{"id":"cat0","title":"Category 0","description":"This category detects unexpected traffic","rules":[{"id":"3","title":"Malformed message detected","description":"TODO write description for rule# 3","enabled":true,"editable":true,"rule":"\n    whenAll: m.operations.anyItem(+item.malformed)\n    run: log_alert({\n        cat: 'cat0',\n        kbid: 1804,\n        event: m\n    });\n"},{"id":"0","title":"Unknown application context","description":"Triggers an alert if the application context does not belong to known values. Supported known values are MAP and CAP application contexts","enabled":true,"editable":true,"rule":"\n    whenAll: m.application_context.nin(used_map_ac) && m.application_context.nin(used_cap_ac)\n    run: log_alert({\n        cat: 'unknown_application_context',\n        kbid: 1802,\n        event: m\n    });\n"},{"id":"1","title":"Unknown MAP operation code","description":"Triggers an alert if the operation code does not belong to known values.","enabled":true,"editable":true,"rule":"\n    whenAll: m.application_context.in(used_map_ac) && m.operations.anyItem(item.oc.in(unused_map_oc))\n    run: log_alert({\n        cat: 'unknown_map_opcode',\n        kbid: 1803,\n        event: m\n    });\n"},{"id":"2","title":"Unknown CAP operation code","description":"Triggers an alert if the operation code does not belong to known values.","enabled":true,"editable":true,"rule":"\n    whenAll: m.application_context.in(used_cap_ac) && m.operations.anyItem(item.oc.in(unused_cap_oc))\n    run: log_alert({\n        cat: 'unknown_cap_opcode',\n        kbid: 9908,\n        event: m\n    });\n"},{"id":"4","description":"TODO write description for rule# 4","enabled":true,"editable":true,"rule":"\n    whenAll: m.operations.anyItem(item.ipv4src.nin(home_ip_range) && item.cggt.in(home_gt_range))\n    run: log_alert({\n        cat: 'gt spoofing',\n        event: m\n    });\n"},{"id":"5","description":"TODO write description for rule# 5","enabled":true,"editable":true,"rule":"\n    whenAll: m.operations.anyItem(item.ipv4src.in(home_ip_range) && item.cdgt.nin(home_gt_range))\n    run: log_alert({\n        cat: 'gt spoofing out',\n        event: m\n    });\n"},{"id":"6","description":"TODO write description for rule# 6","enabled":true,"editable":true,"rule":"\n    whenAll: ~m.application_context && m.operations.anyItem(~item.oc && item.tc == 'Begin')\n    run: log_alert({\n        cat: 'tcap_scan',\n        event: m\n    });\n"},{"id":"7","description":"TODO write description for rule# 7","enabled":true,"editable":true,"rule":"\n    whenAll: m.application_context.nin([\n        shortMsgMT_Relay,\n        shortMsgMO_Relay\n    ]) && m.operations.anyItem(~item.oc && item.tc == 'Begin')\n    run: log_alert({\n        cat: 'tcap_scan',\n        event: m\n    });\n"},{"id":"8","description":"TODO write description for rule# 8","enabled":true,"editable":true,"rule":"\n    whenAll: m.ipv4src.nin(home_ip_range) && +m.scmg.message_type\n    run: log_alert({\n        cat: 'sccp scan?',\n        event: m\n    });\n"}]}