nfs.filename: ''
-      nfs.id: 18
-      nfs.procedure: LINK
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 45
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 1869440256
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961901
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 17
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 6
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 2790
-      flow.bytes_toserver: 3320
-      flow.pkts_toclient: 17
-      flow.pkts_toserver: 18
-      nfs.file_tx: false
-      nfs.filename: ''
-      nfs.id: 18
-      nfs.procedure: LINK
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 45
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 1869440256
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961901
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 17
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 11
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 2790
-      flow.bytes_toserver: 3320
-      flow.pkts_toclient: 17
-      flow.pkts_toserver: 18
-      nfs.file_tx: false
-      nfs.filename: ''
-      nfs.id: 18
-      nfs.procedure: LINK
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 45
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 1869440256
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961901
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 17
-- filter:
-    count: 1
-    match:
-      dest_ip: 139.25.22.2
-      dest_port: 1022
-      event_type: nfs
-      nfs.file_tx: false
-      nfs.filename: ''
-      nfs.id: 18
-      nfs.procedure: LINK
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 46
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 1869440256
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961901
-      src_ip: 139.25.22.102
-      src_port: 2049
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 3
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 3064
-      flow.bytes_toserver: 3498
-      flow.pkts_toclient: 18
-      flow.pkts_toserver: 19
-      nfs.file_tx: false
-      nfs.filename: blns
-      nfs.id: 19
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 47
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961902
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 18
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 6
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 3064
-      flow.bytes_toserver: 3498
-      flow.pkts_toclient: 18
-      flow.pkts_toserver: 19
-      nfs.file_tx: false
-      nfs.filename: blns
-      nfs.id: 19
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 47
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961902
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 18
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 12
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 3064
-      flow.bytes_toserver: 3498
-      flow.pkts_toclient: 18
-      flow.pkts_toserver: 19
-      nfs.file_tx: false
-      nfs.filename: blns
-      nfs.id: 19
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 47
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961902
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 18
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 15
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 3064
-      flow.bytes_toserver: 3498
-      flow.pkts_toclient: 18
-      flow.pkts_toserver: 19
-      nfs.file_tx: false
-      nfs.filename: blns
-      nfs.id: 19
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 47
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961902
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 18
-- filter:
-    count: 1
-    match:
-      dest_ip: 139.25.22.2
-      dest_port: 1022
-      event_type: nfs
-      nfs.file_tx: false
-      nfs.filename: blns
-      nfs.id: 19
-      nfs.procedure: LOOKUP
-      nfs.status: ERR_NOENT
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 48
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961902
-      src_ip: 139.25.22.102
-      src_port: 2049
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 3
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 3138
-      flow.bytes_toserver: 3676
-      flow.pkts_toclient: 19
-      flow.pkts_toserver: 20
-      nfs.file_tx: false
-      nfs.filename: blns
-      nfs.id: 20
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 49
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961903
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 19
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 6
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 3138
-      flow.bytes_toserver: 3676
-      flow.pkts_toclient: 19
-      flow.pkts_toserver: 20
-      nfs.file_tx: false
-      nfs.filename: blns
-      nfs.id: 20
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 49
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961903
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 19
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 12
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 3138
-      flow.bytes_toserver: 3676
-      flow.pkts_toclient: 19
-      flow.pkts_toserver: 20
-      nfs.file_tx: false
-      nfs.filename: blns
-      nfs.id: 20
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 49
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961903
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 19
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 15
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 3138
-      flow.bytes_toserver: 3676
-      flow.pkts_toclient: 19
-      flow.pkts_toserver: 20
-      nfs.file_tx: false
-      nfs.filename: blns
-      nfs.id: 20
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 49
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961903
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 19
-- filter:
-    count: 1
-    match:
-      dest_ip: 139.25.22.2
-      dest_port: 1022
-      event_type: nfs
-      nfs.file_tx: false
-      nfs.filename: blns
-      nfs.id: 20
-      nfs.procedure: LOOKUP
-      nfs.status: ERR_NOENT
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 50
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961903
-      src_ip: 139.25.22.102
-      src_port: 2049
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 3
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 3212
-      flow.bytes_toserver: 3898
-      flow.pkts_toclient: 20
-      flow.pkts_toserver: 21
-      nfs.file_tx: false
-      nfs.filename: ''
-      nfs.id: 21
-      nfs.procedure: SYMLINK
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 51
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961904
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 20
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 6
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 3212
-      flow.bytes_toserver: 3898
-      flow.pkts_toclient: 20
-      flow.pkts_toserver: 21
-      nfs.file_tx: false
-      nfs.filename: ''
-      nfs.id: 21
-      nfs.procedure: SYMLINK
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 51
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961904
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 20
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 11
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 3212
-      flow.bytes_toserver: 3898
-      flow.pkts_toclient: 20
-      flow.pkts_toserver: 21
-      nfs.file_tx: false
-      nfs.filename: ''
-      nfs.id: 21
-      nfs.procedure: SYMLINK
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 51
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961904
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 20
-- filter:
-    count: 1
-    match:
-      dest_ip: 139.25.22.2
-      dest_port: 1022
-      event_type: nfs
-      nfs.file_tx: false
-      nfs.filename: ''
-      nfs.id: 21
-      nfs.procedure: SYMLINK
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 52
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961904
-      src_ip: 139.25.22.102
-      src_port: 2049
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 3
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 3502
-      flow.bytes_toserver: 4076
-      flow.pkts_toclient: 21
-      flow.pkts_toserver: 22
-      nfs.file_tx: false
-      nfs.filename: .
-      nfs.id: 22
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 53
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961905
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 21
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 6
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 3502
-      flow.bytes_toserver: 4076
-      flow.pkts_toclient: 21
-      flow.pkts_toserver: 22
-      nfs.file_tx: false
-      nfs.filename: .
-      nfs.id: 22
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 53
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961905
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 21
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 12
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 3502
-      flow.bytes_toserver: 4076
-      flow.pkts_toclient: 21
-      flow.pkts_toserver: 22
-      nfs.file_tx: false
-      nfs.filename: .
-      nfs.id: 22
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 53
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961905
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 21
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 15
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 3502
-      flow.bytes_toserver: 4076
-      flow.pkts_toclient: 21
-      flow.pkts_toserver: 22
-      nfs.file_tx: false
-      nfs.filename: .
-      nfs.id: 22
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 53
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961905
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 21
-- filter:
-    count: 1
-    match:
-      dest_ip: 139.25.22.2
-      dest_port: 1022
-      event_type: nfs
-      nfs.file_tx: false
-      nfs.filename: .
-      nfs.hhash: 38a4e9f6
-      nfs.id: 22
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 54
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961905
-      src_ip: 139.25.22.102
-      src_port: 2049
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 3
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 3784
-      flow.bytes_toserver: 4250
-      flow.pkts_toclient: 22
-      flow.pkts_toserver: 23
-      nfs.file_tx: false
-      nfs.filename: .
-      nfs.hhash: 38a4e9f6
-      nfs.id: 23
-      nfs.procedure: ACCESS
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 55
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961906
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 22
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 6
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 3784
-      flow.bytes_toserver: 4250
-      flow.pkts_toclient: 22
-      flow.pkts_toserver: 23
-      nfs.file_tx: false
-      nfs.filename: .
-      nfs.hhash: 38a4e9f6
-      nfs.id: 23
-      nfs.procedure: ACCESS
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 55
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961906
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 22
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 11
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 3784
-      flow.bytes_toserver: 4250
-      flow.pkts_toclient: 22
-      flow.pkts_toserver: 23
-      nfs.file_tx: false
-      nfs.filename: .
-      nfs.hhash: 38a4e9f6
-      nfs.id: 23
-      nfs.procedure: ACCESS
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 55
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961906
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 22
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 15
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 3784
-      flow.bytes_toserver: 4250
-      flow.pkts_toclient: 22
-      flow.pkts_toserver: 23
-      nfs.file_tx: false
-      nfs.filename: .
-      nfs.hhash: 38a4e9f6
-      nfs.id: 23
-      nfs.procedure: ACCESS
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 55
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961906
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 22
-- filter:
-    count: 1
-    match:
-      dest_ip: 139.25.22.2
-      dest_port: 1022
-      event_type: nfs
-      nfs.file_tx: false
-      nfs.filename: .
-      nfs.hhash: 38a4e9f6
-      nfs.id: 23
-      nfs.procedure: ACCESS
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 56
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961906
-      src_ip: 139.25.22.102
-      src_port: 2049
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 3
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 3946
-      flow.bytes_toserver: 4420
-      flow.pkts_toclient: 23
-      flow.pkts_toserver: 24
-      nfs.file_tx: false
-      nfs.filename: .
-      nfs.hhash: 38a4e9f6
-      nfs.id: 24
-      nfs.procedure: GETATTR
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 57
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961907
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 23
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 6
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 3946
-      flow.bytes_toserver: 4420
-      flow.pkts_toclient: 23
-      flow.pkts_toserver: 24
-      nfs.file_tx: false
-      nfs.filename: .
-      nfs.hhash: 38a4e9f6
-      nfs.id: 24
-      nfs.procedure: GETATTR
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 57
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961907
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 23
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 10
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 3946
-      flow.bytes_toserver: 4420
-      flow.pkts_toclient: 23
-      flow.pkts_toserver: 24
-      nfs.file_tx: false
-      nfs.filename: .
-      nfs.hhash: 38a4e9f6
-      nfs.id: 24
-      nfs.procedure: GETATTR
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 57
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961907
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 23
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 3
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 4100
-      flow.bytes_toserver: 4610
-      flow.pkts_toclient: 24
-      flow.pkts_toserver: 25
-      nfs.file_tx: false
-      nfs.filename: ''
-      nfs.id: 25
-      nfs.procedure: READDIR
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 59
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961908
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 24
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 6
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 4100
-      flow.bytes_toserver: 4610
-      flow.pkts_toclient: 24
-      flow.pkts_toserver: 25
-      nfs.file_tx: false
-      nfs.filename: ''
-      nfs.id: 25
-      nfs.procedure: READDIR
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 59
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961908
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 24
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 11
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 4100
-      flow.bytes_toserver: 4610
-      flow.pkts_toclient: 24
-      flow.pkts_toserver: 25
-      nfs.file_tx: false
-      nfs.filename: ''
-      nfs.id: 25
-      nfs.procedure: READDIR
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 59
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961908
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 24
-- filter:
-    count: 1
-    match:
-      dest_ip: 139.25.22.2
-      dest_port: 1022
-      event_type: nfs
-      nfs.file_tx: false
-      nfs.filename: ''
-      nfs.id: 25
-      nfs.procedure: READDIR
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 60
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961908
-      src_ip: 139.25.22.102
-      src_port: 2049
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 3
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 4442
-      flow.bytes_toserver: 4788
-      flow.pkts_toclient: 25
-      flow.pkts_toserver: 26
-      nfs.file_tx: false
-      nfs.filename: am
-      nfs.id: 26
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 61
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961909
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 25
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 6
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 4442
-      flow.bytes_toserver: 4788
-      flow.pkts_toclient: 25
-      flow.pkts_toserver: 26
-      nfs.file_tx: false
-      nfs.filename: am
-      nfs.id: 26
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 61
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961909
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 25
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 12
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 4442
-      flow.bytes_toserver: 4788
-      flow.pkts_toclient: 25
-      flow.pkts_toserver: 26
-      nfs.file_tx: false
-      nfs.filename: am
-      nfs.id: 26
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 61
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961909
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 25
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 15
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 4442
-      flow.bytes_toserver: 4788
-      flow.pkts_toclient: 25
-      flow.pkts_toserver: 26
-      nfs.file_tx: false
-      nfs.filename: am
-      nfs.id: 26
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 61
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961909
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 25
-- filter:
-    count: 1
-    match:
-      dest_ip: 139.25.22.2
-      dest_port: 1022
-      event_type: nfs
-      nfs.file_tx: false
-      nfs.filename: am
-      nfs.hhash: 131299c5
-      nfs.id: 26
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 62
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961909
-      src_ip: 139.25.22.102
-      src_port: 2049
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 3
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 4724
-      flow.bytes_toserver: 4966
-      flow.pkts_toclient: 26
-      flow.pkts_toserver: 27
-      nfs.file_tx: false
-      nfs.filename: bln
-      nfs.id: 27
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 63
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961910
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 26
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 6
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 4724
-      flow.bytes_toserver: 4966
-      flow.pkts_toclient: 26
-      flow.pkts_toserver: 27
-      nfs.file_tx: false
-      nfs.filename: bln
-      nfs.id: 27
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 63
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961910
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 26
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 12
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 4724
-      flow.bytes_toserver: 4966
-      flow.pkts_toclient: 26
-      flow.pkts_toserver: 27
-      nfs.file_tx: false
-      nfs.filename: bln
-      nfs.id: 27
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 63
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961910
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 26
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 15
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 4724
-      flow.bytes_toserver: 4966
-      flow.pkts_toclient: 26
-      flow.pkts_toserver: 27
-      nfs.file_tx: false
-      nfs.filename: bln
-      nfs.id: 27
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 63
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961910
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 26
-- filter:
-    count: 1
-    match:
-      dest_ip: 139.25.22.2
-      dest_port: 1022
-      event_type: nfs
-      nfs.file_tx: false
-      nfs.filename: bln
-      nfs.hhash: a5fcf973
-      nfs.id: 27
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 64
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961910
-      src_ip: 139.25.22.102
-      src_port: 2049
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 3
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 5006
-      flow.bytes_toserver: 5136
-      flow.pkts_toclient: 27
-      flow.pkts_toserver: 28
-      nfs.file_tx: false
-      nfs.filename: ''
-      nfs.id: 28
-      nfs.procedure: READLINK
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 65
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961911
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 27
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 6
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 5006
-      flow.bytes_toserver: 5136
-      flow.pkts_toclient: 27
-      flow.pkts_toserver: 28
-      nfs.file_tx: false
-      nfs.filename: ''
-      nfs.id: 28
-      nfs.procedure: READLINK
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 65
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961911
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 27
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 11
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 5006
-      flow.bytes_toserver: 5136
-      flow.pkts_toclient: 27
-      flow.pkts_toserver: 28
-      nfs.file_tx: false
-      nfs.filename: ''
-      nfs.id: 28
-      nfs.procedure: READLINK
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 65
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961911
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 27
-- filter:
-    count: 1
-    match:
-      dest_ip: 139.25.22.2
-      dest_port: 1022
-      event_type: nfs
-      nfs.file_tx: false
-      nfs.filename: ''
-      nfs.id: 28
-      nfs.procedure: READLINK
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 66
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961911
-      src_ip: 139.25.22.102
-      src_port: 2049
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 3
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 5172
-      flow.bytes_toserver: 5314
-      flow.pkts_toclient: 28
-      flow.pkts_toserver: 29
-      nfs.file_tx: false
-      nfs.filename: d
-      nfs.id: 29
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 67
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961912
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 28
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 6
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 5172
-      flow.bytes_toserver: 5314
-      flow.pkts_toclient: 28
-      flow.pkts_toserver: 29
-      nfs.file_tx: false
-      nfs.filename: d
-      nfs.id: 29
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 67
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961912
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 28
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 12
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 5172
-      flow.bytes_toserver: 5314
-      flow.pkts_toclient: 28
-      flow.pkts_toserver: 29
-      nfs.file_tx: false
-      nfs.filename: d
-      nfs.id: 29
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 67
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961912
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 28
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 15
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 5172
-      flow.bytes_toserver: 5314
-      flow.pkts_toclient: 28
-      flow.pkts_toserver: 29
-      nfs.file_tx: false
-      nfs.filename: d
-      nfs.id: 29
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 67
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961912
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 28
-- filter:
-    count: 1
-    match:
-      dest_ip: 139.25.22.2
-      dest_port: 1022
-      event_type: nfs
-      nfs.file_tx: false
-      nfs.filename: d
-      nfs.id: 29
-      nfs.procedure: LOOKUP
-      nfs.status: ERR_NOENT
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 68
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961912
-      src_ip: 139.25.22.102
-      src_port: 2049
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 3
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 5246
-      flow.bytes_toserver: 5528
-      flow.pkts_toclient: 29
-      flow.pkts_toserver: 30
-      nfs.file_tx: false
-      nfs.filename: d
-      nfs.hhash: 38a4e9f6
-      nfs.id: 30
-      nfs.procedure: MKDIR
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 69
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961913
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 29
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 6
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 5246
-      flow.bytes_toserver: 5528
-      flow.pkts_toclient: 29
-      flow.pkts_toserver: 30
-      nfs.file_tx: false
-      nfs.filename: d
-      nfs.hhash: 38a4e9f6
-      nfs.id: 30
-      nfs.procedure: MKDIR
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 69
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961913
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 29
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 11
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 5246
-      flow.bytes_toserver: 5528
-      flow.pkts_toclient: 29
-      flow.pkts_toserver: 30
-      nfs.file_tx: false
-      nfs.filename: d
-      nfs.hhash: 38a4e9f6
-      nfs.id: 30
-      nfs.procedure: MKDIR
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 69
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961913
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 29
-- filter:
-    count: 1
-    match:
-      dest_ip: 139.25.22.2
-      dest_port: 1022
-      event_type: nfs
-      nfs.file_tx: false
-      nfs.filename: d
-      nfs.hhash: 38a4e9f6
-      nfs.id: 30
-      nfs.procedure: MKDIR
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 70
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961913
-      src_ip: 139.25.22.102
-      src_port: 2049
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 3
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 5560
-      flow.bytes_toserver: 5706
-      flow.pkts_toclient: 30
-      flow.pkts_toserver: 31
-      nfs.file_tx: false
-      nfs.filename: h
-      nfs.id: 31
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 71
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961914
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 30
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 6
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 5560
-      flow.bytes_toserver: 5706
-      flow.pkts_toclient: 30
-      flow.pkts_toserver: 31
-      nfs.file_tx: false
-      nfs.filename: h
-      nfs.id: 31
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 71
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961914
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 30
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 12
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 5560
-      flow.bytes_toserver: 5706
-      flow.pkts_toclient: 30
-      flow.pkts_toserver: 31
-      nfs.file_tx: false
-      nfs.filename: h
-      nfs.id: 31
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 71
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961914
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 30
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 15
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 5560
-      flow.bytes_toserver: 5706
-      flow.pkts_toclient: 30
-      flow.pkts_toserver: 31
-      nfs.file_tx: false
-      nfs.filename: h
-      nfs.id: 31
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 71
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961914
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 30
-- filter:
-    count: 1
-    match:
-      dest_ip: 139.25.22.2
-      dest_port: 1022
-      event_type: nfs
-      nfs.file_tx: false
-      nfs.filename: h
-      nfs.id: 31
-      nfs.procedure: LOOKUP
-      nfs.status: ERR_NOENT
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 72
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961914
-      src_ip: 139.25.22.102
-      src_port: 2049
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 3
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 5634
-      flow.bytes_toserver: 5932
-      flow.pkts_toclient: 31
-      flow.pkts_toserver: 32
-      nfs.file_tx: false
-      nfs.filename: h
-      nfs.hhash: e87927b5
-      nfs.id: 32
-      nfs.procedure: CREATE
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 73
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961915
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 31
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 6
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 5634
-      flow.bytes_toserver: 5932
-      flow.pkts_toclient: 31
-      flow.pkts_toserver: 32
-      nfs.file_tx: false
-      nfs.filename: h
-      nfs.hhash: e87927b5
-      nfs.id: 32
-      nfs.procedure: CREATE
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 73
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961915
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 31
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 11
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 5634
-      flow.bytes_toserver: 5932
-      flow.pkts_toclient: 31
-      flow.pkts_toserver: 32
-      nfs.file_tx: false
-      nfs.filename: h
-      nfs.hhash: e87927b5
-      nfs.id: 32
-      nfs.procedure: CREATE
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 73
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961915
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 31
-- filter:
-    count: 1
-    match:
-      dest_ip: 139.25.22.2
-      dest_port: 1022
-      event_type: nfs
-      nfs.file_tx: false
-      nfs.filename: h
-      nfs.hhash: e87927b5
-      nfs.id: 32
-      nfs.procedure: CREATE
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 74
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961915
-      src_ip: 139.25.22.102
-      src_port: 2049
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 3
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 5948
-      flow.bytes_toserver: 6102
-      flow.pkts_toclient: 32
-      flow.pkts_toserver: 33
-      nfs.file_tx: false
-      nfs.filename: h
-      nfs.hhash: 3baec21a
-      nfs.id: 33
-      nfs.procedure: GETATTR
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 75
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961916
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 32
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 6
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 5948
-      flow.bytes_toserver: 6102
-      flow.pkts_toclient: 32
-      flow.pkts_toserver: 33
-      nfs.file_tx: false
-      nfs.filename: h
-      nfs.hhash: 3baec21a
-      nfs.id: 33
-      nfs.procedure: GETATTR
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 75
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961916
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 32
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 10
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 5948
-      flow.bytes_toserver: 6102
-      flow.pkts_toclient: 32
-      flow.pkts_toserver: 33
-      nfs.file_tx: false
-      nfs.filename: h
-      nfs.hhash: 3baec21a
-      nfs.id: 33
-      nfs.procedure: GETATTR
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 75
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961916
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 32
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 3
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 6102
-      flow.bytes_toserver: 6300
-      flow.pkts_toclient: 33
-      flow.pkts_toserver: 34
-      nfs.file_tx: true
-      nfs.filename: h
-      nfs.hhash: 3baec21a
-      nfs.id: 34
-      nfs.procedure: WRITE
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      nfs.write.chunks: 0
-      nfs.write.first: true
-      nfs.write.last: false
-      nfs.write.last_xid: 0
-      pcap_cnt: 77
-      proto: UDP
-      rpc.auth_type: 'NULL'
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961917
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 33
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 6
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 6102
-      flow.bytes_toserver: 6300
-      flow.pkts_toclient: 33
-      flow.pkts_toserver: 34
-      nfs.file_tx: true
-      nfs.filename: h
-      nfs.hhash: 3baec21a
-      nfs.id: 34
-      nfs.procedure: WRITE
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      nfs.write.chunks: 0
-      nfs.write.first: true
-      nfs.write.last: false
-      nfs.write.last_xid: 0
-      pcap_cnt: 77
-      proto: UDP
-      rpc.auth_type: 'NULL'
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961917
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 33
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 11
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 6102
-      flow.bytes_toserver: 6300
-      flow.pkts_toclient: 33
-      flow.pkts_toserver: 34
-      nfs.file_tx: true
-      nfs.filename: h
-      nfs.hhash: 3baec21a
-      nfs.id: 34
-      nfs.procedure: WRITE
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      nfs.write.chunks: 0
-      nfs.write.first: true
-      nfs.write.last: false
-      nfs.write.last_xid: 0
-      pcap_cnt: 77
-      proto: UDP
-      rpc.auth_type: 'NULL'
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961917
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 33
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 3
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 6304
-      flow.bytes_toserver: 6474
-      flow.pkts_toclient: 34
-      flow.pkts_toserver: 35
-      nfs.file_tx: false
-      nfs.filename: h
-      nfs.hhash: 3baec21a
-      nfs.id: 35
-      nfs.procedure: ACCESS
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 79
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961918
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 34
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 6
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 6304
-      flow.bytes_toserver: 6474
-      flow.pkts_toclient: 34
-      flow.pkts_toserver: 35
-      nfs.file_tx: false
-      nfs.filename: h
-      nfs.hhash: 3baec21a
-      nfs.id: 35
-      nfs.procedure: ACCESS
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 79
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961918
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 34
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 11
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 6304
-      flow.bytes_toserver: 6474
-      flow.pkts_toclient: 34
-      flow.pkts_toserver: 35
-      nfs.file_tx: false
-      nfs.filename: h
-      nfs.hhash: 3baec21a
-      nfs.id: 35
-      nfs.procedure: ACCESS
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 79
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961918
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 34
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 15
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 6304
-      flow.bytes_toserver: 6474
-      flow.pkts_toclient: 34
-      flow.pkts_toserver: 35
-      nfs.file_tx: false
-      nfs.filename: h
-      nfs.hhash: 3baec21a
-      nfs.id: 35
-      nfs.procedure: ACCESS
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 79
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961918
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 34
-- filter:
-    count: 1
-    match:
-      dest_ip: 139.25.22.2
-      dest_port: 1022
-      event_type: nfs
-      nfs.file_tx: false
-      nfs.filename: h
-      nfs.hhash: 3baec21a
-      nfs.id: 35
-      nfs.procedure: ACCESS
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 80
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961918
-      src_ip: 139.25.22.102
-      src_port: 2049
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 3
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 6466
-      flow.bytes_toserver: 6644
-      flow.pkts_toclient: 35
-      flow.pkts_toserver: 36
-      nfs.file_tx: false
-      nfs.filename: h
-      nfs.hhash: 3baec21a
-      nfs.id: 36
-      nfs.procedure: GETATTR
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 81
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961919
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 35
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 6
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 6466
-      flow.bytes_toserver: 6644
-      flow.pkts_toclient: 35
-      flow.pkts_toserver: 36
-      nfs.file_tx: false
-      nfs.filename: h
-      nfs.hhash: 3baec21a
-      nfs.id: 36
-      nfs.procedure: GETATTR
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 81
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961919
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 35
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 10
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 6466
-      flow.bytes_toserver: 6644
-      flow.pkts_toclient: 35
-      flow.pkts_toserver: 36
-      nfs.file_tx: false
-      nfs.filename: h
-      nfs.hhash: 3baec21a
-      nfs.id: 36
-      nfs.procedure: GETATTR
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 81
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961919
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 35
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 3
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 6620
-      flow.bytes_toserver: 6818
-      flow.pkts_toclient: 36
-      flow.pkts_toserver: 37
-      nfs.file_tx: false
-      nfs.filename: bln
-      nfs.hhash: a5fcf973
-      nfs.id: 37
-      nfs.procedure: ACCESS
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 83
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961920
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 36
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 6
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 6620
-      flow.bytes_toserver: 6818
-      flow.pkts_toclient: 36
-      flow.pkts_toserver: 37
-      nfs.file_tx: false
-      nfs.filename: bln
-      nfs.hhash: a5fcf973
-      nfs.id: 37
-      nfs.procedure: ACCESS
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 83
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961920
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 36
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 11
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 6620
-      flow.bytes_toserver: 6818
-      flow.pkts_toclient: 36
-      flow.pkts_toserver: 37
-      nfs.file_tx: false
-      nfs.filename: bln
-      nfs.hhash: a5fcf973
-      nfs.id: 37
-      nfs.procedure: ACCESS
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 83
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961920
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 36
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 15
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 6620
-      flow.bytes_toserver: 6818
-      flow.pkts_toclient: 36
-      flow.pkts_toserver: 37
-      nfs.file_tx: false
-      nfs.filename: bln
-      nfs.hhash: a5fcf973
-      nfs.id: 37
-      nfs.procedure: ACCESS
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 83
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961920
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 36
-- filter:
-    count: 1
-    match:
-      dest_ip: 139.25.22.2
-      dest_port: 1022
-      event_type: nfs
-      nfs.file_tx: false
-      nfs.filename: bln
-      nfs.hhash: a5fcf973
-      nfs.id: 37
-      nfs.procedure: ACCESS
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 84
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961920
-      src_ip: 139.25.22.102
-      src_port: 2049
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 3
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 6782
-      flow.bytes_toserver: 6988
-      flow.pkts_toclient: 37
-      flow.pkts_toserver: 38
-      nfs.file_tx: false
-      nfs.filename: bln
-      nfs.hhash: a5fcf973
-      nfs.id: 38
-      nfs.procedure: GETATTR
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 85
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961921
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 37
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 6
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 6782
-      flow.bytes_toserver: 6988
-      flow.pkts_toclient: 37
-      flow.pkts_toserver: 38
-      nfs.file_tx: false
-      nfs.filename: bln
-      nfs.hhash: a5fcf973
-      nfs.id: 38
-      nfs.procedure: GETATTR
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 85
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961921
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 37
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 10
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 6782
-      flow.bytes_toserver: 6988
-      flow.pkts_toclient: 37
-      flow.pkts_toserver: 38
-      nfs.file_tx: false
-      nfs.filename: bln
-      nfs.hhash: a5fcf973
-      nfs.id: 38
-      nfs.procedure: GETATTR
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 85
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961921
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 37
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 3
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 6936
-      flow.bytes_toserver: 7170
-      flow.pkts_toclient: 38
-      flow.pkts_toserver: 39
-      nfs.file_tx: true
-      nfs.filename: bln
-      nfs.hhash: a5fcf973
-      nfs.id: 39
-      nfs.procedure: READ
-      nfs.read.chunks: 0
-      nfs.read.first: true
-      nfs.read.last: false
-      nfs.read.last_xid: 0
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 87
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961922
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 38
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 6
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 6936
-      flow.bytes_toserver: 7170
-      flow.pkts_toclient: 38
-      flow.pkts_toserver: 39
-      nfs.file_tx: true
-      nfs.filename: bln
-      nfs.hhash: a5fcf973
-      nfs.id: 39
-      nfs.procedure: READ
-      nfs.read.chunks: 0
-      nfs.read.first: true
-      nfs.read.last: false
-      nfs.read.last_xid: 0
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 87
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961922
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 38
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 11
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 6936
-      flow.bytes_toserver: 7170
-      flow.pkts_toclient: 38
-      flow.pkts_toserver: 39
-      nfs.file_tx: true
-      nfs.filename: bln
-      nfs.hhash: a5fcf973
-      nfs.id: 39
-      nfs.procedure: READ
-      nfs.read.chunks: 0
-      nfs.read.first: true
-      nfs.read.last: false
-      nfs.read.last_xid: 0
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 87
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961922
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 38
-- filter:
-    count: 1
-    match:
-      dest_ip: 139.25.22.2
-      dest_port: 1022
-      event_type: nfs
-      nfs.file_tx: true
-      nfs.filename: bln
-      nfs.hhash: a5fcf973
-      nfs.id: 39
-      nfs.procedure: READ
-      nfs.read.chunks: 1
-      nfs.read.first: true
-      nfs.read.last: true
-      nfs.read.last_xid: 1578961922
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 88
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961922
-      src_ip: 139.25.22.102
-      src_port: 2049
-- filter:
-    count: 1
-    match:
-      app_proto: nfs
-      dest_ip: 139.25.22.2
-      dest_port: 1022
-      event_type: fileinfo
-      fileinfo.filename: bln
-      fileinfo.gaps: false
-      fileinfo.size: 11
-      fileinfo.state: CLOSED
-      fileinfo.stored: false
-      fileinfo.tx_id: 38
-      nfs.file_tx: true
-      nfs.filename: bln
-      nfs.hhash: a5fcf973
-      nfs.id: 39
-      nfs.procedure: READ
-      nfs.read.chunks: 1
-      nfs.read.first: true
-      nfs.read.last: true
-      nfs.read.last_xid: 1578961922
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 88
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961922
-      src_ip: 139.25.22.102
-      src_port: 2049
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 3
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 7320
-      flow.bytes_toserver: 7554
-      flow.pkts_toclient: 40
-      flow.pkts_toserver: 41
-      nfs.file_tx: false
-      nfs.filename: ''
-      nfs.hhash: e87927b5
-      nfs.id: 40
-      nfs.procedure: ACCESS
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 91
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961924
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 39
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 6
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 7320
-      flow.bytes_toserver: 7554
-      flow.pkts_toclient: 40
-      flow.pkts_toserver: 41
-      nfs.file_tx: false
-      nfs.filename: ''
-      nfs.hhash: e87927b5
-      nfs.id: 40
-      nfs.procedure: ACCESS
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 91
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961924
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 39
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 11
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 7320
-      flow.bytes_toserver: 7554
-      flow.pkts_toclient: 40
-      flow.pkts_toserver: 41
-      nfs.file_tx: false
-      nfs.filename: ''
-      nfs.hhash: e87927b5
-      nfs.id: 40
-      nfs.procedure: ACCESS
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 91
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961924
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 39
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 15
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 7320
-      flow.bytes_toserver: 7554
-      flow.pkts_toclient: 40
-      flow.pkts_toserver: 41
-      nfs.file_tx: false
-      nfs.filename: ''
-      nfs.hhash: e87927b5
-      nfs.id: 40
-      nfs.procedure: ACCESS
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 91
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961924
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 39
-- filter:
-    count: 1
-    match:
-      dest_ip: 139.25.22.2
-      dest_port: 1022
-      event_type: nfs
-      nfs.file_tx: false
-      nfs.filename: ''
-      nfs.hhash: e87927b5
-      nfs.id: 40
-      nfs.procedure: ACCESS
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 92
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961924
-      src_ip: 139.25.22.102
-      src_port: 2049
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 3
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 7482
-      flow.bytes_toserver: 7724
-      flow.pkts_toclient: 41
-      flow.pkts_toserver: 42
-      nfs.file_tx: false
-      nfs.filename: ''
-      nfs.hhash: e87927b5
-      nfs.id: 41
-      nfs.procedure: GETATTR
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 93
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961925
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 40
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 6
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 7482
-      flow.bytes_toserver: 7724
-      flow.pkts_toclient: 41
-      flow.pkts_toserver: 42
-      nfs.file_tx: false
-      nfs.filename: ''
-      nfs.hhash: e87927b5
-      nfs.id: 41
-      nfs.procedure: GETATTR
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 93
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961925
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 40
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 10
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 7482
-      flow.bytes_toserver: 7724
-      flow.pkts_toclient: 41
-      flow.pkts_toserver: 42
-      nfs.file_tx: false
-      nfs.filename: ''
-      nfs.hhash: e87927b5
-      nfs.id: 41
-      nfs.procedure: GETATTR
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 93
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961925
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 40
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 3
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 7636
-      flow.bytes_toserver: 7914
-      flow.pkts_toclient: 42
-      flow.pkts_toserver: 43
-      nfs.file_tx: false
-      nfs.filename: ''
-      nfs.id: 42
-      nfs.procedure: READDIR
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 95
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961926
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 41
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 6
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 7636
-      flow.bytes_toserver: 7914
-      flow.pkts_toclient: 42
-      flow.pkts_toserver: 43
-      nfs.file_tx: false
-      nfs.filename: ''
-      nfs.id: 42
-      nfs.procedure: READDIR
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 95
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961926
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 41
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 11
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 7636
-      flow.bytes_toserver: 7914
-      flow.pkts_toclient: 42
-      flow.pkts_toserver: 43
-      nfs.file_tx: false
-      nfs.filename: ''
-      nfs.id: 42
-      nfs.procedure: READDIR
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 95
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961926
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 41
-- filter:
-    count: 1
-    match:
-      dest_ip: 139.25.22.2
-      dest_port: 1022
-      event_type: nfs
-      nfs.file_tx: false
-      nfs.filename: ''
-      nfs.id: 42
-      nfs.procedure: READDIR
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 96
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961926
-      src_ip: 139.25.22.102
-      src_port: 2049
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 3
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 7894
-      flow.bytes_toserver: 8092
-      flow.pkts_toclient: 43
-      flow.pkts_toserver: 44
-      nfs.file_tx: false
-      nfs.filename: h
-      nfs.hhash: e87927b5
-      nfs.id: 43
-      nfs.procedure: REMOVE
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 97
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961927
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 42
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 6
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 7894
-      flow.bytes_toserver: 8092
-      flow.pkts_toclient: 43
-      flow.pkts_toserver: 44
-      nfs.file_tx: false
-      nfs.filename: h
-      nfs.hhash: e87927b5
-      nfs.id: 43
-      nfs.procedure: REMOVE
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 97
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961927
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 42
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 11
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 7894
-      flow.bytes_toserver: 8092
-      flow.pkts_toclient: 43
-      flow.pkts_toserver: 44
-      nfs.file_tx: false
-      nfs.filename: h
-      nfs.hhash: e87927b5
-      nfs.id: 43
-      nfs.procedure: REMOVE
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 97
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961927
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 42
-- filter:
-    count: 1
-    match:
-      dest_ip: 139.25.22.2
-      dest_port: 1022
-      event_type: nfs
-      nfs.file_tx: false
-      nfs.filename: h
-      nfs.hhash: e87927b5
-      nfs.id: 43
-      nfs.procedure: REMOVE
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 98
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961927
-      src_ip: 139.25.22.102
-      src_port: 2049
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 3
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 8080
-      flow.bytes_toserver: 8270
-      flow.pkts_toclient: 44
-      flow.pkts_toserver: 45
-      nfs.file_tx: false
-      nfs.filename: d
-      nfs.hhash: 38a4e9f6
-      nfs.id: 44
-      nfs.procedure: RMDIR
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 99
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961928
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 43
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 6
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 8080
-      flow.bytes_toserver: 8270
-      flow.pkts_toclient: 44
-      flow.pkts_toserver: 45
-      nfs.file_tx: false
-      nfs.filename: d
-      nfs.hhash: 38a4e9f6
-      nfs.id: 44
-      nfs.procedure: RMDIR
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 99
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961928
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 43
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 11
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 8080
-      flow.bytes_toserver: 8270
-      flow.pkts_toclient: 44
-      flow.pkts_toserver: 45
-      nfs.file_tx: false
-      nfs.filename: d
-      nfs.hhash: 38a4e9f6
-      nfs.id: 44
-      nfs.procedure: RMDIR
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 99
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961928
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 43
-- filter:
-    count: 1
-    match:
-      dest_ip: 139.25.22.2
-      dest_port: 1022
-      event_type: nfs
-      nfs.file_tx: false
-      nfs.filename: d
-      nfs.hhash: 38a4e9f6
-      nfs.id: 44
-      nfs.procedure: RMDIR
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 100
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961928
-      src_ip: 139.25.22.102
-      src_port: 2049
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 3
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 8266
-      flow.bytes_toserver: 8448
-      flow.pkts_toclient: 45
-      flow.pkts_toserver: 46
-      nfs.file_tx: false
-      nfs.filename: am
-      nfs.id: 45
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 101
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961929
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 44
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 6
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 8266
-      flow.bytes_toserver: 8448
-      flow.pkts_toclient: 45
-      flow.pkts_toserver: 46
-      nfs.file_tx: false
-      nfs.filename: am
-      nfs.id: 45
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 101
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961929
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 44
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 12
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 8266
-      flow.bytes_toserver: 8448
-      flow.pkts_toclient: 45
-      flow.pkts_toserver: 46
-      nfs.file_tx: false
-      nfs.filename: am
-      nfs.id: 45
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 101
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961929
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 44
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 15
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 8266
-      flow.bytes_toserver: 8448
-      flow.pkts_toclient: 45
-      flow.pkts_toserver: 46
-      nfs.file_tx: false
-      nfs.filename: am
-      nfs.id: 45
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 101
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961929
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 44
-- filter:
-    count: 1
-    match:
-      dest_ip: 139.25.22.2
-      dest_port: 1022
-      event_type: nfs
-      nfs.file_tx: false
-      nfs.filename: am
-      nfs.hhash: 131299c5
-      nfs.id: 45
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 102
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961929
-      src_ip: 139.25.22.102
-      src_port: 2049
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 3
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 8548
-      flow.bytes_toserver: 8626
-      flow.pkts_toclient: 46
-      flow.pkts_toserver: 47
-      nfs.file_tx: false
-      nfs.filename: am
-      nfs.id: 46
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 103
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961930
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 45
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 6
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 8548
-      flow.bytes_toserver: 8626
-      flow.pkts_toclient: 46
-      flow.pkts_toserver: 47
-      nfs.file_tx: false
-      nfs.filename: am
-      nfs.id: 46
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 103
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961930
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 45
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 12
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 8548
-      flow.bytes_toserver: 8626
-      flow.pkts_toclient: 46
-      flow.pkts_toserver: 47
-      nfs.file_tx: false
-      nfs.filename: am
-      nfs.id: 46
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 103
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961930
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 45
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 15
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 8548
-      flow.bytes_toserver: 8626
-      flow.pkts_toclient: 46
-      flow.pkts_toserver: 47
-      nfs.file_tx: false
-      nfs.filename: am
-      nfs.id: 46
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 103
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961930
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 45
-- filter:
-    count: 1
-    match:
-      dest_ip: 139.25.22.2
-      dest_port: 1022
-      event_type: nfs
-      nfs.file_tx: false
-      nfs.filename: am
-      nfs.hhash: 131299c5
-      nfs.id: 46
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 104
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961930
-      src_ip: 139.25.22.102
-      src_port: 2049
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 3
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 8830
-      flow.bytes_toserver: 8804
-      flow.pkts_toclient: 47
-      flow.pkts_toserver: 48
-      nfs.file_tx: false
-      nfs.filename: am
-      nfs.hhash: 38a4e9f6
-      nfs.id: 47
-      nfs.procedure: REMOVE
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 105
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961931
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 46
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 6
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 8830
-      flow.bytes_toserver: 8804
-      flow.pkts_toclient: 47
-      flow.pkts_toserver: 48
-      nfs.file_tx: false
-      nfs.filename: am
-      nfs.hhash: 38a4e9f6
-      nfs.id: 47
-      nfs.procedure: REMOVE
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 105
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961931
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 46
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 11
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 8830
-      flow.bytes_toserver: 8804
-      flow.pkts_toclient: 47
-      flow.pkts_toserver: 48
-      nfs.file_tx: false
-      nfs.filename: am
-      nfs.hhash: 38a4e9f6
-      nfs.id: 47
-      nfs.procedure: REMOVE
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 105
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961931
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 46
-- filter:
-    count: 1
-    match:
-      dest_ip: 139.25.22.2
-      dest_port: 1022
-      event_type: nfs
-      nfs.file_tx: false
-      nfs.filename: am
-      nfs.hhash: 38a4e9f6
-      nfs.id: 47
-      nfs.procedure: REMOVE
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 106
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961931
-      src_ip: 139.25.22.102
-      src_port: 2049
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 3
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 9016
-      flow.bytes_toserver: 8982
-      flow.pkts_toclient: 48
-      flow.pkts_toserver: 49
-      nfs.file_tx: false
-      nfs.filename: bln
-      nfs.id: 48
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 107
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961932
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 47
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 6
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 9016
-      flow.bytes_toserver: 8982
-      flow.pkts_toclient: 48
-      flow.pkts_toserver: 49
-      nfs.file_tx: false
-      nfs.filename: bln
-      nfs.id: 48
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 107
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961932
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 47
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 12
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 9016
-      flow.bytes_toserver: 8982
-      flow.pkts_toclient: 48
-      flow.pkts_toserver: 49
-      nfs.file_tx: false
-      nfs.filename: bln
-      nfs.id: 48
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 107
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961932
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 47
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 15
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 9016
-      flow.bytes_toserver: 8982
-      flow.pkts_toclient: 48
-      flow.pkts_toserver: 49
-      nfs.file_tx: false
-      nfs.filename: bln
-      nfs.id: 48
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 107
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961932
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 47
-- filter:
-    count: 1
-    match:
-      dest_ip: 139.25.22.2
-      dest_port: 1022
-      event_type: nfs
-      nfs.file_tx: false
-      nfs.filename: bln
-      nfs.hhash: a5fcf973
-      nfs.id: 48
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 108
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961932
-      src_ip: 139.25.22.102
-      src_port: 2049
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 3
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 9298
-      flow.bytes_toserver: 9160
-      flow.pkts_toclient: 49
-      flow.pkts_toserver: 50
-      nfs.file_tx: false
-      nfs.filename: bln
-      nfs.id: 49
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 109
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961933
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 48
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 6
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 9298
-      flow.bytes_toserver: 9160
-      flow.pkts_toclient: 49
-      flow.pkts_toserver: 50
-      nfs.file_tx: false
-      nfs.filename: bln
-      nfs.id: 49
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 109
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961933
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 48
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 12
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 9298
-      flow.bytes_toserver: 9160
-      flow.pkts_toclient: 49
-      flow.pkts_toserver: 50
-      nfs.file_tx: false
-      nfs.filename: bln
-      nfs.id: 49
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 109
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961933
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 48
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 15
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 9298
-      flow.bytes_toserver: 9160
-      flow.pkts_toclient: 49
-      flow.pkts_toserver: 50
-      nfs.file_tx: false
-      nfs.filename: bln
-      nfs.id: 49
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 109
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961933
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 48
-- filter:
-    count: 1
-    match:
-      dest_ip: 139.25.22.2
-      dest_port: 1022
-      event_type: nfs
-      nfs.file_tx: false
-      nfs.filename: bln
-      nfs.hhash: a5fcf973
-      nfs.id: 49
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 110
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961933
-      src_ip: 139.25.22.102
-      src_port: 2049
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 3
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 9580
-      flow.bytes_toserver: 9338
-      flow.pkts_toclient: 50
-      flow.pkts_toserver: 51
-      nfs.file_tx: false
-      nfs.filename: bln
-      nfs.hhash: 38a4e9f6
-      nfs.id: 50
-      nfs.procedure: REMOVE
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 111
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961934
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 49
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 6
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 9580
-      flow.bytes_toserver: 9338
-      flow.pkts_toclient: 50
-      flow.pkts_toserver: 51
-      nfs.file_tx: false
-      nfs.filename: bln
-      nfs.hhash: 38a4e9f6
-      nfs.id: 50
-      nfs.procedure: REMOVE
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 111
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961934
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 49
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 11
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 9580
-      flow.bytes_toserver: 9338
-      flow.pkts_toclient: 50
-      flow.pkts_toserver: 51
-      nfs.file_tx: false
-      nfs.filename: bln
-      nfs.hhash: 38a4e9f6
-      nfs.id: 50
-      nfs.procedure: REMOVE
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 111
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961934
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 49
-- filter:
-    count: 1
-    match:
-      dest_ip: 139.25.22.2
-      dest_port: 1022
-      event_type: nfs
-      nfs.file_tx: false
-      nfs.filename: bln
-      nfs.hhash: 38a4e9f6
-      nfs.id: 50
-      nfs.procedure: REMOVE
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 112
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961934
-      src_ip: 139.25.22.102
-      src_port: 2049
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 3
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 9766
-      flow.bytes_toserver: 9516
-      flow.pkts_toclient: 51
-      flow.pkts_toserver: 52
-      nfs.file_tx: false
-      nfs.filename: blns
-      nfs.id: 51
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 113
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961935
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 50
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 6
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 9766
-      flow.bytes_toserver: 9516
-      flow.pkts_toclient: 51
-      flow.pkts_toserver: 52
-      nfs.file_tx: false
-      nfs.filename: blns
-      nfs.id: 51
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 113
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961935
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 50
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 12
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 9766
-      flow.bytes_toserver: 9516
-      flow.pkts_toclient: 51
-      flow.pkts_toserver: 52
-      nfs.file_tx: false
-      nfs.filename: blns
-      nfs.id: 51
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 113
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961935
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 50
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 15
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 9766
-      flow.bytes_toserver: 9516
-      flow.pkts_toclient: 51
-      flow.pkts_toserver: 52
-      nfs.file_tx: false
-      nfs.filename: blns
-      nfs.id: 51
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 113
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961935
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 50
-- filter:
-    count: 1
-    match:
-      dest_ip: 139.25.22.2
-      dest_port: 1022
-      event_type: nfs
-      nfs.file_tx: false
-      nfs.filename: blns
-      nfs.hhash: 94b45286
-      nfs.id: 51
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 114
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961935
-      src_ip: 139.25.22.102
-      src_port: 2049
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 3
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 10048
-      flow.bytes_toserver: 9694
-      flow.pkts_toclient: 52
-      flow.pkts_toserver: 53
-      nfs.file_tx: false
-      nfs.filename: blns
-      nfs.id: 52
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 115
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961936
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 51
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 6
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 10048
-      flow.bytes_toserver: 9694
-      flow.pkts_toclient: 52
-      flow.pkts_toserver: 53
-      nfs.file_tx: false
-      nfs.filename: blns
-      nfs.id: 52
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 115
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961936
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 51
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 12
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 10048
-      flow.bytes_toserver: 9694
-      flow.pkts_toclient: 52
-      flow.pkts_toserver: 53
-      nfs.file_tx: false
-      nfs.filename: blns
-      nfs.id: 52
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 115
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961936
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 51
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 15
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 10048
-      flow.bytes_toserver: 9694
-      flow.pkts_toclient: 52
-      flow.pkts_toserver: 53
-      nfs.file_tx: false
-      nfs.filename: blns
-      nfs.id: 52
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 115
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961936
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 51
-- filter:
-    count: 1
-    match:
-      dest_ip: 139.25.22.2
-      dest_port: 1022
-      event_type: nfs
-      nfs.file_tx: false
-      nfs.filename: blns
-      nfs.hhash: 94b45286
-      nfs.id: 52
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 116
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961936
-      src_ip: 139.25.22.102
-      src_port: 2049
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 3
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 10330
-      flow.bytes_toserver: 9864
-      flow.pkts_toclient: 53
-      flow.pkts_toserver: 54
-      nfs.file_tx: false
-      nfs.filename: ''
-      nfs.id: 53
-      nfs.procedure: READLINK
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 117
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961937
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 52
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 6
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 10330
-      flow.bytes_toserver: 9864
-      flow.pkts_toclient: 53
-      flow.pkts_toserver: 54
-      nfs.file_tx: false
-      nfs.filename: ''
-      nfs.id: 53
-      nfs.procedure: READLINK
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 117
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961937
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 52
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 11
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 10330
-      flow.bytes_toserver: 9864
-      flow.pkts_toclient: 53
-      flow.pkts_toserver: 54
-      nfs.file_tx: false
-      nfs.filename: ''
-      nfs.id: 53
-      nfs.procedure: READLINK
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 117
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961937
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 52
-- filter:
-    count: 1
-    match:
-      dest_ip: 139.25.22.2
-      dest_port: 1022
-      event_type: nfs
-      nfs.file_tx: false
-      nfs.filename: ''
-      nfs.id: 53
-      nfs.procedure: READLINK
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 118
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961937
-      src_ip: 139.25.22.102
-      src_port: 2049
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 3
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 10496
-      flow.bytes_toserver: 10042
-      flow.pkts_toclient: 54
-      flow.pkts_toserver: 55
-      nfs.file_tx: false
-      nfs.filename: b
-      nfs.id: 54
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 119
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961938
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 53
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 6
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 10496
-      flow.bytes_toserver: 10042
-      flow.pkts_toclient: 54
-      flow.pkts_toserver: 55
-      nfs.file_tx: false
-      nfs.filename: b
-      nfs.id: 54
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 119
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961938
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 53
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 12
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 10496
-      flow.bytes_toserver: 10042
-      flow.pkts_toclient: 54
-      flow.pkts_toserver: 55
-      nfs.file_tx: false
-      nfs.filename: b
-      nfs.id: 54
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 119
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961938
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 53
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 15
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 10496
-      flow.bytes_toserver: 10042
-      flow.pkts_toclient: 54
-      flow.pkts_toserver: 55
-      nfs.file_tx: false
-      nfs.filename: b
-      nfs.id: 54
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 119
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961938
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 53
-- filter:
-    count: 1
-    match:
-      dest_ip: 139.25.22.2
-      dest_port: 1022
-      event_type: nfs
-      nfs.file_tx: false
-      nfs.filename: b
-      nfs.hhash: a5fcf973
-      nfs.id: 54
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 120
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961938
-      src_ip: 139.25.22.102
-      src_port: 2049
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 3
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 10778
-      flow.bytes_toserver: 10220
-      flow.pkts_toclient: 55
-      flow.pkts_toserver: 56
-      nfs.file_tx: false
-      nfs.filename: blns
-      nfs.hhash: 38a4e9f6
-      nfs.id: 55
-      nfs.procedure: REMOVE
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 121
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961939
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 54
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 6
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 10778
-      flow.bytes_toserver: 10220
-      flow.pkts_toclient: 55
-      flow.pkts_toserver: 56
-      nfs.file_tx: false
-      nfs.filename: blns
-      nfs.hhash: 38a4e9f6
-      nfs.id: 55
-      nfs.procedure: REMOVE
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 121
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961939
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 54
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 11
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 10778
-      flow.bytes_toserver: 10220
-      flow.pkts_toclient: 55
-      flow.pkts_toserver: 56
-      nfs.file_tx: false
-      nfs.filename: blns
-      nfs.hhash: 38a4e9f6
-      nfs.id: 55
-      nfs.procedure: REMOVE
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 121
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961939
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 54
-- filter:
-    count: 1
-    match:
-      dest_ip: 139.25.22.2
-      dest_port: 1022
-      event_type: nfs
-      nfs.file_tx: false
-      nfs.filename: blns
-      nfs.hhash: 38a4e9f6
-      nfs.id: 55
-      nfs.procedure: REMOVE
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 122
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961939
-      src_ip: 139.25.22.102
-      src_port: 2049
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 3
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 10964
-      flow.bytes_toserver: 10398
-      flow.pkts_toclient: 56
-      flow.pkts_toserver: 57
-      nfs.file_tx: false
-      nfs.filename: am
-      nfs.id: 56
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 123
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961940
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 55
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 6
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 10964
-      flow.bytes_toserver: 10398
-      flow.pkts_toclient: 56
-      flow.pkts_toserver: 57
-      nfs.file_tx: false
-      nfs.filename: am
-      nfs.id: 56
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 123
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961940
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 55
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 12
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 10964
-      flow.bytes_toserver: 10398
-      flow.pkts_toclient: 56
-      flow.pkts_toserver: 57
-      nfs.file_tx: false
-      nfs.filename: am
-      nfs.id: 56
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 123
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961940
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 55
-- filter:
-    count: 1
-    match:
-      alert.action: allowed
-      alert.category: ''
-      alert.gid: 1
-      alert.rev: 0
-      alert.severity: 3
-      alert.signature: ''
-      alert.signature_id: 15
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: alert
-      flow.bytes_toclient: 10964
-      flow.bytes_toserver: 10398
-      flow.pkts_toclient: 56
-      flow.pkts_toserver: 57
-      nfs.file_tx: false
-      nfs.filename: am
-      nfs.id: 56
-      nfs.procedure: LOOKUP
-      nfs.status: OK
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 123
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961940
-      src_ip: 139.25.22.2
-      src_port: 1022
-      tx_id: 55
-- filter:
-    count: 1
-    match:
-      dest_ip: 139.25.22.2
-      dest_port: 1022
-      event_type: nfs
-      nfs.file_tx: false
-      nfs.filename: am
-      nfs.id: 56
-      nfs.procedure: LOOKUP
-      nfs.status: ERR_NOENT
-      nfs.type: response
-      nfs.version: 3
-      pcap_cnt: 124
-      proto: UDP
-      rpc.auth_type: UNIX
-      rpc.creds.gid: 0
-      rpc.creds.machine_name: werrmsche
-      rpc.creds.uid: 0
-      rpc.status: ACCEPTED
-      rpc.xid: 1578961940
-      src_ip: 139.25.22.102
-      src_port: 2049
-- filter:
-    count: 1
-    match:
-      app_proto: failed
-      dest_ip: 139.25.22.102
-      dest_port: 1048
-      event_type: flow
-      flow.age: 0
-      flow.alerted: false
-      flow.bytes_toclient: 66
-      flow.bytes_toserver: 158
-      flow.pkts_toclient: 1
-      flow.pkts_toserver: 1
-      flow.reason: shutdown
-      flow.state: established
-      proto: UDP
-      src_ip: 139.25.22.2
-      src_port: 722
-- filter:
-    count: 1
-    match:
-      app_proto: failed
-      dest_ip: 139.25.22.102
-      dest_port: 111
-      event_type: flow
-      flow.age: 0
-      flow.alerted: false
-      flow.bytes_toclient: 90
-      flow.bytes_toserver: 106
-      flow.pkts_toclient: 1
-      flow.pkts_toserver: 1
-      flow.reason: shutdown
-      flow.state: established
-      proto: UDP
-      src_ip: 139.25.22.2
-      src_port: 3299
-- filter:
-    count: 1
-    match:
-      app_proto: nfs
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: flow
-      flow.age: 0
-      flow.alerted: true
-      flow.bytes_toclient: 11038
-      flow.bytes_toserver: 10398
-      flow.pkts_toclient: 57
-      flow.pkts_toserver: 57
-      flow.reason: shutdown
-      flow.state: established
-      proto: UDP
-      src_ip: 139.25.22.2
-      src_port: 1022
-- filter:
-    count: 1
-    match:
-      app_proto: failed
-      dest_ip: 139.25.22.102
-      dest_port: 1048
-      event_type: flow
-      flow.age: 0
-      flow.alerted: false
-      flow.bytes_toclient: 66
-      flow.bytes_toserver: 82
-      flow.pkts_toclient: 1
-      flow.pkts_toserver: 1
-      flow.reason: shutdown
-      flow.state: established
-      proto: UDP
-      src_ip: 139.25.22.2
-      src_port: 3296
-- filter:
-    count: 1
-    match:
-      app_proto: failed
-      dest_ip: 139.25.22.102
-      dest_port: 111
-      event_type: flow
-      flow.age: 0
-      flow.alerted: false
-      flow.bytes_toclient: 90
-      flow.bytes_toserver: 106
-      flow.pkts_toclient: 1
-      flow.pkts_toserver: 1
-      flow.reason: shutdown
-      flow.state: established
-      proto: UDP
-      src_ip: 139.25.22.2
-      src_port: 3295
-- filter:
-    count: 1
-    match:
-      app_proto: failed
-      dest_ip: 139.25.22.102
-      dest_port: 111
-      event_type: flow
-      flow.age: 0
-      flow.alerted: false
-      flow.bytes_toclient: 90
-      flow.bytes_toserver: 106
-      flow.pkts_toclient: 1
-      flow.pkts_toserver: 1
-      flow.reason: shutdown
-      flow.state: established
-      proto: UDP
-      src_ip: 139.25.22.2
-      src_port: 3297
-- filter:
-    count: 1
-    match:
-      app_proto: failed
-      dest_ip: 139.25.22.102
-      dest_port: 1048
-      event_type: flow
-      flow.age: 0
-      flow.alerted: false
-      flow.bytes_toclient: 114
-      flow.bytes_toserver: 158
-      flow.pkts_toclient: 1
-      flow.pkts_toserver: 1
-      flow.reason: shutdown
-      flow.state: established
-      proto: UDP
-      src_ip: 139.25.22.2
-      src_port: 706
-- filter:
-    count: 1
-    match:
-      app_proto: failed
-      dest_ip: 139.25.22.102
-      dest_port: 2049
-      event_type: flow
-      flow.age: 0
-      flow.alerted: false
-      flow.bytes_toclient: 66
-      flow.bytes_toserver: 82
-      flow.pkts_toclient: 1
-      flow.pkts_toserver: 1
-      flow.reason: shutdown
-      flow.state: established
-      proto: UDP
-      src_ip: 139.25.22.2
-      src_port: 3298
diff --git a/tests/test-bad-byte-extract-rule-3/eve.json b/tests/test-bad-byte-extract-rule-3/eve.json
deleted file mode 100644 (file)
index aa71d91..0000000
+++ /dev/null
@@ -1,40 +0,0 @@
-{"timestamp":"2020-06-07T21:15:31.170962+0000","log_level":"Notice","event_type":"engine","engine":{"message":"This is Suricata version 4.1.0-dev (rev 32990c9ad)"}}
-{"timestamp":"2020-06-07T21:15:31.171398+0000","log_level":"Info","event_type":"engine","engine":{"message":"CPUs\/cores online: 2"}}
-{"timestamp":"2020-06-07T21:15:31.179917+0000","log_level":"Warning","event_type":"engine","engine":{"error_code":307,"error":"SC_ERR_SMB_CONFIG","message":"no SMB TCP config found, enabling SMB detection on port 445."}}
-{"timestamp":"2020-06-07T21:15:31.183113+0000","log_level":"Warning","event_type":"engine","engine":{"error_code":240,"error":"SC_ERR_DNS_CONFIG","message":"no DNS UDP config found, enabling DNS detection on port 53."}}
-{"timestamp":"2020-06-07T21:15:31.183282+0000","log_level":"Warning","event_type":"engine","engine":{"error_code":240,"error":"SC_ERR_DNS_CONFIG","message":"no DNS TCP config found, enabling DNS detection on port 53."}}
-{"timestamp":"2020-06-07T21:15:31.197576+0000","log_level":"Info","event_type":"engine","engine":{"message":"No 'host-mode': suricata is in IDS mode, using default setting 'sniffer-only'"}}
-{"timestamp":"2020-06-07T21:15:31.219781+0000","log_level":"Warning","event_type":"engine","engine":{"error_code":261,"error":"SC_WARN_NO_STATS_LOGGERS","message":"stats are enabled but no loggers are active"}}
-{"timestamp":"2020-06-07T21:15:31.220772+0000","log_level":"Info","event_type":"engine","engine":{"message":"Added \"42\" classification types from the classification file"}}
-{"timestamp":"2020-06-07T21:15:31.220967+0000","log_level":"Info","event_type":"engine","engine":{"message":"Added \"19\" reference types from the reference.config file"}}
-{"timestamp":"2020-06-07T21:15:31.221365+0000","log_level":"Error","event_type":"engine","engine":{"error_code":39,"error":"SC_ERR_INVALID_SIGNATURE","message":"unknown byte_extract var seen in depth - d\n"}}
-{"timestamp":"2020-06-07T21:15:31.221461+0000","log_level":"Error","event_type":"engine","engine":{"error_code":39,"error":"SC_ERR_INVALID_SIGNATURE","message":"error parsing signature \"alert tcp any any -> any any (msg:\"Byte_Extract Example Using depth\"; content:\"Alice\"; depth:d; byte_extract:2,1,size; content:\"Bob\"; sid:1111;)\" from file \/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/test.rules at line 1"}}
-{"timestamp":"2020-06-07T21:15:31.221578+0000","log_level":"Warning","event_type":"engine","engine":{"error_code":43,"error":"SC_ERR_NO_RULES_LOADED","message":"1 rule files specified, but no rule was loaded at all!"}}
-{"timestamp":"2020-06-07T21:15:31.221749+0000","log_level":"Info","event_type":"engine","engine":{"message":"Threshold config parsed: 0 rule(s) found"}}
-{"timestamp":"2020-06-07T21:15:31.222071+0000","log_level":"Info","event_type":"engine","engine":{"message":"0 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only"}}
-{"timestamp":"2020-06-07T21:15:31.227159+0000","log_level":"Info","event_type":"engine","engine":{"message":"Checking file or directory \/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/"}}
-{"timestamp":"2020-06-07T21:15:31.227479+0000","log_level":"Info","event_type":"engine","engine":{"message":"Argument \/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/ was a directory"}}
-{"timestamp":"2020-06-07T21:15:31.253874+0000","log_level":"Notice","event_type":"engine","engine":{"message":"all 3 packet processing threads, 2 management threads initialized, engine started."}}
-{"timestamp":"2020-06-07T21:15:31.254027+0000","log_level":"Info","event_type":"engine","engine":{"message":"Starting directory run for \/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/"}}
-{"timestamp":"2020-06-07T21:15:31.254116+0000","log_level":"Info","event_type":"engine","engine":{"message":"Processing pcaps directory \/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/, files must be newer than 0 and older than 18446744073709550616"}}
-{"timestamp":"2020-06-07T21:15:31.254266+0000","log_level":"Info","event_type":"engine","engine":{"message":"Found \"\/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/\/eve.json\" at 1591564531251"}}
-{"timestamp":"2020-06-07T21:15:31.254327+0000","log_level":"Info","event_type":"engine","engine":{"message":"Found \"\/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/\/test.yaml\" at 1591564527947"}}
-{"timestamp":"2020-06-07T21:15:31.254369+0000","log_level":"Info","event_type":"engine","engine":{"message":"Found \"\/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/\/.test.yaml.swp\" at 1591564527951"}}
-{"timestamp":"2020-06-07T21:15:31.254426+0000","log_level":"Info","event_type":"engine","engine":{"message":"Found \"\/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/\/suricata.yaml\" at 1562592701002"}}
-{"timestamp":"2020-06-07T21:15:31.254468+0000","log_level":"Info","event_type":"engine","engine":{"message":"Found \"\/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/\/test.rules\" at 1562592701002"}}
-{"timestamp":"2020-06-07T21:15:31.254636+0000","log_level":"Error","event_type":"engine","engine":{"error_code":44,"error":"SC_ERR_FOPEN","message":"unknown file format"}}
-{"timestamp":"2020-06-07T21:15:31.254687+0000","log_level":"Warning","event_type":"engine","engine":{"error_code":20,"error":"SC_ERR_PCAP_DISPATCH","message":"Failed to init pcap file \/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/\/suricata.yaml, skipping"}}
-{"timestamp":"2020-06-07T21:15:31.254779+0000","log_level":"Error","event_type":"engine","engine":{"error_code":44,"error":"SC_ERR_FOPEN","message":"unknown file format"}}
-{"timestamp":"2020-06-07T21:15:31.254807+0000","log_level":"Warning","event_type":"engine","engine":{"error_code":20,"error":"SC_ERR_PCAP_DISPATCH","message":"Failed to init pcap file \/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/\/test.rules, skipping"}}
-{"timestamp":"2020-06-07T21:15:31.254869+0000","log_level":"Error","event_type":"engine","engine":{"error_code":44,"error":"SC_ERR_FOPEN","message":"unknown file format"}}
-{"timestamp":"2020-06-07T21:15:31.254896+0000","log_level":"Warning","event_type":"engine","engine":{"error_code":20,"error":"SC_ERR_PCAP_DISPATCH","message":"Failed to init pcap file \/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/\/test.yaml, skipping"}}
-{"timestamp":"2020-06-07T21:15:31.254956+0000","log_level":"Error","event_type":"engine","engine":{"error_code":44,"error":"SC_ERR_FOPEN","message":"unknown file format"}}
-{"timestamp":"2020-06-07T21:15:31.254984+0000","log_level":"Warning","event_type":"engine","engine":{"error_code":20,"error":"SC_ERR_PCAP_DISPATCH","message":"Failed to init pcap file \/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/\/.test.yaml.swp, skipping"}}
-{"timestamp":"2020-06-07T21:15:31.255056+0000","log_level":"Error","event_type":"engine","engine":{"error_code":44,"error":"SC_ERR_FOPEN","message":"unknown file format"}}
-{"timestamp":"2020-06-07T21:15:31.255096+0000","log_level":"Warning","event_type":"engine","engine":{"error_code":20,"error":"SC_ERR_PCAP_DISPATCH","message":"Failed to init pcap file \/home\/jlucovsky\/src\/jal\/suricata-verify\/tests\/test-bad-byte-extract-rule-3\/\/eve.json, skipping"}}
-{"timestamp":"2020-06-07T21:15:31.255127+0000","log_level":"Info","event_type":"engine","engine":{"message":"Directory run mode complete"}}
-{"timestamp":"2020-06-07T21:15:31.264063+0000","log_level":"Notice","event_type":"engine","engine":{"message":"Signal Received.  Stopping engine."}}
-{"timestamp":"2020-06-07T21:15:31.279036+0000","log_level":"Info","event_type":"engine","engine":{"message":"time elapsed 0.056s"}}
-{"timestamp":"2020-06-07T21:15:31.286147+0000","log_level":"Notice","event_type":"engine","engine":{"message":"Pcap-file module read 0 files, 0 packets, 0 bytes"}}
-{"timestamp":"2020-06-07T21:15:31.288407+0000","log_level":"Info","event_type":"engine","engine":{"message":"Alerts: 0"}}
-{"timestamp":"2020-06-07T21:15:31.302139+0000","log_level":"Info","event_type":"engine","engine":{"message":"cleaning up signature grouping structure... complete"}}
diff --git a/tests/test-bad-byte-extract-rule-3/suricata.yaml b/tests/test-bad-byte-extract-rule-3/suricata.yaml
deleted file mode 100644 (file)
index dcaae57..0000000
+++ /dev/null
@@ -1,10 +0,0 @@
-%YAML 1.1
----
-
-logging:
-  default-log-level: info
-  outputs:
-  - file:
-      enabled: yes
-      filename: eve.json
-      type: json
diff --git a/tests/test-bad-byte-extract-rule-3/test.rules b/tests/test-bad-byte-extract-rule-3/test.rules
deleted file mode 100644 (file)
index ede6581..0000000
+++ /dev/null
@@ -1 +0,0 @@
-alert tcp any any -> any any (msg:"Byte_Extract Example Using depth"; content:"Alice"; depth:d; byte_extract:2,1,size; content:"Bob"; sid:1111;)
diff --git a/tests/test-bad-byte-extract-rule-3/test.yaml b/tests/test-bad-byte-extract-rule-3/test.yaml
deleted file mode 100644 (file)
index b432da4..0000000
+++ /dev/null
@@ -1,24 +0,0 @@
-requires:
-  version: 5
-  lt-version: 6
-
-  features:
-    - HAVE_LIBJANSSON
-
-command: |
-  ${SRCDIR}/src/suricata --set classification-file="${SRCDIR}/classification.config" --set reference-config-file="${SRCDIR}/reference.config" -l ${OUTPUT_DIR} -c ${TEST_DIR}/suricata.yaml -r ${TEST_DIR}/ -S ${TEST_DIR}/test.rules
-
-checks:
-  # check that we have the following entries in eve.json
-  # match 1 specific rule load failure reason
-  - filter:
-      count: 1
-      match:
-        event_type: engine
-        engine.message: "unknown byte_extract var seen in depth - d."
-
-  - filter:
-      count: 1
-      match:
-        event_type: engine
-        engine.error: "SC_ERR_NO_RULES_LOADED"