From: Victor Julien Date: Wed, 20 Jan 2021 21:26:45 +0000 (+0100) Subject: tests: nfs version for 5 X-Git-Tag: suricata-6.0.4~165 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=84985d8d24d75fd50dd1a8deb67ebbb7b22d259a;p=thirdparty%2Fsuricata-verify.git tests: nfs version for 5
---
diff --git a/tests/nfs3-01-pre-6/input.pcap b/tests/nfs3-01-pre-6/input.pcap
new file mode 100644
index 000000000..9a94efd9e
Binary files /dev/null and b/tests/nfs3-01-pre-6/input.pcap differ
diff --git a/tests/nfs3-01-pre-6/test.rules b/tests/nfs3-01-pre-6/test.rules
new file mode 100644
index 000000000..f62d2e1f7
--- /dev/null
+++ b/tests/nfs3-01-pre-6/test.rules
@@ -0,0 +1,9 @@
+alert nfs any any -> any any (nfs_version:<3; sid:1;)
+alert nfs any any -> any any (nfs_version:>3; sid:2;)
+alert nfs any any -> any any (nfs_version:3; sid:3;)
+alert nfs any any -> any any (nfs_version:2<>4; sid:6;)
+
+alert nfs any any -> any any (nfs_procedure:<3; sid:10;)
+alert nfs any any -> any any (nfs_procedure:>3; sid:11;)
+alert nfs any any -> any any (nfs_procedure:3; sid:12;)
+alert nfs any any -> any any (nfs_procedure:2<>4; sid:15;)
diff --git a/tests/nfs3-01-pre-6/test.yaml b/tests/nfs3-01-pre-6/test.yaml
new file mode 100644
index 000000000..84762f4da
--- /dev/null
+++ b/tests/nfs3-01-pre-6/test.yaml
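Review bot: The range rules in test.rules, `nfs_version:2<>4` (sid 6) and `nfs_procedure:2<>4` (sid 15), have no comment stating which bound semantics this 5.x-only fixture is meant to pin. The expected output in test.yaml has sid 15 firing on SETATTR as well as LOOKUP, so the lower bound appears to be treated as inclusive here; a rule author assuming an exclusive range would get more alerts than intended. A header comment such as `# 5.x behaviour: nfs_procedure:2<>4 also matches procedure 2 (SETATTR); see test.yaml` would stop a later maintainer from "correcting" the fixture. The sids also jump from 3 to 6 and from 12 to 15, presumably to mirror a sibling test; if so, the same comment should say which one.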
@@ -0,0 +1,8505 @@ +requires: + version: 5 + +args: +- -k none + +checks: +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 0 + flow.bytes_toserver: 170 + flow.pkts_toclient: 0 + flow.pkts_toserver: 1 + nfs.file_tx: false + nfs.filename: '' + nfs.hhash: 38a4e9f6 + nfs.id: 1 + nfs.procedure: GETATTR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 11 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961884 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 0 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 0 + flow.bytes_toserver: 170 + flow.pkts_toclient: 0 + flow.pkts_toserver: 1 + nfs.file_tx: false + nfs.filename: '' + nfs.hhash: 38a4e9f6 + nfs.id: 1 + nfs.procedure: GETATTR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 11 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961884 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 0 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 10 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 0 + flow.bytes_toserver: 170 + flow.pkts_toclient: 0 + flow.pkts_toserver: 1 + nfs.file_tx: false + nfs.filename: '' + nfs.hhash: 38a4e9f6 + nfs.id: 1 + nfs.procedure: GETATTR + nfs.status: OK + 
nfs.type: response + nfs.version: 3 + pcap_cnt: 11 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961884 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 0 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 154 + flow.bytes_toserver: 340 + flow.pkts_toclient: 1 + flow.pkts_toserver: 2 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 2 + nfs.procedure: FSINFO + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 13 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961885 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 1 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 154 + flow.bytes_toserver: 340 + flow.pkts_toclient: 1 + flow.pkts_toserver: 2 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 2 + nfs.procedure: FSINFO + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 13 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961885 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 1 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 11 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 154 + flow.bytes_toserver: 340 + flow.pkts_toclient: 1 + 
flow.pkts_toserver: 2 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 2 + nfs.procedure: FSINFO + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 13 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961885 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 1 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: '' + nfs.id: 2 + nfs.procedure: FSINFO + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 14 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961885 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 360 + flow.bytes_toserver: 510 + flow.pkts_toclient: 2 + flow.pkts_toserver: 3 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 3 + nfs.procedure: FSSTAT + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 15 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961886 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 2 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 360 + flow.bytes_toserver: 510 + flow.pkts_toclient: 2 + flow.pkts_toserver: 3 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 3 + nfs.procedure: FSSTAT + nfs.status: OK + nfs.type: response + nfs.version: 3 + 
pcap_cnt: 15 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961886 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 2 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 11 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 360 + flow.bytes_toserver: 510 + flow.pkts_toclient: 2 + flow.pkts_toserver: 3 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 3 + nfs.procedure: FSSTAT + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 15 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961886 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 2 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: '' + nfs.id: 3 + nfs.procedure: FSSTAT + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 16 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961886 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 570 + flow.bytes_toserver: 680 + flow.pkts_toclient: 3 + flow.pkts_toserver: 4 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 4 + nfs.procedure: PATHCONF + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 17 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 
1578961887 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 3 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 570 + flow.bytes_toserver: 680 + flow.pkts_toclient: 3 + flow.pkts_toserver: 4 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 4 + nfs.procedure: PATHCONF + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 17 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961887 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 3 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 11 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 570 + flow.bytes_toserver: 680 + flow.pkts_toclient: 3 + flow.pkts_toserver: 4 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 4 + nfs.procedure: PATHCONF + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 17 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961887 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 3 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: '' + nfs.id: 4 + nfs.procedure: PATHCONF + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 18 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961887 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + 
alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 752 + flow.bytes_toserver: 858 + flow.pkts_toclient: 4 + flow.pkts_toserver: 5 + nfs.file_tx: false + nfs.filename: a + nfs.id: 5 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 19 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961888 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 4 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 752 + flow.bytes_toserver: 858 + flow.pkts_toclient: 4 + flow.pkts_toserver: 5 + nfs.file_tx: false + nfs.filename: a + nfs.id: 5 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 19 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961888 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 4 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 12 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 752 + flow.bytes_toserver: 858 + flow.pkts_toclient: 4 + flow.pkts_toserver: 5 + nfs.file_tx: false + nfs.filename: a + nfs.id: 5 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 19 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961888 + src_ip: 139.25.22.2 + 
src_port: 1022 + tx_id: 4 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 15 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 752 + flow.bytes_toserver: 858 + flow.pkts_toclient: 4 + flow.pkts_toserver: 5 + nfs.file_tx: false + nfs.filename: a + nfs.id: 5 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 19 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961888 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 4 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: a + nfs.id: 5 + nfs.procedure: LOOKUP + nfs.status: ERR_NOENT + nfs.type: response + nfs.version: 3 + pcap_cnt: 20 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961888 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 826 + flow.bytes_toserver: 1036 + flow.pkts_toclient: 5 + flow.pkts_toserver: 6 + nfs.file_tx: false + nfs.filename: a + nfs.id: 6 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 21 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961889 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 5 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + 
alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 826 + flow.bytes_toserver: 1036 + flow.pkts_toclient: 5 + flow.pkts_toserver: 6 + nfs.file_tx: false + nfs.filename: a + nfs.id: 6 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 21 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961889 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 5 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 12 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 826 + flow.bytes_toserver: 1036 + flow.pkts_toclient: 5 + flow.pkts_toserver: 6 + nfs.file_tx: false + nfs.filename: a + nfs.id: 6 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 21 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961889 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 5 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 15 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 826 + flow.bytes_toserver: 1036 + flow.pkts_toclient: 5 + flow.pkts_toserver: 6 + nfs.file_tx: false + nfs.filename: a + nfs.id: 6 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 21 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961889 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 5 +- filter: + 
count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: a + nfs.id: 6 + nfs.procedure: LOOKUP + nfs.status: ERR_NOENT + nfs.type: response + nfs.version: 3 + pcap_cnt: 22 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961889 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 900 + flow.bytes_toserver: 1262 + flow.pkts_toclient: 6 + flow.pkts_toserver: 7 + nfs.file_tx: false + nfs.filename: a + nfs.hhash: 38a4e9f6 + nfs.id: 7 + nfs.procedure: CREATE + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 23 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961890 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 6 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 900 + flow.bytes_toserver: 1262 + flow.pkts_toclient: 6 + flow.pkts_toserver: 7 + nfs.file_tx: false + nfs.filename: a + nfs.hhash: 38a4e9f6 + nfs.id: 7 + nfs.procedure: CREATE + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 23 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961890 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 6 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 
3 + alert.signature: '' + alert.signature_id: 11 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 900 + flow.bytes_toserver: 1262 + flow.pkts_toclient: 6 + flow.pkts_toserver: 7 + nfs.file_tx: false + nfs.filename: a + nfs.hhash: 38a4e9f6 + nfs.id: 7 + nfs.procedure: CREATE + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 23 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961890 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 6 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: a + nfs.hhash: 38a4e9f6 + nfs.id: 7 + nfs.procedure: CREATE + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 24 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961890 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 1214 + flow.bytes_toserver: 1432 + flow.pkts_toclient: 7 + flow.pkts_toserver: 8 + nfs.file_tx: false + nfs.filename: a + nfs.hhash: 131299c5 + nfs.id: 8 + nfs.procedure: GETATTR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 25 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961891 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 7 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + 
dest_port: 2049 + event_type: alert + flow.bytes_toclient: 1214 + flow.bytes_toserver: 1432 + flow.pkts_toclient: 7 + flow.pkts_toserver: 8 + nfs.file_tx: false + nfs.filename: a + nfs.hhash: 131299c5 + nfs.id: 8 + nfs.procedure: GETATTR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 25 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961891 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 7 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 10 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 1214 + flow.bytes_toserver: 1432 + flow.pkts_toclient: 7 + flow.pkts_toserver: 8 + nfs.file_tx: false + nfs.filename: a + nfs.hhash: 131299c5 + nfs.id: 8 + nfs.procedure: GETATTR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 25 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961891 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 7 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 1368 + flow.bytes_toserver: 1638 + flow.pkts_toclient: 8 + flow.pkts_toserver: 9 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 9 + nfs.procedure: SETATTR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 27 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961892 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 8 +- filter: + count: 1 + match: + alert.action: 
allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 1368 + flow.bytes_toserver: 1638 + flow.pkts_toclient: 8 + flow.pkts_toserver: 9 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 9 + nfs.procedure: SETATTR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 27 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961892 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 8 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 10 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 1368 + flow.bytes_toserver: 1638 + flow.pkts_toclient: 8 + flow.pkts_toserver: 9 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 9 + nfs.procedure: SETATTR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 27 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961892 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 8 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 15 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 1368 + flow.bytes_toserver: 1638 + flow.pkts_toclient: 8 + flow.pkts_toserver: 9 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 9 + nfs.procedure: SETATTR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 27 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: 
ACCEPTED + rpc.xid: 1578961892 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 8 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: '' + nfs.id: 9 + nfs.procedure: SETATTR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 28 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961892 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 1554 + flow.bytes_toserver: 1816 + flow.pkts_toclient: 9 + flow.pkts_toserver: 10 + nfs.file_tx: false + nfs.filename: am + nfs.id: 10 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 29 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961893 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 9 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 1554 + flow.bytes_toserver: 1816 + flow.pkts_toclient: 9 + flow.pkts_toserver: 10 + nfs.file_tx: false + nfs.filename: am + nfs.id: 10 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 29 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961893 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 9 +- filter: + count: 1 + match: + alert.action: allowed + 
alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 12 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 1554 + flow.bytes_toserver: 1816 + flow.pkts_toclient: 9 + flow.pkts_toserver: 10 + nfs.file_tx: false + nfs.filename: am + nfs.id: 10 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 29 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961893 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 9 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 15 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 1554 + flow.bytes_toserver: 1816 + flow.pkts_toclient: 9 + flow.pkts_toserver: 10 + nfs.file_tx: false + nfs.filename: am + nfs.id: 10 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 29 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961893 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 9 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: am + nfs.id: 10 + nfs.procedure: LOOKUP + nfs.status: ERR_NOENT + nfs.type: response + nfs.version: 3 + pcap_cnt: 30 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961893 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 
139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 1628 + flow.bytes_toserver: 1994 + flow.pkts_toclient: 10 + flow.pkts_toserver: 11 + nfs.file_tx: false + nfs.filename: am + nfs.id: 11 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 31 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961894 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 10 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 1628 + flow.bytes_toserver: 1994 + flow.pkts_toclient: 10 + flow.pkts_toserver: 11 + nfs.file_tx: false + nfs.filename: am + nfs.id: 11 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 31 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961894 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 10 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 12 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 1628 + flow.bytes_toserver: 1994 + flow.pkts_toclient: 10 + flow.pkts_toserver: 11 + nfs.file_tx: false + nfs.filename: am + nfs.id: 11 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 31 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961894 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 10 +- filter: + count: 1 + match: + alert.action: allowed + 
alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 15 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 1628 + flow.bytes_toserver: 1994 + flow.pkts_toclient: 10 + flow.pkts_toserver: 11 + nfs.file_tx: false + nfs.filename: am + nfs.id: 11 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 31 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961894 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 10 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: am + nfs.id: 11 + nfs.procedure: LOOKUP + nfs.status: ERR_NOENT + nfs.type: response + nfs.version: 3 + pcap_cnt: 32 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961894 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 1702 + flow.bytes_toserver: 2172 + flow.pkts_toclient: 11 + flow.pkts_toserver: 12 + nfs.file_tx: false + nfs.filename: a + nfs.id: 12 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 33 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961895 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 11 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + 
dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 1702 + flow.bytes_toserver: 2172 + flow.pkts_toclient: 11 + flow.pkts_toserver: 12 + nfs.file_tx: false + nfs.filename: a + nfs.id: 12 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 33 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961895 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 11 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 12 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 1702 + flow.bytes_toserver: 2172 + flow.pkts_toclient: 11 + flow.pkts_toserver: 12 + nfs.file_tx: false + nfs.filename: a + nfs.id: 12 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 33 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961895 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 11 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 15 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 1702 + flow.bytes_toserver: 2172 + flow.pkts_toclient: 11 + flow.pkts_toserver: 12 + nfs.file_tx: false + nfs.filename: a + nfs.id: 12 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 33 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961895 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 11 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + 
dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: a + nfs.hhash: 131299c5 + nfs.id: 12 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 34 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961895 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 1984 + flow.bytes_toserver: 2350 + flow.pkts_toclient: 12 + flow.pkts_toserver: 13 + nfs.file_tx: false + nfs.filename: am + nfs.id: 13 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 35 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961896 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 12 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 1984 + flow.bytes_toserver: 2350 + flow.pkts_toclient: 12 + flow.pkts_toserver: 13 + nfs.file_tx: false + nfs.filename: am + nfs.id: 13 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 35 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961896 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 12 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 12 + 
app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 1984 + flow.bytes_toserver: 2350 + flow.pkts_toclient: 12 + flow.pkts_toserver: 13 + nfs.file_tx: false + nfs.filename: am + nfs.id: 13 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 35 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961896 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 12 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 15 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 1984 + flow.bytes_toserver: 2350 + flow.pkts_toclient: 12 + flow.pkts_toserver: 13 + nfs.file_tx: false + nfs.filename: am + nfs.id: 13 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 35 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961896 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 12 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: am + nfs.id: 13 + nfs.procedure: LOOKUP + nfs.status: ERR_NOENT + nfs.type: response + nfs.version: 3 + pcap_cnt: 36 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961896 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 2058 + flow.bytes_toserver: 2572 + 
flow.pkts_toclient: 13 + flow.pkts_toserver: 14 + nfs.file_tx: false + nfs.filename: a + nfs.hhash: 38a4e9f6 + nfs.id: 14 + nfs.procedure: RENAME + nfs.rename.from: a + nfs.rename.to: am + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 37 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961897 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 13 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 2058 + flow.bytes_toserver: 2572 + flow.pkts_toclient: 13 + flow.pkts_toserver: 14 + nfs.file_tx: false + nfs.filename: a + nfs.hhash: 38a4e9f6 + nfs.id: 14 + nfs.procedure: RENAME + nfs.rename.from: a + nfs.rename.to: am + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 37 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961897 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 13 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 11 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 2058 + flow.bytes_toserver: 2572 + flow.pkts_toclient: 13 + flow.pkts_toserver: 14 + nfs.file_tx: false + nfs.filename: a + nfs.hhash: 38a4e9f6 + nfs.id: 14 + nfs.procedure: RENAME + nfs.rename.from: a + nfs.rename.to: am + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 37 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961897 + src_ip: 139.25.22.2 + src_port: 1022 + 
tx_id: 13 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: a + nfs.hhash: 38a4e9f6 + nfs.id: 14 + nfs.procedure: RENAME + nfs.rename.from: a + nfs.rename.to: am + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 38 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961897 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 2360 + flow.bytes_toserver: 2750 + flow.pkts_toclient: 14 + flow.pkts_toserver: 15 + nfs.file_tx: false + nfs.filename: b + nfs.id: 15 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 39 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961898 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 14 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 2360 + flow.bytes_toserver: 2750 + flow.pkts_toclient: 14 + flow.pkts_toserver: 15 + nfs.file_tx: false + nfs.filename: b + nfs.id: 15 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 39 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961898 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 14 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + 
alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 12 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 2360 + flow.bytes_toserver: 2750 + flow.pkts_toclient: 14 + flow.pkts_toserver: 15 + nfs.file_tx: false + nfs.filename: b + nfs.id: 15 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 39 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961898 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 14 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 15 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 2360 + flow.bytes_toserver: 2750 + flow.pkts_toclient: 14 + flow.pkts_toserver: 15 + nfs.file_tx: false + nfs.filename: b + nfs.id: 15 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 39 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961898 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 14 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: b + nfs.hhash: a5fcf973 + nfs.id: 15 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 40 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961898 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 
139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 2642 + flow.bytes_toserver: 2928 + flow.pkts_toclient: 15 + flow.pkts_toserver: 16 + nfs.file_tx: false + nfs.filename: bln + nfs.id: 16 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 41 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 1869440256 + rpc.status: ACCEPTED + rpc.xid: 1578961899 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 15 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 2642 + flow.bytes_toserver: 2928 + flow.pkts_toclient: 15 + flow.pkts_toserver: 16 + nfs.file_tx: false + nfs.filename: bln + nfs.id: 16 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 41 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 1869440256 + rpc.status: ACCEPTED + rpc.xid: 1578961899 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 15 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 12 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 2642 + flow.bytes_toserver: 2928 + flow.pkts_toclient: 15 + flow.pkts_toserver: 16 + nfs.file_tx: false + nfs.filename: bln + nfs.id: 16 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 41 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 1869440256 + rpc.status: ACCEPTED + rpc.xid: 1578961899 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 15 +- filter: + count: 1 + match: + 
alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 15 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 2642 + flow.bytes_toserver: 2928 + flow.pkts_toclient: 15 + flow.pkts_toserver: 16 + nfs.file_tx: false + nfs.filename: bln + nfs.id: 16 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 41 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 1869440256 + rpc.status: ACCEPTED + rpc.xid: 1578961899 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 15 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: bln + nfs.id: 16 + nfs.procedure: LOOKUP + nfs.status: ERR_NOENT + nfs.type: response + nfs.version: 3 + pcap_cnt: 42 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 1869440256 + rpc.status: ACCEPTED + rpc.xid: 1578961899 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 2716 + flow.bytes_toserver: 3106 + flow.pkts_toclient: 16 + flow.pkts_toserver: 17 + nfs.file_tx: false + nfs.filename: bln + nfs.id: 17 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 43 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961900 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 16 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + 
alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 2716 + flow.bytes_toserver: 3106 + flow.pkts_toclient: 16 + flow.pkts_toserver: 17 + nfs.file_tx: false + nfs.filename: bln + nfs.id: 17 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 43 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961900 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 16 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 12 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 2716 + flow.bytes_toserver: 3106 + flow.pkts_toclient: 16 + flow.pkts_toserver: 17 + nfs.file_tx: false + nfs.filename: bln + nfs.id: 17 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 43 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961900 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 16 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 15 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 2716 + flow.bytes_toserver: 3106 + flow.pkts_toclient: 16 + flow.pkts_toserver: 17 + nfs.file_tx: false + nfs.filename: bln + nfs.id: 17 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 43 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961900 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 16 +- filter: + 
count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: bln + nfs.id: 17 + nfs.procedure: LOOKUP + nfs.status: ERR_NOENT + nfs.type: response + nfs.version: 3 + pcap_cnt: 44 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961900 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 2790 + flow.bytes_toserver: 3320 + flow.pkts_toclient: 17 + flow.pkts_toserver: 18 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 18 + nfs.procedure: LINK + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 45 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 1869440256 + rpc.status: ACCEPTED + rpc.xid: 1578961901 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 17 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 2790 + flow.bytes_toserver: 3320 + flow.pkts_toclient: 17 + flow.pkts_toserver: 18 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 18 + nfs.procedure: LINK + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 45 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 1869440256 + rpc.status: ACCEPTED + rpc.xid: 1578961901 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 17 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + 
alert.signature: '' + alert.signature_id: 11 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 2790 + flow.bytes_toserver: 3320 + flow.pkts_toclient: 17 + flow.pkts_toserver: 18 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 18 + nfs.procedure: LINK + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 45 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 1869440256 + rpc.status: ACCEPTED + rpc.xid: 1578961901 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 17 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: '' + nfs.id: 18 + nfs.procedure: LINK + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 46 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 1869440256 + rpc.status: ACCEPTED + rpc.xid: 1578961901 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 3064 + flow.bytes_toserver: 3498 + flow.pkts_toclient: 18 + flow.pkts_toserver: 19 + nfs.file_tx: false + nfs.filename: blns + nfs.id: 19 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 47 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961902 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 18 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + 
flow.bytes_toclient: 3064 + flow.bytes_toserver: 3498 + flow.pkts_toclient: 18 + flow.pkts_toserver: 19 + nfs.file_tx: false + nfs.filename: blns + nfs.id: 19 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 47 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961902 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 18 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 12 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 3064 + flow.bytes_toserver: 3498 + flow.pkts_toclient: 18 + flow.pkts_toserver: 19 + nfs.file_tx: false + nfs.filename: blns + nfs.id: 19 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 47 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961902 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 18 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 15 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 3064 + flow.bytes_toserver: 3498 + flow.pkts_toclient: 18 + flow.pkts_toserver: 19 + nfs.file_tx: false + nfs.filename: blns + nfs.id: 19 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 47 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961902 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 18 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + 
nfs.filename: blns + nfs.id: 19 + nfs.procedure: LOOKUP + nfs.status: ERR_NOENT + nfs.type: response + nfs.version: 3 + pcap_cnt: 48 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961902 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 3138 + flow.bytes_toserver: 3676 + flow.pkts_toclient: 19 + flow.pkts_toserver: 20 + nfs.file_tx: false + nfs.filename: blns + nfs.id: 20 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 49 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961903 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 19 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 3138 + flow.bytes_toserver: 3676 + flow.pkts_toclient: 19 + flow.pkts_toserver: 20 + nfs.file_tx: false + nfs.filename: blns + nfs.id: 20 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 49 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961903 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 19 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 12 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: 
alert + flow.bytes_toclient: 3138 + flow.bytes_toserver: 3676 + flow.pkts_toclient: 19 + flow.pkts_toserver: 20 + nfs.file_tx: false + nfs.filename: blns + nfs.id: 20 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 49 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961903 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 19 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 15 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 3138 + flow.bytes_toserver: 3676 + flow.pkts_toclient: 19 + flow.pkts_toserver: 20 + nfs.file_tx: false + nfs.filename: blns + nfs.id: 20 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 49 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961903 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 19 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: blns + nfs.id: 20 + nfs.procedure: LOOKUP + nfs.status: ERR_NOENT + nfs.type: response + nfs.version: 3 + pcap_cnt: 50 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961903 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 3212 + flow.bytes_toserver: 3898 + flow.pkts_toclient: 20 + flow.pkts_toserver: 21 + nfs.file_tx: false 
+ nfs.filename: '' + nfs.id: 21 + nfs.procedure: SYMLINK + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 51 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961904 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 20 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 3212 + flow.bytes_toserver: 3898 + flow.pkts_toclient: 20 + flow.pkts_toserver: 21 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 21 + nfs.procedure: SYMLINK + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 51 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961904 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 20 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 11 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 3212 + flow.bytes_toserver: 3898 + flow.pkts_toclient: 20 + flow.pkts_toserver: 21 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 21 + nfs.procedure: SYMLINK + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 51 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961904 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 20 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: '' + nfs.id: 21 + nfs.procedure: SYMLINK + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 52 + 
proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961904 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 3502 + flow.bytes_toserver: 4076 + flow.pkts_toclient: 21 + flow.pkts_toserver: 22 + nfs.file_tx: false + nfs.filename: . + nfs.id: 22 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 53 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961905 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 21 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 3502 + flow.bytes_toserver: 4076 + flow.pkts_toclient: 21 + flow.pkts_toserver: 22 + nfs.file_tx: false + nfs.filename: . 
+ nfs.id: 22 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 53 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961905 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 21 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 12 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 3502 + flow.bytes_toserver: 4076 + flow.pkts_toclient: 21 + flow.pkts_toserver: 22 + nfs.file_tx: false + nfs.filename: . + nfs.id: 22 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 53 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961905 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 21 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 15 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 3502 + flow.bytes_toserver: 4076 + flow.pkts_toclient: 21 + flow.pkts_toserver: 22 + nfs.file_tx: false + nfs.filename: . + nfs.id: 22 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 53 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961905 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 21 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: . 
+ nfs.hhash: 38a4e9f6 + nfs.id: 22 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 54 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961905 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 3784 + flow.bytes_toserver: 4250 + flow.pkts_toclient: 22 + flow.pkts_toserver: 23 + nfs.file_tx: false + nfs.filename: . + nfs.hhash: 38a4e9f6 + nfs.id: 23 + nfs.procedure: ACCESS + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 55 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961906 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 22 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 3784 + flow.bytes_toserver: 4250 + flow.pkts_toclient: 22 + flow.pkts_toserver: 23 + nfs.file_tx: false + nfs.filename: . 
+ nfs.hhash: 38a4e9f6 + nfs.id: 23 + nfs.procedure: ACCESS + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 55 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961906 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 22 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 11 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 3784 + flow.bytes_toserver: 4250 + flow.pkts_toclient: 22 + flow.pkts_toserver: 23 + nfs.file_tx: false + nfs.filename: . + nfs.hhash: 38a4e9f6 + nfs.id: 23 + nfs.procedure: ACCESS + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 55 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961906 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 22 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 15 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 3784 + flow.bytes_toserver: 4250 + flow.pkts_toclient: 22 + flow.pkts_toserver: 23 + nfs.file_tx: false + nfs.filename: . + nfs.hhash: 38a4e9f6 + nfs.id: 23 + nfs.procedure: ACCESS + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 55 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961906 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 22 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: . 
+ nfs.hhash: 38a4e9f6 + nfs.id: 23 + nfs.procedure: ACCESS + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 56 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961906 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 3946 + flow.bytes_toserver: 4420 + flow.pkts_toclient: 23 + flow.pkts_toserver: 24 + nfs.file_tx: false + nfs.filename: . + nfs.hhash: 38a4e9f6 + nfs.id: 24 + nfs.procedure: GETATTR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 57 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961907 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 23 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 3946 + flow.bytes_toserver: 4420 + flow.pkts_toclient: 23 + flow.pkts_toserver: 24 + nfs.file_tx: false + nfs.filename: . 
+ nfs.hhash: 38a4e9f6 + nfs.id: 24 + nfs.procedure: GETATTR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 57 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961907 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 23 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 10 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 3946 + flow.bytes_toserver: 4420 + flow.pkts_toclient: 23 + flow.pkts_toserver: 24 + nfs.file_tx: false + nfs.filename: . + nfs.hhash: 38a4e9f6 + nfs.id: 24 + nfs.procedure: GETATTR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 57 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961907 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 23 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 4100 + flow.bytes_toserver: 4610 + flow.pkts_toclient: 24 + flow.pkts_toserver: 25 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 25 + nfs.procedure: READDIR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 59 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961908 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 24 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + 
dest_port: 2049 + event_type: alert + flow.bytes_toclient: 4100 + flow.bytes_toserver: 4610 + flow.pkts_toclient: 24 + flow.pkts_toserver: 25 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 25 + nfs.procedure: READDIR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 59 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961908 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 24 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 11 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 4100 + flow.bytes_toserver: 4610 + flow.pkts_toclient: 24 + flow.pkts_toserver: 25 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 25 + nfs.procedure: READDIR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 59 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961908 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 24 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: '' + nfs.id: 25 + nfs.procedure: READDIR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 60 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961908 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 4442 + flow.bytes_toserver: 4788 + flow.pkts_toclient: 25 + flow.pkts_toserver: 26 + 
nfs.file_tx: false + nfs.filename: am + nfs.id: 26 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 61 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961909 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 25 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 4442 + flow.bytes_toserver: 4788 + flow.pkts_toclient: 25 + flow.pkts_toserver: 26 + nfs.file_tx: false + nfs.filename: am + nfs.id: 26 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 61 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961909 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 25 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 12 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 4442 + flow.bytes_toserver: 4788 + flow.pkts_toclient: 25 + flow.pkts_toserver: 26 + nfs.file_tx: false + nfs.filename: am + nfs.id: 26 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 61 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961909 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 25 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 15 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 
2049 + event_type: alert + flow.bytes_toclient: 4442 + flow.bytes_toserver: 4788 + flow.pkts_toclient: 25 + flow.pkts_toserver: 26 + nfs.file_tx: false + nfs.filename: am + nfs.id: 26 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 61 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961909 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 25 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: am + nfs.hhash: 131299c5 + nfs.id: 26 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 62 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961909 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 4724 + flow.bytes_toserver: 4966 + flow.pkts_toclient: 26 + flow.pkts_toserver: 27 + nfs.file_tx: false + nfs.filename: bln + nfs.id: 27 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 63 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961910 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 26 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 4724 + flow.bytes_toserver: 4966 + flow.pkts_toclient: 26 + 
flow.pkts_toserver: 27 + nfs.file_tx: false + nfs.filename: bln + nfs.id: 27 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 63 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961910 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 26 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 12 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 4724 + flow.bytes_toserver: 4966 + flow.pkts_toclient: 26 + flow.pkts_toserver: 27 + nfs.file_tx: false + nfs.filename: bln + nfs.id: 27 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 63 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961910 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 26 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 15 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 4724 + flow.bytes_toserver: 4966 + flow.pkts_toclient: 26 + flow.pkts_toserver: 27 + nfs.file_tx: false + nfs.filename: bln + nfs.id: 27 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 63 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961910 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 26 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: bln + nfs.hhash: a5fcf973 + nfs.id: 27 + nfs.procedure: LOOKUP + 
nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 64 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961910 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 5006 + flow.bytes_toserver: 5136 + flow.pkts_toclient: 27 + flow.pkts_toserver: 28 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 28 + nfs.procedure: READLINK + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 65 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961911 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 27 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 5006 + flow.bytes_toserver: 5136 + flow.pkts_toclient: 27 + flow.pkts_toserver: 28 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 28 + nfs.procedure: READLINK + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 65 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961911 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 27 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 11 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 5006 + flow.bytes_toserver: 5136 + 
flow.pkts_toclient: 27 + flow.pkts_toserver: 28 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 28 + nfs.procedure: READLINK + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 65 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961911 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 27 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: '' + nfs.id: 28 + nfs.procedure: READLINK + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 66 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961911 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 5172 + flow.bytes_toserver: 5314 + flow.pkts_toclient: 28 + flow.pkts_toserver: 29 + nfs.file_tx: false + nfs.filename: d + nfs.id: 29 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 67 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961912 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 28 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 5172 + flow.bytes_toserver: 5314 + flow.pkts_toclient: 28 + flow.pkts_toserver: 29 + nfs.file_tx: false + nfs.filename: d + nfs.id: 29 + nfs.procedure: LOOKUP + nfs.status: OK + 
nfs.type: response + nfs.version: 3 + pcap_cnt: 67 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961912 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 28 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 12 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 5172 + flow.bytes_toserver: 5314 + flow.pkts_toclient: 28 + flow.pkts_toserver: 29 + nfs.file_tx: false + nfs.filename: d + nfs.id: 29 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 67 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961912 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 28 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 15 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 5172 + flow.bytes_toserver: 5314 + flow.pkts_toclient: 28 + flow.pkts_toserver: 29 + nfs.file_tx: false + nfs.filename: d + nfs.id: 29 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 67 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961912 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 28 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: d + nfs.id: 29 + nfs.procedure: LOOKUP + nfs.status: ERR_NOENT + nfs.type: response + nfs.version: 3 + pcap_cnt: 68 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: 
werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961912 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 5246 + flow.bytes_toserver: 5528 + flow.pkts_toclient: 29 + flow.pkts_toserver: 30 + nfs.file_tx: false + nfs.filename: d + nfs.hhash: 38a4e9f6 + nfs.id: 30 + nfs.procedure: MKDIR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 69 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961913 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 29 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 5246 + flow.bytes_toserver: 5528 + flow.pkts_toclient: 29 + flow.pkts_toserver: 30 + nfs.file_tx: false + nfs.filename: d + nfs.hhash: 38a4e9f6 + nfs.id: 30 + nfs.procedure: MKDIR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 69 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961913 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 29 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 11 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 5246 + flow.bytes_toserver: 5528 + flow.pkts_toclient: 29 + flow.pkts_toserver: 30 + nfs.file_tx: false + nfs.filename: d + nfs.hhash: 38a4e9f6 + 
nfs.id: 30 + nfs.procedure: MKDIR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 69 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961913 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 29 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: d + nfs.hhash: 38a4e9f6 + nfs.id: 30 + nfs.procedure: MKDIR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 70 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961913 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 5560 + flow.bytes_toserver: 5706 + flow.pkts_toclient: 30 + flow.pkts_toserver: 31 + nfs.file_tx: false + nfs.filename: h + nfs.id: 31 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 71 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961914 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 30 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 5560 + flow.bytes_toserver: 5706 + flow.pkts_toclient: 30 + flow.pkts_toserver: 31 + nfs.file_tx: false + nfs.filename: h + nfs.id: 31 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 71 + proto: UDP + 
rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961914 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 30 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 12 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 5560 + flow.bytes_toserver: 5706 + flow.pkts_toclient: 30 + flow.pkts_toserver: 31 + nfs.file_tx: false + nfs.filename: h + nfs.id: 31 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 71 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961914 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 30 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 15 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 5560 + flow.bytes_toserver: 5706 + flow.pkts_toclient: 30 + flow.pkts_toserver: 31 + nfs.file_tx: false + nfs.filename: h + nfs.id: 31 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 71 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961914 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 30 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: h + nfs.id: 31 + nfs.procedure: LOOKUP + nfs.status: ERR_NOENT + nfs.type: response + nfs.version: 3 + pcap_cnt: 72 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 
1578961914 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 5634 + flow.bytes_toserver: 5932 + flow.pkts_toclient: 31 + flow.pkts_toserver: 32 + nfs.file_tx: false + nfs.filename: h + nfs.hhash: e87927b5 + nfs.id: 32 + nfs.procedure: CREATE + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 73 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961915 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 31 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 5634 + flow.bytes_toserver: 5932 + flow.pkts_toclient: 31 + flow.pkts_toserver: 32 + nfs.file_tx: false + nfs.filename: h + nfs.hhash: e87927b5 + nfs.id: 32 + nfs.procedure: CREATE + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 73 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961915 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 31 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 11 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 5634 + flow.bytes_toserver: 5932 + flow.pkts_toclient: 31 + flow.pkts_toserver: 32 + nfs.file_tx: false + nfs.filename: h + nfs.hhash: e87927b5 + nfs.id: 32 + nfs.procedure: CREATE + nfs.status: OK + nfs.type: 
response + nfs.version: 3 + pcap_cnt: 73 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961915 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 31 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: h + nfs.hhash: e87927b5 + nfs.id: 32 + nfs.procedure: CREATE + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 74 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961915 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 5948 + flow.bytes_toserver: 6102 + flow.pkts_toclient: 32 + flow.pkts_toserver: 33 + nfs.file_tx: false + nfs.filename: h + nfs.hhash: 3baec21a + nfs.id: 33 + nfs.procedure: GETATTR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 75 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961916 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 32 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 5948 + flow.bytes_toserver: 6102 + flow.pkts_toclient: 32 + flow.pkts_toserver: 33 + nfs.file_tx: false + nfs.filename: h + nfs.hhash: 3baec21a + nfs.id: 33 + nfs.procedure: GETATTR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 75 + proto: UDP + rpc.auth_type: UNIX + 
rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961916 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 32 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 10 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 5948 + flow.bytes_toserver: 6102 + flow.pkts_toclient: 32 + flow.pkts_toserver: 33 + nfs.file_tx: false + nfs.filename: h + nfs.hhash: 3baec21a + nfs.id: 33 + nfs.procedure: GETATTR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 75 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961916 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 32 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 6102 + flow.bytes_toserver: 6300 + flow.pkts_toclient: 33 + flow.pkts_toserver: 34 + nfs.file_tx: true + nfs.filename: h + nfs.hhash: 3baec21a + nfs.id: 34 + nfs.procedure: WRITE + nfs.status: OK + nfs.type: response + nfs.version: 3 + nfs.write.chunks: 0 + nfs.write.first: true + nfs.write.last: false + nfs.write.last_xid: 0 + pcap_cnt: 77 + proto: UDP + rpc.auth_type: 'NULL' + rpc.status: ACCEPTED + rpc.xid: 1578961917 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 33 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 6102 + flow.bytes_toserver: 6300 + flow.pkts_toclient: 33 + 
flow.pkts_toserver: 34 + nfs.file_tx: true + nfs.filename: h + nfs.hhash: 3baec21a + nfs.id: 34 + nfs.procedure: WRITE + nfs.status: OK + nfs.type: response + nfs.version: 3 + nfs.write.chunks: 0 + nfs.write.first: true + nfs.write.last: false + nfs.write.last_xid: 0 + pcap_cnt: 77 + proto: UDP + rpc.auth_type: 'NULL' + rpc.status: ACCEPTED + rpc.xid: 1578961917 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 33 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 11 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 6102 + flow.bytes_toserver: 6300 + flow.pkts_toclient: 33 + flow.pkts_toserver: 34 + nfs.file_tx: true + nfs.filename: h + nfs.hhash: 3baec21a + nfs.id: 34 + nfs.procedure: WRITE + nfs.status: OK + nfs.type: response + nfs.version: 3 + nfs.write.chunks: 0 + nfs.write.first: true + nfs.write.last: false + nfs.write.last_xid: 0 + pcap_cnt: 77 + proto: UDP + rpc.auth_type: 'NULL' + rpc.status: ACCEPTED + rpc.xid: 1578961917 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 33 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 6304 + flow.bytes_toserver: 6474 + flow.pkts_toclient: 34 + flow.pkts_toserver: 35 + nfs.file_tx: false + nfs.filename: h + nfs.hhash: 3baec21a + nfs.id: 35 + nfs.procedure: ACCESS + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 79 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961918 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 34 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + 
alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 6304 + flow.bytes_toserver: 6474 + flow.pkts_toclient: 34 + flow.pkts_toserver: 35 + nfs.file_tx: false + nfs.filename: h + nfs.hhash: 3baec21a + nfs.id: 35 + nfs.procedure: ACCESS + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 79 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961918 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 34 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 11 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 6304 + flow.bytes_toserver: 6474 + flow.pkts_toclient: 34 + flow.pkts_toserver: 35 + nfs.file_tx: false + nfs.filename: h + nfs.hhash: 3baec21a + nfs.id: 35 + nfs.procedure: ACCESS + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 79 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961918 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 34 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 15 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 6304 + flow.bytes_toserver: 6474 + flow.pkts_toclient: 34 + flow.pkts_toserver: 35 + nfs.file_tx: false + nfs.filename: h + nfs.hhash: 3baec21a + nfs.id: 35 + nfs.procedure: ACCESS + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 79 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + 
rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961918 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 34 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: h + nfs.hhash: 3baec21a + nfs.id: 35 + nfs.procedure: ACCESS + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 80 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961918 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 6466 + flow.bytes_toserver: 6644 + flow.pkts_toclient: 35 + flow.pkts_toserver: 36 + nfs.file_tx: false + nfs.filename: h + nfs.hhash: 3baec21a + nfs.id: 36 + nfs.procedure: GETATTR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 81 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961919 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 35 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 6466 + flow.bytes_toserver: 6644 + flow.pkts_toclient: 35 + flow.pkts_toserver: 36 + nfs.file_tx: false + nfs.filename: h + nfs.hhash: 3baec21a + nfs.id: 36 + nfs.procedure: GETATTR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 81 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961919 + src_ip: 
139.25.22.2 + src_port: 1022 + tx_id: 35 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 10 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 6466 + flow.bytes_toserver: 6644 + flow.pkts_toclient: 35 + flow.pkts_toserver: 36 + nfs.file_tx: false + nfs.filename: h + nfs.hhash: 3baec21a + nfs.id: 36 + nfs.procedure: GETATTR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 81 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961919 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 35 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 6620 + flow.bytes_toserver: 6818 + flow.pkts_toclient: 36 + flow.pkts_toserver: 37 + nfs.file_tx: false + nfs.filename: bln + nfs.hhash: a5fcf973 + nfs.id: 37 + nfs.procedure: ACCESS + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 83 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961920 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 36 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 6620 + flow.bytes_toserver: 6818 + flow.pkts_toclient: 36 + flow.pkts_toserver: 37 + nfs.file_tx: false + nfs.filename: bln + nfs.hhash: a5fcf973 + nfs.id: 37 + nfs.procedure: ACCESS + nfs.status: OK + nfs.type: 
response + nfs.version: 3 + pcap_cnt: 83 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961920 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 36 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 11 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 6620 + flow.bytes_toserver: 6818 + flow.pkts_toclient: 36 + flow.pkts_toserver: 37 + nfs.file_tx: false + nfs.filename: bln + nfs.hhash: a5fcf973 + nfs.id: 37 + nfs.procedure: ACCESS + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 83 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961920 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 36 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 15 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 6620 + flow.bytes_toserver: 6818 + flow.pkts_toclient: 36 + flow.pkts_toserver: 37 + nfs.file_tx: false + nfs.filename: bln + nfs.hhash: a5fcf973 + nfs.id: 37 + nfs.procedure: ACCESS + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 83 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961920 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 36 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: bln + nfs.hhash: a5fcf973 + nfs.id: 37 + nfs.procedure: ACCESS + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 84 + proto: UDP + 
rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961920 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 6782 + flow.bytes_toserver: 6988 + flow.pkts_toclient: 37 + flow.pkts_toserver: 38 + nfs.file_tx: false + nfs.filename: bln + nfs.hhash: a5fcf973 + nfs.id: 38 + nfs.procedure: GETATTR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 85 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961921 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 37 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 6782 + flow.bytes_toserver: 6988 + flow.pkts_toclient: 37 + flow.pkts_toserver: 38 + nfs.file_tx: false + nfs.filename: bln + nfs.hhash: a5fcf973 + nfs.id: 38 + nfs.procedure: GETATTR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 85 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961921 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 37 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 10 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 6782 + flow.bytes_toserver: 6988 + flow.pkts_toclient: 37 + 
flow.pkts_toserver: 38 + nfs.file_tx: false + nfs.filename: bln + nfs.hhash: a5fcf973 + nfs.id: 38 + nfs.procedure: GETATTR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 85 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961921 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 37 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 6936 + flow.bytes_toserver: 7170 + flow.pkts_toclient: 38 + flow.pkts_toserver: 39 + nfs.file_tx: true + nfs.filename: bln + nfs.hhash: a5fcf973 + nfs.id: 39 + nfs.procedure: READ + nfs.read.chunks: 0 + nfs.read.first: true + nfs.read.last: false + nfs.read.last_xid: 0 + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 87 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961922 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 38 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 6936 + flow.bytes_toserver: 7170 + flow.pkts_toclient: 38 + flow.pkts_toserver: 39 + nfs.file_tx: true + nfs.filename: bln + nfs.hhash: a5fcf973 + nfs.id: 39 + nfs.procedure: READ + nfs.read.chunks: 0 + nfs.read.first: true + nfs.read.last: false + nfs.read.last_xid: 0 + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 87 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961922 + src_ip: 
139.25.22.2 + src_port: 1022 + tx_id: 38 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 11 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 6936 + flow.bytes_toserver: 7170 + flow.pkts_toclient: 38 + flow.pkts_toserver: 39 + nfs.file_tx: true + nfs.filename: bln + nfs.hhash: a5fcf973 + nfs.id: 39 + nfs.procedure: READ + nfs.read.chunks: 0 + nfs.read.first: true + nfs.read.last: false + nfs.read.last_xid: 0 + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 87 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961922 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 38 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: true + nfs.filename: bln + nfs.hhash: a5fcf973 + nfs.id: 39 + nfs.procedure: READ + nfs.read.chunks: 1 + nfs.read.first: true + nfs.read.last: true + nfs.read.last_xid: 1578961922 + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 88 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961922 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + app_proto: nfs + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: fileinfo + fileinfo.filename: bln + fileinfo.gaps: false + fileinfo.size: 11 + fileinfo.state: CLOSED + fileinfo.stored: false + fileinfo.tx_id: 38 + nfs.file_tx: true + nfs.filename: bln + nfs.hhash: a5fcf973 + nfs.id: 39 + nfs.procedure: READ + nfs.read.chunks: 1 + nfs.read.first: true + nfs.read.last: true + nfs.read.last_xid: 1578961922 + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 88 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + 
rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961922 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 7320 + flow.bytes_toserver: 7554 + flow.pkts_toclient: 40 + flow.pkts_toserver: 41 + nfs.file_tx: false + nfs.filename: '' + nfs.hhash: e87927b5 + nfs.id: 40 + nfs.procedure: ACCESS + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 91 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961924 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 39 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 7320 + flow.bytes_toserver: 7554 + flow.pkts_toclient: 40 + flow.pkts_toserver: 41 + nfs.file_tx: false + nfs.filename: '' + nfs.hhash: e87927b5 + nfs.id: 40 + nfs.procedure: ACCESS + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 91 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961924 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 39 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 11 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 7320 + flow.bytes_toserver: 7554 + flow.pkts_toclient: 40 + flow.pkts_toserver: 41 + nfs.file_tx: false + nfs.filename: 
'' + nfs.hhash: e87927b5 + nfs.id: 40 + nfs.procedure: ACCESS + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 91 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961924 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 39 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 15 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 7320 + flow.bytes_toserver: 7554 + flow.pkts_toclient: 40 + flow.pkts_toserver: 41 + nfs.file_tx: false + nfs.filename: '' + nfs.hhash: e87927b5 + nfs.id: 40 + nfs.procedure: ACCESS + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 91 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961924 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 39 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: '' + nfs.hhash: e87927b5 + nfs.id: 40 + nfs.procedure: ACCESS + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 92 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961924 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 7482 + flow.bytes_toserver: 7724 + flow.pkts_toclient: 41 + flow.pkts_toserver: 42 + nfs.file_tx: false + nfs.filename: '' + nfs.hhash: e87927b5 + nfs.id: 41 + nfs.procedure: GETATTR + nfs.status: OK 
+ nfs.type: response + nfs.version: 3 + pcap_cnt: 93 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961925 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 40 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 7482 + flow.bytes_toserver: 7724 + flow.pkts_toclient: 41 + flow.pkts_toserver: 42 + nfs.file_tx: false + nfs.filename: '' + nfs.hhash: e87927b5 + nfs.id: 41 + nfs.procedure: GETATTR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 93 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961925 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 40 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 10 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 7482 + flow.bytes_toserver: 7724 + flow.pkts_toclient: 41 + flow.pkts_toserver: 42 + nfs.file_tx: false + nfs.filename: '' + nfs.hhash: e87927b5 + nfs.id: 41 + nfs.procedure: GETATTR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 93 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961925 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 40 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 
7636 + flow.bytes_toserver: 7914 + flow.pkts_toclient: 42 + flow.pkts_toserver: 43 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 42 + nfs.procedure: READDIR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 95 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961926 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 41 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 7636 + flow.bytes_toserver: 7914 + flow.pkts_toclient: 42 + flow.pkts_toserver: 43 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 42 + nfs.procedure: READDIR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 95 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961926 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 41 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 11 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 7636 + flow.bytes_toserver: 7914 + flow.pkts_toclient: 42 + flow.pkts_toserver: 43 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 42 + nfs.procedure: READDIR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 95 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961926 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 41 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: '' + nfs.id: 
42 + nfs.procedure: READDIR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 96 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961926 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 7894 + flow.bytes_toserver: 8092 + flow.pkts_toclient: 43 + flow.pkts_toserver: 44 + nfs.file_tx: false + nfs.filename: h + nfs.hhash: e87927b5 + nfs.id: 43 + nfs.procedure: REMOVE + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 97 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961927 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 42 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 7894 + flow.bytes_toserver: 8092 + flow.pkts_toclient: 43 + flow.pkts_toserver: 44 + nfs.file_tx: false + nfs.filename: h + nfs.hhash: e87927b5 + nfs.id: 43 + nfs.procedure: REMOVE + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 97 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961927 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 42 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 11 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + 
event_type: alert + flow.bytes_toclient: 7894 + flow.bytes_toserver: 8092 + flow.pkts_toclient: 43 + flow.pkts_toserver: 44 + nfs.file_tx: false + nfs.filename: h + nfs.hhash: e87927b5 + nfs.id: 43 + nfs.procedure: REMOVE + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 97 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961927 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 42 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: h + nfs.hhash: e87927b5 + nfs.id: 43 + nfs.procedure: REMOVE + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 98 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961927 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 8080 + flow.bytes_toserver: 8270 + flow.pkts_toclient: 44 + flow.pkts_toserver: 45 + nfs.file_tx: false + nfs.filename: d + nfs.hhash: 38a4e9f6 + nfs.id: 44 + nfs.procedure: RMDIR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 99 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961928 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 43 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 8080 + flow.bytes_toserver: 8270 + 
flow.pkts_toclient: 44 + flow.pkts_toserver: 45 + nfs.file_tx: false + nfs.filename: d + nfs.hhash: 38a4e9f6 + nfs.id: 44 + nfs.procedure: RMDIR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 99 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961928 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 43 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 11 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 8080 + flow.bytes_toserver: 8270 + flow.pkts_toclient: 44 + flow.pkts_toserver: 45 + nfs.file_tx: false + nfs.filename: d + nfs.hhash: 38a4e9f6 + nfs.id: 44 + nfs.procedure: RMDIR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 99 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961928 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 43 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: d + nfs.hhash: 38a4e9f6 + nfs.id: 44 + nfs.procedure: RMDIR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 100 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961928 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 8266 + flow.bytes_toserver: 8448 + flow.pkts_toclient: 45 + flow.pkts_toserver: 46 + nfs.file_tx: false + nfs.filename: 
am + nfs.id: 45 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 101 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961929 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 44 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 8266 + flow.bytes_toserver: 8448 + flow.pkts_toclient: 45 + flow.pkts_toserver: 46 + nfs.file_tx: false + nfs.filename: am + nfs.id: 45 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 101 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961929 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 44 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 12 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 8266 + flow.bytes_toserver: 8448 + flow.pkts_toclient: 45 + flow.pkts_toserver: 46 + nfs.file_tx: false + nfs.filename: am + nfs.id: 45 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 101 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961929 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 44 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 15 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + 
flow.bytes_toclient: 8266 + flow.bytes_toserver: 8448 + flow.pkts_toclient: 45 + flow.pkts_toserver: 46 + nfs.file_tx: false + nfs.filename: am + nfs.id: 45 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 101 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961929 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 44 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: am + nfs.hhash: 131299c5 + nfs.id: 45 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 102 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961929 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 8548 + flow.bytes_toserver: 8626 + flow.pkts_toclient: 46 + flow.pkts_toserver: 47 + nfs.file_tx: false + nfs.filename: am + nfs.id: 46 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 103 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961930 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 45 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 8548 + flow.bytes_toserver: 8626 + flow.pkts_toclient: 46 + flow.pkts_toserver: 47 + nfs.file_tx: 
false + nfs.filename: am + nfs.id: 46 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 103 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961930 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 45 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 12 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 8548 + flow.bytes_toserver: 8626 + flow.pkts_toclient: 46 + flow.pkts_toserver: 47 + nfs.file_tx: false + nfs.filename: am + nfs.id: 46 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 103 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961930 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 45 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 15 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 8548 + flow.bytes_toserver: 8626 + flow.pkts_toclient: 46 + flow.pkts_toserver: 47 + nfs.file_tx: false + nfs.filename: am + nfs.id: 46 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 103 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961930 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 45 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: am + nfs.hhash: 131299c5 + nfs.id: 46 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + 
nfs.version: 3 + pcap_cnt: 104 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961930 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 8830 + flow.bytes_toserver: 8804 + flow.pkts_toclient: 47 + flow.pkts_toserver: 48 + nfs.file_tx: false + nfs.filename: am + nfs.hhash: 38a4e9f6 + nfs.id: 47 + nfs.procedure: REMOVE + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 105 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961931 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 46 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 8830 + flow.bytes_toserver: 8804 + flow.pkts_toclient: 47 + flow.pkts_toserver: 48 + nfs.file_tx: false + nfs.filename: am + nfs.hhash: 38a4e9f6 + nfs.id: 47 + nfs.procedure: REMOVE + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 105 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961931 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 46 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 11 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 8830 + flow.bytes_toserver: 
8804 + flow.pkts_toclient: 47 + flow.pkts_toserver: 48 + nfs.file_tx: false + nfs.filename: am + nfs.hhash: 38a4e9f6 + nfs.id: 47 + nfs.procedure: REMOVE + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 105 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961931 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 46 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: am + nfs.hhash: 38a4e9f6 + nfs.id: 47 + nfs.procedure: REMOVE + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 106 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961931 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 9016 + flow.bytes_toserver: 8982 + flow.pkts_toclient: 48 + flow.pkts_toserver: 49 + nfs.file_tx: false + nfs.filename: bln + nfs.id: 48 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 107 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961932 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 47 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 9016 + flow.bytes_toserver: 8982 + flow.pkts_toclient: 48 + flow.pkts_toserver: 49 + nfs.file_tx: false + nfs.filename: bln + 
nfs.id: 48 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 107 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961932 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 47 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 12 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 9016 + flow.bytes_toserver: 8982 + flow.pkts_toclient: 48 + flow.pkts_toserver: 49 + nfs.file_tx: false + nfs.filename: bln + nfs.id: 48 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 107 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961932 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 47 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 15 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 9016 + flow.bytes_toserver: 8982 + flow.pkts_toclient: 48 + flow.pkts_toserver: 49 + nfs.file_tx: false + nfs.filename: bln + nfs.id: 48 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 107 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961932 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 47 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: bln + nfs.hhash: a5fcf973 + nfs.id: 48 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 108 + 
proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961932 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 9298 + flow.bytes_toserver: 9160 + flow.pkts_toclient: 49 + flow.pkts_toserver: 50 + nfs.file_tx: false + nfs.filename: bln + nfs.id: 49 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 109 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961933 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 48 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 9298 + flow.bytes_toserver: 9160 + flow.pkts_toclient: 49 + flow.pkts_toserver: 50 + nfs.file_tx: false + nfs.filename: bln + nfs.id: 49 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 109 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961933 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 48 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 12 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 9298 + flow.bytes_toserver: 9160 + flow.pkts_toclient: 49 + flow.pkts_toserver: 50 + nfs.file_tx: false + 
nfs.filename: bln + nfs.id: 49 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 109 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961933 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 48 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 15 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 9298 + flow.bytes_toserver: 9160 + flow.pkts_toclient: 49 + flow.pkts_toserver: 50 + nfs.file_tx: false + nfs.filename: bln + nfs.id: 49 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 109 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961933 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 48 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: bln + nfs.hhash: a5fcf973 + nfs.id: 49 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 110 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961933 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 9580 + flow.bytes_toserver: 9338 + flow.pkts_toclient: 50 + flow.pkts_toserver: 51 + nfs.file_tx: false + nfs.filename: bln + nfs.hhash: 38a4e9f6 + nfs.id: 50 + nfs.procedure: REMOVE + nfs.status: OK + nfs.type: response + 
nfs.version: 3 + pcap_cnt: 111 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961934 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 49 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 9580 + flow.bytes_toserver: 9338 + flow.pkts_toclient: 50 + flow.pkts_toserver: 51 + nfs.file_tx: false + nfs.filename: bln + nfs.hhash: 38a4e9f6 + nfs.id: 50 + nfs.procedure: REMOVE + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 111 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961934 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 49 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 11 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 9580 + flow.bytes_toserver: 9338 + flow.pkts_toclient: 50 + flow.pkts_toserver: 51 + nfs.file_tx: false + nfs.filename: bln + nfs.hhash: 38a4e9f6 + nfs.id: 50 + nfs.procedure: REMOVE + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 111 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961934 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 49 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: bln + nfs.hhash: 38a4e9f6 + nfs.id: 50 + nfs.procedure: REMOVE + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 112 + proto: UDP + rpc.auth_type: 
UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961934 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 9766 + flow.bytes_toserver: 9516 + flow.pkts_toclient: 51 + flow.pkts_toserver: 52 + nfs.file_tx: false + nfs.filename: blns + nfs.id: 51 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 113 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961935 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 50 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 9766 + flow.bytes_toserver: 9516 + flow.pkts_toclient: 51 + flow.pkts_toserver: 52 + nfs.file_tx: false + nfs.filename: blns + nfs.id: 51 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 113 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961935 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 50 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 12 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 9766 + flow.bytes_toserver: 9516 + flow.pkts_toclient: 51 + flow.pkts_toserver: 52 + nfs.file_tx: false + nfs.filename: blns + 
nfs.id: 51 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 113 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961935 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 50 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 15 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 9766 + flow.bytes_toserver: 9516 + flow.pkts_toclient: 51 + flow.pkts_toserver: 52 + nfs.file_tx: false + nfs.filename: blns + nfs.id: 51 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 113 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961935 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 50 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: blns + nfs.hhash: 94b45286 + nfs.id: 51 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 114 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961935 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 10048 + flow.bytes_toserver: 9694 + flow.pkts_toclient: 52 + flow.pkts_toserver: 53 + nfs.file_tx: false + nfs.filename: blns + nfs.id: 52 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 115 + proto: 
UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961936 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 51 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 10048 + flow.bytes_toserver: 9694 + flow.pkts_toclient: 52 + flow.pkts_toserver: 53 + nfs.file_tx: false + nfs.filename: blns + nfs.id: 52 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 115 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961936 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 51 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 12 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 10048 + flow.bytes_toserver: 9694 + flow.pkts_toclient: 52 + flow.pkts_toserver: 53 + nfs.file_tx: false + nfs.filename: blns + nfs.id: 52 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 115 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961936 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 51 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 15 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 10048 + flow.bytes_toserver: 9694 + flow.pkts_toclient: 52 + flow.pkts_toserver: 53 + nfs.file_tx: 
false + nfs.filename: blns + nfs.id: 52 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 115 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961936 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 51 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: blns + nfs.hhash: 94b45286 + nfs.id: 52 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 116 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961936 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 10330 + flow.bytes_toserver: 9864 + flow.pkts_toclient: 53 + flow.pkts_toserver: 54 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 53 + nfs.procedure: READLINK + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 117 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961937 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 52 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 10330 + flow.bytes_toserver: 9864 + flow.pkts_toclient: 53 + flow.pkts_toserver: 54 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 53 + nfs.procedure: READLINK + nfs.status: OK + nfs.type: response + 
nfs.version: 3 + pcap_cnt: 117 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961937 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 52 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 11 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 10330 + flow.bytes_toserver: 9864 + flow.pkts_toclient: 53 + flow.pkts_toserver: 54 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 53 + nfs.procedure: READLINK + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 117 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961937 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 52 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: '' + nfs.id: 53 + nfs.procedure: READLINK + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 118 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961937 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 10496 + flow.bytes_toserver: 10042 + flow.pkts_toclient: 54 + flow.pkts_toserver: 55 + nfs.file_tx: false + nfs.filename: b + nfs.id: 54 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 119 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 
0 + rpc.status: ACCEPTED + rpc.xid: 1578961938 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 53 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 10496 + flow.bytes_toserver: 10042 + flow.pkts_toclient: 54 + flow.pkts_toserver: 55 + nfs.file_tx: false + nfs.filename: b + nfs.id: 54 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 119 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961938 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 53 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 12 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 10496 + flow.bytes_toserver: 10042 + flow.pkts_toclient: 54 + flow.pkts_toserver: 55 + nfs.file_tx: false + nfs.filename: b + nfs.id: 54 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 119 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961938 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 53 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 15 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 10496 + flow.bytes_toserver: 10042 + flow.pkts_toclient: 54 + flow.pkts_toserver: 55 + nfs.file_tx: false + nfs.filename: b + nfs.id: 54 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + 
nfs.version: 3 + pcap_cnt: 119 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961938 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 53 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: b + nfs.hhash: a5fcf973 + nfs.id: 54 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 120 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961938 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 10778 + flow.bytes_toserver: 10220 + flow.pkts_toclient: 55 + flow.pkts_toserver: 56 + nfs.file_tx: false + nfs.filename: blns + nfs.hhash: 38a4e9f6 + nfs.id: 55 + nfs.procedure: REMOVE + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 121 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961939 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 54 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 10778 + flow.bytes_toserver: 10220 + flow.pkts_toclient: 55 + flow.pkts_toserver: 56 + nfs.file_tx: false + nfs.filename: blns + nfs.hhash: 38a4e9f6 + nfs.id: 55 + nfs.procedure: REMOVE + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 121 + proto: UDP + rpc.auth_type: UNIX + 
rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961939 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 54 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 11 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 10778 + flow.bytes_toserver: 10220 + flow.pkts_toclient: 55 + flow.pkts_toserver: 56 + nfs.file_tx: false + nfs.filename: blns + nfs.hhash: 38a4e9f6 + nfs.id: 55 + nfs.procedure: REMOVE + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 121 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961939 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 54 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: blns + nfs.hhash: 38a4e9f6 + nfs.id: 55 + nfs.procedure: REMOVE + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 122 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961939 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 10964 + flow.bytes_toserver: 10398 + flow.pkts_toclient: 56 + flow.pkts_toserver: 57 + nfs.file_tx: false + nfs.filename: am + nfs.id: 56 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 123 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: 
ACCEPTED + rpc.xid: 1578961940 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 55 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 10964 + flow.bytes_toserver: 10398 + flow.pkts_toclient: 56 + flow.pkts_toserver: 57 + nfs.file_tx: false + nfs.filename: am + nfs.id: 56 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 123 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961940 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 55 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 12 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 10964 + flow.bytes_toserver: 10398 + flow.pkts_toclient: 56 + flow.pkts_toserver: 57 + nfs.file_tx: false + nfs.filename: am + nfs.id: 56 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 123 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961940 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 55 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 15 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 10964 + flow.bytes_toserver: 10398 + flow.pkts_toclient: 56 + flow.pkts_toserver: 57 + nfs.file_tx: false + nfs.filename: am + nfs.id: 56 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 
3 + pcap_cnt: 123 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961940 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 55 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: am + nfs.id: 56 + nfs.procedure: LOOKUP + nfs.status: ERR_NOENT + nfs.type: response + nfs.version: 3 + pcap_cnt: 124 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961940 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + app_proto: failed + dest_ip: 139.25.22.102 + dest_port: 1048 + event_type: flow + flow.age: 0 + flow.alerted: false + flow.bytes_toclient: 66 + flow.bytes_toserver: 158 + flow.pkts_toclient: 1 + flow.pkts_toserver: 1 + flow.reason: shutdown + flow.state: established + proto: UDP + src_ip: 139.25.22.2 + src_port: 722 +- filter: + count: 1 + match: + app_proto: failed + dest_ip: 139.25.22.102 + dest_port: 111 + event_type: flow + flow.age: 0 + flow.alerted: false + flow.bytes_toclient: 90 + flow.bytes_toserver: 106 + flow.pkts_toclient: 1 + flow.pkts_toserver: 1 + flow.reason: shutdown + flow.state: established + proto: UDP + src_ip: 139.25.22.2 + src_port: 3299 +- filter: + count: 1 + match: + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: flow + flow.age: 0 + flow.alerted: true + flow.bytes_toclient: 11038 + flow.bytes_toserver: 10398 + flow.pkts_toclient: 57 + flow.pkts_toserver: 57 + flow.reason: shutdown + flow.state: established + proto: UDP + src_ip: 139.25.22.2 + src_port: 1022 +- filter: + count: 1 + match: + app_proto: failed + dest_ip: 139.25.22.102 + dest_port: 1048 + event_type: flow + flow.age: 0 + flow.alerted: false + flow.bytes_toclient: 66 + flow.bytes_toserver: 82 + flow.pkts_toclient: 1 + flow.pkts_toserver: 1 + flow.reason: shutdown + 
flow.state: established + proto: UDP + src_ip: 139.25.22.2 + src_port: 3296 +- filter: + count: 1 + match: + app_proto: failed + dest_ip: 139.25.22.102 + dest_port: 111 + event_type: flow + flow.age: 0 + flow.alerted: false + flow.bytes_toclient: 90 + flow.bytes_toserver: 106 + flow.pkts_toclient: 1 + flow.pkts_toserver: 1 + flow.reason: shutdown + flow.state: established + proto: UDP + src_ip: 139.25.22.2 + src_port: 3295 +- filter: + count: 1 + match: + app_proto: failed + dest_ip: 139.25.22.102 + dest_port: 111 + event_type: flow + flow.age: 0 + flow.alerted: false + flow.bytes_toclient: 90 + flow.bytes_toserver: 106 + flow.pkts_toclient: 1 + flow.pkts_toserver: 1 + flow.reason: shutdown + flow.state: established + proto: UDP + src_ip: 139.25.22.2 + src_port: 3297 +- filter: + count: 1 + match: + app_proto: failed + dest_ip: 139.25.22.102 + dest_port: 1048 + event_type: flow + flow.age: 0 + flow.alerted: false + flow.bytes_toclient: 114 + flow.bytes_toserver: 158 + flow.pkts_toclient: 1 + flow.pkts_toserver: 1 + flow.reason: shutdown + flow.state: established + proto: UDP + src_ip: 139.25.22.2 + src_port: 706 +- filter: + count: 1 + match: + app_proto: failed + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: flow + flow.age: 0 + flow.alerted: false + flow.bytes_toclient: 66 + flow.bytes_toserver: 82 + flow.pkts_toclient: 1 + flow.pkts_toserver: 1 + flow.reason: shutdown + flow.state: established + proto: UDP + src_ip: 139.25.22.2 + src_port: 3298