# Rev 2 of sid 5002043; a later revision with the same sid appears further down this page,
# so load only one of the two.
# Matches log messages that contain "32006 type=" and "login", plus either "accepted" or
# "successfully" (the pcre is unanchored and has no case-insensitive flag).
# alert_time restricts alerting to the days and hours given by $SAGAN_DAYS and $SAGAN_HOURS.
# Those variables are defined outside this rule and must describe the site's off-hours window
# for the "suspicious time" meaning to hold.
# NOTE(review): the window is presumably evaluated against the Sagan host's clock - confirm
# the time zone matches the firewall's users.
# parse_src_ip: 1 takes the alert's source address from the message text rather than from the
# syslog sender.
alert syslog $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-AETAS] Login accepted at suspicious time"; content: "32006 type="; content: "login"; pcre: "/accepted|successfully/"; parse_src_ip: 1; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5002043; sid: 5002043; rev:2;)
-- Main.Sagan-Wiki-Add - 2015-10-21
Newer revisions of rule 5002043 are listed below.
# Rev 4 of sid 5002043. It differs from the rev 2 rule on this page in two ways: the protocol
# field is "any" instead of "syslog", and the pcre is replaced by meta_content.
# meta_content substitutes each listed value (accepted, successfully) for %sagan% and matches
# if any one of them is present in the message.
# No nocase modifier is given on content or meta_content, so matching is presumably
# case-sensitive - confirm against the device's actual log text.
# alert_time restricts alerting to the days and hours given by $SAGAN_DAYS and $SAGAN_HOURS.
# Those variables are defined outside this rule and must describe the site's off-hours window,
# otherwise the rule either never fires or fires on every accepted login.
# parse_src_ip: 1 takes the alert's source address from the message text rather than from the
# syslog sender.
alert any $EXTERNAL_NET any -> $HOME_NET any (msg: "[FORTINET-AETAS] Login accepted at suspicious time"; content: "32006 type="; content: "login"; meta_content: "%sagan%",accepted,successfully; parse_src_ip: 1; alert_time: days $SAGAN_DAYS, hours $SAGAN_HOURS; classtype: successful-admin; reference: url,wiki.quadrantsec.com/bin/view/Main/5002043; sid: 5002043; rev:4;)
-- Main.Sagan-Wiki-Add - 2021-4-12