From 84985d8d24d75fd50dd1a8deb67ebbb7b22d259a Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Wed, 20 Jan 2021 22:26:45 +0100
Subject: [PATCH] tests: nfs version for 5
---
tests/nfs3-01-pre-6/input.pcap | Bin 0 -> 24888 bytes
tests/nfs3-01-pre-6/test.rules | 9 +
tests/nfs3-01-pre-6/test.yaml | 8505 ++++++++++++++++++++++++++++++++
3 files changed, 8514 insertions(+)
create mode 100644 tests/nfs3-01-pre-6/input.pcap
create mode 100644 tests/nfs3-01-pre-6/test.rules
create mode 100644 tests/nfs3-01-pre-6/test.yaml
diff --git a/tests/nfs3-01-pre-6/input.pcap b/tests/nfs3-01-pre-6/input.pcap new file mode 100644 index 0000000000000000000000000000000000000000..9a94efd9ea66390e4e7174cc37eeeff2ecf057b2 GIT binary patch literal 24888 zc-rk;2~bo=8tw;(TtRTq^)BLiuZtJzXgu(Uc;C08csxagpdg6H>R{rLM6<+TVr^Mj zT#t2)8x6@O8_PAUu@XxYb=9@hiV<um|G~TfN{?{{f_jJD*bmk3a^Qzh&8R-7M z@9Y2X`)w)w^fU@U3PO=l2;omCI05I1H8Hy>3VOZ>f1V4eXye@>r|`eUbq|D~=MkE$ zc0(v3`sBV>>(&myX;#EVl#cp$jI{O{HV5esE_ZbS&I3teA7%A+$9GvX=R1E))jSar z)T!4GH4nD8)@mMgUaM8B9i`*CtCsTmn*nKM#UN-3PG zQPu>Izm290i)oXRo~E{$Jtre|&Ww~cYR>%hjD@ov&QG4_=5==@>_mJlVP1jT-HlGGq>$HDb%_~R}}yv>`{URsHkEQig3 zW!UDmi`GnO82**OW^c7)w=IjZ{11?LF4oyc0T&q+Tm+V(oC&jt<+3)7t?5-ttU}c9 zB@2HWtkkW-7DdGLc@$tx%(~jPxFeOj<+wL+ypZE~A-42_fMbif9QVq@pN~P}IWDq~ z29CQk9Pd8;6|r2#vEmD!5z;8Ok+SH|L1;y}{!n$*r_jlC=>xiC3Uv8epi50Z=yDPg zugf9(SkR?2qs!j-?}+6l>w-`ZoBmsMv)k(V0P=&tB9d=OqH_ ziSdIrA41}_*=ZjK+Kgnh$v@kYSZ=a5D>R=d=jzq_>*_(p+8;yW`QN7Y1O8JO{_|?j z$0&*g{0ExFzxMaj94$ykFc1>2LpQq$I_zb1XptC15Gdllfhk$WO(JkJo8u-Omwf3d z;bscJ9z)dHHo1&OxTylwkn-H_PsVGy~MwO{h$#n!({Wo}Q zt#pONajCSn&(RRSv7hErsqDVHO=U$3MP#2}Lsj(0bkhb^@WI1Vt2V^PG>>TFcD!O0ATZXYCGhu!vhphH(i zhfQrP1f7vDI=x-sCr_diAkfNd5V*xg=cxK9WYEV90-a{CeN3%K7|Az&?qdR`r8%?! 
z1hPIR9kkfN_A&j+2?95Lj3GCJft%?ZHxF^i|9MKdnGf7-=eQ{&2%dzSA;8TvZfr6K zmwct_j7^qA;s4fy#P_EW_65+No@ThYTb4)=c(_*OlfG2w%f9U|HKwFm4+X80IX}3M znfkWs_yHi0`9TKw!B)->9ufp@`~XV+8WPXV33V87(}Ce;f7c7R3`n_bn?Rm3JH;g}KbL9T0Q)h2Wtbrd5hqf|>^CN8~@v6UL z=5%Lk*APf!=5o;gb2erUyG0Oqy1uWi&9tgS%na8vn@p1=ZBEhpgI{3{794u^-bx$H zF%sX-^`q7!Kn@EkQ`ah`b$XiWWvv6Jr@laGEsdEgAZEVF#msvIft#3V$jwOL zW-`moj@!88>wfkFPr0!HHyb%_?h*uUxH+sXUY>!(b8}dQ-3Ci%hMNyQiNYn93b?7^ zqjn?m&`R>Bp;T%@;^Rn=eYGHt+$^0$P#X0kju;W}3H?IOWuW;PlCI~#?Mm8RW9UDt)c0Ag<9xnN&fSWM0xgl$!<$^U)#?zhSk&xPW z)TA_q#K(~s`)d$KnDu1^U3#6Mt<0Kesbn69k#8v%j7bzX^SDy*^|B2LpL=&72FgTq zjzYR88~6_F8d=7%zB6DdX6$=^k3r*{nrjH8W6%wt`TOh`^iU^);7QMzcwG|{w0;*7 zuXTYsUeJfETcl#9eh_FKWTw`X^?!oI$H;v98xSK~F*@50{+?Lx^w7tw9{eH$pw_LWbkPlq9WA_yf77)vQc*aHArVl{kIo_*I6znT(&a`4nZwWY# zGOkllea~QS7WgEw3)huP=P2Y{fq^eggZ46n^`(X- zn92L*`I1P0K$+EM3(}9}??AgBh+AiY*^Un6kxp}O! zeSlc%SAPM&TE_ZSgHnRH5`MK~w00)ldtX#AIqz2jpYw_@+1kzZ*=-3Qn1pnwlO)d@vO4#Xma&iRXX6{jcDI-!lB~96y_&^5{&T zz&~XA1RIaHUG#DKfCHU1aqebkbkUK?)&W&PU$gGT=@?m=dFy~ey&@>ZC7;am*L!4{YMJqGEP%VN-8;JOwYgO0yPEU#<~dTgF` zOPd!NwCUNv@gQz(d(@PM5y-@~ZQ(4NvR>Av-vgc_*fyOrlvr>2{x@Z@tWBo?-$S{z z?J3w|#l*F37rrUWWo^0;xVEruI%g`e++CaY8qbuajvHMp$2(QH;bG~;aGc*c0b3d% z;5gXCHcg%cBtXI6OZyx2qqo?5X|pdkp-F8H;Cttl=ZT{VL!wx zh3y+!EG5?aU{6Rs-{LHm^$n@O_dsqP_A0ixnu+(RT==Fem-P+*0IoyWzM;iBV!4<1 zJ>AS}bxURYo@u~wM|R&cw-8$zY~H@7uuY5iJpqjp0Ey@Qmi++4oP9XPi~*12SySi(Bc`t>~k1v@tL4+ z-!$S5LEw=V^m?{8_xP{|E9o4C9zq6MzzsG_4{q=N97YmaW%lj?fpkCjC}^>S-Os(b zlOXt6@7=pdx>NWCXuX)z`p*QxFIrb<4L9;E-8ij} zVWz^(>+d|#S{h@&1g+1qF}66BAn+*0(wuoyi)IHp+34Jj7MY;MbKIGke`6#ORp!i$ zvELmBEwWj^`|T!zz>jBUr0WvC(>koC(cP(iL2XR3_WfIzDC3D7!=)A}uf z;1{hcw1(TdmM)yuM=(>7evYx6*3uYz60|JVgc)SpRXYZJRRHkPUo~ any any (nfs_version:<3; sid:1;) +alert nfs any any -> any any (nfs_version:>3; sid:2;) +alert nfs any any -> any any (nfs_version:3; sid:3;) +alert nfs any any -> any any (nfs_version:2<>4; sid:6;) + +alert nfs any any -> any any (nfs_procedure:<3; sid:10;) +alert nfs any any -> any any (nfs_procedure:>3; 
sid:11;)
+alert nfs any any -> any any (nfs_procedure:3; sid:12;)
+alert nfs any any -> any any (nfs_procedure:2<>4; sid:15;)
diff --git a/tests/nfs3-01-pre-6/test.yaml b/tests/nfs3-01-pre-6/test.yaml
new file mode 100644
index 000000000..84762f4da
--- /dev/null
+++ b/tests/nfs3-01-pre-6/test.yaml
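Review bot: In tests/nfs3-01-pre-6/test.rules, sid:1 (`nfs_version:<3`) and sid:2 (`nfs_version:>3`) are only meaningful if the test asserts they stay silent on this NFSv3 capture, and none of the checks visible in test.yaml does so: they pin sids 3, 6, 10, 11, 12 and 15 with `count: 1` only. test.yaml continues beyond what is shown here, so this may already be covered; if not, a filter with `count: 0` and `match: {event_type: alert, alert.signature_id: 1}` (and the same for sid 2) would catch a comparison that starts over-matching. The rules also carry no `msg`, which is why every expected alert has `alert.signature: ''`; a short `msg` per rule and a leading `#` comment saying why this pre-6 variant exists would make a failing check easier to triage.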
@@ -0,0 +1,8505 @@ +requires: + version: 5 + +args: +- -k none + +checks: +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 0 + flow.bytes_toserver: 170 + flow.pkts_toclient: 0 + flow.pkts_toserver: 1 + nfs.file_tx: false + nfs.filename: '' + nfs.hhash: 38a4e9f6 + nfs.id: 1 + nfs.procedure: GETATTR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 11 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961884 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 0 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 0 + flow.bytes_toserver: 170 + flow.pkts_toclient: 0 + flow.pkts_toserver: 1 + nfs.file_tx: false + nfs.filename: '' + nfs.hhash: 38a4e9f6 + nfs.id: 1 + nfs.procedure: GETATTR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 11 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961884 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 0 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 10 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 0 + flow.bytes_toserver: 170 + flow.pkts_toclient: 0 + flow.pkts_toserver: 1 + nfs.file_tx: false + nfs.filename: '' + nfs.hhash: 38a4e9f6 + nfs.id: 1 + nfs.procedure: GETATTR + nfs.status: OK + 
nfs.type: response + nfs.version: 3 + pcap_cnt: 11 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961884 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 0 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 154 + flow.bytes_toserver: 340 + flow.pkts_toclient: 1 + flow.pkts_toserver: 2 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 2 + nfs.procedure: FSINFO + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 13 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961885 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 1 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 154 + flow.bytes_toserver: 340 + flow.pkts_toclient: 1 + flow.pkts_toserver: 2 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 2 + nfs.procedure: FSINFO + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 13 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961885 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 1 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 11 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 154 + flow.bytes_toserver: 340 + flow.pkts_toclient: 1 + 
flow.pkts_toserver: 2 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 2 + nfs.procedure: FSINFO + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 13 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961885 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 1 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: '' + nfs.id: 2 + nfs.procedure: FSINFO + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 14 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961885 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 360 + flow.bytes_toserver: 510 + flow.pkts_toclient: 2 + flow.pkts_toserver: 3 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 3 + nfs.procedure: FSSTAT + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 15 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961886 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 2 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 360 + flow.bytes_toserver: 510 + flow.pkts_toclient: 2 + flow.pkts_toserver: 3 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 3 + nfs.procedure: FSSTAT + nfs.status: OK + nfs.type: response + nfs.version: 3 + 
pcap_cnt: 15 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961886 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 2 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 11 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 360 + flow.bytes_toserver: 510 + flow.pkts_toclient: 2 + flow.pkts_toserver: 3 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 3 + nfs.procedure: FSSTAT + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 15 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961886 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 2 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: '' + nfs.id: 3 + nfs.procedure: FSSTAT + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 16 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961886 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 570 + flow.bytes_toserver: 680 + flow.pkts_toclient: 3 + flow.pkts_toserver: 4 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 4 + nfs.procedure: PATHCONF + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 17 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 
1578961887 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 3 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 570 + flow.bytes_toserver: 680 + flow.pkts_toclient: 3 + flow.pkts_toserver: 4 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 4 + nfs.procedure: PATHCONF + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 17 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961887 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 3 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 11 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 570 + flow.bytes_toserver: 680 + flow.pkts_toclient: 3 + flow.pkts_toserver: 4 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 4 + nfs.procedure: PATHCONF + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 17 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961887 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 3 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: '' + nfs.id: 4 + nfs.procedure: PATHCONF + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 18 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961887 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + 
alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 752 + flow.bytes_toserver: 858 + flow.pkts_toclient: 4 + flow.pkts_toserver: 5 + nfs.file_tx: false + nfs.filename: a + nfs.id: 5 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 19 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961888 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 4 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 752 + flow.bytes_toserver: 858 + flow.pkts_toclient: 4 + flow.pkts_toserver: 5 + nfs.file_tx: false + nfs.filename: a + nfs.id: 5 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 19 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961888 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 4 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 12 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 752 + flow.bytes_toserver: 858 + flow.pkts_toclient: 4 + flow.pkts_toserver: 5 + nfs.file_tx: false + nfs.filename: a + nfs.id: 5 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 19 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961888 + src_ip: 139.25.22.2 + 
src_port: 1022 + tx_id: 4 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 15 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 752 + flow.bytes_toserver: 858 + flow.pkts_toclient: 4 + flow.pkts_toserver: 5 + nfs.file_tx: false + nfs.filename: a + nfs.id: 5 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 19 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961888 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 4 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: a + nfs.id: 5 + nfs.procedure: LOOKUP + nfs.status: ERR_NOENT + nfs.type: response + nfs.version: 3 + pcap_cnt: 20 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961888 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 826 + flow.bytes_toserver: 1036 + flow.pkts_toclient: 5 + flow.pkts_toserver: 6 + nfs.file_tx: false + nfs.filename: a + nfs.id: 6 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 21 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961889 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 5 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + 
alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 826 + flow.bytes_toserver: 1036 + flow.pkts_toclient: 5 + flow.pkts_toserver: 6 + nfs.file_tx: false + nfs.filename: a + nfs.id: 6 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 21 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961889 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 5 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 12 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 826 + flow.bytes_toserver: 1036 + flow.pkts_toclient: 5 + flow.pkts_toserver: 6 + nfs.file_tx: false + nfs.filename: a + nfs.id: 6 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 21 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961889 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 5 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 15 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 826 + flow.bytes_toserver: 1036 + flow.pkts_toclient: 5 + flow.pkts_toserver: 6 + nfs.file_tx: false + nfs.filename: a + nfs.id: 6 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 21 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961889 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 5 +- filter: + 
count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: a + nfs.id: 6 + nfs.procedure: LOOKUP + nfs.status: ERR_NOENT + nfs.type: response + nfs.version: 3 + pcap_cnt: 22 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961889 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 900 + flow.bytes_toserver: 1262 + flow.pkts_toclient: 6 + flow.pkts_toserver: 7 + nfs.file_tx: false + nfs.filename: a + nfs.hhash: 38a4e9f6 + nfs.id: 7 + nfs.procedure: CREATE + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 23 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961890 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 6 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 900 + flow.bytes_toserver: 1262 + flow.pkts_toclient: 6 + flow.pkts_toserver: 7 + nfs.file_tx: false + nfs.filename: a + nfs.hhash: 38a4e9f6 + nfs.id: 7 + nfs.procedure: CREATE + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 23 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961890 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 6 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 
3 + alert.signature: '' + alert.signature_id: 11 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 900 + flow.bytes_toserver: 1262 + flow.pkts_toclient: 6 + flow.pkts_toserver: 7 + nfs.file_tx: false + nfs.filename: a + nfs.hhash: 38a4e9f6 + nfs.id: 7 + nfs.procedure: CREATE + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 23 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961890 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 6 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: a + nfs.hhash: 38a4e9f6 + nfs.id: 7 + nfs.procedure: CREATE + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 24 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961890 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 1214 + flow.bytes_toserver: 1432 + flow.pkts_toclient: 7 + flow.pkts_toserver: 8 + nfs.file_tx: false + nfs.filename: a + nfs.hhash: 131299c5 + nfs.id: 8 + nfs.procedure: GETATTR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 25 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961891 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 7 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + 
dest_port: 2049 + event_type: alert + flow.bytes_toclient: 1214 + flow.bytes_toserver: 1432 + flow.pkts_toclient: 7 + flow.pkts_toserver: 8 + nfs.file_tx: false + nfs.filename: a + nfs.hhash: 131299c5 + nfs.id: 8 + nfs.procedure: GETATTR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 25 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961891 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 7 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 10 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 1214 + flow.bytes_toserver: 1432 + flow.pkts_toclient: 7 + flow.pkts_toserver: 8 + nfs.file_tx: false + nfs.filename: a + nfs.hhash: 131299c5 + nfs.id: 8 + nfs.procedure: GETATTR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 25 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961891 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 7 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 1368 + flow.bytes_toserver: 1638 + flow.pkts_toclient: 8 + flow.pkts_toserver: 9 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 9 + nfs.procedure: SETATTR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 27 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961892 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 8 +- filter: + count: 1 + match: + alert.action: 
allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 1368 + flow.bytes_toserver: 1638 + flow.pkts_toclient: 8 + flow.pkts_toserver: 9 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 9 + nfs.procedure: SETATTR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 27 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961892 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 8 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 10 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 1368 + flow.bytes_toserver: 1638 + flow.pkts_toclient: 8 + flow.pkts_toserver: 9 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 9 + nfs.procedure: SETATTR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 27 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961892 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 8 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 15 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 1368 + flow.bytes_toserver: 1638 + flow.pkts_toclient: 8 + flow.pkts_toserver: 9 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 9 + nfs.procedure: SETATTR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 27 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: 
ACCEPTED + rpc.xid: 1578961892 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 8 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: '' + nfs.id: 9 + nfs.procedure: SETATTR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 28 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961892 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 1554 + flow.bytes_toserver: 1816 + flow.pkts_toclient: 9 + flow.pkts_toserver: 10 + nfs.file_tx: false + nfs.filename: am + nfs.id: 10 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 29 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961893 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 9 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 1554 + flow.bytes_toserver: 1816 + flow.pkts_toclient: 9 + flow.pkts_toserver: 10 + nfs.file_tx: false + nfs.filename: am + nfs.id: 10 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 29 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961893 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 9 +- filter: + count: 1 + match: + alert.action: allowed + 
alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 12 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 1554 + flow.bytes_toserver: 1816 + flow.pkts_toclient: 9 + flow.pkts_toserver: 10 + nfs.file_tx: false + nfs.filename: am + nfs.id: 10 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 29 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961893 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 9 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 15 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 1554 + flow.bytes_toserver: 1816 + flow.pkts_toclient: 9 + flow.pkts_toserver: 10 + nfs.file_tx: false + nfs.filename: am + nfs.id: 10 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 29 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961893 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 9 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: am + nfs.id: 10 + nfs.procedure: LOOKUP + nfs.status: ERR_NOENT + nfs.type: response + nfs.version: 3 + pcap_cnt: 30 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961893 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 
139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 1628 + flow.bytes_toserver: 1994 + flow.pkts_toclient: 10 + flow.pkts_toserver: 11 + nfs.file_tx: false + nfs.filename: am + nfs.id: 11 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 31 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961894 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 10 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 1628 + flow.bytes_toserver: 1994 + flow.pkts_toclient: 10 + flow.pkts_toserver: 11 + nfs.file_tx: false + nfs.filename: am + nfs.id: 11 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 31 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961894 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 10 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 12 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 1628 + flow.bytes_toserver: 1994 + flow.pkts_toclient: 10 + flow.pkts_toserver: 11 + nfs.file_tx: false + nfs.filename: am + nfs.id: 11 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 31 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961894 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 10 +- filter: + count: 1 + match: + alert.action: allowed + 
alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 15 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 1628 + flow.bytes_toserver: 1994 + flow.pkts_toclient: 10 + flow.pkts_toserver: 11 + nfs.file_tx: false + nfs.filename: am + nfs.id: 11 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 31 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961894 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 10 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: am + nfs.id: 11 + nfs.procedure: LOOKUP + nfs.status: ERR_NOENT + nfs.type: response + nfs.version: 3 + pcap_cnt: 32 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961894 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 1702 + flow.bytes_toserver: 2172 + flow.pkts_toclient: 11 + flow.pkts_toserver: 12 + nfs.file_tx: false + nfs.filename: a + nfs.id: 12 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 33 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961895 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 11 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + 
dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 1702 + flow.bytes_toserver: 2172 + flow.pkts_toclient: 11 + flow.pkts_toserver: 12 + nfs.file_tx: false + nfs.filename: a + nfs.id: 12 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 33 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961895 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 11 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 12 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 1702 + flow.bytes_toserver: 2172 + flow.pkts_toclient: 11 + flow.pkts_toserver: 12 + nfs.file_tx: false + nfs.filename: a + nfs.id: 12 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 33 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961895 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 11 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 15 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 1702 + flow.bytes_toserver: 2172 + flow.pkts_toclient: 11 + flow.pkts_toserver: 12 + nfs.file_tx: false + nfs.filename: a + nfs.id: 12 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 33 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961895 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 11 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + 
dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: a + nfs.hhash: 131299c5 + nfs.id: 12 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 34 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961895 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 1984 + flow.bytes_toserver: 2350 + flow.pkts_toclient: 12 + flow.pkts_toserver: 13 + nfs.file_tx: false + nfs.filename: am + nfs.id: 13 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 35 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961896 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 12 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 1984 + flow.bytes_toserver: 2350 + flow.pkts_toclient: 12 + flow.pkts_toserver: 13 + nfs.file_tx: false + nfs.filename: am + nfs.id: 13 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 35 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961896 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 12 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 12 + 
app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 1984 + flow.bytes_toserver: 2350 + flow.pkts_toclient: 12 + flow.pkts_toserver: 13 + nfs.file_tx: false + nfs.filename: am + nfs.id: 13 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 35 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961896 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 12 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 15 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 1984 + flow.bytes_toserver: 2350 + flow.pkts_toclient: 12 + flow.pkts_toserver: 13 + nfs.file_tx: false + nfs.filename: am + nfs.id: 13 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 35 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961896 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 12 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: am + nfs.id: 13 + nfs.procedure: LOOKUP + nfs.status: ERR_NOENT + nfs.type: response + nfs.version: 3 + pcap_cnt: 36 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961896 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 2058 + flow.bytes_toserver: 2572 + 
flow.pkts_toclient: 13 + flow.pkts_toserver: 14 + nfs.file_tx: false + nfs.filename: a + nfs.hhash: 38a4e9f6 + nfs.id: 14 + nfs.procedure: RENAME + nfs.rename.from: a + nfs.rename.to: am + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 37 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961897 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 13 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 2058 + flow.bytes_toserver: 2572 + flow.pkts_toclient: 13 + flow.pkts_toserver: 14 + nfs.file_tx: false + nfs.filename: a + nfs.hhash: 38a4e9f6 + nfs.id: 14 + nfs.procedure: RENAME + nfs.rename.from: a + nfs.rename.to: am + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 37 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961897 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 13 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 11 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 2058 + flow.bytes_toserver: 2572 + flow.pkts_toclient: 13 + flow.pkts_toserver: 14 + nfs.file_tx: false + nfs.filename: a + nfs.hhash: 38a4e9f6 + nfs.id: 14 + nfs.procedure: RENAME + nfs.rename.from: a + nfs.rename.to: am + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 37 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961897 + src_ip: 139.25.22.2 + src_port: 1022 + 
tx_id: 13 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: a + nfs.hhash: 38a4e9f6 + nfs.id: 14 + nfs.procedure: RENAME + nfs.rename.from: a + nfs.rename.to: am + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 38 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961897 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 2360 + flow.bytes_toserver: 2750 + flow.pkts_toclient: 14 + flow.pkts_toserver: 15 + nfs.file_tx: false + nfs.filename: b + nfs.id: 15 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 39 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961898 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 14 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 2360 + flow.bytes_toserver: 2750 + flow.pkts_toclient: 14 + flow.pkts_toserver: 15 + nfs.file_tx: false + nfs.filename: b + nfs.id: 15 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 39 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961898 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 14 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + 
alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 12 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 2360 + flow.bytes_toserver: 2750 + flow.pkts_toclient: 14 + flow.pkts_toserver: 15 + nfs.file_tx: false + nfs.filename: b + nfs.id: 15 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 39 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961898 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 14 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 15 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 2360 + flow.bytes_toserver: 2750 + flow.pkts_toclient: 14 + flow.pkts_toserver: 15 + nfs.file_tx: false + nfs.filename: b + nfs.id: 15 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 39 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961898 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 14 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: b + nfs.hhash: a5fcf973 + nfs.id: 15 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 40 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961898 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 
139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 2642 + flow.bytes_toserver: 2928 + flow.pkts_toclient: 15 + flow.pkts_toserver: 16 + nfs.file_tx: false + nfs.filename: bln + nfs.id: 16 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 41 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 1869440256 + rpc.status: ACCEPTED + rpc.xid: 1578961899 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 15 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 2642 + flow.bytes_toserver: 2928 + flow.pkts_toclient: 15 + flow.pkts_toserver: 16 + nfs.file_tx: false + nfs.filename: bln + nfs.id: 16 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 41 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 1869440256 + rpc.status: ACCEPTED + rpc.xid: 1578961899 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 15 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 12 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 2642 + flow.bytes_toserver: 2928 + flow.pkts_toclient: 15 + flow.pkts_toserver: 16 + nfs.file_tx: false + nfs.filename: bln + nfs.id: 16 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 41 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 1869440256 + rpc.status: ACCEPTED + rpc.xid: 1578961899 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 15 +- filter: + count: 1 + match: + 
alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 15 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 2642 + flow.bytes_toserver: 2928 + flow.pkts_toclient: 15 + flow.pkts_toserver: 16 + nfs.file_tx: false + nfs.filename: bln + nfs.id: 16 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 41 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 1869440256 + rpc.status: ACCEPTED + rpc.xid: 1578961899 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 15 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: bln + nfs.id: 16 + nfs.procedure: LOOKUP + nfs.status: ERR_NOENT + nfs.type: response + nfs.version: 3 + pcap_cnt: 42 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 1869440256 + rpc.status: ACCEPTED + rpc.xid: 1578961899 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 2716 + flow.bytes_toserver: 3106 + flow.pkts_toclient: 16 + flow.pkts_toserver: 17 + nfs.file_tx: false + nfs.filename: bln + nfs.id: 17 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 43 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961900 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 16 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + 
alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 2716 + flow.bytes_toserver: 3106 + flow.pkts_toclient: 16 + flow.pkts_toserver: 17 + nfs.file_tx: false + nfs.filename: bln + nfs.id: 17 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 43 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961900 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 16 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 12 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 2716 + flow.bytes_toserver: 3106 + flow.pkts_toclient: 16 + flow.pkts_toserver: 17 + nfs.file_tx: false + nfs.filename: bln + nfs.id: 17 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 43 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961900 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 16 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 15 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 2716 + flow.bytes_toserver: 3106 + flow.pkts_toclient: 16 + flow.pkts_toserver: 17 + nfs.file_tx: false + nfs.filename: bln + nfs.id: 17 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 43 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961900 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 16 +- filter: + 
count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: bln + nfs.id: 17 + nfs.procedure: LOOKUP + nfs.status: ERR_NOENT + nfs.type: response + nfs.version: 3 + pcap_cnt: 44 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961900 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 2790 + flow.bytes_toserver: 3320 + flow.pkts_toclient: 17 + flow.pkts_toserver: 18 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 18 + nfs.procedure: LINK + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 45 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 1869440256 + rpc.status: ACCEPTED + rpc.xid: 1578961901 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 17 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 2790 + flow.bytes_toserver: 3320 + flow.pkts_toclient: 17 + flow.pkts_toserver: 18 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 18 + nfs.procedure: LINK + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 45 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 1869440256 + rpc.status: ACCEPTED + rpc.xid: 1578961901 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 17 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + 
alert.signature: '' + alert.signature_id: 11 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 2790 + flow.bytes_toserver: 3320 + flow.pkts_toclient: 17 + flow.pkts_toserver: 18 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 18 + nfs.procedure: LINK + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 45 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 1869440256 + rpc.status: ACCEPTED + rpc.xid: 1578961901 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 17 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: '' + nfs.id: 18 + nfs.procedure: LINK + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 46 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 1869440256 + rpc.status: ACCEPTED + rpc.xid: 1578961901 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 3064 + flow.bytes_toserver: 3498 + flow.pkts_toclient: 18 + flow.pkts_toserver: 19 + nfs.file_tx: false + nfs.filename: blns + nfs.id: 19 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 47 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961902 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 18 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + 
flow.bytes_toclient: 3064 + flow.bytes_toserver: 3498 + flow.pkts_toclient: 18 + flow.pkts_toserver: 19 + nfs.file_tx: false + nfs.filename: blns + nfs.id: 19 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 47 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961902 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 18 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 12 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 3064 + flow.bytes_toserver: 3498 + flow.pkts_toclient: 18 + flow.pkts_toserver: 19 + nfs.file_tx: false + nfs.filename: blns + nfs.id: 19 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 47 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961902 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 18 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 15 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 3064 + flow.bytes_toserver: 3498 + flow.pkts_toclient: 18 + flow.pkts_toserver: 19 + nfs.file_tx: false + nfs.filename: blns + nfs.id: 19 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 47 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961902 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 18 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + 
nfs.filename: blns + nfs.id: 19 + nfs.procedure: LOOKUP + nfs.status: ERR_NOENT + nfs.type: response + nfs.version: 3 + pcap_cnt: 48 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961902 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 3138 + flow.bytes_toserver: 3676 + flow.pkts_toclient: 19 + flow.pkts_toserver: 20 + nfs.file_tx: false + nfs.filename: blns + nfs.id: 20 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 49 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961903 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 19 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 3138 + flow.bytes_toserver: 3676 + flow.pkts_toclient: 19 + flow.pkts_toserver: 20 + nfs.file_tx: false + nfs.filename: blns + nfs.id: 20 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 49 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961903 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 19 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 12 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: 
alert + flow.bytes_toclient: 3138 + flow.bytes_toserver: 3676 + flow.pkts_toclient: 19 + flow.pkts_toserver: 20 + nfs.file_tx: false + nfs.filename: blns + nfs.id: 20 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 49 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961903 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 19 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 15 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 3138 + flow.bytes_toserver: 3676 + flow.pkts_toclient: 19 + flow.pkts_toserver: 20 + nfs.file_tx: false + nfs.filename: blns + nfs.id: 20 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 49 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961903 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 19 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: blns + nfs.id: 20 + nfs.procedure: LOOKUP + nfs.status: ERR_NOENT + nfs.type: response + nfs.version: 3 + pcap_cnt: 50 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961903 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 3212 + flow.bytes_toserver: 3898 + flow.pkts_toclient: 20 + flow.pkts_toserver: 21 + nfs.file_tx: false 
+ nfs.filename: '' + nfs.id: 21 + nfs.procedure: SYMLINK + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 51 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961904 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 20 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 3212 + flow.bytes_toserver: 3898 + flow.pkts_toclient: 20 + flow.pkts_toserver: 21 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 21 + nfs.procedure: SYMLINK + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 51 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961904 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 20 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 11 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 3212 + flow.bytes_toserver: 3898 + flow.pkts_toclient: 20 + flow.pkts_toserver: 21 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 21 + nfs.procedure: SYMLINK + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 51 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961904 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 20 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: '' + nfs.id: 21 + nfs.procedure: SYMLINK + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 52 + 
proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961904 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 3502 + flow.bytes_toserver: 4076 + flow.pkts_toclient: 21 + flow.pkts_toserver: 22 + nfs.file_tx: false + nfs.filename: . + nfs.id: 22 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 53 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961905 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 21 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 3502 + flow.bytes_toserver: 4076 + flow.pkts_toclient: 21 + flow.pkts_toserver: 22 + nfs.file_tx: false + nfs.filename: . 
+ nfs.id: 22 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 53 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961905 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 21 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 12 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 3502 + flow.bytes_toserver: 4076 + flow.pkts_toclient: 21 + flow.pkts_toserver: 22 + nfs.file_tx: false + nfs.filename: . + nfs.id: 22 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 53 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961905 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 21 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 15 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 3502 + flow.bytes_toserver: 4076 + flow.pkts_toclient: 21 + flow.pkts_toserver: 22 + nfs.file_tx: false + nfs.filename: . + nfs.id: 22 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 53 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961905 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 21 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: . 
+ nfs.hhash: 38a4e9f6 + nfs.id: 22 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 54 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961905 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 3784 + flow.bytes_toserver: 4250 + flow.pkts_toclient: 22 + flow.pkts_toserver: 23 + nfs.file_tx: false + nfs.filename: . + nfs.hhash: 38a4e9f6 + nfs.id: 23 + nfs.procedure: ACCESS + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 55 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961906 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 22 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 3784 + flow.bytes_toserver: 4250 + flow.pkts_toclient: 22 + flow.pkts_toserver: 23 + nfs.file_tx: false + nfs.filename: . 
+ nfs.hhash: 38a4e9f6 + nfs.id: 23 + nfs.procedure: ACCESS + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 55 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961906 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 22 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 11 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 3784 + flow.bytes_toserver: 4250 + flow.pkts_toclient: 22 + flow.pkts_toserver: 23 + nfs.file_tx: false + nfs.filename: . + nfs.hhash: 38a4e9f6 + nfs.id: 23 + nfs.procedure: ACCESS + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 55 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961906 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 22 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 15 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 3784 + flow.bytes_toserver: 4250 + flow.pkts_toclient: 22 + flow.pkts_toserver: 23 + nfs.file_tx: false + nfs.filename: . + nfs.hhash: 38a4e9f6 + nfs.id: 23 + nfs.procedure: ACCESS + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 55 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961906 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 22 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: . 
+ nfs.hhash: 38a4e9f6 + nfs.id: 23 + nfs.procedure: ACCESS + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 56 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961906 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 3946 + flow.bytes_toserver: 4420 + flow.pkts_toclient: 23 + flow.pkts_toserver: 24 + nfs.file_tx: false + nfs.filename: . + nfs.hhash: 38a4e9f6 + nfs.id: 24 + nfs.procedure: GETATTR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 57 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961907 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 23 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 3946 + flow.bytes_toserver: 4420 + flow.pkts_toclient: 23 + flow.pkts_toserver: 24 + nfs.file_tx: false + nfs.filename: . 
+ nfs.hhash: 38a4e9f6 + nfs.id: 24 + nfs.procedure: GETATTR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 57 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961907 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 23 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 10 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 3946 + flow.bytes_toserver: 4420 + flow.pkts_toclient: 23 + flow.pkts_toserver: 24 + nfs.file_tx: false + nfs.filename: . + nfs.hhash: 38a4e9f6 + nfs.id: 24 + nfs.procedure: GETATTR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 57 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961907 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 23 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 4100 + flow.bytes_toserver: 4610 + flow.pkts_toclient: 24 + flow.pkts_toserver: 25 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 25 + nfs.procedure: READDIR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 59 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961908 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 24 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + 
dest_port: 2049 + event_type: alert + flow.bytes_toclient: 4100 + flow.bytes_toserver: 4610 + flow.pkts_toclient: 24 + flow.pkts_toserver: 25 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 25 + nfs.procedure: READDIR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 59 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961908 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 24 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 11 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 4100 + flow.bytes_toserver: 4610 + flow.pkts_toclient: 24 + flow.pkts_toserver: 25 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 25 + nfs.procedure: READDIR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 59 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961908 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 24 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: '' + nfs.id: 25 + nfs.procedure: READDIR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 60 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961908 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 4442 + flow.bytes_toserver: 4788 + flow.pkts_toclient: 25 + flow.pkts_toserver: 26 + 
nfs.file_tx: false + nfs.filename: am + nfs.id: 26 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 61 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961909 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 25 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 4442 + flow.bytes_toserver: 4788 + flow.pkts_toclient: 25 + flow.pkts_toserver: 26 + nfs.file_tx: false + nfs.filename: am + nfs.id: 26 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 61 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961909 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 25 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 12 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 4442 + flow.bytes_toserver: 4788 + flow.pkts_toclient: 25 + flow.pkts_toserver: 26 + nfs.file_tx: false + nfs.filename: am + nfs.id: 26 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 61 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961909 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 25 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 15 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 
2049 + event_type: alert + flow.bytes_toclient: 4442 + flow.bytes_toserver: 4788 + flow.pkts_toclient: 25 + flow.pkts_toserver: 26 + nfs.file_tx: false + nfs.filename: am + nfs.id: 26 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 61 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961909 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 25 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: am + nfs.hhash: 131299c5 + nfs.id: 26 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 62 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961909 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 4724 + flow.bytes_toserver: 4966 + flow.pkts_toclient: 26 + flow.pkts_toserver: 27 + nfs.file_tx: false + nfs.filename: bln + nfs.id: 27 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 63 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961910 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 26 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 4724 + flow.bytes_toserver: 4966 + flow.pkts_toclient: 26 + 
flow.pkts_toserver: 27 + nfs.file_tx: false + nfs.filename: bln + nfs.id: 27 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 63 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961910 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 26 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 12 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 4724 + flow.bytes_toserver: 4966 + flow.pkts_toclient: 26 + flow.pkts_toserver: 27 + nfs.file_tx: false + nfs.filename: bln + nfs.id: 27 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 63 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961910 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 26 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 15 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 4724 + flow.bytes_toserver: 4966 + flow.pkts_toclient: 26 + flow.pkts_toserver: 27 + nfs.file_tx: false + nfs.filename: bln + nfs.id: 27 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 63 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961910 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 26 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: bln + nfs.hhash: a5fcf973 + nfs.id: 27 + nfs.procedure: LOOKUP + 
nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 64 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961910 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 5006 + flow.bytes_toserver: 5136 + flow.pkts_toclient: 27 + flow.pkts_toserver: 28 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 28 + nfs.procedure: READLINK + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 65 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961911 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 27 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 5006 + flow.bytes_toserver: 5136 + flow.pkts_toclient: 27 + flow.pkts_toserver: 28 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 28 + nfs.procedure: READLINK + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 65 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961911 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 27 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 11 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 5006 + flow.bytes_toserver: 5136 + 
flow.pkts_toclient: 27 + flow.pkts_toserver: 28 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 28 + nfs.procedure: READLINK + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 65 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961911 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 27 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: '' + nfs.id: 28 + nfs.procedure: READLINK + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 66 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961911 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 5172 + flow.bytes_toserver: 5314 + flow.pkts_toclient: 28 + flow.pkts_toserver: 29 + nfs.file_tx: false + nfs.filename: d + nfs.id: 29 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 67 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961912 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 28 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 5172 + flow.bytes_toserver: 5314 + flow.pkts_toclient: 28 + flow.pkts_toserver: 29 + nfs.file_tx: false + nfs.filename: d + nfs.id: 29 + nfs.procedure: LOOKUP + nfs.status: OK + 
nfs.type: response + nfs.version: 3 + pcap_cnt: 67 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961912 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 28 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 12 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 5172 + flow.bytes_toserver: 5314 + flow.pkts_toclient: 28 + flow.pkts_toserver: 29 + nfs.file_tx: false + nfs.filename: d + nfs.id: 29 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 67 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961912 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 28 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 15 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 5172 + flow.bytes_toserver: 5314 + flow.pkts_toclient: 28 + flow.pkts_toserver: 29 + nfs.file_tx: false + nfs.filename: d + nfs.id: 29 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 67 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961912 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 28 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: d + nfs.id: 29 + nfs.procedure: LOOKUP + nfs.status: ERR_NOENT + nfs.type: response + nfs.version: 3 + pcap_cnt: 68 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: 
werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961912 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 5246 + flow.bytes_toserver: 5528 + flow.pkts_toclient: 29 + flow.pkts_toserver: 30 + nfs.file_tx: false + nfs.filename: d + nfs.hhash: 38a4e9f6 + nfs.id: 30 + nfs.procedure: MKDIR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 69 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961913 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 29 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 5246 + flow.bytes_toserver: 5528 + flow.pkts_toclient: 29 + flow.pkts_toserver: 30 + nfs.file_tx: false + nfs.filename: d + nfs.hhash: 38a4e9f6 + nfs.id: 30 + nfs.procedure: MKDIR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 69 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961913 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 29 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 11 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 5246 + flow.bytes_toserver: 5528 + flow.pkts_toclient: 29 + flow.pkts_toserver: 30 + nfs.file_tx: false + nfs.filename: d + nfs.hhash: 38a4e9f6 + 
nfs.id: 30 + nfs.procedure: MKDIR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 69 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961913 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 29 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: d + nfs.hhash: 38a4e9f6 + nfs.id: 30 + nfs.procedure: MKDIR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 70 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961913 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 5560 + flow.bytes_toserver: 5706 + flow.pkts_toclient: 30 + flow.pkts_toserver: 31 + nfs.file_tx: false + nfs.filename: h + nfs.id: 31 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 71 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961914 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 30 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 5560 + flow.bytes_toserver: 5706 + flow.pkts_toclient: 30 + flow.pkts_toserver: 31 + nfs.file_tx: false + nfs.filename: h + nfs.id: 31 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 71 + proto: UDP + 
rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961914 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 30 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 12 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 5560 + flow.bytes_toserver: 5706 + flow.pkts_toclient: 30 + flow.pkts_toserver: 31 + nfs.file_tx: false + nfs.filename: h + nfs.id: 31 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 71 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961914 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 30 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 15 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 5560 + flow.bytes_toserver: 5706 + flow.pkts_toclient: 30 + flow.pkts_toserver: 31 + nfs.file_tx: false + nfs.filename: h + nfs.id: 31 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 71 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961914 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 30 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: h + nfs.id: 31 + nfs.procedure: LOOKUP + nfs.status: ERR_NOENT + nfs.type: response + nfs.version: 3 + pcap_cnt: 72 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 
1578961914 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 5634 + flow.bytes_toserver: 5932 + flow.pkts_toclient: 31 + flow.pkts_toserver: 32 + nfs.file_tx: false + nfs.filename: h + nfs.hhash: e87927b5 + nfs.id: 32 + nfs.procedure: CREATE + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 73 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961915 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 31 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 5634 + flow.bytes_toserver: 5932 + flow.pkts_toclient: 31 + flow.pkts_toserver: 32 + nfs.file_tx: false + nfs.filename: h + nfs.hhash: e87927b5 + nfs.id: 32 + nfs.procedure: CREATE + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 73 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961915 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 31 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 11 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 5634 + flow.bytes_toserver: 5932 + flow.pkts_toclient: 31 + flow.pkts_toserver: 32 + nfs.file_tx: false + nfs.filename: h + nfs.hhash: e87927b5 + nfs.id: 32 + nfs.procedure: CREATE + nfs.status: OK + nfs.type: 
response + nfs.version: 3 + pcap_cnt: 73 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961915 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 31 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: h + nfs.hhash: e87927b5 + nfs.id: 32 + nfs.procedure: CREATE + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 74 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961915 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 5948 + flow.bytes_toserver: 6102 + flow.pkts_toclient: 32 + flow.pkts_toserver: 33 + nfs.file_tx: false + nfs.filename: h + nfs.hhash: 3baec21a + nfs.id: 33 + nfs.procedure: GETATTR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 75 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961916 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 32 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 5948 + flow.bytes_toserver: 6102 + flow.pkts_toclient: 32 + flow.pkts_toserver: 33 + nfs.file_tx: false + nfs.filename: h + nfs.hhash: 3baec21a + nfs.id: 33 + nfs.procedure: GETATTR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 75 + proto: UDP + rpc.auth_type: UNIX + 
rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961916 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 32 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 10 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 5948 + flow.bytes_toserver: 6102 + flow.pkts_toclient: 32 + flow.pkts_toserver: 33 + nfs.file_tx: false + nfs.filename: h + nfs.hhash: 3baec21a + nfs.id: 33 + nfs.procedure: GETATTR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 75 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961916 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 32 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 6102 + flow.bytes_toserver: 6300 + flow.pkts_toclient: 33 + flow.pkts_toserver: 34 + nfs.file_tx: true + nfs.filename: h + nfs.hhash: 3baec21a + nfs.id: 34 + nfs.procedure: WRITE + nfs.status: OK + nfs.type: response + nfs.version: 3 + nfs.write.chunks: 0 + nfs.write.first: true + nfs.write.last: false + nfs.write.last_xid: 0 + pcap_cnt: 77 + proto: UDP + rpc.auth_type: 'NULL' + rpc.status: ACCEPTED + rpc.xid: 1578961917 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 33 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 6102 + flow.bytes_toserver: 6300 + flow.pkts_toclient: 33 + 
flow.pkts_toserver: 34 + nfs.file_tx: true + nfs.filename: h + nfs.hhash: 3baec21a + nfs.id: 34 + nfs.procedure: WRITE + nfs.status: OK + nfs.type: response + nfs.version: 3 + nfs.write.chunks: 0 + nfs.write.first: true + nfs.write.last: false + nfs.write.last_xid: 0 + pcap_cnt: 77 + proto: UDP + rpc.auth_type: 'NULL' + rpc.status: ACCEPTED + rpc.xid: 1578961917 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 33 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 11 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 6102 + flow.bytes_toserver: 6300 + flow.pkts_toclient: 33 + flow.pkts_toserver: 34 + nfs.file_tx: true + nfs.filename: h + nfs.hhash: 3baec21a + nfs.id: 34 + nfs.procedure: WRITE + nfs.status: OK + nfs.type: response + nfs.version: 3 + nfs.write.chunks: 0 + nfs.write.first: true + nfs.write.last: false + nfs.write.last_xid: 0 + pcap_cnt: 77 + proto: UDP + rpc.auth_type: 'NULL' + rpc.status: ACCEPTED + rpc.xid: 1578961917 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 33 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 6304 + flow.bytes_toserver: 6474 + flow.pkts_toclient: 34 + flow.pkts_toserver: 35 + nfs.file_tx: false + nfs.filename: h + nfs.hhash: 3baec21a + nfs.id: 35 + nfs.procedure: ACCESS + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 79 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961918 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 34 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + 
alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 6304 + flow.bytes_toserver: 6474 + flow.pkts_toclient: 34 + flow.pkts_toserver: 35 + nfs.file_tx: false + nfs.filename: h + nfs.hhash: 3baec21a + nfs.id: 35 + nfs.procedure: ACCESS + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 79 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961918 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 34 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 11 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 6304 + flow.bytes_toserver: 6474 + flow.pkts_toclient: 34 + flow.pkts_toserver: 35 + nfs.file_tx: false + nfs.filename: h + nfs.hhash: 3baec21a + nfs.id: 35 + nfs.procedure: ACCESS + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 79 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961918 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 34 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 15 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 6304 + flow.bytes_toserver: 6474 + flow.pkts_toclient: 34 + flow.pkts_toserver: 35 + nfs.file_tx: false + nfs.filename: h + nfs.hhash: 3baec21a + nfs.id: 35 + nfs.procedure: ACCESS + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 79 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + 
rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961918 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 34 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: h + nfs.hhash: 3baec21a + nfs.id: 35 + nfs.procedure: ACCESS + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 80 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961918 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 6466 + flow.bytes_toserver: 6644 + flow.pkts_toclient: 35 + flow.pkts_toserver: 36 + nfs.file_tx: false + nfs.filename: h + nfs.hhash: 3baec21a + nfs.id: 36 + nfs.procedure: GETATTR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 81 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961919 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 35 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 6466 + flow.bytes_toserver: 6644 + flow.pkts_toclient: 35 + flow.pkts_toserver: 36 + nfs.file_tx: false + nfs.filename: h + nfs.hhash: 3baec21a + nfs.id: 36 + nfs.procedure: GETATTR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 81 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961919 + src_ip: 
139.25.22.2 + src_port: 1022 + tx_id: 35 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 10 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 6466 + flow.bytes_toserver: 6644 + flow.pkts_toclient: 35 + flow.pkts_toserver: 36 + nfs.file_tx: false + nfs.filename: h + nfs.hhash: 3baec21a + nfs.id: 36 + nfs.procedure: GETATTR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 81 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961919 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 35 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 6620 + flow.bytes_toserver: 6818 + flow.pkts_toclient: 36 + flow.pkts_toserver: 37 + nfs.file_tx: false + nfs.filename: bln + nfs.hhash: a5fcf973 + nfs.id: 37 + nfs.procedure: ACCESS + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 83 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961920 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 36 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 6620 + flow.bytes_toserver: 6818 + flow.pkts_toclient: 36 + flow.pkts_toserver: 37 + nfs.file_tx: false + nfs.filename: bln + nfs.hhash: a5fcf973 + nfs.id: 37 + nfs.procedure: ACCESS + nfs.status: OK + nfs.type: 
response + nfs.version: 3 + pcap_cnt: 83 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961920 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 36 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 11 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 6620 + flow.bytes_toserver: 6818 + flow.pkts_toclient: 36 + flow.pkts_toserver: 37 + nfs.file_tx: false + nfs.filename: bln + nfs.hhash: a5fcf973 + nfs.id: 37 + nfs.procedure: ACCESS + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 83 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961920 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 36 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 15 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 6620 + flow.bytes_toserver: 6818 + flow.pkts_toclient: 36 + flow.pkts_toserver: 37 + nfs.file_tx: false + nfs.filename: bln + nfs.hhash: a5fcf973 + nfs.id: 37 + nfs.procedure: ACCESS + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 83 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961920 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 36 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: bln + nfs.hhash: a5fcf973 + nfs.id: 37 + nfs.procedure: ACCESS + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 84 + proto: UDP + 
rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961920 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 6782 + flow.bytes_toserver: 6988 + flow.pkts_toclient: 37 + flow.pkts_toserver: 38 + nfs.file_tx: false + nfs.filename: bln + nfs.hhash: a5fcf973 + nfs.id: 38 + nfs.procedure: GETATTR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 85 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961921 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 37 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 6782 + flow.bytes_toserver: 6988 + flow.pkts_toclient: 37 + flow.pkts_toserver: 38 + nfs.file_tx: false + nfs.filename: bln + nfs.hhash: a5fcf973 + nfs.id: 38 + nfs.procedure: GETATTR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 85 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961921 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 37 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 10 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 6782 + flow.bytes_toserver: 6988 + flow.pkts_toclient: 37 + 
flow.pkts_toserver: 38 + nfs.file_tx: false + nfs.filename: bln + nfs.hhash: a5fcf973 + nfs.id: 38 + nfs.procedure: GETATTR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 85 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961921 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 37 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 6936 + flow.bytes_toserver: 7170 + flow.pkts_toclient: 38 + flow.pkts_toserver: 39 + nfs.file_tx: true + nfs.filename: bln + nfs.hhash: a5fcf973 + nfs.id: 39 + nfs.procedure: READ + nfs.read.chunks: 0 + nfs.read.first: true + nfs.read.last: false + nfs.read.last_xid: 0 + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 87 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961922 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 38 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 6936 + flow.bytes_toserver: 7170 + flow.pkts_toclient: 38 + flow.pkts_toserver: 39 + nfs.file_tx: true + nfs.filename: bln + nfs.hhash: a5fcf973 + nfs.id: 39 + nfs.procedure: READ + nfs.read.chunks: 0 + nfs.read.first: true + nfs.read.last: false + nfs.read.last_xid: 0 + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 87 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961922 + src_ip: 
139.25.22.2 + src_port: 1022 + tx_id: 38 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 11 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 6936 + flow.bytes_toserver: 7170 + flow.pkts_toclient: 38 + flow.pkts_toserver: 39 + nfs.file_tx: true + nfs.filename: bln + nfs.hhash: a5fcf973 + nfs.id: 39 + nfs.procedure: READ + nfs.read.chunks: 0 + nfs.read.first: true + nfs.read.last: false + nfs.read.last_xid: 0 + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 87 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961922 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 38 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: true + nfs.filename: bln + nfs.hhash: a5fcf973 + nfs.id: 39 + nfs.procedure: READ + nfs.read.chunks: 1 + nfs.read.first: true + nfs.read.last: true + nfs.read.last_xid: 1578961922 + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 88 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961922 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + app_proto: nfs + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: fileinfo + fileinfo.filename: bln + fileinfo.gaps: false + fileinfo.size: 11 + fileinfo.state: CLOSED + fileinfo.stored: false + fileinfo.tx_id: 38 + nfs.file_tx: true + nfs.filename: bln + nfs.hhash: a5fcf973 + nfs.id: 39 + nfs.procedure: READ + nfs.read.chunks: 1 + nfs.read.first: true + nfs.read.last: true + nfs.read.last_xid: 1578961922 + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 88 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + 
rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961922 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 7320 + flow.bytes_toserver: 7554 + flow.pkts_toclient: 40 + flow.pkts_toserver: 41 + nfs.file_tx: false + nfs.filename: '' + nfs.hhash: e87927b5 + nfs.id: 40 + nfs.procedure: ACCESS + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 91 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961924 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 39 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 7320 + flow.bytes_toserver: 7554 + flow.pkts_toclient: 40 + flow.pkts_toserver: 41 + nfs.file_tx: false + nfs.filename: '' + nfs.hhash: e87927b5 + nfs.id: 40 + nfs.procedure: ACCESS + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 91 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961924 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 39 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 11 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 7320 + flow.bytes_toserver: 7554 + flow.pkts_toclient: 40 + flow.pkts_toserver: 41 + nfs.file_tx: false + nfs.filename: 
'' + nfs.hhash: e87927b5 + nfs.id: 40 + nfs.procedure: ACCESS + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 91 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961924 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 39 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 15 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 7320 + flow.bytes_toserver: 7554 + flow.pkts_toclient: 40 + flow.pkts_toserver: 41 + nfs.file_tx: false + nfs.filename: '' + nfs.hhash: e87927b5 + nfs.id: 40 + nfs.procedure: ACCESS + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 91 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961924 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 39 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: '' + nfs.hhash: e87927b5 + nfs.id: 40 + nfs.procedure: ACCESS + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 92 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961924 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 7482 + flow.bytes_toserver: 7724 + flow.pkts_toclient: 41 + flow.pkts_toserver: 42 + nfs.file_tx: false + nfs.filename: '' + nfs.hhash: e87927b5 + nfs.id: 41 + nfs.procedure: GETATTR + nfs.status: OK 
+ nfs.type: response + nfs.version: 3 + pcap_cnt: 93 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961925 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 40 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 7482 + flow.bytes_toserver: 7724 + flow.pkts_toclient: 41 + flow.pkts_toserver: 42 + nfs.file_tx: false + nfs.filename: '' + nfs.hhash: e87927b5 + nfs.id: 41 + nfs.procedure: GETATTR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 93 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961925 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 40 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 10 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 7482 + flow.bytes_toserver: 7724 + flow.pkts_toclient: 41 + flow.pkts_toserver: 42 + nfs.file_tx: false + nfs.filename: '' + nfs.hhash: e87927b5 + nfs.id: 41 + nfs.procedure: GETATTR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 93 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961925 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 40 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 
7636 + flow.bytes_toserver: 7914 + flow.pkts_toclient: 42 + flow.pkts_toserver: 43 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 42 + nfs.procedure: READDIR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 95 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961926 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 41 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 7636 + flow.bytes_toserver: 7914 + flow.pkts_toclient: 42 + flow.pkts_toserver: 43 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 42 + nfs.procedure: READDIR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 95 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961926 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 41 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 11 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 7636 + flow.bytes_toserver: 7914 + flow.pkts_toclient: 42 + flow.pkts_toserver: 43 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 42 + nfs.procedure: READDIR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 95 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961926 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 41 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: '' + nfs.id: 
42 + nfs.procedure: READDIR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 96 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961926 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 7894 + flow.bytes_toserver: 8092 + flow.pkts_toclient: 43 + flow.pkts_toserver: 44 + nfs.file_tx: false + nfs.filename: h + nfs.hhash: e87927b5 + nfs.id: 43 + nfs.procedure: REMOVE + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 97 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961927 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 42 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 7894 + flow.bytes_toserver: 8092 + flow.pkts_toclient: 43 + flow.pkts_toserver: 44 + nfs.file_tx: false + nfs.filename: h + nfs.hhash: e87927b5 + nfs.id: 43 + nfs.procedure: REMOVE + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 97 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961927 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 42 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 11 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + 
event_type: alert + flow.bytes_toclient: 7894 + flow.bytes_toserver: 8092 + flow.pkts_toclient: 43 + flow.pkts_toserver: 44 + nfs.file_tx: false + nfs.filename: h + nfs.hhash: e87927b5 + nfs.id: 43 + nfs.procedure: REMOVE + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 97 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961927 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 42 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: h + nfs.hhash: e87927b5 + nfs.id: 43 + nfs.procedure: REMOVE + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 98 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961927 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 8080 + flow.bytes_toserver: 8270 + flow.pkts_toclient: 44 + flow.pkts_toserver: 45 + nfs.file_tx: false + nfs.filename: d + nfs.hhash: 38a4e9f6 + nfs.id: 44 + nfs.procedure: RMDIR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 99 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961928 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 43 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 8080 + flow.bytes_toserver: 8270 + 
flow.pkts_toclient: 44 + flow.pkts_toserver: 45 + nfs.file_tx: false + nfs.filename: d + nfs.hhash: 38a4e9f6 + nfs.id: 44 + nfs.procedure: RMDIR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 99 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961928 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 43 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 11 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 8080 + flow.bytes_toserver: 8270 + flow.pkts_toclient: 44 + flow.pkts_toserver: 45 + nfs.file_tx: false + nfs.filename: d + nfs.hhash: 38a4e9f6 + nfs.id: 44 + nfs.procedure: RMDIR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 99 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961928 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 43 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: d + nfs.hhash: 38a4e9f6 + nfs.id: 44 + nfs.procedure: RMDIR + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 100 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961928 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 8266 + flow.bytes_toserver: 8448 + flow.pkts_toclient: 45 + flow.pkts_toserver: 46 + nfs.file_tx: false + nfs.filename: 
am + nfs.id: 45 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 101 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961929 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 44 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 8266 + flow.bytes_toserver: 8448 + flow.pkts_toclient: 45 + flow.pkts_toserver: 46 + nfs.file_tx: false + nfs.filename: am + nfs.id: 45 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 101 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961929 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 44 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 12 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 8266 + flow.bytes_toserver: 8448 + flow.pkts_toclient: 45 + flow.pkts_toserver: 46 + nfs.file_tx: false + nfs.filename: am + nfs.id: 45 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 101 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961929 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 44 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 15 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + 
flow.bytes_toclient: 8266 + flow.bytes_toserver: 8448 + flow.pkts_toclient: 45 + flow.pkts_toserver: 46 + nfs.file_tx: false + nfs.filename: am + nfs.id: 45 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 101 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961929 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 44 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: am + nfs.hhash: 131299c5 + nfs.id: 45 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 102 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961929 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 8548 + flow.bytes_toserver: 8626 + flow.pkts_toclient: 46 + flow.pkts_toserver: 47 + nfs.file_tx: false + nfs.filename: am + nfs.id: 46 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 103 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961930 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 45 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 8548 + flow.bytes_toserver: 8626 + flow.pkts_toclient: 46 + flow.pkts_toserver: 47 + nfs.file_tx: 
false + nfs.filename: am + nfs.id: 46 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 103 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961930 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 45 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 12 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 8548 + flow.bytes_toserver: 8626 + flow.pkts_toclient: 46 + flow.pkts_toserver: 47 + nfs.file_tx: false + nfs.filename: am + nfs.id: 46 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 103 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961930 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 45 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 15 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 8548 + flow.bytes_toserver: 8626 + flow.pkts_toclient: 46 + flow.pkts_toserver: 47 + nfs.file_tx: false + nfs.filename: am + nfs.id: 46 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 103 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961930 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 45 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: am + nfs.hhash: 131299c5 + nfs.id: 46 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + 
nfs.version: 3 + pcap_cnt: 104 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961930 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 8830 + flow.bytes_toserver: 8804 + flow.pkts_toclient: 47 + flow.pkts_toserver: 48 + nfs.file_tx: false + nfs.filename: am + nfs.hhash: 38a4e9f6 + nfs.id: 47 + nfs.procedure: REMOVE + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 105 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961931 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 46 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 8830 + flow.bytes_toserver: 8804 + flow.pkts_toclient: 47 + flow.pkts_toserver: 48 + nfs.file_tx: false + nfs.filename: am + nfs.hhash: 38a4e9f6 + nfs.id: 47 + nfs.procedure: REMOVE + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 105 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961931 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 46 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 11 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 8830 + flow.bytes_toserver: 
8804 + flow.pkts_toclient: 47 + flow.pkts_toserver: 48 + nfs.file_tx: false + nfs.filename: am + nfs.hhash: 38a4e9f6 + nfs.id: 47 + nfs.procedure: REMOVE + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 105 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961931 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 46 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: am + nfs.hhash: 38a4e9f6 + nfs.id: 47 + nfs.procedure: REMOVE + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 106 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961931 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 9016 + flow.bytes_toserver: 8982 + flow.pkts_toclient: 48 + flow.pkts_toserver: 49 + nfs.file_tx: false + nfs.filename: bln + nfs.id: 48 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 107 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961932 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 47 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 9016 + flow.bytes_toserver: 8982 + flow.pkts_toclient: 48 + flow.pkts_toserver: 49 + nfs.file_tx: false + nfs.filename: bln + 
nfs.id: 48 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 107 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961932 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 47 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 12 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 9016 + flow.bytes_toserver: 8982 + flow.pkts_toclient: 48 + flow.pkts_toserver: 49 + nfs.file_tx: false + nfs.filename: bln + nfs.id: 48 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 107 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961932 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 47 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 15 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 9016 + flow.bytes_toserver: 8982 + flow.pkts_toclient: 48 + flow.pkts_toserver: 49 + nfs.file_tx: false + nfs.filename: bln + nfs.id: 48 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 107 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961932 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 47 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: bln + nfs.hhash: a5fcf973 + nfs.id: 48 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 108 + 
proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961932 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 9298 + flow.bytes_toserver: 9160 + flow.pkts_toclient: 49 + flow.pkts_toserver: 50 + nfs.file_tx: false + nfs.filename: bln + nfs.id: 49 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 109 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961933 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 48 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 9298 + flow.bytes_toserver: 9160 + flow.pkts_toclient: 49 + flow.pkts_toserver: 50 + nfs.file_tx: false + nfs.filename: bln + nfs.id: 49 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 109 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961933 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 48 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 12 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 9298 + flow.bytes_toserver: 9160 + flow.pkts_toclient: 49 + flow.pkts_toserver: 50 + nfs.file_tx: false + 
nfs.filename: bln + nfs.id: 49 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 109 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961933 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 48 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 15 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 9298 + flow.bytes_toserver: 9160 + flow.pkts_toclient: 49 + flow.pkts_toserver: 50 + nfs.file_tx: false + nfs.filename: bln + nfs.id: 49 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 109 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961933 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 48 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: bln + nfs.hhash: a5fcf973 + nfs.id: 49 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 110 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961933 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 9580 + flow.bytes_toserver: 9338 + flow.pkts_toclient: 50 + flow.pkts_toserver: 51 + nfs.file_tx: false + nfs.filename: bln + nfs.hhash: 38a4e9f6 + nfs.id: 50 + nfs.procedure: REMOVE + nfs.status: OK + nfs.type: response + 
nfs.version: 3 + pcap_cnt: 111 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961934 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 49 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 9580 + flow.bytes_toserver: 9338 + flow.pkts_toclient: 50 + flow.pkts_toserver: 51 + nfs.file_tx: false + nfs.filename: bln + nfs.hhash: 38a4e9f6 + nfs.id: 50 + nfs.procedure: REMOVE + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 111 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961934 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 49 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 11 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 9580 + flow.bytes_toserver: 9338 + flow.pkts_toclient: 50 + flow.pkts_toserver: 51 + nfs.file_tx: false + nfs.filename: bln + nfs.hhash: 38a4e9f6 + nfs.id: 50 + nfs.procedure: REMOVE + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 111 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961934 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 49 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: bln + nfs.hhash: 38a4e9f6 + nfs.id: 50 + nfs.procedure: REMOVE + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 112 + proto: UDP + rpc.auth_type: 
UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961934 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 9766 + flow.bytes_toserver: 9516 + flow.pkts_toclient: 51 + flow.pkts_toserver: 52 + nfs.file_tx: false + nfs.filename: blns + nfs.id: 51 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 113 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961935 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 50 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 9766 + flow.bytes_toserver: 9516 + flow.pkts_toclient: 51 + flow.pkts_toserver: 52 + nfs.file_tx: false + nfs.filename: blns + nfs.id: 51 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 113 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961935 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 50 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 12 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 9766 + flow.bytes_toserver: 9516 + flow.pkts_toclient: 51 + flow.pkts_toserver: 52 + nfs.file_tx: false + nfs.filename: blns + 
nfs.id: 51 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 113 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961935 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 50 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 15 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 9766 + flow.bytes_toserver: 9516 + flow.pkts_toclient: 51 + flow.pkts_toserver: 52 + nfs.file_tx: false + nfs.filename: blns + nfs.id: 51 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 113 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961935 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 50 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: blns + nfs.hhash: 94b45286 + nfs.id: 51 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 114 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961935 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 10048 + flow.bytes_toserver: 9694 + flow.pkts_toclient: 52 + flow.pkts_toserver: 53 + nfs.file_tx: false + nfs.filename: blns + nfs.id: 52 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 115 + proto: 
UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961936 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 51 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 10048 + flow.bytes_toserver: 9694 + flow.pkts_toclient: 52 + flow.pkts_toserver: 53 + nfs.file_tx: false + nfs.filename: blns + nfs.id: 52 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 115 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961936 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 51 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 12 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 10048 + flow.bytes_toserver: 9694 + flow.pkts_toclient: 52 + flow.pkts_toserver: 53 + nfs.file_tx: false + nfs.filename: blns + nfs.id: 52 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 115 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961936 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 51 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 15 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 10048 + flow.bytes_toserver: 9694 + flow.pkts_toclient: 52 + flow.pkts_toserver: 53 + nfs.file_tx: 
false + nfs.filename: blns + nfs.id: 52 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 115 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961936 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 51 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: blns + nfs.hhash: 94b45286 + nfs.id: 52 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 116 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961936 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 10330 + flow.bytes_toserver: 9864 + flow.pkts_toclient: 53 + flow.pkts_toserver: 54 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 53 + nfs.procedure: READLINK + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 117 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961937 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 52 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 10330 + flow.bytes_toserver: 9864 + flow.pkts_toclient: 53 + flow.pkts_toserver: 54 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 53 + nfs.procedure: READLINK + nfs.status: OK + nfs.type: response + 
nfs.version: 3 + pcap_cnt: 117 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961937 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 52 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 11 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 10330 + flow.bytes_toserver: 9864 + flow.pkts_toclient: 53 + flow.pkts_toserver: 54 + nfs.file_tx: false + nfs.filename: '' + nfs.id: 53 + nfs.procedure: READLINK + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 117 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961937 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 52 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: '' + nfs.id: 53 + nfs.procedure: READLINK + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 118 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961937 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 10496 + flow.bytes_toserver: 10042 + flow.pkts_toclient: 54 + flow.pkts_toserver: 55 + nfs.file_tx: false + nfs.filename: b + nfs.id: 54 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 119 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 
0 + rpc.status: ACCEPTED + rpc.xid: 1578961938 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 53 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 10496 + flow.bytes_toserver: 10042 + flow.pkts_toclient: 54 + flow.pkts_toserver: 55 + nfs.file_tx: false + nfs.filename: b + nfs.id: 54 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 119 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961938 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 53 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 12 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 10496 + flow.bytes_toserver: 10042 + flow.pkts_toclient: 54 + flow.pkts_toserver: 55 + nfs.file_tx: false + nfs.filename: b + nfs.id: 54 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 119 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961938 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 53 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 15 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 10496 + flow.bytes_toserver: 10042 + flow.pkts_toclient: 54 + flow.pkts_toserver: 55 + nfs.file_tx: false + nfs.filename: b + nfs.id: 54 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + 
nfs.version: 3 + pcap_cnt: 119 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961938 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 53 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: b + nfs.hhash: a5fcf973 + nfs.id: 54 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 120 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961938 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 10778 + flow.bytes_toserver: 10220 + flow.pkts_toclient: 55 + flow.pkts_toserver: 56 + nfs.file_tx: false + nfs.filename: blns + nfs.hhash: 38a4e9f6 + nfs.id: 55 + nfs.procedure: REMOVE + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 121 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961939 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 54 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 6 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 10778 + flow.bytes_toserver: 10220 + flow.pkts_toclient: 55 + flow.pkts_toserver: 56 + nfs.file_tx: false + nfs.filename: blns + nfs.hhash: 38a4e9f6 + nfs.id: 55 + nfs.procedure: REMOVE + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 121 + proto: UDP + rpc.auth_type: UNIX + 
rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961939 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 54 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 11 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 10778 + flow.bytes_toserver: 10220 + flow.pkts_toclient: 55 + flow.pkts_toserver: 56 + nfs.file_tx: false + nfs.filename: blns + nfs.hhash: 38a4e9f6 + nfs.id: 55 + nfs.procedure: REMOVE + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 121 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961939 + src_ip: 139.25.22.2 + src_port: 1022 + tx_id: 54 +- filter: + count: 1 + match: + dest_ip: 139.25.22.2 + dest_port: 1022 + event_type: nfs + nfs.file_tx: false + nfs.filename: blns + nfs.hhash: 38a4e9f6 + nfs.id: 55 + nfs.procedure: REMOVE + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 122 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: ACCEPTED + rpc.xid: 1578961939 + src_ip: 139.25.22.102 + src_port: 2049 +- filter: + count: 1 + match: + alert.action: allowed + alert.category: '' + alert.gid: 1 + alert.rev: 0 + alert.severity: 3 + alert.signature: '' + alert.signature_id: 3 + app_proto: nfs + dest_ip: 139.25.22.102 + dest_port: 2049 + event_type: alert + flow.bytes_toclient: 10964 + flow.bytes_toserver: 10398 + flow.pkts_toclient: 56 + flow.pkts_toserver: 57 + nfs.file_tx: false + nfs.filename: am + nfs.id: 56 + nfs.procedure: LOOKUP + nfs.status: OK + nfs.type: response + nfs.version: 3 + pcap_cnt: 123 + proto: UDP + rpc.auth_type: UNIX + rpc.creds.gid: 0 + rpc.creds.machine_name: werrmsche + rpc.creds.uid: 0 + rpc.status: 
ACCEPTED
+ rpc.xid: 1578961940
+ src_ip: 139.25.22.2
+ src_port: 1022
+ tx_id: 55
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: ''
+ alert.gid: 1
+ alert.rev: 0
+ alert.severity: 3
+ alert.signature: ''
+ alert.signature_id: 6
+ app_proto: nfs
+ dest_ip: 139.25.22.102
+ dest_port: 2049
+ event_type: alert
+ flow.bytes_toclient: 10964
+ flow.bytes_toserver: 10398
+ flow.pkts_toclient: 56
+ flow.pkts_toserver: 57
+ nfs.file_tx: false
+ nfs.filename: am
+ nfs.id: 56
+ nfs.procedure: LOOKUP
+ nfs.status: OK
+ nfs.type: response
+ nfs.version: 3
+ pcap_cnt: 123
+ proto: UDP
+ rpc.auth_type: UNIX
+ rpc.creds.gid: 0
+ rpc.creds.machine_name: werrmsche
+ rpc.creds.uid: 0
+ rpc.status: ACCEPTED
+ rpc.xid: 1578961940
+ src_ip: 139.25.22.2
+ src_port: 1022
+ tx_id: 55
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: ''
+ alert.gid: 1
+ alert.rev: 0
+ alert.severity: 3
+ alert.signature: ''
+ alert.signature_id: 12
+ app_proto: nfs
+ dest_ip: 139.25.22.102
+ dest_port: 2049
+ event_type: alert
+ flow.bytes_toclient: 10964
+ flow.bytes_toserver: 10398
+ flow.pkts_toclient: 56
+ flow.pkts_toserver: 57
+ nfs.file_tx: false
+ nfs.filename: am
+ nfs.id: 56
+ nfs.procedure: LOOKUP
+ nfs.status: OK
+ nfs.type: response
+ nfs.version: 3
+ pcap_cnt: 123
+ proto: UDP
+ rpc.auth_type: UNIX
+ rpc.creds.gid: 0
+ rpc.creds.machine_name: werrmsche
+ rpc.creds.uid: 0
+ rpc.status: ACCEPTED
+ rpc.xid: 1578961940
+ src_ip: 139.25.22.2
+ src_port: 1022
+ tx_id: 55
+- filter:
+ count: 1
+ match:
+ alert.action: allowed
+ alert.category: ''
+ alert.gid: 1
+ alert.rev: 0
+ alert.severity: 3
+ alert.signature: ''
+ alert.signature_id: 15
+ app_proto: nfs
+ dest_ip: 139.25.22.102
+ dest_port: 2049
+ event_type: alert
+ flow.bytes_toclient: 10964
+ flow.bytes_toserver: 10398
+ flow.pkts_toclient: 56
+ flow.pkts_toserver: 57
+ nfs.file_tx: false
+ nfs.filename: am
+ nfs.id: 56
+ nfs.procedure: LOOKUP
+ nfs.status: OK
+ nfs.type: response
+ nfs.version: 3
+ pcap_cnt: 123
+ proto: UDP
+ rpc.auth_type: UNIX
+ rpc.creds.gid: 0
+ rpc.creds.machine_name: werrmsche
+ rpc.creds.uid: 0
+ rpc.status: ACCEPTED
+ rpc.xid: 1578961940
+ src_ip: 139.25.22.2
+ src_port: 1022
+ tx_id: 55
+- filter:
+ count: 1
+ match:
+ dest_ip: 139.25.22.2
+ dest_port: 1022
+ event_type: nfs
+ nfs.file_tx: false
+ nfs.filename: am
+ nfs.id: 56
+ nfs.procedure: LOOKUP
+ nfs.status: ERR_NOENT
+ nfs.type: response
+ nfs.version: 3
+ pcap_cnt: 124
+ proto: UDP
+ rpc.auth_type: UNIX
+ rpc.creds.gid: 0
+ rpc.creds.machine_name: werrmsche
+ rpc.creds.uid: 0
+ rpc.status: ACCEPTED
+ rpc.xid: 1578961940
+ src_ip: 139.25.22.102
+ src_port: 2049
+- filter:
+ count: 1
+ match:
+ app_proto: failed
+ dest_ip: 139.25.22.102
+ dest_port: 1048
+ event_type: flow
+ flow.age: 0
+ flow.alerted: false
+ flow.bytes_toclient: 66
+ flow.bytes_toserver: 158
+ flow.pkts_toclient: 1
+ flow.pkts_toserver: 1
+ flow.reason: shutdown
+ flow.state: established
+ proto: UDP
+ src_ip: 139.25.22.2
+ src_port: 722
+- filter:
+ count: 1
+ match:
+ app_proto: failed
+ dest_ip: 139.25.22.102
+ dest_port: 111
+ event_type: flow
+ flow.age: 0
+ flow.alerted: false
+ flow.bytes_toclient: 90
+ flow.bytes_toserver: 106
+ flow.pkts_toclient: 1
+ flow.pkts_toserver: 1
+ flow.reason: shutdown
+ flow.state: established
+ proto: UDP
+ src_ip: 139.25.22.2
+ src_port: 3299
+- filter:
+ count: 1
+ match:
+ app_proto: nfs
+ dest_ip: 139.25.22.102
+ dest_port: 2049
+ event_type: flow
+ flow.age: 0
+ flow.alerted: true
+ flow.bytes_toclient: 11038
+ flow.bytes_toserver: 10398
+ flow.pkts_toclient: 57
+ flow.pkts_toserver: 57
+ flow.reason: shutdown
+ flow.state: established
+ proto: UDP
+ src_ip: 139.25.22.2
+ src_port: 1022
+- filter:
+ count: 1
+ match:
+ app_proto: failed
+ dest_ip: 139.25.22.102
+ dest_port: 1048
+ event_type: flow
+ flow.age: 0
+ flow.alerted: false
+ flow.bytes_toclient: 66
+ flow.bytes_toserver: 82
+ flow.pkts_toclient: 1
+ flow.pkts_toserver: 1
+ flow.reason: shutdown
+ flow.state: established
+ proto: UDP
+ src_ip: 139.25.22.2
+ src_port: 3296
+- filter:
+ count: 1
+ match:
+ app_proto: failed
+ dest_ip: 139.25.22.102
+ dest_port: 111
+ event_type: flow
+ flow.age: 0
+ flow.alerted: false
+ flow.bytes_toclient: 90
+ flow.bytes_toserver: 106
+ flow.pkts_toclient: 1
+ flow.pkts_toserver: 1
+ flow.reason: shutdown
+ flow.state: established
+ proto: UDP
+ src_ip: 139.25.22.2
+ src_port: 3295
+- filter:
+ count: 1
+ match:
+ app_proto: failed
+ dest_ip: 139.25.22.102
+ dest_port: 111
+ event_type: flow
+ flow.age: 0
+ flow.alerted: false
+ flow.bytes_toclient: 90
+ flow.bytes_toserver: 106
+ flow.pkts_toclient: 1
+ flow.pkts_toserver: 1
+ flow.reason: shutdown
+ flow.state: established
+ proto: UDP
+ src_ip: 139.25.22.2
+ src_port: 3297
+- filter:
+ count: 1
+ match:
+ app_proto: failed
+ dest_ip: 139.25.22.102
+ dest_port: 1048
+ event_type: flow
+ flow.age: 0
+ flow.alerted: false
+ flow.bytes_toclient: 114
+ flow.bytes_toserver: 158
+ flow.pkts_toclient: 1
+ flow.pkts_toserver: 1
+ flow.reason: shutdown
+ flow.state: established
+ proto: UDP
+ src_ip: 139.25.22.2
+ src_port: 706
+- filter:
+ count: 1
+ match:
+ app_proto: failed
+ dest_ip: 139.25.22.102
+ dest_port: 2049
+ event_type: flow
+ flow.age: 0
+ flow.alerted: false
+ flow.bytes_toclient: 66
+ flow.bytes_toserver: 82
+ flow.pkts_toclient: 1
+ flow.pkts_toserver: 1
+ flow.reason: shutdown
+ flow.state: established
+ proto: UDP
+ src_ip: 139.25.22.2
+ src_port: 3298
-- 
2.47.2