// this is a language for intrusion detection.
// network logs are queried to look for suspicious behavior
//
// NOTE(review): the file was collapsed onto one line in this copy; line breaks
// below were re-inserted and the tokens are untouched. Whether whitespace is
// significant to the grammar (e.g. around "+ N") is not stated here - confirm
// against the parser before relying on this layout.
//
// Reading of the notation, inferred from the examples only (not a spec):
//   { ... }          presumably groups one rule / query
//   (and ...) (or ...) boolean combination of field predicates
//   HOSTS / SERVICE / IPADDRESS  fields matched against a log record
//   "..."            literal value,  *  looks like a wildcard
//   %name            appears to be a variable; the same %name on both sides of
//                    "+ N" seems to require the two records to agree on it
//   + N              appears to relate two records by an offset N (units unknown)
//   ANYTIME          prefix on a predicate; ordering/time constraint lifted? - confirm

// Rule 1: an ftp record on "atlantic" followed (offset 3) by an ftp record on "pacific".
{
(and HOSTS "atlantic" SERVICE "ftp" ) + 3 (and HOSTS "pacific" SERVICE "ftp")
}

// Rule 2: several clauses in one block. Note %addr, %host1 and %service1 are
// reused across predicates; presumably that is how the language correlates
// events from the same source - verify with the evaluator's binding semantics.
{
// two ftp records from the same %addr on any host, offset 5
(and HOSTS * SERVICE "ftp" IPADDRESS %addr) + 5 (and HOSTS * SERVICE "ftp" IPADDRESS %addr)
// service names here are quoted verbatim; they look like method signatures but
// the file does not say what produces them
ANYTIME (and HOSTS "atlantic" ( or SERVICE "execution void Fruit.e()" SERVICE "execution void Basket.e()"))
// bind %host1/%service1, then (offset 9) the same service from %host1 or one of two named hosts
ANYTIME (and HOSTS %host1 SERVICE %service1) + 9 (and (or HOSTS %host1 HOSTS "pacific" HOSTS "atlantic") SERVICE %service1 IPADDRESS *)
// same as the previous right-hand side but with a nested (or ...); presumably exercises nesting
(and (or HOSTS %host1 (or HOSTS "pacific" HOSTS "atlantic")) SERVICE %service1 IPADDRESS *)
// bare predicates without an (and ...) wrapper - check whether the grammar accepts this form
ANYTIME SERVICE * IPADDRESS *
}